Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-nwphzsga58
Target 2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock
SHA256 15dc6d8cd97ec807ed9c0f49499c7cdb89bfc1c8a9d0b2f5db0cd9ddc401596e
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15dc6d8cd97ec807ed9c0f49499c7cdb89bfc1c8a9d0b2f5db0cd9ddc401596e

Threat Level: Known bad

The file 2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (75) files with added filename extension

Renames multiple (57) files with added filename extension

Loads dropped DLL

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:45

Reported

2024-05-15 11:47

Platform

win7-20240419-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (57) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\ProgramData\HWEkAYco\deMIsAEI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQMcIcQY.exe = "C:\\Users\\Admin\\cgYEgEsU\\OQMcIcQY.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\deMIsAEI.exe = "C:\\ProgramData\\HWEkAYco\\deMIsAEI.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQMcIcQY.exe = "C:\\Users\\Admin\\cgYEgEsU\\OQMcIcQY.exe" C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\deMIsAEI.exe = "C:\\ProgramData\\HWEkAYco\\deMIsAEI.exe" C:\ProgramData\HWEkAYco\deMIsAEI.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A
N/A N/A C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe
PID 840 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe
PID 840 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe
PID 840 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe
PID 840 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\HWEkAYco\deMIsAEI.exe
PID 840 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\HWEkAYco\deMIsAEI.exe
PID 840 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\HWEkAYco\deMIsAEI.exe
PID 840 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\HWEkAYco\deMIsAEI.exe
PID 840 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2616 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2616 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2616 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 840 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2656 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2656 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2656 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2496 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2772 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2772 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2772 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 2496 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2496 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1244 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1244 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1244 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe"

C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe

"C:\Users\Admin\cgYEgEsU\OQMcIcQY.exe"

C:\ProgramData\HWEkAYco\deMIsAEI.exe

"C:\ProgramData\HWEkAYco\deMIsAEI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGMAQUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyYEgEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcQoUsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SygokgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GAgsQsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUMUoQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIsQAQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgMgkgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYocYssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCkoswwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqYYMcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EKkckQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGoAUUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEwwcEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyggcAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pekoscUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKkgcAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEgEcwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOwsscUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgUEcUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAUYEgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmwkYMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsIEoEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DecwAYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGccAQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NaUQUAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCsMAAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSoIgQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUEIEoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyYwcAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYUQsAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYUEkYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWAcksUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIEEcAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcwoAgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nEYsAEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gusEYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyQYgkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysUUMocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wsgAgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lckUkAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMcUooco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NScEEwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zosUUsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKMUEIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYAYocks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKIkAQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAwUcUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMoUoIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tyskAIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoIMMYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGUgAsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIUkcYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywIYoocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkgwsAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuwkMEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYAcQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcUQQUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGkMsQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BuUcEIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUYYMUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOkEIgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIcIIYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikgwwAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKsQAkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCYEQcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaMUwYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAsUEcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuUcMAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bocsIUMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmwMgAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\asoEkIAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOYAEAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIAsMYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycocwAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOwYEgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-620483395-3076086882013875445307881911869954338-7144832871442942745-1529602009"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmYEwcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUYoIock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "931662013-1545174389174410928716855797121146183856-2042605722172525414-1145128651"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DmIQAsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuAooQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6438941489706499807934374180515137-1446387397-1057013776-1128055707-255916229"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1241719839-1652636909037003111297718075-2000611983-230635287387686352184738049"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UywEYEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMwEMYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmkYMIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wukosMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSUwsgUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10205582301433622817152354832112705924261801668517881789010-953099373-238245858"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSoQoIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "805709010232366675-1199230827-993810795444725279-1011369966-229127642-316503556"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMUMoYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1488521569-733304918-1260613145-1933265738-1148894141-1733169636-2071609788235820839"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwssokYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUoAEAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aocgUcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1710358483-1716976980894294217-4856068419188870871338569009-1732735805658431645"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMwgwUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-693968276-1264781182534418536-643348011509553848-1743808589541520851798267687"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Aiksowow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1005462750-7895472381264827142-8417922951239901575-2039026987-77654762239978030"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmQsggMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-249783934115653335755919842120084809868811885631487638932-1786101794710544978"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "786405815705309044-2093014539-1128959193-20401403781458158709-1720686119-1485825650"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUwgcIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\roYkYMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkEkMEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "560941987-1019796910-5251600561652008867-1439898671-140073496-15934282251068520637"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGAYUcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuIMcIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "852996300-28462696622884816-17855258521926272395-1501180372980658086-1986337353"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1975915734-110968642-1531229715268888097683692517-196428047437087298989256844"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAgsoIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUoEUEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWEMksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1961839020201361726-616627529-6887102167451527381189501894-1357862046800133209"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKcIsQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7227123765992426781685730184-1095312963-8409187192178498541373082409-1951751035"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIcgowEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "594227233-3783856812143323986-3893540622065924579624262075-300154975-1958706930"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\reIQkUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17949197581712395641343886546-14307381531596400005-459241676-826554402-445965960"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IgQMYccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syYooYgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-895699510734108025-14627623171378839820-381934364-683096708-1577234544-383289036"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQUEwQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12256901139203807581340319168-2076288141305220309-734565827232303382-431439307"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYkIUcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKEUUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2083321002-5598506661739234460-1972135193-1209298084610047442-10650120131060337229"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUkMAAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "245893173-1047678868-110395166394265610-74827420-1660766404-2937657362014595401"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8730167751295825451-1921057913-2603154663039414414418933461706803353-1839009145"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lkMIAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UaIYAgwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-38561517-1029857166-1936491605-2088790882-1331651998-977234017-7194627341740623877"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1244574194-2143578094-1466501171-1956125748-3218543891218018825-1540204217-1346551683"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20224658379501842482061175548-19204337661423857831-1065888634-7250564721188040942"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WycIgAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CAkcEsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2120781774-519913344-151990240239578574114256510661821032220-5091401541885093603"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7610732971182412615-1145347698-201885224589084705-330646283-1844407729-213405052"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAMAswcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1587751617-16703839021061957710-1668138183-101325260422359445575478030875174907"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkYIgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCsMkgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGQEAcQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2046050691-16057866821596530860-919009525-377835127-1422383084-1736269694-1649222158"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-921183340-69601637-188054019218320192371018522071-211782513695297039400809873"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OSoYkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmMsQgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUgskIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECIIYoMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyUcoYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "721375273-188617194487851167991666776-2113293592-228923295-1496953649-581725567"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fekEowMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1006725945587271987-2939037311838878104-1116294421-1976723037-14224833301197607884"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-922314827-1627001956-726235709944296673-7797066942056893008237679369-1418685480"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUsIsQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19008063951712073064-699287731-17788192-1893838923984919120-18092842941126542127"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rycAgoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\igskYggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSAsEwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "202104769810274042841507228092-17861363-2114795433180115039-998129232-1293355934"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19315839551235055922-18620350171766888274-1448379108-1858944850368622333-1251608835"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKwIAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
FR 172.217.18.206:80 google.com tcp
FR 172.217.18.206:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/840-0-0x0000000000400000-0x0000000000432000-memory.dmp

\Users\Admin\cgYEgEsU\OQMcIcQY.exe

MD5 e78f1b9cde52cb4e16e060ff839a9b09
SHA1 4bcc4e87403cce6da7b6a50e02086ebc6cfc1b54
SHA256 40c392b804a267508ecda14061f19762e17d496241a3e89ffee2c28c9e0de04a
SHA512 4c4518a5db146c6ca7c0be1acaea2756bd26d10471d44b39d89f27370b2bb8cdc2ab4267a1e9ae2bcae82cc9032af3bea50c7edb741b1c2119864290d5dacbba

memory/840-9-0x0000000003DA0000-0x0000000003DD2000-memory.dmp

\ProgramData\HWEkAYco\deMIsAEI.exe

MD5 4eb20d6dd715c9fcc92b130310a98cb3
SHA1 a26e4f4c3445bdfcf66c1e7fbdf8333fc7ec5051
SHA256 25517547ccb6ae54ae827ad459a29b570cbbf4a1cb3e12fb539617316912ee37
SHA512 83e86b8c28cde1e7761efec734979a432c54220f6e731e2b53452cc773591d11d568495aee8cb5a2362753883fc1f0b30e858f03055c6ec6f9ebfff5c4af90bc

memory/840-21-0x0000000003DA0000-0x0000000003DD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hmMQEIMA.bat

MD5 96b113cf3b350e17ad1825c944d3bc74
SHA1 1dbe84e9c70361bbbecdc16362308a4e50e95340
SHA256 0e55304d11e19aa24448f07cf27a598fee9372feae1597619279934346c06700
SHA512 38a83a4b6a68f489c82b1fb0fa74045771350668de9aecd4c15bb6e4c6b5d2184cbedf9b4017ba1afca067734bcf75c026ed060875a0bf7639320baf66c1bf18

memory/840-20-0x0000000003DA0000-0x0000000003DD5000-memory.dmp

memory/2680-15-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2496-32-0x0000000000400000-0x0000000000432000-memory.dmp

memory/840-40-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jGMAQUow.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\NKcwUYYs.bat

MD5 f3de6de7719d0349fc93b5e9c343c9aa
SHA1 ee3480e80825e93e0c52d9478eb85399e9dbf35b
SHA256 b29726218c38b85cb1d4b326699bbaee338bb866334069dfa888ff63065b8166
SHA512 e4a5a188ff992ce0b727ef6aa26f9d96d3068e4a045b0cff6dfa8019b31c4c0596b5fea814c343554140988090e7c1db928bf0dc566d0ee9a8de0bfc454b9ab7

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

MD5 170555a84120985bef1afa430a90c465
SHA1 aa3652093aafc935d3d65b65954d59c9ba198b16
SHA256 0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4
SHA512 cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

memory/2804-57-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2772-56-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2772-55-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2496-66-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hmYMEkYs.bat

MD5 e825b14131b945f17d39d83c02239492
SHA1 1fe501237e6b9b441cedd67ef21740f4770ecd78
SHA256 f1ae45d00ca7a1fe7f6aae445b57ea9a40ef7f5da8195e11c6c5fdc2bca25b27
SHA512 73913a7e797458b164e2e303c96a841b6d8768f34c75de69ec2ef6f3643307228556a5e2aaaf00ac8bad404af8e159438748820a43fe56ab274b72716fbfc0f9

memory/2024-81-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1824-80-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1824-79-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2804-90-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sWAAQoIU.bat

MD5 0a4eac03550faf964d3ce666954996a3
SHA1 49edef40d693f3aa5fce1ec454c3786b3b8e6bfa
SHA256 a01671c63b6877a6aece5739235361222148d41e8df2de53fa4d122b63179efe
SHA512 c15dda835e7bb1411b8138201290527009483e56d3d53e2c421114cacb26ce286fabf96e94546961ee853824cf11a63795b447c3ca4e43937a9275cc81368534

memory/1460-103-0x00000000001E0000-0x0000000000212000-memory.dmp

memory/320-104-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2024-113-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwMEIkwE.bat

MD5 50fc1bdbe2a6ee304f7603e3b318a64c
SHA1 0aaae048b7a92b4cce629136086bd8f6e90c2b90
SHA256 fa24cf0621cf68dc977b47275c735bfc1827387da7377eeb54d3d4bbcdea57fb
SHA512 870f7f282471446da07ed8c59e878ccc26e6ab1dc87a931d48ab730926a490226344b7efc4725e34a6f51dbb05c7e6795c3758b48685cd9d6f243e21f5189081

memory/1108-127-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2080-126-0x0000000000230000-0x0000000000262000-memory.dmp

memory/320-136-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SeEggscM.bat

MD5 d0fb4b5ae110b06082cd4bca443ff5bb
SHA1 69e996edaa22c67ca8fdb60cb2775f610b68cefc
SHA256 6e25073341c4d249f0e283a54e71bba99a6a14d280064c7d964fcb06381ad758
SHA512 1b9f3984859072804e47d6f396c51b7984fde1b311ff7e0bf5f381d390f7d2c6555a429e55a85ef757e3307ec8b2f8ff72b674e8357bdaf63aecf61ad3f6133c

memory/580-151-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2144-150-0x00000000002E0000-0x0000000000312000-memory.dmp

memory/1108-161-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uMIsEQcY.bat

MD5 25846740caa0ae6e06ce85a16e597361
SHA1 da70cbf529d46e790ac70915aba16a77085867e8
SHA256 3e1dba83ab825538168bc74be1777d907222bfdfc73f955df734c1b3a820bc7f
SHA512 903b879d82b537a027ef81bf84e0ea6d8e77fa7ca6d6973765fda5fbdad6522ddf8124e24b4816d7d9fe4356eac8304a5d6c75a8eee5f813d3887a9b1ba5a918

memory/580-184-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2396-175-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3008-174-0x0000000000160000-0x0000000000192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NcEwQQMg.bat

MD5 5d037e6dbd4cc87a57154de22deaa623
SHA1 1a39d93b56f5ab81960722715afdd22e0adc8b69
SHA256 3d3e12d1d7fcc7e3e14a823c76ef9ac2ed9b6a7c970bbbd43704424a6ca42b7f
SHA512 3e73b2e63b4a70a3d8e07d437bbb9a2f5c9ffbbc1d59f5b4f9cc1ea81fe00e319616f7fa1d25eec263b75566a09ed2d02646fe8ca8edb42104c8834605fb5a9e

memory/2824-198-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2756-197-0x0000000000850000-0x0000000000882000-memory.dmp

memory/2396-207-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwAkgoIg.bat

MD5 786ff6fbf2723f2d9cdf8b547747c443
SHA1 bfecb05445b826de7fa4c192bb1f6df969035bef
SHA256 58b9b9c3957d4d09d14883cdae657eb5ef1d6655954d6574e900e1914a895180
SHA512 72a4ba7fde13aa67fb595c01c0450131adb1461ff91ed049d29800a141c36df1078f71aadd4e5ca0e886462f5495d126bd1251561f9951469cf06c31e4e6aa6b

memory/2360-220-0x0000000000210000-0x0000000000242000-memory.dmp

memory/2188-221-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2824-230-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FSMgYEwU.bat

MD5 8b978b8f9ae692edecf60291ac5d1202
SHA1 7a8883f7b8cf064878e1ad5f1b444754919aa0a8
SHA256 392b804cc588c575f419202261aa92aa883bc1224c8110aa66026bf1a73cf826
SHA512 4d6b8cf3fa0271e2ad79aa414c431050e59bb44bd2b1bcb7e50008839ce449e3a09080d83d560c9ab9aa1d7e0aa2982979eb2c2c24d1365a9831855182044bb4

memory/1948-247-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2244-246-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2244-245-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2188-256-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lGAkIAcw.bat

MD5 a47d875ef99826af3051fbba453429f9
SHA1 b113adce216674dc99951b3562da47c06b6a7900
SHA256 045e5663a89dc3b9660dddb170e758af7f867a7e93258c9f2e6b1415a116f261
SHA512 f59c1ec1eb6fe585aa54f9152a6e06d84e384753acb61904d764d6ed320ce17ff9abf65831cb96b345f7ebfc60daa4efbeae9cfa5db0bd8d01d229f586e20efc

memory/1604-271-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1940-270-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1940-269-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1948-280-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eagYAcko.bat

MD5 2f6579879270b674b12a479d745f308b
SHA1 12baa91e7c20e3cca553a3710d50688f255f3f6f
SHA256 6620e32c134d826be9211d7cb94b0cc2ef4a7918785acbf434828314a140489b
SHA512 53dd313caa50204191f27fca59dbc2c9bb5172a3a2c9cc78041b6fa96f7f8d41f18d23b29ea05a2c1e2d2853e601f993cb68eebb397f341528e1ccd8dd1adb61

memory/1292-295-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1432-294-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1432-293-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1604-304-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WeQcUgAA.bat

MD5 99a453e4bf90c81b35141081f709546a
SHA1 c59b495a62de2f28d4da2133939c6ba2d665034d
SHA256 a41cb429811394f6d72cc3114942253ae383a511913e3bbed79ada9b8ff3cf99
SHA512 4b2087d3d4ac241a30067c416be4797defb97ee8f577cbbe15cbb5a31464b1d01a7106e2101e60f28c6f563f3112f6449a311497ea2ec0127cfee9e6481daee3

memory/2556-318-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1500-317-0x00000000001A0000-0x00000000001D2000-memory.dmp

memory/1292-327-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SqooQIIw.bat

MD5 16bd2a533bbe84dc98211e9ce2cae0a8
SHA1 f87b53add902f2c7437a6944673b5e6f97b74799
SHA256 8a173128a1759d443e65e09e297cb371f56249a87404619ff59366a4dcaa1680
SHA512 b1142cdf9f33d94d938fc3c456f85ef54f3feb7a6ea5044b0b7f375d2ee8578917a3592b2e46f9887a8b205011257b89274e51319f7605523ccdc8918babdb59

memory/3008-343-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1364-344-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3008-342-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2556-353-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gCAkIUIo.bat

MD5 e1e80837e0b97e42b59619d7a50678ed
SHA1 9f175cfcc9aba42f29854aba9166756b4e6fc07d
SHA256 38d257c60750e35ea5807262e5f37601e8ee5e06f7b44a0f9900fd2f21bca3f1
SHA512 20ee9fcc6ad33afffa75221784eeb895d406e0d39b88eee7b0bba0227beae451cb275509ae2090fcd4ea298283dcce0a944cfbad00df467f6868a89ef085ef54

memory/2528-367-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2676-368-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2528-366-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1364-377-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RcEIowQY.bat

MD5 ca6f2f6e8bd5d20b838af1c503aa8312
SHA1 d432b33f39f1c727416e636896a339c7562857fb
SHA256 93cbd1cef4588ff0ad1d1570236dded749ad33f8ee7360262f5b8aeaa6ff5cc9
SHA512 34f46a90c469a80ec6da1c73767979c6d57e8359944537297465cd72ffc4d7c3cdd4693f8fbb5cf49db661e4197332ea2a5ccb6f11f9943f210c6098bd1a7612

memory/2228-392-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2360-391-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2360-390-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2676-401-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fcoYgIEA.bat

MD5 2a4a005bbfb8d926946553299ae62f49
SHA1 7ae08420487de712f74ab2f1624a57e60c15a339
SHA256 ddf417c442d07d811aac315ffeaae0c1f9bceff1fa835cc01b3d4104e9984440
SHA512 3d59b0f2293850468f22975b1256295cbef1dfb86306b17b05face9e1c7605c009f1360382246a43a038186aa35adcd45e3ec3159275505e9b1f7e4118256010

memory/344-414-0x0000000000260000-0x0000000000292000-memory.dmp

memory/1436-415-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2228-424-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PsIQkcQI.bat

MD5 3d607ddb61b5f6eb9f1f2e8db03c64dd
SHA1 55619d228302daaab75efac47046d751bf20371b
SHA256 5bf13eb3678bd112583d653a4458aec2150980a5215b30e3bedb4b7c41ebbe89
SHA512 c897f0b930aa20c0a6e075983d8188bf350e7eeb1bc71bd3502169f9b58255a2787b5d1e2459c2d41225ab10fa6f94f6a9feca938973ee64d98df4d053fe2d5d

memory/1436-447-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2144-450-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3004-449-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3004-448-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lkokccgo.bat

MD5 37ab4e44f78d45aa92f83b9cbbab07d5
SHA1 b25873174c05231d165580c95b1eda1725a9fe27
SHA256 896a83fb0dae321595a33ae1a82864a937dea779957da21447d8a8e754f91393
SHA512 c75c1f78a2b7d74f0c5604262a8fa0ba40cc65492452dcc719190e57267e647e80469766d62263763153e399bd7e9ab267119143e44ff0a844e90000622fca50

memory/2108-463-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2748-464-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2144-473-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GQwsUgkU.bat

MD5 5bfffcd71bf11bc3a6dca4f455d89beb
SHA1 53a7d11f5a9c2ef5e225f5902a452dd68aa315de
SHA256 ddf27c4a10657a7b6be1368d8c8954c05ab7ecc19eb8e573444c377a661e2dd0
SHA512 54e2441993514922c2ad4718b73f224ef13ba0dc697e33250af0315214b3d5f27cd911c38dfe18de2f279d10f46231c0e718236fffc6ae3e64f4c5a3b5f88440

memory/908-486-0x00000000001F0000-0x0000000000222000-memory.dmp

memory/2500-487-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2748-496-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woMgQoAY.bat

MD5 ee59a57dd05470542077796478fcaa3f
SHA1 cf301cc4d72edb803ee6cc1be6f491824aa33e6e
SHA256 a69c2caef5c909599c89a1b95c1426cee9a2292f222b3c703ddc30085883db5e
SHA512 ccc26080901ba76b1e043207f33a979269c80f8d78d424d810f96a29715c7f701d30267ef4815c5bce1b55259566c8c0610c367bf9c76a20540f0b286a59b6d6

memory/2720-508-0x0000000000120000-0x0000000000152000-memory.dmp

memory/1820-509-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2720-507-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2500-518-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kiAAcEYc.bat

MD5 6a9db7027a78df752610107e76a4064d
SHA1 24d7c0fd579b9fc096fc3934b97d407ea33df326
SHA256 5626e01fe5ffc8b21ce462fb6db2722a48921c695480d09b27345dd32b4e10ae
SHA512 e9bb6a721c55fc32cbd4537a7cb908c7af0cf088e543d1f050151eb667495eb4734fa66a4581cb850ec12e30938088b57513b6d454ba07b6aa5022ef77b910b0

memory/2676-532-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1908-531-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1908-530-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1820-541-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kOoUogkg.bat

MD5 ff89288a69f10a60d0466fa3258fb3eb
SHA1 1558b058974097a4150088e160e5ba127dba4301
SHA256 9d7e88b17af4c1801e24d553ad08d6a0784e07d77f55a5f5fb1239d4bfd64c2f
SHA512 2cb49e7f5ab9f87483a52d35b910270b452992d6a453d84886bddbe41e50de6ccd6201acc40a8fbe98b14e7f41e3fa3692de404fbb8f2fdd0b607bd01997d2ff

memory/2988-552-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2416-551-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2676-561-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vsAogMoU.bat

MD5 0cf215654378e89f00f56bc14b204322
SHA1 4d6366649a8fc4b0f34ef1c41877258d5ca36248
SHA256 92011e205c3049b410217e77454b3ddd0c32f326ba768c9ec221739222e482be
SHA512 c90b85f47cde2920a95f6d29964e158812d4af4daf2bb4dfc35bd4b0d6aabfbc6b5df37a2bcddf1e10df2a521c8e69162e7bc1103b816ae1c90ca3326350e3d4

memory/2248-572-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1436-571-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2988-581-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VgEAIYYw.bat

MD5 92f388fdddbb892f3b2c0f7ba0d31c6b
SHA1 2c1d6e4eaca4426bb1d13ef00b46dda6a931ec0b
SHA256 5f4d7a04192b023b9e987efaeeb8efbac36bce0ded31808fde75d90950bc998f
SHA512 81a811a7e14b8fb9ffa1a5224f34421e315391a4de8dfdd89f674404b1e6094205c7e4f548394ecc1be8415e069c06ffd60291dcc64f55ebdb0d7c1b3f57febd

memory/2760-591-0x0000000000170000-0x00000000001A2000-memory.dmp

memory/296-593-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2760-592-0x0000000000170000-0x00000000001A2000-memory.dmp

memory/2248-602-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEwMQEgQ.bat

MD5 31db303ceb66439beb3a569b372c6fda
SHA1 e161f485928ef85067d0adf532a13594de3cfd6e
SHA256 ededfd1f4ba094a8ac7847641ae855960aa79afd93c8c1a81682e639a3d2f228
SHA512 56c508cf63a943239c3c4171bc4111b331fb12fb5e403e180b3f47a55336eb8c49492a9256880e54181bfd234751b9f4b4af171d2a06fb0175b7e49679868045

memory/1804-614-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/1804-615-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/2132-616-0x0000000000400000-0x0000000000432000-memory.dmp

memory/296-625-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HakcIQog.bat

MD5 a8980a01a6e2c181dd28eedfcc44c2dc
SHA1 4117eb01aedb5734b657abc62db348928ea7844b
SHA256 b9784b54d2c71e72d837ab21ec02f6adcaafd49afb1b2aba5dfa0a2f0df9f431
SHA512 51d825483d0a27c215d7c63a344839c2173dc733f8c12ce11f05df25fce536564ef0280e85872963653ecda9912926918e4e1fb65dd405a729fcc5bf1bda1d62

memory/2176-635-0x00000000001D0000-0x0000000000202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocUcAEMM.bat

MD5 917cc342a905d3ef079f86cbbd13cf5d
SHA1 4aa1fb4ac5f1c67dea47842c43d6b9355abe2f33
SHA256 99b172afa52b1b59ad7af51360a438c74f325bae00ab8e0ca3bf6682ce4cc43b
SHA512 a0dd2782376153a2ac804bf46030f81db56dfc7c024ccb3b6dda4218d0800520e15c897fc4e3522627f0c7a76c0cf5c33fdac5cce63252f72f20100cf251588d

C:\Users\Admin\AppData\Local\Temp\KmkEUMMo.bat

MD5 f526c5eea1217ea1f92ae6ecdf5f3ddd
SHA1 df342b6767cacc14ad8beb338bc651f20c890c9b
SHA256 11b7e0e675c16702d43ad9279d3bf038376cf84a8f448ea4e479de7811309219
SHA512 54bc75f6120899cf4243e657a696a22ff78e49381318ce4d7e6d6325c18457e83d6fa6cbf83ef567d3d06d2f17984f098a6200b977b9bf195bab7b1236007f98

C:\Users\Admin\AppData\Local\Temp\AEwQYYww.bat

MD5 9d970c7faaabecd584f2a1a7dc792058
SHA1 2cf1a4b9c240d365c86dd2885211c0392db0c63b
SHA256 1e5fbb9818d601805be9352cbcc8752acb2ef38602720a14c61e24797516703f
SHA512 3a29201675e319f62371a321b426b68d9667a97393c4e216281e77dabcd09bed3cd32a10fef5935f80d224ad2748dba70688c0de1319534bc6323ca0e5190258

C:\Users\Admin\AppData\Local\Temp\OAsY.exe

MD5 b6cdefd73e9fc372e2a467e2fbc05461
SHA1 b56ec86d52c9baac2fe35d24de1006d976d99635
SHA256 b34234a9b74f06bc397db146ed87b35c09f1cc29ad168cac0af2b8f4c1934e0d
SHA512 bc411aa230ba4427cb2bbaa77bdb068387839ca960fb7fe3cb6f39b3f2e11fab8ced99f2e9029ace41ab467d6872cd7276ebd35d28a8b8b04f980a4ea6c3afc9

C:\Users\Admin\AppData\Local\Temp\aUgkocUE.bat

MD5 e778225119a4de1e05691e8730a82a77
SHA1 760b99c9e3fb99fa9654283c751db948db046a00
SHA256 c2f7690cc40ba979dc05f8f433162df455f4ad849507f0827a1259d0ab9f69ce
SHA512 8c5b0103cd56108606ad472d03171f65367646453eb8fc7b736aff7599fdfca367bc3ce06f18d44eaa79bb305db88084607e55b45077d08a73650aa130d92b9b

C:\Users\Admin\AppData\Local\Temp\sGcQoIcg.bat

MD5 046ea6f2318335e9331788e87196ff6e
SHA1 c821f309f262b352210acdc7c51ffef6fa80f693
SHA256 2b3b18b1fc79ca1d063544a044e329a4ac1956fc6cc4e48d7d61cca281e2f27b
SHA512 450e7a0c7c29f5528964a29de0d2e0825ff99549e2a6ee0487fea6d07fb20ed3f565008e63a311d5d2e5524f7a459e5d92739a344c4bdabd0d35002180ff3229

C:\Users\Admin\AppData\Local\Temp\PKQMMcIk.bat

MD5 3ab8cc6a8b586c152178ebf07b5b317d
SHA1 965033c2bc6265a8d594ae56ef5f150c6058ba1e
SHA256 d3b58db74441c70c31f6c805f4ccab181072c87e59bdda80cac8d1cb308ffb3f
SHA512 832283b589354ed7cac8b3bd3020eae3203a33ebe9e4de4f40f3cee6a2bc2ce1b0a43b0f90fee4e86359f4adcd6a12b737dabb817923daa6b49f0a78d3923eba

C:\Users\Admin\AppData\Local\Temp\hGMowYMM.bat

MD5 59255422fc86799a5a8e8d5159f0a02c
SHA1 5ed81d687b6356b7423fe088d859963bfb0882d7
SHA256 72393f10b2670529e19208349e7ce35203dacf3f4a46c01252047e507221a03c
SHA512 e676bafafc86f6ee32ff49e731a8ded67cd28761d1e0955da70b50b3f718c1ec3e7386f11c0daa9dfcb2c747ab5189ba4e48245fb03894929c7390256f42510e

C:\Users\Admin\AppData\Local\Temp\ZmEgkIws.bat

MD5 c5fd44b6aac6af04f9d85a2ae8f53f46
SHA1 958f489c4fc87d69fa5619553d1fcdbbc9e569b2
SHA256 9d01899ea12595150960b1a7c1d9c8209384537d9711168001a22c174a9f7730
SHA512 21c17f7ae7c87a110687f5b7fb9ed35dd519d51990c2c5f683b6342489fc31da5b26f3a525f955d1dda0875b1b101f9c0b0ba5774a7ed65e816710b625e0c724

C:\Users\Admin\AppData\Local\Temp\FscMcEkA.bat

MD5 be939cc7a39a9ee75616b38411438113
SHA1 4f9c5ca23548c6eb94b3b16f4c0d947795c7a94a
SHA256 10e40dfe18bc1474b6128f8ab4aae5dad1ae59c87af870bd99ef691e010a7827
SHA512 32bf1f50c4de2a560dbcc976ace3a6a28a774ccfe268cc86f7a6d2a8f010e71d16139582a3e2ab75f35872bab292576f7e909dc715686d8d595684847385e878

C:\Users\Admin\AppData\Local\Temp\qQsIIEUI.bat

MD5 e41a440e1dbef995ea6ce8b313e18a28
SHA1 8fd3032c6d693286c8a0966a7686a08d6641101a
SHA256 d47bb461de4eef9612afc193fe9119e5dfbee63ac562fca874c140fafa5a24c5
SHA512 14b2620a19211c62646b5a32de502863e8a60e951aa1f1a42fb4a0c9d53c2b4c70b31da4738e2f5df40ca62ec9f9e83d3a0b303f3b61be608227ac1992845013

C:\Users\Admin\AppData\Local\Temp\QAcsoIsI.bat

MD5 422ed0c74f71efb56e75dab0db8c8027
SHA1 0af80e336ee313a5a98f6eafcf54cdf5763ec053
SHA256 c1219b92716aa530e2f0d3549558418fb741249577fe233d8df957d5d16222db
SHA512 338675d3ae722b028e024ee75fe0afeaf5cd04387b5ae403a59c3a68484e9783058b769897e5ffc772d719f9ba803556dfaf31d07d45e5633ea95edf6433d656

C:\Users\Admin\AppData\Local\Temp\KIYMUQss.bat

MD5 8568167c84aaabb62c1483a2497162ae
SHA1 7d8dde0248a6ebce804029a366f50089997600ad
SHA256 cc2889b8b598a991f5e7a2f1abfcfb418bfdf8616827c66db5b10e002ce2d0d1
SHA512 9ee06867f2dff52b73cb3a31e251aad445a88a668285c34eb3005564ecdb4214f90c638afc824a874db078f34ae8111737602bada7a40b3245a2009ec3de75f1

C:\Users\Admin\AppData\Local\Temp\EkkEMswc.bat

MD5 ab301fa32cdb75c455cc7d915c8fa863
SHA1 fb9dc2b7fa63980d3a30223a8a2e9bda4960340a
SHA256 46dec77647bbbd9cbb759455a6e524950964e879ce7cf939922d1f6a50f4209a
SHA512 4648a2a7afb52400f3a413673e3ffeb25d3bea8aced4f82fe2f2aa818b8c8ab92e480c4c3a6e33b6e9a8e4204a1f92fd32e54abde181e33a6f98cdd080ffd390

C:\Users\Admin\AppData\Local\Temp\DeoIMkgs.bat

MD5 01f2d24e811294e8fec5ddd3fa26b130
SHA1 dce875de15a8ce6a6c98ee5860bf09a161e41471
SHA256 906d8b5989c237eb2eed5335525591e2fcd1528319e2cbbf7f8492fe41a6a955
SHA512 f3534f24003bf96d2bb957d7e0ef8191e65ce4a307f104afc8a7eb895e1a1a318cadadba8eeab91d1486801cabaf3bb358cbb523ac38763ba527a47473b17e70

C:\Users\Admin\AppData\Local\Temp\XuwQwswA.bat

MD5 62f785431811ce270d10dff7226c0377
SHA1 04f5bc187261a7ab69d7dc8571b7a44c01dc7d87
SHA256 7eeec3c94ad829748d5d232f5bea3c89df93b496adeac41c350885d4e07fe502
SHA512 22989c59b41cbe896caa0d745bb83be22081e23d4e4e7dd01f56fa190572a463239ae504e47214bfcd7bdae4a439c1206a595b89d7b6715fa0a9f24f4cf9d5b9

C:\Users\Admin\AppData\Local\Temp\pWQgQcwY.bat

MD5 53fa96d97680946ea7fb9eb62437f735
SHA1 320b422382db1ee2a38d57bb5618243bf0475f5d
SHA256 ae068db3940a446bdbcbe1c3786193cb265b6ca61930e10f75337e575163ca11
SHA512 f19a7372fb30c677e6090b9e4b97fe9375d79254385c784e59fd733c79807c69f2e3b9b4006585ed420d86e9e2acb24b8de180e0b4a4a86d983da94ad375ad92

C:\Users\Admin\AppData\Local\Temp\jGocUcEs.bat

MD5 fda606432fb9dafa92d23333bc86bf1e
SHA1 3d89289abdcbc0b8b2341e6e41969fd4f13417a1
SHA256 54f3084d1098e60f8b7b59cd10a1e4388cac6344c906bee26069d7e27643b8af
SHA512 d0fab4f08825f7ecb5e7616c19ba7ce98fb2d692440af5e903e7b84af731c049a073d7f8b4b265d21044bffa98a9a84d744f28fe31082839ce3ef1d685be71ac

C:\Users\Admin\AppData\Local\Temp\KOwoUYUo.bat

MD5 4aad403a01399034b8c80a63452f9721
SHA1 0f2d7288918fef53446143ac38a797a08ff9a6af
SHA256 8d11cbe4cae22ba0006eabf462cc7469a6d9374c9525e24cd83c307195808c43
SHA512 fdaec50b7a355d866f35095b24d5259856d4020905fc69432f6b6190e42be3f0f8736bc5bf4df4abfd17e3b7085dc32349e65d05e58e12a6672e823efd309fad

C:\Users\Admin\AppData\Local\Temp\wmIIQUUU.bat

MD5 c5483764382b986cc49d269496bd6ee9
SHA1 6807ee12b426e179fe9b393e24e235d767507e88
SHA256 fed583fa60046711bff2002db7f28b1b7e8c79470ec75bfa3cf50b8168d11470
SHA512 32527e6e8c4e5250c57a41c2e0d7d0adf559799233cf5fabb0de285917105c1e95d4ad864de6a84567b0969d4f987d09d4a1039d03a87782e94d22e3b6353291

C:\Users\Admin\AppData\Local\Temp\qiQEUYoM.bat

MD5 c7093e56041c9f0245e2c0bc91ad4534
SHA1 2abb4ed65709be53f99faebc71b75304b0af7e38
SHA256 f10e0a3c0fdbec508f1422c76e31d0a27a8c145e03926e6c3450a3b890ce6f5c
SHA512 f481697d28d23fd07b853407b52d3325f0968a1189731d757cc193966c0795637907530572fdb5f35ec64f5aa275c2a22632e046b6e14d18fa5be571298af3b1

C:\Users\Admin\AppData\Local\Temp\OaAQYgoo.bat

MD5 32bb2918012f74a5b2382c0257eb3c02
SHA1 9a365fd2eef35a9506311340456203c32e9494f3
SHA256 55f23e831c5fb44f567ce28b05b17e18bbb418cabd62b5acef6ac9bfaae863d5
SHA512 fcea0d411bfed3c245589fa7101a9b4af0f23ebdf4878c1fd879432025fa2d2f2017852918feb24b86130edb693b00cff6e14c41de201a5db269b416075ecf11

C:\Users\Admin\AppData\Local\Temp\USAsgwoQ.bat

MD5 95c305a979280d030bc03ab747fbd891
SHA1 db37161ea955f83a48ad7084eff1317874190e28
SHA256 471d971b599f2c7bdb5ac6fafe5991b109c7da18072b2366a4f40f60dbe0c5eb
SHA512 1701e1dce7c5938d72e64da29aff41d7f21e60da60e604ee249712e143984bb33646e7e7f72dafe139ce1717caf002b53b7e6e594596538cb54e17e9e1e57551

C:\Users\Admin\AppData\Local\Temp\pyssAIEE.bat

MD5 4cca1a445675b824acd99d8a866e4b26
SHA1 96bb03a8ce5d239ed92764ebab46e82f15657475
SHA256 b4a582945076ec7afb1a2f5d19e22aa187c01f08b28a608c58881e9136459e0c
SHA512 d30d047f969ebd495aaaebb14226d5a1558d15c49f6bfc2aaa5c3106ef1087cd3c0d2fc9e115be21ad26eab7af483b73f259191a581bb75779cb6424c45ed76b

C:\Users\Admin\AppData\Local\Temp\haYkUskU.bat

MD5 7a2f486156d41429b4c9301524f387ac
SHA1 0341edbb42b2742e5874e34d4bd5009aeca96b5e
SHA256 8b76f1719aaaa0ed04606e66f6ad615f5c92a49fd72dedfa7c12de27fca23042
SHA512 67a573cb48f138dddefe88a4d5d1caf8c79a1d154b9e7c57db6ebbfae2302410b60766821b1539e6e2a8afc768910e089d2a8719eb168df4fa818e771352cc4e

C:\Users\Admin\AppData\Local\Temp\pEMcEggo.bat

MD5 67b6b147cd0c03c7aff75d3b61877442
SHA1 c17c9262f1cf189cc424925274ad7eb540f2cba2
SHA256 9d053543053f6ccc5e9a0dc9d8eab6f3e78ed3d7fb54be63b6b193b5a57592a0
SHA512 0045231e47930830c1815c03c00d8cafc9fe81eb533c579a87d0f3c29846aca4ce618c2737b95fcd4ca32ce63fb5620ad65177b6ddd612cba47fd3285e9252d0

C:\Users\Admin\AppData\Local\Temp\QwUm.exe

MD5 7ed2f62be64d7660972c4acb1b81d778
SHA1 10653af59cd390da248c21d7244b1c9f951415e0
SHA256 f77bac4bedb433711f212d25c80bc6d3ee3fd2328eb5e5baf6de376747980127
SHA512 5773975baa20bc21c24b7b9c73f33e01ca8887c643596c36d9e4c56bd901bfa5f5abe92f07c954ea8bdf12a3c7c9fbad89f95f991edfa3dd4564e795cb27fe20

C:\Users\Admin\AppData\Local\Temp\KgMs.exe

MD5 024709c16fb25648a28fcb6c9bf1581b
SHA1 6902fe32c26c7cb266caf59fe86253ff11177e90
SHA256 ee6d580c43039a2df9341ec317b072caefe944d92c131943d0fe6161bdf83ab7
SHA512 18f564c47bfb913f9fc5318aae35412595e9723ee7606241fa6106862880cf92e3bdbff77f5c5e1fbf00788ea6a26e18ebe0d5d52f528f5df789e88c34e16b0c

C:\Users\Admin\AppData\Local\Temp\IMYs.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\UMEg.exe

MD5 4ccf70570e55ca44a283773c0ce6c131
SHA1 dd64f04fe9678d8dbf7d1b7b8774ca34f0fd182e
SHA256 fd346ee669da8f2d9bf83f8974ee7460ef95b2de243bab90e9c8f014dd7e7c8a
SHA512 771b865bc98b1231f14909f47197b584008a122d64a00062aeabc638d94c7c63147f6cb2e85e3bdb4be46fa71223354098d806ef8a84be5f2d5f2cf5c4988397

C:\Users\Admin\AppData\Local\Temp\SgIM.exe

MD5 dca2934ffc7a088684c6dff0daeafe45
SHA1 6e956dd2fbeb49ae226ee76bc3182a052da73f29
SHA256 fe8d963cb5b65b83eae1beaeffdd4a50f24207c67aa8d33b0a5eb85ac507ce76
SHA512 36089200e220aea33b75b83118cc73fe33b6f459be0d39af1fd57de06c9eb533ad847c41b0dd7f42982207b6282c5f1447d41705e3b16f5b00b328290af0e5eb

C:\Users\Admin\AppData\Local\Temp\PgMoEYQA.bat

MD5 b2d446329f216be693515b956d6e6f88
SHA1 dbf1b7e5a0789a236ed8df1259533f2d03f64aae
SHA256 f200fd3bb9a582632c83a871b46c8bb7cddb89a85b45cc08657274d6a1c3554d
SHA512 7342e09987f534acbd4bc22a35c540daf52f5c8a9e37847c09eece7dfae9914a9cdf2fd484231fdbdd3857dbc7188c8d2a288b1800c4f6e95a3f2d6352bbe628

C:\Users\Admin\AppData\Local\Temp\kkQe.exe

MD5 194fef70d88c3afe20fca358e1d27480
SHA1 64361e84471818f0af7906ff5130022aee56903a
SHA256 1e5577ecd41274adedb5101f97c591d00b8df3a1da1a2a67e1c08d94c2d94edc
SHA512 f2f4930758793b3dee044becd3abccc47a349ad62e2bf9d3ffe7035f12215f23bf3edd4dee5ee5788773aa9a63347df0f822af8f995dc149abbad331b249ddd3

C:\Users\Admin\AppData\Local\Temp\KksO.exe

MD5 af9dd017fb869a5e13eff03e9b827d2c
SHA1 3b101ffc5a2b84f5a145b11df285e0f7466cbead
SHA256 62a3c812bbe12e60c8eb46af8e6338d4bdaad117b4a56ecaaa819ac9fc88a583
SHA512 f64a93fb3e7d7f3c57191778baf09205d2805a5838f1935e976d590e3e8705c0c802808fcc562f3710f026c57d6bd4ee877c32afc15042a4ea8db952d9a73c31

C:\Users\Admin\AppData\Local\Temp\MYEy.exe

MD5 a93eafcd02c1363e36d04f5fb9152a50
SHA1 6572329150da9ba599e29d5822c6af92e05740e1
SHA256 14103e37f1f5b69be056d1143f2f40412b67015962468f655849d4dde7474173
SHA512 81b62b05c8e662c3c4bcf6e3a84f58c13262a3940becdccbc241caac98ecbc0564e925c991b3428a3f43f0a1846513863f012ba1facb7fe48cb8ffcb92e2ad19

C:\Users\Admin\AppData\Local\Temp\IEEo.exe

MD5 c6ad22b355c7371cd5d62fb8ef0a6c73
SHA1 0ae462b5a6f0ba84a4611eff2476f552a8a9042e
SHA256 a52929c4b345a1b3c199975b2de2aabdd97a71d91d44c6803e92021b6c3e0dde
SHA512 999422648535716187eb5a7cec7a32bd228c90c506edfbc8a57c19fa9f568b229b8626338368a086d4fef83de38be726ab1851cca43c2fda5d2baee464051274

C:\Users\Admin\AppData\Local\Temp\agoi.exe

MD5 c789ab10141127bab36428f56a8556b4
SHA1 ec74ff527e08157bda9fd8176212c2bf1edd58d8
SHA256 255fd8dc16a2c0f0cd62edcb81b719fe99de8f3ed8b089cb8f46f4aeda813f5e
SHA512 3563f3307d31f32c731be0adf235bb2f9d89db0c3ca625b5c6cfc158de81eb9f3b229033a653e156591c1116737ccac506a951d12b625d7f64ffdc0141965025

C:\Users\Admin\AppData\Local\Temp\QgMwMAEY.bat

MD5 6db8c6aa29bb41c91e060e92b99b048b
SHA1 8b712be7750b9037c4627f85edfd7485fb357e67
SHA256 789d3361883d11314d578c4053c54b37a03e66141e7a5b7ab5836b4f8cc91f5b
SHA512 24e5ea85a03f63219a1c3c0c3d08118dab213d4021376ba75838066b4043269c28eb421607074402924e69c6ba18c7727ddbc6a4a1a20d9c50fec1cb765b2568

C:\Users\Admin\AppData\Local\Temp\mkoU.exe

MD5 9e85ffd5fcd5dab94160beffe0ced28b
SHA1 406f8e1024ab6bd78f5356b75a8565f2ad3fcd4a
SHA256 3afecb835b191cb366704f41a3fca7f46f1ad138cd954a2ee4b7de1bcda37053
SHA512 795b3cf6c3ae945a1912085d9e3701c11a0b6fd8aae9399b67e2d8e757070ec19428b49273efd3ab8fac2988483aa1865308b1dbdd93f3ae0693c19b40d2126e

C:\Users\Admin\AppData\Local\Temp\mwUU.exe

MD5 d7fddab414eef5b94f4d8b69e70847ff
SHA1 155e63f67b2fd8e6c9c2ee18251bd6fc049fa082
SHA256 f3d00cadce43957e7829f424adefad11a28027a6b8062cc3b24851aa081749b7
SHA512 e4fb6559ba9ce44cfde003942c677931f4b172040a7a2c58a5c4e9788338c6e2a7634e0bf5dfc4d990148503f6ecae9eaee934e2db2cbc465883836be65efe6d

C:\Users\Admin\AppData\Local\Temp\Kswg.exe

MD5 2a2374bc8a1bfa2c53acd2004b0795ed
SHA1 73087c208c3acbeb197c9d68e3ec93f33ef91c0f
SHA256 255b432dba4e3a067c662271b451ce0992b99bf6d1e2adde6c2ff3df51ab42aa
SHA512 d428d9fb857a1bbd29e051235bc91c7d8a4e0f3387a04137d8f716faf9ef10c9e1c0fc4f8fe5ae99f38619ba370c74b81eadd3a09b37915ee6ce1478851e52d3

C:\Users\Admin\AppData\Local\Temp\WgMm.exe

MD5 f21932583c757ad7b5d17af3458fa94f
SHA1 f01ee0c5ebeaa95d1041a78e9a9c93b7ee3067dd
SHA256 c091ac7ca47103b0fe79f90979ce4a62ef7d9e0ce49b69b71c30e4be4fdeb222
SHA512 8b8c13a30685bc431d383a7ff9d98c0e8aa70954ec91a759c53a07306ea45868acc4a863952e4427ba28d0efc23c24fc73f50eefab77e0b3a85d645adda9d671

C:\Users\Admin\AppData\Local\Temp\uiUEEQUg.bat

MD5 50b74ec9a4331aa029fa2524f0e57a59
SHA1 de9a2db78dd3fc34bc78801ccd44363f6db86615
SHA256 b4145e8d15764ed2e8120dac02d4a8e4a7b48e1bad41f024b3c1e9d9fbc23f9e
SHA512 5839b38ce3ff1b45a11f8d2faff3642ac7b52237386c0e57afa06582a1b0716d9730da3abf041ad4fe196a8a44107a74b262d7434ff97b3ea8b4054369247122

C:\Users\Admin\AppData\Local\Temp\ggUU.exe

MD5 57362f6b6ccb96cda862f35f0e504bd8
SHA1 b10904a45e64e20937af07af934f091153b04997
SHA256 d4111c88481149dc7e926981130eeda5471845f1fcf223cff5c237437c19f6b2
SHA512 621acf397feaac3b637bcb1d36744a1ca3142c39ae70daa41af119b720e3331bee25f9ce346b4ad4aa814ba271a176b4c02a2ad66c35c0eeab2effea4ae2be33

C:\Users\Admin\AppData\Local\Temp\AEwq.exe

MD5 84332e5c9561f6168cb804ded142cbb7
SHA1 a27a52afa9367d6965e283095dc40345ee20d1d3
SHA256 2618d0eed4e700dd0f6a83732fc7459ec085aa8f0048d0637dd21e5614ae28ed
SHA512 9779d014a0b1d605e9045053b24e7a5fc07f726e3db97be2e8ab2afbe54b7b0e2b9669ed8423f87ffa651b299d387d62fc36c0c14db12c5c2af82f74f9058576

C:\Users\Admin\AppData\Local\Temp\qkUG.exe

MD5 c45de52912000b86a6a009f194e24151
SHA1 b6e1fe80d847b1fec3e0afe52c7c3308c383ef02
SHA256 3e699494fbd9eec5f5d10b5fd6e25c51766c240b85ec5187acc74aa746b828d6
SHA512 b091502d176584f3a720b9526ebc3e763294ad73c2ae65c5e05e214260ffbb7ff624a48ae65a2f062e90f7e0e437005c3bbd3d06285b83de8fed7792d88f9def

C:\Users\Admin\AppData\Local\Temp\KgIW.exe

MD5 0602d655433d05b407303b29f14a151d
SHA1 890773d148fadaca3d7b51e39491c028313cb6b8
SHA256 e7ae5d5163332742a99336bfe8fc7d430babb5d131a0e6d509adebf8b58ad524
SHA512 ce9d04b266445c8d249f54be689cf0a3d1c49d0f0e7f74b95c926fbe753c974b38bac3ea88f877fa858e98c5eec29a8725cc15eca583d9f5a203608e539a47eb

C:\Users\Admin\AppData\Local\Temp\KgoA.exe

MD5 34dfc3966d50da57fb0755da3bf334df
SHA1 da3cbb7827cda8fce4f29c1aa190a037d0efda69
SHA256 bbf0a460120c3dfed01036d3aad3f5523361370b2f8b9ab81d5d4cb20a9bcbfe
SHA512 b4e48ef0d7c157f3eb1ace09159bc8d1fccfdd465023a21ae56d596fd7bf330c5971b78eb6d13666f79710bba8809b07c9806d5d23e8a0ee1f9e930aae866944

C:\Users\Admin\AppData\Local\Temp\gMQkcogE.bat

MD5 a6dd8257128f492814ce1065b66d31ba
SHA1 5f0149871f436c704a1be6dc66dc714c50fc0eb5
SHA256 7c5de4e1c700903d974650f009cc5db28dfeaac8abfda9ab4115049b17f0706b
SHA512 c45da7d544c0d6234a055a5bb6ad205078ac981d4616aa9143335c12cd6bcff2754147af5c7008a538ba8cdc46a8aee06a35ec949183f95916dd1a5976ba047b

C:\Users\Admin\AppData\Local\Temp\QQMI.exe

MD5 a85c7cb3a8e6abe7b936dc2792e67053
SHA1 94eb462af51e358f85b306f20579cef5548b7b2e
SHA256 f7c0cd2f1c78a1596cd6bc16444e4fbe4375266d129ae2e0f06513926dd88db9
SHA512 186f9f3411555910904938dd2b28616b96eb0cb02ddba5329caa76fe993e33b8ce6c9bb96f222b2ee2ce47b0688d08e9bd8d1d69839114d2c8ddf33168e213e3

C:\Users\Admin\AppData\Local\Temp\IMgO.exe

MD5 dd94957f5080ef32222bbd1c7f29ec05
SHA1 f255b05baf559596d8d7d67077d0051ef262daf5
SHA256 04e1725ce0e34010834aad77e91004a219bbefbef66b4990d9214c7bf298f890
SHA512 0180367437fc5e9b32ba33e493d5b660f82a66fda07e4411945e75528b9fe34adf168204fdf3a52b54c642d1043e3bfd1a6521997bd38222a551f8e7b270cf9a

C:\Users\Admin\AppData\Local\Temp\ewEu.exe

MD5 fa55e05e7694e673d26a26e7e4a5953b
SHA1 13f74dc68870251be84133a03a12fe0b1457f395
SHA256 986785ea10ad63e5ccecbf0109ce7346ae4c13eb6d838c04edb31185798bc67a
SHA512 9d324e959d0df5c9baceb24efbcd73eedc41c970c3ea8a02f411d2270bb6dce974b645f6e0a938eedc6a3457ac8806c2855f2a2152d05772f909053f91f8db26

C:\Users\Admin\AppData\Local\Temp\AQwG.exe

MD5 d0a7dbdaae3c4150deef8a7bdf89e9f6
SHA1 12aae3d72c874872f33faa9f0d7f0df1670491d5
SHA256 531ecfe7d1d1bce7447a879315b56ea7d4aab562a282149af5f0ae2c071e6f3b
SHA512 7cc917a0fe3b9dbef14e076e98eea2ed5b3cae447aabf582290da135728b652b4135dbeaa6303d80ac36a0ea7449c974dd869130c46aee75bf0d77906219f514

C:\Users\Admin\AppData\Local\Temp\acgg.exe

MD5 75ca7576be7bd362a2c41eb70a76d1e8
SHA1 67ad7a7f8545bd863ad6e978b0ecc1427ae122d3
SHA256 100599c5a009bf079c5a1753acdca51f02a7406a69ebeecbf27f550d6c9129a6
SHA512 9033fdeb3e5a5fedd0a1ee636580ed8dfb3cd15ee351e27635091dd52014cda7947a3003058c8360f1057945e11434c176d4c108e63c2d067a190a91eba16fac

C:\Users\Admin\AppData\Local\Temp\YMcS.exe

MD5 38a21f577e262a9208d09fa29f3ae285
SHA1 28a249dbe232a273c5008fa62a17995fd1551563
SHA256 82f34e2fff5fbccfcf367921f1d42dfa96b669032e249feecc040ece34d09f57
SHA512 e6a1678658c310f64f6894506a605188cc2093f6d9698919f6ba47b07afe75cf6621a740e56e858238db875773851d24110c759108a45eb17b538357d87161ce

C:\Users\Admin\AppData\Local\Temp\WQom.exe

MD5 8670ce8b0a1a12356540db338b55b939
SHA1 b640b1481ef31bebc306974884f282e1ba5699d0
SHA256 41a53fcb0e8fd287618e9924237eae0106b689653c3ec79b93dd564251e365cd
SHA512 a9a9b0d22d39691d9125fcd606887cf77af065af79d09fd4774f31ab59dc904f836de1de185257ad06934ac551e50b0a776c429392ef9c4fa316dc9fa1d9328c

C:\Users\Admin\AppData\Local\Temp\OkQm.exe

MD5 9540043ca0db23de59ef71567f2f453b
SHA1 063917157933ca00e8c3207acb0d0bac509e506e
SHA256 59f06c072305a93a374738a99926fddd2e9648d05bb6f87d6f8d0cbd5712aea1
SHA512 4a6e7ea5276a7f81ed472b79b42eba2de928d94c388565407db301c1d82bb04afb036afde5c52a29609ed605402f65ee4de1d92298c7c2593298f019e6cb0774

C:\Users\Admin\AppData\Local\Temp\Ckwi.exe

MD5 0b278154cc7e6b1dbadb348ac1be0c95
SHA1 06c53a9c644e7a6ef8ff34de79486aca452c0ec1
SHA256 8b50eec6b8cf50726e00dbe34a8a0fafcc610cfcc26c1fc5bf533f4fd977cc05
SHA512 e9f7fe1ff9de2454a0a298527a8a9542cae5e0246a536c64a7c17b1c704324eea14961d607fcbe225058c759ec2a6538e42d7776201ebe7db2399ff97d955304

C:\Users\Admin\AppData\Local\Temp\YCoggAcI.bat

MD5 bafcdca16b06a721d083996f6eb452f9
SHA1 64d56839a2fa18064497b08e81dee8f5a098e3e6
SHA256 99a4338414d6716a0bbcd8a6462d91106566b929b1ae26b66f143fd1e40d6d1f
SHA512 16f1ec720173c01802a0b09f160f2ba753dee84b6f28a180ae5bb4cf618c9f4bf3bb3bcf6e3b5362ad2fb81c1a046f5dff02fcec6dcf090f06f6be8e30e39ecc

C:\Users\Admin\AppData\Local\Temp\IAUI.exe

MD5 e1b21fab51d3da3398305e204b1e5609
SHA1 503bfc55afcf1f8e80634c21621af2f1ee7f5139
SHA256 72a7ce6fa6d8a938c1bb35015c2401a72598aeda79c0f4689fbf01ee6c8d24cc
SHA512 eb3a501d55cbbe852a7cd3ad276a95c96d1aa03607e1fd84d8d62a2dbeef3c5cd51c145852f34dcc3ee350401a67eff095783f749116663b67c004bfea5d6ce6

C:\Users\Admin\AppData\Local\Temp\egAk.exe

MD5 2eaa8769fae033b3966fa43e67cd4b55
SHA1 fd1b0f578d7eeba2b116e1592fc63bc7c6ea0e4a
SHA256 b8e0bdbd428960fb2131450a5c9708db31fd87594c39a9e4168ffdc6230e3792
SHA512 c535117c7228735d9e8a692e9b22d5d489822563a94a1140fdd2dac7b7edd49780cc1ac632dcefe8c34dc819d6a7c46a0b3378cd4d1e1ea70782ed277f035c28

C:\Users\Admin\AppData\Local\Temp\QQoa.exe

MD5 3d5544c5cbd94d681b4a29d627acd060
SHA1 48291375c83ea0fed95887f903e8cacf4ba8f63a
SHA256 ee6c6acfd164fd0b4f86ff9a5fb5297878e5c0c425d7ff3df934a85343c6da8d
SHA512 8db65dd187d9bec72b0a15c5550d601e93991574c1eec3a6d30dca87d74f3a5c3da9347413f7b964b1b03598d416cf9cde55f96209886f9bec84fc1cf530dc70

C:\Users\Admin\AppData\Local\Temp\WMwg.exe

MD5 0d9ff69de111e295c33cae6f3e9b2567
SHA1 c6e9d1ada535251c4b2ce6bcaa6a98025c99dec7
SHA256 efc999959ee7ca3b68b0c595a123d7e3b57aa30d4f69c1619e23c61b61e40fcd
SHA512 73890686a53a5143db8f2961912f1bd4d2d6b40fb93eedefbb55a8a7785391381cc8de96ba9b28caead836b0a5be9b908465bd8eae2fc2d1e5fb1a26fd052793

C:\Users\Admin\AppData\Local\Temp\aUkA.exe

MD5 8d51fd60520ba5d8768ba63907d39957
SHA1 48b58cea9bb2335c4d814218b4a0b436aff61eaa
SHA256 603f65d4bc213af8b9849a76d699ba6779c0360b151b5f15fe3d2535632669b3
SHA512 407c31050f96e8d4e3ee48ec053aad4fa65f3532a229b8eb4aef1bf56cbf7ee45799e254941fbff7a7fd44cef1f160b53a5db1cdae19397f06e1a237bd5c184a

C:\Users\Admin\AppData\Local\Temp\QYEW.exe

MD5 6253ae4c6840385292c183a545956136
SHA1 f0adceef5ae82eb52de7b72b687879549bbf0019
SHA256 a4f8b51e88a91704a625678f9d1cd405ae7482e1b2fa0f9b23466d0687f9e080
SHA512 473092c9579b42126b102c3765d47f4acfdffb0e52aa6d490f4eaf7bb824b763ecfb303db09153ad1a3b28d260bb326f3229ab231c9a2fb6e0fead548d07f51a

C:\Users\Admin\AppData\Local\Temp\CIcs.exe

MD5 4950ec379fdf7ed62ca6626312bf224b
SHA1 43a86d862491446ac9ae2ec6f23213ceb38ccaea
SHA256 dcb2b7a9ec881e8a7b2e454e49440acee35df4d1b36bbc850ef55f44d78be5d2
SHA512 2b6827310653cb5e4e50c7fa4259dc34d1c0d9d05e5558721a38c776c332078a13209f8a51a40cfaf618df2fff8d8b49c8ce0e1e240204601a715dea562fa0ce

C:\Users\Admin\AppData\Local\Temp\CsIq.exe

MD5 002257bb32bf38944ecca5dd9575cde3
SHA1 458e69212ce57b55e0b1c2c44da102321ea33087
SHA256 9f38591467d1db60b31ef438331634a787c759a510070b16ec334f056712cddd
SHA512 7e699cfe60099fa5897084c917b781be4791e481212e8cf9c4f5801391cb5243f5e1e894fc7d6a39075f30ac00d03e7c4029f061b86532ec4c3ba8a6ad85867d

C:\Users\Admin\AppData\Local\Temp\IoQkcMcM.bat

MD5 f61e4cda99e174a6d6f22654447dfb43
SHA1 c57e5a204ae6ec7b841e170c50da7cb0162d5547
SHA256 c75ac11b1194c62e6ec63d10f51fed644c6c40274899950e06d8db101d1a7a13
SHA512 e8f88845eed21e254553094976c9868466535b05497d38f0034aa29b6f6c2ef71dd1257f9567254d511c881ef63a4018831d96e2f65b68e133c2e20297bcab5f

C:\Users\Admin\AppData\Local\Temp\gcke.exe

MD5 9c1d6db49fbfe9bdb223ddd823914778
SHA1 3bf04048d908eebc65a4f1c31cc4475f858529a5
SHA256 0177627e3ac3820c04db182d2fc7bc587049ba159ab9790d6821f250a737be62
SHA512 673d5002a31245187094aa2c1de9bb996f9b60169950b90a2831eda39454f43cd5d252b35227ba25c7e9f321460009861a0dcbf1ff12326b689ebd1fee1f62ab

C:\Users\Admin\AppData\Local\Temp\UUYY.exe

MD5 6867f4998a9477f9e3e88b4ec72cc1d8
SHA1 4812aa9b9a3e3df519d8df9895a510c994f02e63
SHA256 3dc4136090f7e4cdd23a8df41e2cc19e2d56fc858275d40aa26f9baf6e845541
SHA512 d86cb18d314341d7917f04575807286fd0feab37dfa25108f7a92f82d2683f93c0efc61fad88da56b1224d75298b9a68244b6dcc8040dc586c910423530a4702

C:\Users\Admin\AppData\Local\Temp\AAcA.exe

MD5 d599a0f23b59d66db76a6cdfc98b3365
SHA1 e57d8ce4b1a77a61f266d2058403f7e9d2ba6779
SHA256 5402e31f91d580c7ca9d40bb074d36948e2020cadeb8383cb793b8502b082b56
SHA512 77181a2a461165497ed2e492230e49c319c4bb2091999de969468d12cbaeba9daedeeff011d1df2c28043de1f1e806d95582c3c8a70e576b774c49160193f9b2

C:\Users\Admin\AppData\Local\Temp\oQMK.exe

MD5 d01eb905da1a91ee2c02cd6b8fb426c4
SHA1 ba0507d6e495e0ae72aaaa797e04b00274a168be
SHA256 2e90c30131d05f089a8a6e9006eaa0b2929478d660b5ca62687622574d8568ea
SHA512 dde3e3f207f7a8fc914f0a8817dd611f122bf628477389bd8d4cd6033f25bc98ba7b3325f4669874d8b19ec1d16897f34aba755106889d69ce41ff60e87f416d

C:\Users\Admin\AppData\Local\Temp\iAcS.exe

MD5 4f7c88ac20b44f562222de7f32f23f65
SHA1 5bbbe380f4a2f45bbfe8dec36dbcd9cada65c0f9
SHA256 94f8359e28685eda1b84e1d8482233a25b310c62dee96738d764fc90f75e419b
SHA512 79d56875444e3fbea1fb0f8fc09b940b5fd2ed990bb5d170f2eca7e12de60201f603cc32eab5014c135a8764e3a67edc1a6e1c735e209f9d5b508e66e68c6a83

C:\Users\Admin\AppData\Local\Temp\gscA.exe

MD5 48965004ea53c5a71a51e05d0c50c559
SHA1 275308084f4a42a023715c6df4b977febb15d816
SHA256 8efe82d9ceaa6ce5e2b7db3f1a8027432f65befeb63031947fa268f10670eed9
SHA512 3e4daa9f5ab6297a756fd857488833fcc3831bee2f3d9e829949b5daa1bdf8901d027ca74466496835a0efd42bc0ff05c976bafd7aa50b94b258236ed0558ded

C:\Users\Admin\AppData\Local\Temp\OgkY.exe

MD5 e344d76ce3ebca4581786c5a272300a2
SHA1 85f81db1fde6b6195d4f4c49e9ad21b29ce7da81
SHA256 187d22b76b225b0590fde7010c37ac9135f48c1ab5e08c4afc45283f501cc5c0
SHA512 36b1052877c36d4c935474fd4603d3b05be1672fc9c6e6c9a0199ab71425e46bb5d266c624654f128c51ca5920f66c83675e5ea45408c45f1e34beca6735935b

C:\Users\Admin\AppData\Local\Temp\rmUEAIEk.bat

MD5 fe5e95761fd3657f629eb04a568505b4
SHA1 928e71e69fcc3a18a512f891acae31e5b8941902
SHA256 a23f1a19d2898d8cd4d1ee2dd6db720dc3b78550e1f8174b8877f1c6c015b997
SHA512 2f97e51329a700471da2e9eaf4c30915ac6a1cbed063833dd301ecac25647cd49aa42a095575560f0d2206e40e2547f6b607e4262bd5580b1f7d41c61bc94302

C:\Users\Admin\AppData\Local\Temp\McsG.exe

MD5 e1c7af369c224a53c98842f28feccc55
SHA1 ce07e5a87eff1c98ecd35a0000c0394031669ab4
SHA256 88e368401f7af1c11e10d7b3e03ed465398b37b75cc8582167e460403a560059
SHA512 793ccff21c903b75403618563c6781977732de216fabe4686549840abc81149cd7b4c2db2bc76f849a42555607a1206df8a88f08c7858a40eb91707f3089263c

C:\Users\Admin\AppData\Local\Temp\AIsi.exe

MD5 045500de7997ab52cb25df98e735e26f
SHA1 422b151a53f58592947f54c88253039e1a63894b
SHA256 d61a5f9ec7e63c50ae4c15ed4dbbb7a6034e302041978c32d9145d06ba3af3c7
SHA512 7d79ee74017c46427a7aca8efd504f5ec381fecd546095d4f1d065f54f50647c8ba4445e669326c2af3c0605540067a578f804f9505af1fd98f4e927080ea442

C:\Users\Admin\AppData\Local\Temp\wcIA.exe

MD5 f222644c10e0c2383e59681614d0630b
SHA1 a1b5c3ea8f49e79136810aa67e9581226cea68a9
SHA256 e2d180d9d66ccfe4aee4b4ad29573c70c875f51bb16c0a029d9f8c201d0ac2df
SHA512 63662c93b73f6e7c3f1f88651e38b670dafcbc46ccdf092fe229eb216134b155ea22854b571eafcde57a2e22f359df9c18e71b5f82a606379be4b140e60b7d80

C:\Users\Admin\AppData\Local\Temp\CQQA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\mUok.exe

MD5 3b163e7919c6c5c0e3675db943c663bf
SHA1 6e0a8c7673c2f4f312502f4aeec203e48a00bdca
SHA256 0257d392caa0aa6b5dce6ed999738344a19cb49353dacf20a3609a1dc698130d
SHA512 e52efa80fe30507533d1b59b5289316a706182d07cbb25a5c1e64e93595d5b10a5d3f3ac68cf7643b5ca8089ceb5d894af183cf8ae3d666b8f900512a10e6692

C:\Users\Admin\AppData\Local\Temp\JYEkQAYc.bat

MD5 cc257acb9f291334bc85380dc762e353
SHA1 b86ec7ef916db1f9c68cc5faae12a5c1d8f5f81d
SHA256 31ca85bc610c85b917a46be8b149abb8483111c1aa8fed287dc4514c37b8feb2
SHA512 7bf2daba31b2db408d19526508015e06f1bb5a8bf7f495b3d102168e259705e457daea75a904b0ee5b9e7772bd39a9d164f421aa2788154a668abfea0db7e182

C:\Users\Admin\AppData\Local\Temp\GwUk.exe

MD5 b48abd69e2baea40acc21d01b10a1a8e
SHA1 0e6191f0b01db456769223c12ca924a7557b6729
SHA256 5bf6ba4b6ae9715e34b8ba9420707be97f5cd97146a91bd8ddffabf9cfc450b0
SHA512 11474c91599c449379e59a89f2d7366e46d9525921d9ad1be4b197d5383a78250bb4827055e4b4e36a8ad56f64789f9bc4860a4fa574685894ea3f43304d9d02

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 1a49d6fcc1e71c341a6c4f1a458c13b2
SHA1 761beaaa0bfe90f988184381e7f4158c657a37bd
SHA256 c6099cf82df33c74274ae9114a7edcd43278fbff0692b3976c38ecb4f086032f
SHA512 aecad0d9aebbd94c253ef9d27730144f46f4859a6f3bf2b99932055850ed7f4184b311cabe205300b1041dddda73c752b5025c6347e6a67919e5ba7cdc08176d

C:\Users\Admin\AppData\Local\Temp\OggW.exe

MD5 13a5a19b385580e0d4d6a3b7458feb0e
SHA1 da43aa21ff515cc3b38b4ff395b6aeb24c094eb5
SHA256 3288d492b28a4cad13ba8f9384e5497d6f866256eaaa2123ebdedafc0a92bd18
SHA512 a789b82aea17ce8e96c8ff35227cb9b222986479b5633cd9fa64eb720dba3e12881f761cc6483873a50f5d3bde8c098315934163d91606ee9ce98c64f7306113

C:\Users\Admin\AppData\Local\Temp\rMkcIccM.bat

MD5 c01438786bc1870e6869c47c1c6f729d
SHA1 8b8e2f3b207530d4cf80fd423e633da27f004d76
SHA256 2c1df23e68dda15c7122e9261fe2562807c64db0800fc45df616141f957760c9
SHA512 8e376408183e2271c590a7e14faa2a734cf6921f3ac9ea8440590b874737728d430cd2fd5123736b73ed7d492fc78f464ccc626cea84b5047b22ca0e4ced292e

C:\Users\Admin\AppData\Local\Temp\nmwAgUYI.bat

MD5 92b24b0f761cce0012c6770a8bab0846
SHA1 17c9378e4ca30674c1ef2ffefa5851fbb26c6372
SHA256 4ee608186cec8ea8a5cb982305a61a6d83ce3a39a5b8b2076e3f4778f7cb3b81
SHA512 b7d44b088520946e321959a06f1dd08a49888f6e0d7380134faab5f74aed3fb07d5c9adb97743ef1ed16cb3277ec3d909757526ba3375e7635937f3d117ab860

C:\Users\Admin\AppData\Local\Temp\yUsUgwoA.bat

MD5 b2fccd7951481d6910716b7b2141e646
SHA1 8e3c9c515b6ded70fa6d4cc9a24c421a18c177b3
SHA256 3e9e5491ce8a011a2c73a593f92623618aafed0e7721517f78b90b13b5d49a53
SHA512 f1184295fa346d3cf7e4a7877cbcb1669064f1b8c25063376d7654d99e1dff0b152dee3545cb66fe3238f1fd8c19679343e03f457130dc919b88885226dd15d1

C:\Users\Admin\AppData\Local\Temp\KuQkUwko.bat

MD5 282575aedd0adb2f5dea8931cb5b93e9
SHA1 8780bccf2f9b189557b633a98e8b81bda25f88d7
SHA256 e9da5c46bef9de0680649d85e3439fe029976a003c15e480b537d154ef1169c3
SHA512 cd0286904d26ed1887b40b84ad55d89c8203344b6b96f7a8e7264eb102dc2e3bc6ce6fe48ccf78865a651a870adad16b3f3b8c0de75ecd01bc7106e6093090a6

C:\Users\Admin\AppData\Local\Temp\CIwookEg.bat

MD5 505c19f23f2c1904bdf72ef3a9747633
SHA1 20402321ab24eef83ccf74846877bd359024e626
SHA256 f01f6e0ae6cf8ae132cc88065d7aa105ec4668683d7e8238c9848fededd63350
SHA512 989c2126cf3b6416f8153d7916501cc892b420177e4a35998194935db6ff084c23b0c0bc676968b076ec3a63ad6de361077abe3364cc55bf42a659a0b93e9bff

C:\Users\Admin\AppData\Local\Temp\SeQUkAQc.bat

MD5 882eae47b4ccc0df59c2f02661513450
SHA1 353cf8cca5673eca8253ba02c1df9249a78ce600
SHA256 159467a8a9fa1ccaa4b8962981a744ec0bd405af2215893fcb0dc26810a40876
SHA512 628adb60421b39fcf3ae6ad19300a7991262efe2bb7ee0f51c57c768a3ffd669b925e883eef42326abde3ddebe4c51105d60c82f5fb37a969e6cc76b43a21e95

C:\Users\Admin\AppData\Local\Temp\UowEIkwc.bat

MD5 4b3c752d983170d54ec62e1c3de99e77
SHA1 59730dd7019bb8cd5e6b7c6322641382770cf6e7
SHA256 be85755456cfd0eb45393dce2fe9f74e0787cb9e40c5a993d7853dc5132c96f7
SHA512 0ffaf6cb45cfbeefc22b45f5dc996fabdb742718612ee9fd1906156c49044cb4c084dccc80453e7bd2a1f253517e72cbc84bc5e0d3b554185f3e010f49e6f3e9

C:\Users\Admin\AppData\Local\Temp\XYgMsQAI.bat

MD5 1726fef29656bdc1c7852d80f765e5cb
SHA1 895d33dbbe61347628696b917c9244ae040364a6
SHA256 72a18f958f7b0895e8f687e4d6846880e673a61a4f0606ee3b9882569b1b0504
SHA512 b370b031c5b8beed3c4a1bc2781ced1edd1d4ef88e4eb00d8dc795c70c848dc095c2e751ea459cf9a4a455487dc1163d364dec10c0a66fa15b2c884c0d56a2c4

C:\Users\Admin\AppData\Local\Temp\dyUkogcU.bat

MD5 b789b9279881e09ef3da53becb26f616
SHA1 fb0dd4d95a3c30224e89ffe2ad3dc9bb8cd90dd4
SHA256 32182c8b5e8d1acf6481e0891738a1552a5353d16ec505b6148c72b96f0ba5d3
SHA512 5b9cab5ec457f70327e07221e03c5b2f551778e0bb7a2ee809ba8b2c96250c69566901ab345b4162dc51f9b1b1a38829a41951794b3ab76f4a11fe8962f273f6

C:\Users\Admin\AppData\Local\Temp\LeoUgokQ.bat

MD5 8b4c1221ab50faef57310b29f49454f6
SHA1 9784ede566a0966f529d6cd23fba3993c62fbd4e
SHA256 812cd0c991f6a136343fed0e55145dcb26f6a5de18d192e0043ed88ba8b6d34c
SHA512 221b40652ecd3c99fa6b7d93542f4f3f00045795a2575d065612bfcf38261ebe33b368f5ce80646ac61d9d401bdc4c8daacc6b72ebaf01d4f21b9d6e52c0c0a9

C:\Users\Admin\AppData\Local\Temp\ZkMQQIoU.bat

MD5 26a90ccf50f8c81105f83d68c2f903cd
SHA1 0500034f3677d2e22eb81c1f499d2dafb5b87934
SHA256 61a8de275404454580d5fa9ed65150586abeb36651db55c0d867860127b572cc
SHA512 04599851baf6e7c989538c83d45cea36d8532ee52d67d70d95148807c4e62c152d1ffc27a4d68c00c58be871704ca1d6b5b921bea2a8fc9293fbd3a828f7bd81

C:\Users\Admin\AppData\Local\Temp\yickYoIw.bat

MD5 18eceeea62092fe9a3621e517fc03e80
SHA1 406c0222c0d3964ae63be849bee5e7c1dc5b080b
SHA256 8b7b66cb8961a35f9f4ff59bf5db10f40dc352b2b4500c0eb3cc96b3c31b5e15
SHA512 1cd32cef918e6f812c162f484009c89a73437270a8c49434810160534fa1438d0c1692ca63c56f59bc2b8fba14bcab247c3c9a703c03e2f094145299df2faae7

C:\Users\Admin\AppData\Local\Temp\KGIswIog.bat

MD5 072efade632e3c688d079cc315e486ff
SHA1 f421670a161a60424eca88ad5a2c5f1dc6306486
SHA256 101e3d84fea052d6b05fd90671c971d11c2b1a70a5a75008dcf796c3236a7de4
SHA512 3a844b20da9f880a1def17d4981212a50e94fd998dc94a7385ef1b8352e60a9a0bdf480eb99eb4931ea7feeb41971f80170e7b799f9755af4c846bbd02cd4339

C:\Users\Admin\AppData\Local\Temp\SEcsccQA.bat

MD5 0f9912576f7e2c893636e0f7e801a6b4
SHA1 7e4548435865ed9dc15042e41201dc7d5130e948
SHA256 693f6f1fc51739d5fc00469e6368cb93070d5a27fa1d9961bffcd246ff54020d
SHA512 63e22c8892277a672bbd9c71175b33f9f81f837e55c2d501041be8447ed28f07f0b821a3109e3824e7ca1c4ea4d6a4c3d593165f74ea8e60d84fac762e511c5a

C:\Users\Admin\AppData\Local\Temp\UMEi.exe

MD5 448388b0833f46a21ce4d3cced7f944b
SHA1 eaefbfc6ed6bdca10af25e02d22298b84161daa0
SHA256 1bf1e779b5625e436607a9b47dae0e5949a74523f7104fc6dbe2be44931b1829
SHA512 9541a5369d9a3cfc324368e326407616194b267c590d83ff9a2ea1795fb72ddacfb7fdada13cd5a6c6619c501f0a48bc91106d0e39ba58da306889320897534e

C:\Users\Admin\AppData\Local\Temp\IqwUokYs.bat

MD5 7712de14c49a1340eb99ea571d566b15
SHA1 d5c531b3e747e11864fd4d7191278b617804e787
SHA256 6aaa4e1357abe582d906ccca306dd4a0487ef0c8369643797f7f14757eecfef2
SHA512 af113e0b22de596ed3fad05ce2ad72dbbabacfe78c6b428be708bcc0a094576adce2004f00aa8bb63d3d0e23633706cbef8b64adc5bcd812013e2a85beb23e71

C:\Users\Admin\AppData\Local\Temp\uEsM.exe

MD5 1643da795d7bc941e952c7ad924dba85
SHA1 a9e9775435936080be22adb55135c0d6db5bc121
SHA256 9f68d8cb0323e68d8cdfbc5071d92725ba979a452fc6c6d1eb9a7a2372461464
SHA512 d2071de17a05995d048e78e6f77591acda3ddb418d7ab867fee0b4219911be8a975ea1a8a406b0baea1f0ff2b5dee045ccf3dbc4fec2f99cace7edf01f23565e

C:\Users\Admin\AppData\Local\Temp\OoIG.exe

MD5 a21962f57aacde97f5af01bae3b0efaa
SHA1 b286fae621a00b9c305a0ca3878693e10b1f4081
SHA256 a4c3d1b279d1848cfdd3f58030f4b2f30c5160fb874fdc694fc3f03bef9064b9
SHA512 c6d0fe09c455b4af636bb84a9b8ec56336cd9eb5a45592ddb405ee13505ed2ef98ee62c5c83f1c39968402bf40c513815de39a5ad826d959ca17b84c1ca906dc

C:\Users\Admin\AppData\Local\Temp\Qggi.exe

MD5 d74183da400375a2492aa991add0e383
SHA1 7353c5a062dd2e67a4f3cc9319d5090576aa2f2e
SHA256 504fb67b7dad2c65cc188cfa867ad24f2dbb1cdb13f2892b46c64c3b0ecd4cd2
SHA512 71833b2903995bfb670210b35457160e421a96041f30ad5f39ab2e99b2f2a3db3a750e1838091ed8f7acf7736fae15b122cec85b1eed1e6f1b386cb31758dc04

C:\Users\Admin\AppData\Local\Temp\CoAu.exe

MD5 7ff55a360f634312cc1565f4bd19afbd
SHA1 e7759421f26026c40f66a57aca3bb7253b134dca
SHA256 92491fafa93092169e0770c9a31978da78c2c2cc11623400e594ae35e906c3c0
SHA512 4b9ec902120b1573b9b63c5646fbad39272ce5f51e4cd8a4112b11c547af480584cf6e497d714dee461fceb2293ffb93f54078d9bae0b4e510cc2b6a89c19717

C:\Users\Admin\AppData\Local\Temp\ysga.exe

MD5 0255de78a4b1b469506be8a180185f47
SHA1 3aeaaf59f41644142e608e592ea965c1f4cd9df9
SHA256 f078a2d3ce39ee96b3a3626bd693b5194e5f9cee7eb98ffaf02efc8492004c28
SHA512 0fdab1d31f325a2df5586118c325521eeb4434676f26f049a4c2af65cc7ecf2c332200470255486368ea95a5ce5d64f60bfeca6a1ce08674655683cbf2e47454

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 f97d27a6061cc56550e18bd8d198bc48
SHA1 abee75f7a75f956a7df9cfa677c1b5e2cbda1908
SHA256 3e9b2b482a2f70c19cdb68a47d0ff668313fecf3a46fd670b190ed14355ee68e
SHA512 86d890122ea5f1c2c46a4b3ca2e54f59c7fbcdc26f1942ec8ea6a0c8d314f564489559994b8e98c1a32571f7d72faae4e6304b0dda82aa8b7f3df63c76e087c5

C:\Users\Admin\AppData\Local\Temp\MUQQAEMY.bat

MD5 1a9df9b0d9b9a7cdff609db3831a4c6f
SHA1 aeb8d95236aae8a857840d08267708edea0ec07c
SHA256 a414db7ad665e34ea55a5f2c1aca33ac27dd257b0aaad6f3b39aad042e1b8576
SHA512 eed2f970fb43050a39d02e763eaa9d09547cf87a04cca48cb227fb6e576348131a01f9a0fbf15519cd261b2ff0ec8228f3e7f6260f7f5b2964f0aca7a1d23727

C:\Users\Admin\AppData\Local\Temp\kkMK.exe

MD5 b49ab078fd58652e5d1af086182eb569
SHA1 636008f152acc3d6c60e597ebfe1b08f2177532a
SHA256 0569a1406f5d7e8fb08bf5908922e18b9aaa63fd5962f10d4d5c13c3ddc3f1b4
SHA512 14d34e9e02ab445f32cee47d358849137cc2dd0b001da6a189e1959b667871a586c0bbfee109947f2f17e7a13205d8f124023df1908c1e6afb64a9f965a5ef69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 2a123967998c4b5f34f94fe4881bd7b8
SHA1 746413b21c9cb7b0cccfc8b38704320c717b058a
SHA256 1380c773392472b50ad07cea1cecc87a1723e67d5c99cf79e8bafc2b6ad18390
SHA512 18af973e0c2e2eaff1cd1fa88d7902da8a5935412db8f4df46288781030eb8666fb6d6dd2a1e1ec0bcef33de156460903f0c2724249a266fef532dd2cd736647

C:\Users\Admin\AppData\Local\Temp\GcgM.exe

MD5 7bf349664ce7b8a6f9e96773db436f12
SHA1 545cc3f91e1b620df8a71b9785bbf6d4cf5acfbf
SHA256 0131a3f16d58260c1ad0c68303dde521636b2fedeb05b74a3efa12295364a9a3
SHA512 1ea672a4a70047d2921d23cce5a475693c3e74a390738055cc8d9451146e6972dbb4563051ed31cfea368bf088b329d2a696c67286db6e2e302cbbd0ce3055d8

C:\Users\Admin\AppData\Local\Temp\mYoa.exe

MD5 a7e1c177fe7f4507b7670ea29e4ede68
SHA1 e2bb813d87c8d221274c2c58de6a1b6f39af16d6
SHA256 d5fb5b75ce5b0b6bdeb3eefed8c8ae797e3fc467d5f20c342766208730b2dc07
SHA512 752d7770f7ee2d8236510cb0105416fad156779b8431b27ba310a88585eb87ed9420085d76a123dea8c8ff960931a26af4b1a45298af2efd7de163b2a03f5e0b

C:\Users\Admin\AppData\Local\Temp\ruEYQkos.bat

MD5 be1b6d78a128cefb0dac26b3c7599c04
SHA1 765074a958061db3c122410c9376707222e8467f
SHA256 f618b5dd0a9538bc74d869dfcec36087a2472c992b4aa9aabdbac24d803ca0b5
SHA512 843446353d24c98399ac7ccbc0cbfd75cea920144ba903db6c24de2d405cda6e64020e13e0d87317dc1adeecc9ece3d11dfd59f8fe2f47aba4f6f048de8672cb

C:\Users\Admin\AppData\Local\Temp\cgYI.exe

MD5 28c81d9d463e3f171cd572e311c6b11d
SHA1 a46a8481585d9b3e1df4f3893a53400a4c700b8b
SHA256 39d11f6393c51d06385870091ed8546398e2bab2c2dbc85d019322a0144796c6
SHA512 b8b68f807e02b76b6038c5312b694af7350f4db716e6860eb9f83b3760f31751788869bdba4232d1e44a93b8d62d676122e7dba2486be891296c13e26bd85594

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 cef59962cc2fb50c9183c554b2a510c9
SHA1 8d94335a382c870880d646a1ffb22ff2564d25b5
SHA256 7d8f97d6b5d3f649eac1c2e0a4bdf7dda1de643183c56ab2d1fa9d76eb3c435f
SHA512 321cf645ff0ed541a637172e3552a13add750f8ea46b6a80d4b251936bd942bc65750f1640ca7ea8bb9e75ff8fab84b90e613e5c242fe75556c9da1a5e000725

C:\Users\Admin\AppData\Local\Temp\KsEA.exe

MD5 40ef22fd220fac47d7f95378324062cb
SHA1 68073f407078349295c4aa164e8c52e1f5c77b55
SHA256 f2d24dfd1196b8d1ff61a9b5f46a25b95bd0c52111be699212ad888f69182f03
SHA512 0014a4eb2bda28d7c0c0f00ff4cbf2ede4d3e495bc9789b075cd5b120525f73f224a4d0b7ad4ebbc6bf6e6f3270a1ec0bedb0823a99951be5a9f3450210a2712

C:\Users\Admin\AppData\Local\Temp\RUkUQgUk.bat

MD5 b1944a233a48a86b6052abfa0ac5c3a7
SHA1 9ab2d692f51c98aafa9b0be964168644398a7873
SHA256 9d85cd30aced6653b73c37bb1c9889869acc466d13519afd7ccfb8ec2f4305d3
SHA512 88fdab7a7dadc03cdef3e679757096425da9e14b4cd6c0e1f70b24eb0235f7e4828c2e1ce1070802764534cd5ada683aa7bbcff7d89b66e51ec76c52b9902f74

C:\Users\Admin\AppData\Local\Temp\OYgQ.exe

MD5 ca068571fcade00f381b2619eccdda7c
SHA1 81aceffc0db8455e88d93867d9c4657a7648e7d9
SHA256 a63a41dc82b5e180941ead0a504b268fefc7a596b6226549e507b42b2b9d68f5
SHA512 37e0cfd1e01f6da75cf33f16f26c987f936374a444f08fbf72fe9103bcfed6341bedd134659dba2492f119369b97b0a4415cc35a560a65790faa67f2759513f3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

MD5 caa344143df8b355fccbb38f20af894c
SHA1 0eca04aa4858c7d5e7daeaf967ec2f4bd39ea8e2
SHA256 46b9e0f3c4200684aa2c9344544203524dc227a9f560162be5fa73979e2d600c
SHA512 6da6d7687fe6974dbcd5aa67d5e32045e60a33df53cb5804390740e3baadbd8489e321037327242eac5fa367a072ce1042d00ea193da4851b1b5f898336421de

C:\Users\Admin\AppData\Local\Temp\cIge.exe

MD5 58dcf3c7e537a0e74ffc9459e092c619
SHA1 26005f02e262d2f58f2a7414388abd4fd5661592
SHA256 e6f30a780a82edc6fc8ac89d3742b0cd31c8c23dd8182689a99d7517c8d6982c
SHA512 92345a2044ddb2cb4937778b05d355e61dced6ba52ef470d21039119cd59d622d2a8a1473f843cb7f576e2665bfb4fff1688fdf134159d7d56b776f5ce273291

C:\Users\Admin\AppData\Local\Temp\cEAG.exe

MD5 3c2b61dea8831f2c559286ebbb16b8e6
SHA1 375cb6981041c9acd323d355c6cb95f73d689231
SHA256 9b30a9f2f1c9e58076cc0d589c0b139c87307eeca2227bf3f8b614de831ccc71
SHA512 227a9111d06fc9917ddd19595af8202e67d2cab412aef7da68792a37d0247ae419b46bbbbfcd6e3268fdb1d48d6cb6471fffa9da45a5e8214e12c4386651442a

C:\Users\Admin\AppData\Local\Temp\cQEs.exe

MD5 3a6375126cf43de3ebdcb353ce6b8100
SHA1 fe7a5fb1681645b3194ede0a6238f59d524f7d80
SHA256 e48b831afd8d0f51ae11e53b4f360baed4978f2017e7674ffd06c97c03917e7a
SHA512 f7e066cc7eb42ed48c6550ac18bffce761ea80b7246d8d238322da32803695bd40501c6bc7fd2d9004f9722aba9554062d4c4e7ec5b3b6995907a169ce9179f5

C:\Users\Admin\AppData\Local\Temp\FuwwAUMU.bat

MD5 9689ab3e8ecf47375cde451782ced773
SHA1 50e2f6714d4169cdc5c2119c1faedb16ebdaf073
SHA256 f195cad6a8debebbb6bbbcd3cd6a4c1cd86664f59c5bd11fbd13b1a898af1806
SHA512 be28a18765436235d1a8c3afbb38a3f529f30fbe5ab2cbef60db5ffcbe754c7603266d452e23d221436729cf2520cf7bc6c4e1b395b10f680e92307dd2b0ccb7

C:\Users\Admin\AppData\Local\Temp\QIQY.exe

MD5 92c28bba328075e61fb2a803fc5207d7
SHA1 76ed129e156cd5b62da85cf834fef17f2efa8d05
SHA256 28fbd76af55e82f03d960bc0c3f8312717f245833af9f8fd9c358baefb749233
SHA512 280d0a5d028ac32189d18ac98a00af6229c6f24a93a7cc8ec8f9ae4ba490e7db97a1cad461eac42eff42bc6865b4e1cbf03c5784e694e60f7768c5baeae2c97f

C:\Users\Admin\AppData\Local\Temp\mEoK.exe

MD5 7877a1b24f7eb2b5015960c5f08dc552
SHA1 f05e471b6cbd3d313964bd5dc2bf250ef4faf451
SHA256 82141583c42285756de3f7b23b7eb33c4e8331658f3619cf94dc77e1a0507dc7
SHA512 d8319ab31090cabc45ef6ba015841f8c4351c5b5866edc73644af64d3e8bf4275d1a0956c60fc5bb0392671194d61a5f93dff2886d0cc1347061e77ea9e027ac

C:\Users\Admin\AppData\Local\Temp\QEMs.exe

MD5 2f7fde867a288f297e8e324753be86b8
SHA1 1b395a688a909ee2a463fdaa4b1c5d323ce09f91
SHA256 8a06f8916f6680c35481278bbb759b894cb91a39b30d93501f3d730ae1a8c058
SHA512 2b022cf99df964964232deeda40826f525da4111cde7a64892b2fcf3966ad249d88b4e799e46715de68475484fe79336fb3a548b4daa51280f662d3134b7238a

C:\Users\Admin\AppData\Local\Temp\FmYwMcME.bat

MD5 d4cac16a5350517e876aeeb36752d396
SHA1 6bba72225e5ba1c55effdb525acacdf2a90bc7e4
SHA256 cc9d3894077e563b12d6358f4e70fb4fcbd9f70d18458e274eeba891b7e2e38d
SHA512 063f9b8e203fc03492d2f21fc39234fbee072e402664277496d66b7f01197a14203ac5df54b955d2e37977f8ff69271bfe3059095957b7fce94810003e362b8a

C:\Users\Admin\AppData\Local\Temp\mIEy.exe

MD5 768c7a6df5314e88023610b2e55c54c1
SHA1 d9e36689d2b860ae6f545c6f559089732c8d0ab8
SHA256 dedb8981b62b7f00e7517e11dcbe4552dead27ceac2da38d3f4e62627118dee8
SHA512 d5f188802bd066c975aa5323fa55b3da9f23a9fab487696f01de7417d61b2b113d789e309f32c205028b2b182b4cefcb0cc1724b8cca816e2b07f90abe5aef38

C:\Users\Admin\AppData\Local\Temp\WkoO.exe

MD5 bcf73b6b215a3bd593c72cdd896092f4
SHA1 45cfebddac0a32640d597f87c20b259bf44817cc
SHA256 81b9b4a0dc3c208d446f0374f2470e2250350f1956641ccaf58e17ecc07f5862
SHA512 e362e53d0ddd2a3fab022116742e873749354c983f780b6bbb7a3a31b4a45657d3da44cd55123e6dc368ec92c44fb50e8ab315b9dcbb9a9d0e74e34bc177f56c

C:\Users\Admin\AppData\Local\Temp\cwAIowkU.bat

MD5 af11ea3580b315aa3e5e884d564a6f37
SHA1 9843e473454d564f2f95be05c8eb399715fe2be4
SHA256 c77d566f447c6cd33f0dab15ad0b4b097e133842bcee2e67cb9989ab7e7c1c7f
SHA512 53726d17eb63a15dda99170d5740fcb404b0e9ffa5bcaee118e8f3a214ab09ebe18bdd1c916253030b04fe04915c5fb73d1ffe4c60eabec5b1c04ede4faabf0f

C:\Users\Admin\AppData\Local\Temp\oowg.exe

MD5 fc0da86b43083c4c8b61343e2ff74c11
SHA1 88cc25b3f69afdedcf70836855e100f9ed05e807
SHA256 277326f146175391a6562ba4bb7b7ff35b75e4178add7f6f18dfceaa56c5f84a
SHA512 8abfb1aa4178dd69b871de655bfb320e612657637c22ca8ff895531873d9f561ee8cf0e6f81ae3108826f568bcad6a4675916633d9cb7ae32a31547679f936bd

C:\Users\Admin\AppData\Local\Temp\OwAEsEEA.bat

MD5 64ce9f16bc9e6ab39d17de145bb78683
SHA1 599217f64ae20212291558b62b57850c4aa4b40d
SHA256 120e8e32e285d035d8be4ffc3567c45b9844b245174fa9ca54498dbbc9f91f18
SHA512 23d696fdb47d102b486dbd531889545cd3ff482bc912dbf5495116a5b9f5aae2a43418818732e283cce84e5dd65bad60871240ae58806f25d9fa2584dc50f42e

C:\Users\Admin\AppData\Roaming\ExportSplit.mp3.exe

MD5 303a9875400c6c172af43e1fbd3218da
SHA1 2b2b861918b9ff92639a5c03501df539c24767d4
SHA256 bfde5a88c1dc5e298b98ac50883a0cc37cea53f8f7452ef672cd22bf692da175
SHA512 89b52889d5cefa33864e4c2c1f0abfa7bcdf00c5db9c0843529d18530fffffa628d666d1e2ea52137084a04a038427f4718e8ea1e94d4ea3a4889bc3b805f3c3

C:\Users\Admin\AppData\Local\Temp\yYQe.exe

MD5 33539d75ca0f5a83aed8aa0437b14777
SHA1 d444ce695a5e8491ad26f4f044845a68373d55a5
SHA256 04e83e9bfa72395b7f8bb5a5b3e40215d12092091fc4e03a746e7e66204aba7f
SHA512 7216816a6a0c35555c4b67c54b8e0a171b87a2107354d1fda81114976f90bf52e07ee1f95e8dd13c7e0d0ec5e51e23930a7087d21a4823c6889f63aa4b06829b

C:\Users\Admin\AppData\Local\Temp\ysYS.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Roaming\SearchUninstall.wma.exe

MD5 f5267e4eed4ef2e1f88b9eb58046b5f1
SHA1 55cd1be878a8c508d1707259dbc7d586fc025cec
SHA256 79449b39fb7fd518530638f8300cb2ede2d5aeb4e9a8b6232d79dd8849b3550c
SHA512 65b3e51deaa38c1b4802f37e729de7db329a853a8bb863ce08b1fec6b1876f749a6601e56d86181082b69af28cbae4d422c1e44d50fee3c0d7eb3eaef8ef75c7

C:\Users\Admin\AppData\Local\Temp\oMsoQcAw.bat

MD5 e7b1de947ed03bafc885b95e05c710ac
SHA1 0f5072ee4995fb88b6b4aa67981d519c72263a3f
SHA256 f4c1f19932d936611d6783810ac48d1581707ee37aa603da3451c5f68d78baa1
SHA512 dfeb767679ddd477784315689b432d09cfed7a342f1334ebf23f45a6edba70ac563a70e7940301821777f9ae5ff7231f9f0639764c51c3c87b7feec088d4b725

C:\Users\Admin\AppData\Local\Temp\ycwY.exe

MD5 0b1e191ac47b2323a101517ba8f6ae6d
SHA1 2672f4d37aaca88b5c0a566762ac41b094a79d8f
SHA256 d6613021a231b4552507a43401f631907c3b98ce5f8ca140a7f8c52bea7239d8
SHA512 a04508bb4b275968bd4444542c910400d593a03b117a31d8773479a89d4e90d1b40efd92a9be7ec930732c0fa3b853d883ce6d6059b0685e357567b268a4d9fc

C:\Users\Admin\AppData\Local\Temp\AwAI.exe

MD5 74687e4d30a2a93458bcd0af97e0a619
SHA1 83871838cbac9ce4e2c8e594961c4fe105eee9a4
SHA256 90d3a429b9a171a5f5b8bc9ab3c14cbc8a67faa48527192c5bbf70e15f046122
SHA512 d62905c4e0ac92853e6b41bb537fe13923ad3f3085da43786ebe210ab945d36657d97da7e8f5f71d3505e220bda44b7370f2bbc9ba6881c87353722c581a0258

C:\Users\Admin\AppData\Local\Temp\ysoI.exe

MD5 9a526bb5a1f528cbdf77fc59fac4ca54
SHA1 3c9bd3369d842e43db1931d0e50955bb525754b1
SHA256 c1f364f7f97add98004e5a66ad88b64a7dbc943cf5d7a47df1e605418227b720
SHA512 d222789d3a43c7ba0b9b08417e06c4f8d25e0093f0032a177eb627876cb6ee56a46629f2b5d9d2b9504692652db25d07a1f634983037dba0ab3208fe68f5453f

C:\Users\Admin\AppData\Local\Temp\EWQcIkYY.bat

MD5 ff42f44272e6f95d9c5d27664836a7f2
SHA1 08c436c151bd2dd2eef96aa60cd6e8cba7c3f11c
SHA256 9f26f8cf93d960dd76850a88461146f7900b1a62a82404b0a261183f794a147d
SHA512 298b8c580844085edaa236ee79b03d1f6edf09747610963aaeeac1e21c39fe074914a150b10be32e3609294d72cee4955189e9c25986f514a6444c5486718fbd

C:\Users\Admin\AppData\Local\Temp\asgI.exe

MD5 142e08b321d459e3f8c7be4935ffb902
SHA1 c79b81868f716b6d67ffa329b4858d587c4d5dcd
SHA256 23e6da01ca9215b537a99c1fb7afe3165f22e693014aae2e3c23b50e1c12e578
SHA512 f6051033be0bd086f0c44b9a0ec6f18ec579f37a877d55680715a7c279f6a89ab7898f0fe7ab9b249c57c4fe91316b0eb898e9ac2eeb34e9a90665011b89007c

C:\Users\Admin\AppData\Local\Temp\SEUC.exe

MD5 1a63376784685d927beae3bd74faac73
SHA1 726bfba37570d291b060ebf50e1677e2a1a8ca52
SHA256 0d8036409ff630ae2c7d2229df62cf8dd79c5e06cd2077c6e43f84eee2a53a05
SHA512 6140a7a39244a09323c312db03eeeb77de4602097cbbc2db9045e46d189ba7f304ad3ca58ad9bd07c3382a9642e3c891e1b11ad53c8f1e60360b04240ef97e0e

C:\Users\Admin\AppData\Local\Temp\dEQUAIAk.bat

MD5 2faadb72176996a90be61ce363fefb11
SHA1 99289a30394dbdc230495de4712bb116a2856f02
SHA256 2a326732576945592ede6dd4af427d8ada29c17c0e4e4b82e72fe4f5cfc02084
SHA512 350b283e09773d9ab833be27c6d213094ea7ed2993cadd56fdc16d3a26b47d801391f75ce7a48a0e6d98dbde263fca0982e67d909f48fab52ec48cab0500b03c

C:\Users\Admin\AppData\Local\Temp\OkUc.exe

MD5 7030e0a5a643a0fdc7b56257591d2b37
SHA1 078d1e4c8ad7bcd60943e77ddb4d6f8e26c600ac
SHA256 afbeec32cd4ee711f554e7f676aad05ebc44a7f5cfc8b4d0ec2fdf399b08510c
SHA512 7d65e1f2420f1b580fcce7095623c738d8863ea0bbfd5a10bf0406d37029eeac605e9120bc864f3856e4140c68e7ea49a5d89f1668a4175ede4c04b25b8f9ebb

C:\Users\Admin\AppData\Local\Temp\egkm.ico

MD5 9752cb43ff0b699ee9946f7ec38a39fb
SHA1 af48ac2f23f319d86ad391f991bd6936f344f14f
SHA256 402d8268d2aa10c77d31bccb3f2e01a4927dbec9ea62b657dbd01b7b94822636
SHA512 dc5cef3ae375361842c402766aaa2580e178f3faec936469d9fbe67d3533fc7fc03f85ace80c1a90ba15fda2b1b790d61b8e7bbf1319e840594589bf2ed75d92

C:\Users\Admin\AppData\Local\Temp\aEEW.exe

MD5 339c09c5dfc7c3d7d92c1d95d1a48044
SHA1 681b8e1741fba3dc682293f73c583e0e6a203850
SHA256 da2d5a351eb61fea5d0f33bd9b8552b2c09e7ab9b42547053df0d915f364bcbe
SHA512 e983cb406893c903b825d06d57cbbfd3893da2c96d22f72f3825a502e91d78da86dd52787ae657918a7915c9b126e46a8978aca3f5c881abd298a7a534d23292

C:\Users\Admin\AppData\Local\Temp\iAEo.exe

MD5 0c851fb4c9572309809ee7bef3921950
SHA1 f56bf557d0397844b3627b5739a8951a04faaa42
SHA256 d17b8848462c80c00fcfc0275a1adb0f45cf981750ea79667c67fbee3a1681d2
SHA512 fd157360164d5f3f1a10259c0c509dca996b948f3a936f1f0ee47ff3740eb76f4879a0aa3a20c30a28d7ea5a8a00fe58cfcd25a02194bea5adf4d0c30241c925

C:\Users\Admin\AppData\Local\Temp\WkIO.exe

MD5 5792c786c5753e0f5e6a37019c8514c3
SHA1 f2c758f5e221813b1ed8981f1e85d6d9997ba18a
SHA256 7305f895a0086fd08807887f1fdebad695771ad0c2393730197fa07814828c26
SHA512 75e535e45fdbb2081c7a81c3f21dcde243a7c38cfb99b25114ab81a57553daec9de4b2ab25dc95280c9e0bb58ec99914e3f11b3b21e7e8045903018f8b1edfac

C:\Users\Admin\AppData\Local\Temp\YgMK.exe

MD5 a112dcc7c92db8e451fa935895808fcb
SHA1 e330e340da2bdbd3c43a3f6a19cd4a5a3b0df2fa
SHA256 438f6b31020fcbee369fd5d8952350c3ff2a9b9618cf4fffcff2d3eb020c8362
SHA512 1fd7a55ed13b63132d95e8cab13b9bff5324c98b8b6155d137de30a3a02702f1fd21ea1d3a5949fd34bb6b244c4575cb0f34f9e03c174c29a0fa0830681c8537

C:\Users\Admin\AppData\Local\Temp\vcgAYkoQ.bat

MD5 35071ba48d1ad62097847f8fc9a8cdcc
SHA1 2ab7d13520a810e68acfe22e5fdb1256e4081c81
SHA256 a8b86d387c941c82e731a07e9a7669df64fef1aabb44326aff2d8a0a8104a3b6
SHA512 834308d7a1e2c4f9cb52e755a92c94caa922c2b7738dc9519810869b1eddfe2e022d8eeb7f6405c3c23c3e5d09836741402a96ede3891053221828d3a03ffb19

C:\Users\Admin\AppData\Local\Temp\OUUc.exe

MD5 77a6cd40418c3efe389693663f59d897
SHA1 2f9f6689efea013f085427f70576bd9c5cb1ce5e
SHA256 38d856a86849bc68c3c0011767dd1468e5fff79b878c5061ca8e10bf7ed9fac0
SHA512 3ec0927855b84ec4a95b32701ca8336ff24c10e66cc73760b3e476063cee30c34666f71642423c9c13800319e9e54c4b15b4da3d820a70cc1bd2fd2b45793b14

C:\Users\Admin\AppData\Local\Temp\SUwq.exe

MD5 66b7666432d34ddd51809db1060c3de2
SHA1 85a3aff47f41c317b49cf1deb131effd16c61ca0
SHA256 ea2988ae1b682ec132131ffd6d6d6f4f38fd96cf96b8e3da829767b2f47d9e32
SHA512 ede54edcc1c90999a187ab940e7de564d2eb4e1e77ae2d2878102aa03bbc0ef031d635cae94e576c782737dcbe233133cddd582d3716c7ec815914cba13e9827

C:\Users\Admin\AppData\Local\Temp\Skcq.exe

MD5 6e77b79b3d16f3b26db15d182b1e4876
SHA1 677d8669a142c9e1f4f6625c7fa4b181662640bc
SHA256 f19dde6c57af237c7334e96c95a56b0cd231d909bd226a9f9539bbc42da6e467
SHA512 1895b26e866cfe0a5153d3bc3747e6e4284ee6f4434c7c87b3bc2baef30f8f41c125039223be1cbeffa622926bffbc5d51b55578fea2be08687e2738e2d289b6

C:\Users\Admin\AppData\Local\Temp\PCwQUgAw.bat

MD5 f5111efe14fcefdf32e75ff6237c2c7e
SHA1 06871f0b4536a8e78df2174bd6c78bee56353767
SHA256 0b351dcdadd944d1857fd4d230c5d3b19866bc58a39b7d782e2716b6a318e252
SHA512 c45374f53d1d7ea4ab45f4882d60cbd2b19463f6af52f5b7d5e3da37837582cfa5f8dd679a741b6166880997299669ce9bc64a2e5533330c3b5769ea4d332d04

C:\Users\Admin\AppData\Local\Temp\oUMU.exe

MD5 0490f3a337b38ef5ae1d9c21138374b1
SHA1 9dd4edafb879759525107aa3dd44628a03d2ee48
SHA256 bcbdf3463a67d78258fac81df7bc20feda76f52c0e45bb90fc092cd4d763754a
SHA512 dfbf2b6c1712a0aea791703f9d644edd6a55409a12593488378d058caddc46bbcf7935dbfe5de7b4c17ecc88c044d5a447efbd14053a700556bc83f7c70fafe2

C:\Users\Admin\AppData\Local\Temp\QEoC.exe

MD5 14907347986a9fb811d39cc336505570
SHA1 76209f1052cd17650f1c6bab800a0030dd381d7f
SHA256 65b1a4000a758048ef9c937bf636aa2215c187080b9acfb16f683f89ccc3e0b5
SHA512 4f2128d43bb111f9f7445f5539c102f7ec2fd31213a538a71f0500d8c2ed788d6276290d62422a52ae948070774b5107d2934ce23fb4d04c0cf8522dbea4eebf

C:\Users\Admin\AppData\Local\Temp\OIco.exe

MD5 2b55954ea2adb34414e11b0be5aad8f2
SHA1 daf478b1cb7a9f5dd916e40f544b6c786d8859af
SHA256 11760966528ec9d1bb998fa3a34eb045237f9d09044c285fddfe33e6bec1138a
SHA512 b260765d308c1ca8b77fc132f7c504c25a4dc1874d7aad3b5ce02fe948561ce924fc7077cbe7b0d8db72e986f5c538ede57b788b928e63d3c0b3a9a95e017362

C:\Users\Admin\AppData\Local\Temp\XGUQMEQk.bat

MD5 ea2232f8d610baa18efa6ec3328eecde
SHA1 39015c409e5ecd949233ce4734afff7d67faca54
SHA256 a2b831e6b3f40f805796c6ae262e3a72fc7b7d392a4ee5ed87c6a57240890e85
SHA512 5c500a7e07c4458e65e0f0b9c8770b55d74bce184ca65973b7474c4f6b60598a92ab4032425942f76fea0d771de8b1af5a38eb5b2b4d49b2e83e5d934d3e8bd9

C:\Users\Admin\AppData\Local\Temp\UgEs.exe

MD5 8de387f9c2bb23b47b77318168667bd3
SHA1 b099b5762c2e3a6d1b3bbe01a7e46ac10363bb79
SHA256 d52adf7fe13b18120fa8846d4f7519897d7b202c14f587d70e1342be6e62dd7a
SHA512 b081f50bb101efad84fa6855e65baf1005a4f9d113998908957851f1c0ac1e00237ebcf2838c2b2bfbb480499f77ccc1bf16625dca15bff9e619ab5bae0db5db

C:\Users\Admin\AppData\Local\Temp\aEUG.exe

MD5 209268cc37341172b6596ee0bdd54fed
SHA1 fc4c4088f22a565aca7af25bf6cadbc88c985461
SHA256 a5a11d20df42c539fc372768313b7f294708019a83fd785507f4a822c928f223
SHA512 8b208d731d302478ea7929011d62224af89a3ddb2cecb27b8c4a73e758eb7dbdbcf45f15184207cedd0b1b1f1e581f20ba02d28a7a52b90556dbb718d0c851ae

C:\Users\Admin\AppData\Local\Temp\Owsi.exe

MD5 e4f44844dcd30a1ada850798b86b3c2b
SHA1 0eac1ca539d033b75fc08efb9c9ca1719b3ddc8c
SHA256 9222776156fd01349dbc627e8f49d05e7aa7607135a6e5cba7cc58f1e2c6e808
SHA512 5681d7b8e11d8a0c00addecd18e029757041bb0cd18ba736054f9c69c09e31970e07c7d9a5b596b0885deaa3bc937cbd0948de4fc6babf5d6894371204f181b7

C:\Users\Admin\AppData\Local\Temp\qgocgIsY.bat

MD5 fe852ec077af4c19680380aad1845bfb
SHA1 4d0c73f4ca828e286ffdf6623e3dd75bd3f25625
SHA256 349167bf8c83b9855fa062bf6194d2f4d142cec1ced8da73393a8af1c6be1f7e
SHA512 86fbed009c3878a17dac68bf6d7aab3be6662f9ec7ae81daa51ca5f59a1f97d5b6ff63bdee73bc26dbc853e8ee15f1c14337e26710a7abd132a24955a7baccf7

C:\Users\Admin\AppData\Local\Temp\kQEQ.exe

MD5 b370fdf0d7a3cff0af68b1208b917f10
SHA1 5da52b1f5165dcf08bd5c3917566d65ffaa54e0a
SHA256 03a0bfa230479b348adbb961135bedbadb399d6ee67d5c3d5a0fb47d7665a73b
SHA512 ca9889d2c4c2842b0cd52d509e88981166da45d592273bffe29f673b1cc1fc57d85545e1695dce86a5609e3a019885301088d18b5f7650d8e9e60326ca5e834b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 830b3c0f06eefd408bef621cdc4d35bd
SHA1 62c9d6349cbf136a8dd783223b632232706e796a
SHA256 e8fa0b8603570710926a386b66baca4e20cd9e549a54c660552cfda0463eb95c
SHA512 27e85d339cce46839ccaf4db2f033484413d49bf876e593125b649b22383cc7de82e2b87bc0ecb0ddec00ab681181eee05bfdcb1800db51ce39229abf15af1e9

C:\Users\Admin\AppData\Local\Temp\cwkUoMgU.bat

MD5 c965918ddf404c89d45300125c50bf9f
SHA1 39efb6d126d6bedb3314a65e66d1f2a87d250f28
SHA256 18eb3edb3bfcd6468c66562d45bd65b27a7c79a03f7119842a6418385e6d0707
SHA512 3157adb8fc326faf1e6d91efb80b5af6dc68d04c998204368c759bdcd6ed4d1ba41009221dbec695ef30cd54e054099c9f2002a91032af0304167c22a8009a0b

C:\Users\Admin\AppData\Local\Temp\oQQg.exe

MD5 ab80e4f73b5c619cf4205658782c585d
SHA1 d997eb7f1dc21b2b431f34d9617a93cf036fe80d
SHA256 bbb3da5dd48e9f5a319408d412e3ad2b18efb3756bd4d365062458ca070c6114
SHA512 be417411d456339f88be63f6a4da4054896b6aef021b8a6e0b236e1d0d5c6a371aeba9d5c3cac87a8d6e3f9e392de24a27574e5e4e89a532f082aec5321f2752

C:\Users\Admin\AppData\Local\Temp\Wosg.exe

MD5 39728b7848ca5a83ddb54745784fc64d
SHA1 dfa868e3ada22de983a58a1fc5bca75362184d9c
SHA256 89875efd4dad4c27c4242b0e43eccdb11f11dcb034aa9552a0247d3e70636ab2
SHA512 c376f29479a3d20e36c2c259cf75f354248e2ec58c50f7ea0076aa9c1d9a3df788a80bcca1f9c2670c9bf069d81b2ce0f8d06ab8d6b30f8328ab33e19d23df8a

C:\Users\Admin\AppData\Local\Temp\KGAoYYoc.bat

MD5 907445206a282d2309aff173cfa419e4
SHA1 0e0d6664568402a0430906b35849615c6637e028
SHA256 284f097d667e3ce73dc5e4a53bda34e668284d5f2397f6900af515c79e605b7f
SHA512 17eb1f2ecd2a387d6bd3d78a95969ba61c4a93f39d1d7303c2f48c784bb2e7635136f4182de1599c384490a55e2bc5d0b1f5bfa4606e2c14debd21eb72653b9b

C:\Users\Admin\AppData\Local\Temp\IQYm.exe

MD5 12fcf459b68733c7571c3829d97fe3ad
SHA1 f5326b701dbb83a9511ae2432df6f7fa7ca287b8
SHA256 fc4db3e17171e41b76e038f41dece3926a78076204d398cd7bd1e6ab2c285892
SHA512 42017703af7edf28cba9a5c4f71e6e3d47c57414f6c885b1c45941a25b26d0961ae736bf59bbce4a188e0ba77dc1908d03104242044e2d988b2a28c838c6bf29

C:\Users\Admin\AppData\Local\Temp\UgUs.exe

MD5 77c148ceb77cc636addb8d949c0ecff2
SHA1 b0e9bdb3174aa0d2c144f31fbf9d32f890993375
SHA256 45258c6f5275348d04a7bfcced372dfaa410f9dc25a06a59ae450c9d850b9731
SHA512 b4d9cc0ccba5035ccab43562b27f40c885c60572ed1a9ca0d717647aeb2c9309a9e3757d432ef54782a30c787898ffc26185b98a3666fbd82ae9ffa6a23cc471

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 885a8d64ee6c130e402ccf2a7583b8e1
SHA1 3262231db9c41f2c36ad8b8f3918d8f5c548fea0
SHA256 2a6ae1a7427e9f6a16ef91cc5d091b618bb003c143aae4339474b5541898ca48
SHA512 67b2f528efb846df049a35308bc13aeb5e0840fa104144a789fad2cf3f6c3abf4e2b5adcd74f0c62983d2f20090d1641ca76192a6a8ef649dd37be700909b6c6

C:\Users\Admin\AppData\Local\Temp\aiMIYUkA.bat

MD5 ab490a4ff288de592a7afe52657d7a19
SHA1 df841fe3555ab81fff785d17bc18869db1e289bc
SHA256 8270060ea3800fe9270be3fa39f353d1affc5417f313d59df1b64e5e0a7c5043
SHA512 d58a671035c2d983d69b8a2da5fa2934846a5bc4487bd8b7433edf19539b0d45729c0341defff88ed76db737acf118356ea9b8365e897d1ae6f2e96404f63ff5

C:\Users\Admin\AppData\Local\Temp\GkYs.exe

MD5 ad11ee2c3d4ca46d324717472ad749bf
SHA1 a6b8e76a95fc57958675d473871feeb82330b665
SHA256 0a4ae2955c3e95a5cd0c68017a9569aca588949f508b15e21d7555badf1e87da
SHA512 f2e3833aa1ea36eff30f6e89ba30e648633662090a1fc9fa4a5a57a76c23abe4d66be831b20e4cf8c06287302e43c4f68c371f3333e8e433f98f0b14ca993de5

C:\Users\Admin\AppData\Local\Temp\sgEm.exe

MD5 95aa2ff39861a004e2d605d14c3514a5
SHA1 c79085e510240215aac1c7298aa37468c8f7876e
SHA256 58f9bacce5ef04be6237518edd6b17f7387312fb1da5511b2e8ebedbcc7dc91b
SHA512 b7762343a6880601a9a60a0c1614444ab7e8f2b5dbc9b78ae4e666b65fae82a1ccb97b30afb10bbc7020f51e5109c9d5af7ba62beca9df8271fcc4b97b4c891c

C:\Users\Admin\AppData\Local\Temp\qIUI.exe

MD5 bae55f3c4bb2cd7f8b21b64b642e351d
SHA1 57aa8c7996ff91fb74446c777353da97da8a99e2
SHA256 20a9a2774034a0d80911cc16d37709d2a3febcfb8072c644b29b084eaae078ac
SHA512 aa39701dbe2b687dcf2bf9d6b3eec136d1dfb47c4f97be37d29ba51b6ae6cecd0c4700104e918c7907933bc07798e6b562a205b9cf98b2278027a240d92fda0f

C:\Users\Admin\AppData\Local\Temp\GkkK.exe

MD5 1bee48f01927ea34903a63a4d1ad4f0b
SHA1 95bb9d7c5bef47e9aeeb1e721f918aef4ca875cd
SHA256 3f7506ee92a49ce38653ba26cd4ab7b17d34821db9f181ac21c7efa3491e4910
SHA512 058033ec0852b5ef593f544d542eabc281ba47a572ea2e0d6d24bb6a38bdc5995821394542991b5344f6fbe5b33e461ca03059e57beb0bb5ee23adcba7aae8fd

C:\Users\Admin\AppData\Local\Temp\kcUo.exe

MD5 d3e7b99244c77f98eed8582f1ee079fc
SHA1 50bd8fd61769d2f38b642f1ae95c140074e51832
SHA256 ee8da5c995e1996ad3f75a60cf16095a1208b5d03e82bd9de7286ea962d15a3a
SHA512 f4dcbf584603bc159574b0ab258280161e5374c00660e204664af7433ca16e6c15832fe4e123a8040c02e79a17e0eebe2b72140a53888add7aa733308a9d7c19

C:\Users\Admin\AppData\Local\Temp\IEEgEIow.bat

MD5 08792938a61383304df39c66adb3c031
SHA1 3c899618ad68583a3c726b5d87ef6c813e0a782f
SHA256 81850151339d028d09f0d2ceda151d2895bbba4a878914b58f7ba48a6f0520ab
SHA512 c080c1b22a749c80dd4e943e18b39864131319bc83d3da834de1f39dbfda26547e7170ccb0f2b51de9f7e6bf2ac3f18c5bd1eb318f815e731fe0e689cbe19d06

C:\Users\Admin\AppData\Local\Temp\yUYw.exe

MD5 e8a44018e41dcf388b47af6d8aa4c84e
SHA1 1fba1515469feb13559fbbc97bb341f1c45db55d
SHA256 e42cc7df0e364dcfa467a391878426fad5d7ff36850babe01b71d12bc2a1dfad
SHA512 4aadf7142f5bd2fc7d02d73d838968118c778ba7fabbcce08347d9546e165ae323a758179f601261567acf667a2d5acf0b696bb8c0fd3b262d0b4aa376b8e920

C:\Users\Admin\AppData\Local\Temp\oIgg.exe

MD5 1e2472430432f0c68916c4459b2b5469
SHA1 23094b003e10697157cedd11d72356621debbd9a
SHA256 108e69a5ea6b0e98bb4d9d254b440eaffc0b74db36c8365b3c327dac51f27de9
SHA512 8c06cbd5d6f6cc90d6756efd2d021e6d943c2484f8d429b09fb9aef39236df1510cbf1efee348ad1f97763bce27908f4bb0dba76c49a120508c42c5525d28c99

C:\Users\Admin\AppData\Local\Temp\qUAQ.exe

MD5 3d7c3d8f477011795da4552090a06f7f
SHA1 4ea983895c1c9624a4598e6f0c227bcd81ffaa58
SHA256 7d36d9fdb4284e0eded792cececd9c7d91f7261cda880630fe5d71d66ece2840
SHA512 78c602f07d11279248784d72aa4e8801bb2b1fa08cfc62092ec845272f8cc4f14ec9e3c0af0e2d06f7e8ceb03881ea3ce9f86ff5392c1061f59419f364b6a26d

C:\Users\Admin\AppData\Local\Temp\cMwc.exe

MD5 3a10072c61ae7eb8a13d39528163a2a3
SHA1 21aad4d14df15d70d9855ae1e2a584c126b39bb2
SHA256 65ccda1e43b3fe0677d2d1bc9fdc6ebb09655a1efdf158b1a0053ad9e5bf5e2a
SHA512 5f81a50f563a839a759d9b6d70263257e6f0ab5b77897123ac81cde64a35d8dc4d5b2169d3f40f7d357179379148dac439b874f553102ecb79d643f80de51e18

C:\Users\Admin\AppData\Local\Temp\IMoI.exe

MD5 9f0b7810bdd0c51129405412b3c76c1e
SHA1 933f0822ba2d20d457a5ee0969e0f5d03e37bce3
SHA256 50f24f40c5e464ff52b8baf78578c44592b38c7bda7837ca92ecc926d5a53c92
SHA512 4c05aa5bd299e06db86b169ef0d9b283a2b5b854f416cf5986248d85e91f11192f61b4b1b954f7b56a2d11ea98b6396d808a64f5c810d5232d31ec70657fabca

C:\Users\Admin\AppData\Local\Temp\REgQooIc.bat

MD5 d29cfcc9cf8bf661377e800ec713a6bf
SHA1 af111d005d6636799bd0fbeac8a6750b163631ad
SHA256 eb2b817a0fcbc5504e96c7008a16f06ec53cb8c0a8858d5dea032682f16ba92c
SHA512 2e452047d362e5ad065aaecb83946b33f579e3be60591da06d2963c292bca5b6a566ae8f0e9248e726446399e209f3bc8fd56c17ada8803083abb692d784cb53

C:\Users\Admin\AppData\Local\Temp\swoa.exe

MD5 9972c59c890e5d62e10b0505074a1474
SHA1 e53226aa5dc092874a2d3a78bfd8517c5e7a96e5
SHA256 7c1cbae74ef01b2c3d2615b004bd9c4399ef0a7cbe1470d4f5fda1aff57ef187
SHA512 372b81fa7ee80ed7f64882b3dc4e62b4ce1ce2ded4cc415fa934e15bf213f698931406c7f37ee541add96087b1bcadd21c5f6efcb5ba83145c9df38a84e96430

C:\Users\Admin\AppData\Local\Temp\EQUK.exe

MD5 49047bbab2e094a7a18cf99e958f1086
SHA1 18897c1846bdbe034c234bc66ed88f45b028c29a
SHA256 d7b299789b8d7c95a82d54516d1047905aa1204ed038d02060a4d8a31024883e
SHA512 1a374fb2eda15fa11c77154bb64b3b3f27f0fbcdf01b340683c697932c5390ec2c2dfafaa0623c1cc9563ee497ccce0704197136e71438e6c4080b243fd6980e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe

MD5 3b2e2081c792adb3d7013debdcb2fb7a
SHA1 a7c8d314553aa0689c2ef2145aa6aa1a1a307416
SHA256 87afa48f04be33c3d232d3d83891b9210cbb58940dd740c828df82a081eb91c6
SHA512 a37982996d1fe1a165a6ad68f8510813b67782d6ce340356abe40b38ff579ea73f1d4ba26f0b12bb98948bd7c7c7fdcd1e94f7cfd7b30ff9ad142559cfdda247

C:\Users\Admin\AppData\Local\Temp\TIIcgkgw.bat

MD5 d16d19602dc2b06ed7c0c14d8642d7f4
SHA1 8a8d3439d947a8e992f87b26a5f2e0a4891df3ff
SHA256 20698ce49dd4d0081343ae36a930304788be36bb05e3c961492cf467d3a997f0
SHA512 f190a75c82bbb3c5b9bf332a397140ea6a8e1a0c1643e552d33b0a4282c58be4fb7f542b3436b0f2710746298d98fda686004842f0af6ad959da6885bc3ba3c0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 89f926151f3804d5084da039fd83892f
SHA1 9db63f3171e5717b21e2232ea9e14d6cae335385
SHA256 c859c1a0668d3a920b4ced23568ad9365ca4dc07ada25ad91d6da21514422ecc
SHA512 6658d2b91cce6c150b0eafba506652699c7a0a79d276e09dfc272f1a513a12ada65479e2a807ce07d498f63a2bceb17d1ff70af01486f4edd51e065cf0f7aa15

C:\Users\Admin\AppData\Local\Temp\uYEo.exe

MD5 797cc9aa3ddd939c923511fb4fea33c2
SHA1 3865944cc43d4cb01f8aae8475bcfa89dd20faba
SHA256 1982968f45e0fe7480c9e8fb34416295e2b33492d161bfc23acabf6aeb08b552
SHA512 e58b9286a501eaf25e4d6622242b0575a6d634fbc65ff676bbf52ac40da7c5ff8fa8df5deb2b5dcc1d1d7ea53379095354dfceb16ade9272d9a939911e0e87cf

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 ba83c08290350640b279d781a54dfbf1
SHA1 f4d655aac18ad9788acc875c50de8dca9db99ae4
SHA256 7dc76b2eac6d71aa07b4e7b77380772727916b885b254cfc95103ab4c13aad92
SHA512 fd34e6b22bcaddf5cb4e4c3f7d20a91c7a892f6976d51d1fd870c25c9620820fd43a1e9953ba0179d7e12b5a4edbb32138047235e887eb1c12c734a0af620db4

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 d8c120f33fab418ef110cfb2ca6c673a
SHA1 92fc9f470d958c3acf574452eeb874cef486317d
SHA256 c3d2df916af446f5f994af6abfa9dc9b1746e2a3e74fade41d3374a2c41a0caa
SHA512 d8ba3ffa10f030213aa6831f740a21fd81d424b4528c5a6899f341126d1ddb29520d2069f84a14e22e4a5ecc60db2233fcf3614407e6e7c5c1f1fff46e7d5177

C:\Users\Admin\AppData\Local\Temp\fMoUAAkg.bat

MD5 7afc2d92fb011d08acab846f21ab9a2d
SHA1 4ffd8c8ab2f90703bd877417d7700e6a41093d93
SHA256 6c28b38c80ada7971acb9e53b22dc6bd5207e17dac742f687a43beb95e906742
SHA512 5788093d7de57d70938da0a29e8ba576141cd1b96cbf1dfea79524dbe34525cc3d9a75b1c2aed6710e56b40e734a03315f4bd595e10b66f8aa5ef00705f45d91

C:\Users\Admin\AppData\Local\Temp\sUIU.exe

MD5 0491f8727567d5636e1590512dafe008
SHA1 5eb0c5e4beb6cc41edc2c9050bfd6e98c601a163
SHA256 ef36c244c3d0c4693e3ab3c50216508e8a9558681534a243d4c2ad34b5887421
SHA512 028bfc573d7d5cb75e20fb83491e31338fab6001a9e8e20025544978c5aa32387ca06e3a4147bdf94c4b2ca4051df99ca2b8fa375f441d4fc8afe4b965bbf167

C:\Users\Admin\AppData\Local\Temp\cwEc.exe

MD5 be53bbd0be007023cb85218ee5ef4f3e
SHA1 22e4e1728e362dd4a393a2a909ace5dff4722d91
SHA256 9f7910a051bd1ae182ff39905da63f6a7cc081883ebcf5c3e30f0dd79912dba1
SHA512 93dac912ae2921cb67966fcce04789061bf434cc43dd5b187e2e15f0655e6fa4385e9a544da9571c6d5c8e8784bdd0fc6bf4f3a19c95447b60a07f3485c322de

C:\Users\Admin\AppData\Local\Temp\LWsQkcgw.bat

MD5 4905ee98fa7fdce0db2aaca4cdf23ea7
SHA1 55cd2711edc0dde5aeed5540d46e985bec84a43a
SHA256 3aea84a15e8304118883b69f2f7bdd257de70ef8c3eee1c9a76447dbdd3964bd
SHA512 0b227e5261df51538ed6e28e910169a3ad07627c84125860ab088c72300bba5b784b26afeecda343848bf5201ea67591530b0598e3596db905f925349d944f29

C:\Users\Admin\AppData\Local\Temp\OooI.exe

MD5 1876dc9fbdeb08c541ed225bc4dfc55c
SHA1 6a43a92a65f3c6220a1aaa320b6c2a3fccd16ddc
SHA256 c6b8e38f5a8aa2b4bd3d9f88bae0d6ab6a9b0f173a421aef0ff4ebbb2f81f27d
SHA512 b8dd21039f884d4b361c5064b15ae0eb5880a18d0b29e7518d5aed0dbaca019a8db50e941e1bf84f829f011be388fad93a6525c94f3f7cef3512ac0884389bf3

C:\Users\Admin\AppData\Local\Temp\YUQE.exe

MD5 93b66acb55aa23b9de3369b8c6a34daf
SHA1 98f5acc371dc5136a6f2d29bedfd8f91ea1d1573
SHA256 0ceaa56114a4c87595df5adeda0c17b884f2096e0be27efdd47c62191ca6b22b
SHA512 8ea74541d064ab68d3c95e9e6bddce3162b15977a54b1de9a8017f03eb425b29240ddff3614574f28ef54a4877643a2800e410cc9498fa4d47e57277565f9546

C:\Users\Admin\AppData\Local\Temp\UQgO.exe

MD5 5ce32574380ce961e4835c713e920589
SHA1 16b60a8963532991e3a0678cb1b308ed96bacf1d
SHA256 4acdc042e40ce66c40f5661098cf0118cc46ca6bcd468b61777c5ca54d63bcf9
SHA512 6f6622c14be9ed7d8a3ea199fdde7698dba99091039356984405ee3232ffd1f8721f1e8f7433376415204c3a68a0397454fffe1b9a55e0a49354bbf5093c2674

C:\Users\Admin\AppData\Local\Temp\AMAG.exe

MD5 f4c30d5295f2d1d0a825c8eb30706a15
SHA1 a2da3f791d016f9528a8663813318cb72fcbcce6
SHA256 c21c22e97e250930ad74fc7444e94c44f83c85bcc34309bdd5ead58c0642c22a
SHA512 a7b8de18561c5a05456ff7d307244c6fcf79b8b0fa0eb01aac6788b57425875ab0d2dcb22b68eabb2473dadb8066cbdfe6da0b13b3a41cef497f4a0d235491ed

C:\Users\Admin\AppData\Local\Temp\GIIoQQMM.bat

MD5 71700f11fd37925257c5f5b266ecb69c
SHA1 0222930c89e6ba20431d93a6fe27eff51f7710d8
SHA256 a08235d8e127b0133820a64b62dd219eb105722f2eebcc8ea90ca364ade3c4ff
SHA512 b143e54506c5e46863d7d335b00dba82832adae77c20c6098d1c85a141e5df49051fcf397b6c8ec0703c979e04e7087787b79c20de868cde2abc7d7ba7e2ece4

C:\Users\Admin\AppData\Local\Temp\EQMe.exe

MD5 afa7b39ccdc679ff7cdac07b2e135853
SHA1 a0daaf5e8013cffcac8a5310ddb1cf8c668952b4
SHA256 7393fa3e8df663b45151584136b7c6dcd11bee6e9a5f3af49302896676ef2a11
SHA512 ab45c49987c89e858b68ac46fcd4102e26a5d4b02995f7c8b6dc96ecb04495304e46df1b21883ad82c4b1f6d5b65cb22a7a08b4ef519072a2fb3d8248f5b566d

C:\Users\Admin\AppData\Local\Temp\Iwww.exe

MD5 b2bfa2be9f223e3928ed49d3cfa6370a
SHA1 5bbf85d47bae5762b1dd761fb99a26a2fbfd4908
SHA256 d404f6133441afa067a8f26219200ad8280a55c65dfcac284ac5b29c08218305
SHA512 609135e8050f9eeb2d4a7e90a6b22f51ee40dd050df930398a7f0e98f3c70ce22026c4d87f4e95029b54055debabf6bcf5d4bfd8951933da488f83055cddad90

C:\Users\Admin\AppData\Local\Temp\EQUA.exe

MD5 e95b8c60bc455c090b3377f7c0b76abb
SHA1 5e03c381a56ba5f40dade1c4725be87759e1269a
SHA256 3bb74f9c6ab39c4ccca76a80a17d316ec943876498500fcecf537eba493d9479
SHA512 4a732f649d89b089d9ed4bc1038d0a7cf4e82f18b8f9c3e08a5f106e297bfdcb2c2a9abd34281c0198ffcd91027dd80ebf2e8aac04c882f462a4e832a355cbc8

C:\Users\Admin\AppData\Local\Temp\wsYoYwUA.bat

MD5 f3ff901ea20193a70e019004be26008d
SHA1 550c70da55fd2d194b29f42576900c4073ed1e5b
SHA256 ade643362c89288f00822f80c841d6d02f113642ea0c165915681c716ef50382
SHA512 f715bd7f7a5f43da48bd928cb5664c532325d8fd23367dce4bfba25ee1ecc731d4fabc4b9bf0dbb002d26e7e64b2915ff023cf137aa001a278312dc6b429afce

C:\Users\Admin\AppData\Local\Temp\YOIQMYMY.bat

MD5 7e48b2d760ded4998cee7bfc662511f6
SHA1 50a202e4b64489d6d3923446c2caf6a69d37bdfc
SHA256 a7637ef3d5201256bce75d33d11bab57666a21c5ee37e43fc83959dcf3bcc233
SHA512 ef10c6f2bdcedd019a855aa1164e7275faf9cf4c8e3f734c2d561c7f7664e33c77d78b62a43e6e7fcc094e0aabdd40c74be33e16818b423680dadbd34b06bf77

C:\Users\Admin\AppData\Local\Temp\csYC.exe

MD5 5e99e7a7a2a736292602a06a132137d0
SHA1 812a8382bba5e7d1ac344a1fbcfee93efc57f7b1
SHA256 1c44686bf53351d6152c79d2a90d58e6e9010de44b4137f0146e5e7fcf9c8219
SHA512 ddac03d8f5a316de54eb5c8435e9f0fd0a969ec4dd06e8ece2e71221ee627f1c42c4948f003353c984a6e503aee6cf33198ca5e1df9b498bb53be15988e87d64

C:\Users\Admin\AppData\Local\Temp\IucUUwwA.bat

MD5 662955e2332ac3fc5c655cd95728cea7
SHA1 766295e0655a376654cd67b1097a7045d1496222
SHA256 f9c91c61de64a34c789e287bcb3a13fe3dd61766808e09c5cf069ab6587f48d2
SHA512 efef940221c066e7d6d736fab18afb281d9c57636d90b159cf3ff74881ec0d2582626b77ff290edc20b4a906ec4243478bbe63059592d0e06ed24c8790c99245

C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe

MD5 52717dc6256084472d2bea02336a27c7
SHA1 30a40b0a99450c6814a437fd71f8f18f54207268
SHA256 5b6882776e7f90a8e5446c16783f3ec417e98c398f4c5051ba95eb4bd21b4213
SHA512 d07792031b28f60bf5a0eca2c0013eae2dd7e81fe95178890b3a3fd058d3a88fa8cee8626fa8e244576532f11adaa29705c12d68d3c1d1e4f7b194e536d3a121

C:\Users\Admin\AppData\Local\Temp\UwYG.exe

MD5 67af8d866ccd3b30566e512171c918e3
SHA1 ec98e75e5d12fb87009c6d859f8050646d9a1a56
SHA256 c0abc6c4b0ec439810ec54a53f8635fe130c519edc314a091c1b89e50df721ce
SHA512 82eeac7109875304802734d06a0e94e773591890f876e22c35d1ccf24c0fa716e034055855e7ef84ff0a4873600ca0322450169c77926a26b5ab68a23b95f3d4

C:\Users\Admin\AppData\Local\Temp\oQYw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\togMsEwI.bat

MD5 f61935ad7904983d8bbc7e6d9a53b5b4
SHA1 b00ea2e80c9f6c56d67e36c328363175e27b76c4
SHA256 33f384e5018a963927e5c146d2a6423405b73b847ca193788b1b550c29f0acab
SHA512 7c7e757ff39e2aeb25f8d1133e84b9c02679a59531acc747df26ac096d3d9dcefe46a3431e65bad0c8e7459f58dc84d9528d2ca5a9ae49f0a6120c6f3c4cb7a0

C:\Users\Admin\AppData\Local\Temp\iEwY.exe

MD5 4046ce5a8b59bff48616ebc134d999e3
SHA1 6f94dc79e3b4f9833b4859dcfe137f90e91941d4
SHA256 64353d288c6aa3aa34678c8681385ec9887c0b1800de86afdfd6d151a8dd3d66
SHA512 89788a06c38d067d820b8a66b853a80a4d2e041dfe355c32869892dc972061deeffd065ce084d3e288b48f530e2143aae5782483f008a6eb9cf6b0aebfa97dd2

C:\Users\Admin\AppData\Local\Temp\Ywgm.exe

MD5 7d5e555d16b0a20c93f73a2e512ebbb2
SHA1 ee5638cb276cf1f296bb55232ca194d61ea72a0f
SHA256 79a3bf1376ed6e60c8788929434c70d0bafe583232feb0920b3f7db9ccbb9ed7
SHA512 32adadc95c765f15e3ceb4d0d546baeda28fccff7a695c142989ad5a074ca62bd0270be1d900361d3c5675180a54349af1b293bc2907afb47e607c5ba763bea6

C:\Users\Admin\AppData\Local\Temp\SkwE.exe

MD5 284b65ac21eb00195c74df19bdffc154
SHA1 04ef9157c3129bbac053d764a2ffc9e883b3f5b2
SHA256 97552812b975bff8068c53d023a22124fb99a23f73b30eefbf8973eb0c562a39
SHA512 72c9ce6fd947aea92b736bc1c9a57db168aa8beec5e1101d87f57f5a0332ab9568cc44738326efd135bfbaf092e9b608a56599c57179dd5672c475af116de12e

C:\Users\Admin\AppData\Local\Temp\gEsg.exe

MD5 bec3593572cbd2119219ca92beb9a58c
SHA1 5a0dede1f7b01d3d4a5963daf9b1b92dc8146794
SHA256 f247cb4b00d1eb660eab6b0e7871d7911c6dbf03ae9ab3b42ce2c6e0970d95db
SHA512 ebf63387d48f6a90b6cd23292ede6c47557f5edbe9bbec575b2729dd376a5038fba4f0c50ef3d9f48d4648eb155b817b05253d15f949ca7e11aadfd3a205e19e

C:\Users\Admin\AppData\Local\Temp\uQkY.exe

MD5 a47cc6415795f8eb46d2133a4a79a489
SHA1 5b05f1e7242c61d71f10dfe5cae68a7929b540db
SHA256 47e8f2341c0c6a042c6beb9a57eec6b64ff5134698850e79fa7b682b68c89275
SHA512 bfed52d12c03d3167198ce927202faa6919793dbf6cf2f02f6f601aabfa6dee92fc3ed334d17a34dfe8be9d2faaddf7af9083c156064188525432237a94190ce

C:\Users\Admin\AppData\Local\Temp\YcEe.exe

MD5 4f7dd23eec5f0e8a73921391556d39d7
SHA1 9a9e8ec1452938df6c8b5c7bc3e7584873192cbe
SHA256 d810474b8de9492d4eb5693e582a6a4bc4fa4fe804b6bf6b08431c08e72f86ee
SHA512 a5909071a552fcccc201cfe2b72c871c3bcf112f4599159cddf9379d6b77a9cf21ad4c02058ead766a2a7a5edaea777b4c2bd7c7125413eef5944082aad19ab9

C:\Users\Admin\AppData\Local\Temp\iQQE.exe

MD5 c442eda1e9aaa0748ae0e818d2826a82
SHA1 fdf1d7db4559a0091c903a6c3d6f0e4621c210a2
SHA256 5469012bab5fb86f145b6d25e640a2985925a30de3c3ff90826dd2c5d65a98ec
SHA512 439422c50fbefb06eb2165c0edc471e6a9cf6e479c8087af79df96e33b02b2c1960b83fd3baab36bc5af271b1d8176a04b284ab66f15ab11c9d036ee51097af5

C:\Users\Admin\AppData\Local\Temp\ZSMwwoMM.bat

MD5 5cc0a0dbd5560f3d70d8d4a5d8e654ad
SHA1 fba06b09b1ae0469eb841c8f7c9390acace604aa
SHA256 56ccc704642ae90577379684e87f51bcbb46ca9034fbee543aaadc766fd11069
SHA512 7704cafca82018aa218c35969481af48d851de605c57ca3bda156c9d5abebbde8b73795e4e17dbbae9c1a296fcaa3f90c3dd12349c703ecd2af4fcba28330a9a

C:\Users\Admin\AppData\Local\Temp\XiAQQsgI.bat

MD5 8b48ee567700fb1b64f28a75d8ee09e8
SHA1 2150af28f3cd136c6ee429cc3313f3ff44fd8cd3
SHA256 dd943b4f4f5b9c7308269c20fcedc8ef6db4e364e268b0c5ffd1fec5c3fd9217
SHA512 60962e9ddccb338d3877c0af6f41e83f10a70f2196547ab72bdfc2cd12b4970d73cd834fef8cc316d7f43bca03bd5449801bf0dfefb340f15211c9c13210c9cf

C:\Users\Admin\AppData\Local\Temp\oGwEoUEQ.bat

MD5 fc1c749fcee3690e991915254f592b44
SHA1 3eb44ef085b039a477f30db728f7db118a019b79
SHA256 1c5bdb576d1c52720249593eb5f378c543ce90b259c381bf6a98da53f83efd0e
SHA512 142acfa6168fb34897341f4ec7f122885d0b9a5f08b5d854d3c16f3c080073dd066517521c5407cd13634d2fe5d63ea7719c21bee312e1009f00817c2af4cfa5

C:\Users\Admin\AppData\Local\Temp\wasIgYII.bat

MD5 f35a28da343bb9dbbe1afc68596ccc20
SHA1 5f777a73384cc5a5c7f8ef9420da801ad26d998d
SHA256 ae5964aecf05a39cafb246e2713945faeda35e2fdb64ae39f6872d715a042266
SHA512 8ed5dd427867caaa7387faece98a2c7acfbe9479ccc7150b38346f8ecf4e9d6b5766ebc5520f4a6d8e153bdd9f964d103475e798bbde7e7fd8c9943c28ea5f55

C:\Users\Admin\AppData\Local\Temp\GssQYcQk.bat

MD5 425035a691066cd2dcb054046d893c0a
SHA1 f835bcb65ed784a33549045871a9932461d4d433
SHA256 35fc4273bc88d5cec24aba633abae83ee2577f6fba9dd9d4cbad20dd2d2218e4
SHA512 1c367a980b4711df0e38f6efa69c2c6c0957b3d3e100687df3734ca5dc65bdb36b7fdfa8bc57fae6159713028cb222b7b769cebc8772c0533a1491433f2990d4

C:\Users\Admin\AppData\Local\Temp\kKcIIkAk.bat

MD5 3fa96f6595282c55e75567b6464ed714
SHA1 2bd08eae8b3c49c2a04ef4fe10be0bea415a733f
SHA256 f7a4f4e6d52625d28a7136d76889763966544697c16010ef6c9d1f4c152b2b4b
SHA512 79ca410432f1a57ac10ac560b2b378e80ce81b0ea25307054fe935052bd9f9dbcc005aacb9489aee4b899fa7e2bff721ef143fb6c1b0ea79a30e89eadcd3f624

C:\Users\Admin\AppData\Local\Temp\tSwsgock.bat

MD5 3f10a50701c6a71171d4c18e9fc5b7b9
SHA1 abdddbc74a4a626a40da0aa77507373f9f15b50f
SHA256 cee525b61578f247b65f2149ea444557cd693700e42ac3fc0f9f58227803bb62
SHA512 7c6136a273d14e716ea35ac31d36e6240add9c25474c3924c0a538df51f2972c6b2f63ea6ea0a5e8b5e814c2ed221bece3c3995db942eed2005221b52c2fdf89

C:\Users\Admin\AppData\Local\Temp\RUsMMAYw.bat

MD5 76e8acab460d4e186912dad97dd9a44b
SHA1 8309d3c644d5b45464e8d20914ff27e5de1f4c1a
SHA256 663e776ea17af4594bc05649a56a6b57c9f2e0a816bdbbc9cf997eeae61749c5
SHA512 8e35c7beb678abf45626caafd002b2d2ba2f0f007d22cadfd472045aa4d693282591e211b04cee0063ce9e4054283e7aa03d6ec59d46f570f2d4293458e10c06

C:\Users\Admin\AppData\Local\Temp\taUMwQAY.bat

MD5 35132559adf9310db1a20b4cf84b4d67
SHA1 95342a2798054707bd439ed5eff79d3e0b191552
SHA256 d8fd7d761343ecf7af8552324469eac2d2fcbf0e64a343e342af27019f081431
SHA512 50ea2a6ec4699ce71920950269a90adfd70626781ad6b4972a8e8b6dfd0db6a34c38221f431231549b4047187de704b48f18df849fa56be927578f67156b544d

C:\Users\Admin\AppData\Local\Temp\PqEoMoEk.bat

MD5 246fab4e91fa323bb3d5466839cc16ab
SHA1 f926cd4dbfc8cfd5a06c54c92b3430754831638b
SHA256 382387f54a23f612ceaaf58dac92b0bd7e5dc39191b4b7bf966e9583236f6e58
SHA512 e1742e0dd6287d5191e38c096b3e893f43aa43e289ba12a1504e964d0f26852840ad391dd0d42a28ee5db0630a0085ed1d176310d486d6a81bbe4ccd33db19c6

C:\Users\Admin\AppData\Local\Temp\waYwUMME.bat

MD5 5e5977f760a1bcfc8d5095ed6e94241d
SHA1 4764753dc28c6035ca6f1ea3e5c6968471430db9
SHA256 ae4ade8049513d31d4fa9df9d745bf32ea43e49219ee594d7217e369351d1b16
SHA512 3eecf7a76eb4e87cf9eb5b81e64b3b16aaaeb54cc215e7d2fdf7ae3665b463f08a97365083fc00afaf95baf6a4e31d97a629e704b20a858e6b03f38c39ff6459

C:\Users\Admin\AppData\Local\Temp\CEYMIIQc.bat

MD5 1c8faf6fa36b16afe6454c42b10e59b0
SHA1 6b1b1c46807e5d9b59016c59bd3b391c0192beee
SHA256 368b5a231e149ec762ab81c236efc7a150538cd1d09efa4a13b0f33b5c930aca
SHA512 782c3da7167d1f0c6a45b0e26eb8950321e6a6abc88fec1a1f393c55f407e50b7b2d76a08dde36f873647cde419139f11671392e25aa056ee95df30c648e91a0

C:\Users\Admin\AppData\Local\Temp\NSoMQsEE.bat

MD5 c130831a5eb2081d1335812f0ab19446
SHA1 0a689fac382238d02fd0cde00eae45880395cbd8
SHA256 047339d26a775559782160079a4e60a1bd4d16cf59bba7d1583b9287d7047fe5
SHA512 9c0d5f8ec14bd25ae87f5cd8068f07621a4f339f05d4b8e656722057c8ac066c3aa89eaf7bdcac6fadc2b7d994bc10bed6698fd64adb9c3ee0fdf119a5ef0169

C:\Users\Admin\AppData\Local\Temp\jMUgoMsM.bat

MD5 f0a773c246443b170119e620ee0a6b11
SHA1 2c9f74aa77f3a49a3a3f5da69e5bf682804d2d9c
SHA256 7b6cdcb581e8d87fb3a1222da9e7bd7dd8ff77b724e8983f0a6607cd636cb486
SHA512 c61c55193d655b1bb4af991e1b121722ac07541ac0f9745117ce1173773cda9c2af5788e2bfe6ae156b05c4dd488a2040aa7d5b778d1f19e344cd11782c6f1ae

C:\Users\Admin\AppData\Local\Temp\zoYUQgso.bat

MD5 36c3c7e68d644875d2a83e93c2660aff
SHA1 65d30cb87380b88bb2d57a011e362dc848f99480
SHA256 ac338d04ee67cdfac144b7dd4ff775363769609835a22ca6be0c05621b91e2ad
SHA512 6010bc5ee67aabb3472643c99f60e0532493564e7d96ef0118de407672ddc15d289db4c68840c4c00dbd6b5f4432c83984ba300541be51b20ba92d0c8408558a

C:\Users\Admin\AppData\Local\Temp\NIQIQUYM.bat

MD5 cb133f059b0c6500df463dfe2c4391a9
SHA1 d3a0c185ac81681e7375a150ce78428377310c66
SHA256 e56e204a6371ae773f2c94b7619ef16edd41f8b2c27305d6beef8dfcf72c32a5
SHA512 1fd38f1956adfa0767812e7412f3376f26b380ef0a0cb07da81f6682b3ca8ecef8b700879fa6ee26f7c47b2c5110d15582060e8ac2b7d32bc503ef67cd8b402a

C:\Users\Admin\AppData\Local\Temp\sykAAEUk.bat

MD5 a5aa00a00d602c842b3632acbd5e2e94
SHA1 0d47d86fdba33473041a0418b795ee3b86723dbe
SHA256 3a98cd88897291effc2facb3ad38e06f74ba722ed999d0a4c3e4f4462c376e0a
SHA512 018f828f0241c2c2b222f9e30748077b206766959275ec0ff632573a875bee473ee015c57aa7d4933a55a95097d14b0a0c6da77d34bc859b797bef1a13d510dd

C:\Users\Admin\AppData\Local\Temp\mSYwYQgU.bat

MD5 e807804e641956d6639cf19b844b264a
SHA1 f95fce848a10c368bdcae07600b66b31d423abdf
SHA256 c78d0f19ae9588e0dd8aef6b643c171fc77d1b707f2ea804a3d424d6bbe4d7ba
SHA512 0f067ed42aa668c0af84c27324d66dffd30faedc3a20eecf6d705f78395d7bd185e2170f9fa3fd187c7b8d2de3dc17711c3c23c3bb08221cb832666738269ffb

C:\Users\Admin\AppData\Local\Temp\yiEUIoIE.bat

MD5 5d822d09cfa921534f1c510c8699f51b
SHA1 c1e7893882ccc0b9c47cc651acbcf2cab9080279
SHA256 100205701778c9ed575e66e1cbc39bf8a1212eec7f305cc48cb1cf6cb1e75eb0
SHA512 377a1dcec452cb6c0c7c308a04fc34d868d6edbd4f5dfe3f806c99e05efd39e770fc3633b7ebcb59b3ba0151bafb2989979ba9761bfe76324f703f09a919683b

C:\Users\Admin\AppData\Local\Temp\ugcMUMsY.bat

MD5 8828c79b360ada6638e9109d2a527032
SHA1 c876def1c105ff2969bf2a790373eb7c5750f93c
SHA256 814228baa31690b5a6be51460834368ff8963e7e2a64430a3e4e747d01007ce7
SHA512 5ed022c0466e483af403a54a949e56328be08b981ab2fca2155ff11fe235944829706366fcc9a517446d2d22dfb92b2215265ffbfa6b50e66f99bfa681b88892

C:\Users\Admin\AppData\Local\Temp\AewgsgAw.bat

MD5 2d8687add1e73476d3b9f2f3a9805a1d
SHA1 484b9aa2308adb72cf9ac974ae10c564f83d51dd
SHA256 18c1bc4ca462b2441417ec56f55c391026b2cc025c5e6415e872a15d642adc71
SHA512 8b44f96cda04f968b0a1a9aff72a4f32256b420bb64e8773d9ab516b0523a01c63e84c290ba128b439d243124613f499251c969d3954406c288f4f117db09baf

C:\Users\Admin\AppData\Local\Temp\duAswowk.bat

MD5 4fea02bbc5508636f0203042a38c9925
SHA1 0194f18df9bcb9e559bed8775a2818bfc668365a
SHA256 5881bfd93a533b412209ae3188315370cf9d8917cb6181830073d6274a20372f
SHA512 cc890b23b2be2037fad959901bcd720fde04777d25575a660a8ea1896f1daf02990ff3db3906d4c48aa90da8bcdb3be5b44c986563c72a8a1c9eaaf5e485ac6a

C:\Users\Admin\AppData\Local\Temp\bwkcIEwo.bat

MD5 e4ff6e90d9a3de26c251d47a59575bf6
SHA1 95157dc2fc4eed058ac304a814e7f0c3a62e9ded
SHA256 7bbf55983cf4d020958a8332438f2482278ec1690b978b8d8a3c6c161670d93c
SHA512 6f8c3139941922e71099f6a4d3065dfa0c4c52ad9121114ba6a17da08c697684cb7c6bbc5d909290709f7651b48bbe173fcee8364e7ae5f8a824c599b6bfdd12

C:\Users\Admin\AppData\Local\Temp\NoMAoIsQ.bat

MD5 87fbe911a0bd3891338919e1019a35f7
SHA1 02805fa91cb40c882e4dc2b28daa6d1d396c87b9
SHA256 568e35ed3b75e244c6eee41ff32bd9902160da1e8f7e9f606528ec6f5498cb6b
SHA512 3335269e25979281751ab579cf02f8917fa7734325568e63947e9f787b55cf18762d1eba67c2c3bc87b1e3eca9cebf1f2135178cc432baa8d1b8bb38377b2389

C:\Users\Admin\AppData\Local\Temp\ZgYIIMgU.bat

MD5 19c976b1907cc945ff25c2690ab56825
SHA1 7c82c16c8d250aa5c41c3219ea460e33e23929cb
SHA256 a0d4e4385060e4efebf55319c61296eb17e669326a4084483039ef71704de59c
SHA512 0910bf09337b4242495361769afab62b7251b9ca5cd17eb6e49b9c9f7d8711b383e633ec4eb0f6dda09c3fffd56012358b3c0123958c93e9b20785ea391844f3

C:\Users\Admin\AppData\Local\Temp\OMIYssAA.bat

MD5 fadcdc4d18454cad5def00c3768425ed
SHA1 54a5cec1b1942e0e5ce4c8a137e51c0c6235b6f2
SHA256 05b15e91a56b8c73cb8cb10921e89deb89c11acb75012d73cfa4d0f810ecbc95
SHA512 70ecbcdb91bae27e3a18bef92c30c2ed85b2977e71f7e9654544a966471761f655c492609a20fe2ccacc206a9fd3190212316a421caa933a7c0a49e5442ef86d

C:\Users\Admin\AppData\Local\Temp\kekgIUcw.bat

MD5 6188b342d9a08e67b73879edfec11ba2
SHA1 cf49c3465208e6d2e687fd39692864d15bd06cfb
SHA256 8dd7ef7c6ea7a618343163560cfef637dc50d36844576778cb39529d8e0a658d
SHA512 a0ededf70b6133a5b9ecfff2f5f8dd88b8b1c37b776be38aa03f07aed4482b102a81fb9b406b2cf748f83c1e26b40e5c57aeceb3ff5353bf08982e5919890fd2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:45

Reported

2024-05-15 11:47

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (75) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hIsIQIQk\EWoEssMw.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EWoEssMw.exe = "C:\\Users\\Admin\\hIsIQIQk\\EWoEssMw.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PeMswcoU.exe = "C:\\ProgramData\\eIckIQAg\\PeMswcoU.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PeMswcoU.exe = "C:\\ProgramData\\eIckIQAg\\PeMswcoU.exe" C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EWoEssMw.exe = "C:\\Users\\Admin\\hIsIQIQk\\EWoEssMw.exe" C:\Users\Admin\hIsIQIQk\EWoEssMw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A
N/A N/A C:\ProgramData\eIckIQAg\PeMswcoU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\hIsIQIQk\EWoEssMw.exe
PID 224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\hIsIQIQk\EWoEssMw.exe
PID 224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Users\Admin\hIsIQIQk\EWoEssMw.exe
PID 224 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\eIckIQAg\PeMswcoU.exe
PID 224 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\eIckIQAg\PeMswcoU.exe
PID 224 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\ProgramData\eIckIQAg\PeMswcoU.exe
PID 224 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 1212 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 1212 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3152 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3152 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 880 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 880 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 3492 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 3492 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1560 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 964 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 3300 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 3300 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe
PID 964 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe"

C:\Users\Admin\hIsIQIQk\EWoEssMw.exe

"C:\Users\Admin\hIsIQIQk\EWoEssMw.exe"

C:\ProgramData\eIckIQAg\PeMswcoU.exe

"C:\ProgramData\eIckIQAg\PeMswcoU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmMYQIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWosAogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyIoAgAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKsgMAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIsYQskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIsgAgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUYcwUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daQcIYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIwIcEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMIEooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggEkwEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwcgQYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEUoEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkEkggAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksEYgUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwIQAUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAgkwgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKEcQoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqIsswwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWAkkosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REMsYsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKgAswcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUwsMUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgcEoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAwwYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeQwUIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmgYoIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGAwQIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAQEgko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgwkQgQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsIMMwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQoIsYIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwgsMEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKQUkUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEcgMoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQIokYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCoMgMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkswsogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACgAAUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoAckkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swMYoQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUoQUsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKEwUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMwQAoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQUosEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EawAwkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKYIAIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkYUwogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCAYAkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouwUgMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyokQkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIAMckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcoUoYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoAQUsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCUkgsQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEsIMMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQsgQUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQQYIwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeEgQccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqMUIcUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeAYwgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWcQsYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCowoEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kucAoMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeMogEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOgYAAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMQQUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMQYEwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOcEUQUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUUgUgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoUkMAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liAcsEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSkYwsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoosMAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqIgUkco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hssYQAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQYwUYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmwwQgws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSAgYcMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoAwswoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQYQwEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OysAAYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIsoMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgUwscUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIYwMgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQwkQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYgssUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAEYgIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwIEAsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOsQUEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMIEcwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYoMokMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOkUEgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgsEsIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSYscAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQkowUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QokgkcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueoEEYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgQEIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkcogQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIsMMgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiwsMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIQQUcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgkEgAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKgwUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoUUsEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMQcgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgwMgggo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bukUYkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSokIgEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGsMIIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUIQkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAwMQcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSMUUMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsocIkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIEsMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKAMQMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGMoIgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQMcsgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSkQokcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUUwEwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkQYAscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOwsYYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEkwwwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIsUYEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMgQwUUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKQkEQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
FR 172.217.18.206:80 google.com tcp
FR 172.217.18.206:80 google.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/224-0-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\hIsIQIQk\EWoEssMw.exe

MD5 b7fd8a1ab91de74dc4f14abe28f87818
SHA1 942d1fc3e32905963a15f0a484a881541916788f
SHA256 663b00bf14dec62f628ab961d48c80628c5d794074657336ad4f2939f42cca4a
SHA512 81a05ca3cafd2d801bba5f6087f7e47f11c5a3e952b601d16bb47761c3bf1434d2c2c8856c1df6e9e9b1ade4754c067abf3cc8a36f3743af02a44e4da82145e8

C:\ProgramData\eIckIQAg\PeMswcoU.exe

MD5 71e379a8a71ce10e0042896fd68f06e7
SHA1 089a3a799c3d115bb9c2871e5c4a336a6d1a53c7
SHA256 2d5ff0a3df4b64fa64d9a53bd6bfb8c128ee8f622c4400e4ca6a36a302168ee5
SHA512 97ab496e2495691e2d6ba3e1b930372c8f66c3c5447069327a48cb4aa6020287e0604ebd69214f30d620f9d762445eb7c35ed087943961de0510007169005d50

memory/3068-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-9-0x0000000000400000-0x0000000000431000-memory.dmp

memory/880-16-0x0000000000400000-0x0000000000432000-memory.dmp

memory/224-20-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-05-15_617e906c7eddc96288b409e78c1ec01c_virlock

MD5 170555a84120985bef1afa430a90c465
SHA1 aa3652093aafc935d3d65b65954d59c9ba198b16
SHA256 0eba5399fee276a0834e1488637ed1bf611ca1e28da39f2abc6edb2c59d6c4c4
SHA512 cf95ce630a758dade0a7ddaa39abc5cd561a9ab2bdf73cd6abf154fbd0a84d63b04bf239626e987d595d75a6c009d53bf3a0f45b818c0512d3baae15add5d399

C:\Users\Admin\AppData\Local\Temp\jmMYQIgg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/880-32-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/964-34-0x0000000000400000-0x0000000000432000-memory.dmp

memory/964-46-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2564-45-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3960-54-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2564-58-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1928-69-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3960-72-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1928-84-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4580-83-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1112-92-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4580-96-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5076-104-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1112-108-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3708-118-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5076-122-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4080-130-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3708-134-0x0000000000400000-0x0000000000432000-memory.dmp

memory/976-142-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4080-146-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3296-154-0x0000000000400000-0x0000000000432000-memory.dmp

memory/976-158-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2412-168-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3296-172-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2084-181-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2412-184-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3004-192-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2084-196-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2436-204-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3004-208-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1516-218-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2436-222-0x0000000000400000-0x0000000000432000-memory.dmp

memory/768-231-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1516-234-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3396-242-0x0000000000400000-0x0000000000432000-memory.dmp

memory/768-246-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2484-254-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3396-258-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\hIsIQIQk\EWoEssMw.inf

MD5 023f8c4484ac67d0cd30423d1cd87e97
SHA1 a384eb727e3810ce15700a711a8b80c2498883ea
SHA256 1e3f824e000d7f7a38b9de5ce74c69b98860ff621e54802864e516a7a52bb940
SHA512 1dbd5fe0fde4c39c9bee9f26babf54557c77e02bf114923f46cff910ebc32b5e80ee29f1059723fe301840d3706f83bd16df029dd89e576177686adc25ee0b30

memory/2484-271-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1492-272-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1492-280-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1124-289-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4108-286-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3344-296-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4108-300-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3344-308-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1072-313-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5084-317-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1072-325-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5100-331-0x0000000000400000-0x0000000000432000-memory.dmp

memory/392-335-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1224-341-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5100-345-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1224-354-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4348-351-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-359-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4348-363-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1644-374-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4328-371-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4328-382-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2980-390-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3396-398-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4256-405-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1204-409-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4492-414-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4256-418-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3096-423-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4492-427-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1932-432-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3096-436-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5068-443-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1932-447-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1072-452-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5068-456-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1800-461-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1072-465-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2740-471-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1800-474-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2740-484-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2084-485-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4100-490-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2084-494-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1732-499-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4100-503-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1788-511-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1732-514-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1788-522-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2660-530-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2484-531-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2660-541-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-542-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoMO.exe

MD5 4fd4878e5992fb384d355eda36020cce
SHA1 04dc992d27087ea8410a620e99431e3edf1a73c6
SHA256 e2d2db3a1dddf69b70e4f8a293cc38c349ebd8e02f17a3c24663b4bb4818534e
SHA512 75ba31507253833cacc5cef9be885e367e54ea0307e5b6987ed0a4bb46f0b2816b2fafcf359e189ac0d2ce8c13bd3c59b885013d191f5cc07b665fc6fce909a2

C:\Users\Admin\AppData\Local\Temp\gUku.exe

MD5 8de9d2d88c0ea8bd75735a77735277b4
SHA1 8cb49fc4fc149692f6b62fcc8583c1308394908d
SHA256 216ccffc93759a509509f576362885ec96a97bd4756476199d0db3e30594564a
SHA512 3b22fc44f602ab8b70933ae49103e5bebe1fe674ef6489a95c34f6ee8b52155bd994ea8f0b995d391c290516e46fa90841090d77511a7f1378502443ed906e0c

C:\Users\Admin\AppData\Local\Temp\sIAI.exe

MD5 509d981e0cf1c403f6a00da57d1968b3
SHA1 2430d1578cad2493aad4c8076b1ce713621a599b
SHA256 0f708984a74e29f52ee3478f0461858b1a0b1a93d656b3006ff1d4ed0dfbd1ec
SHA512 967d038986af4d72dcf67c7b73df811b66544154f0607241893376c939ec0536f3e5d1a0cd5e9e9f075a712c8fae320813d09a5489872e1670b81b9ae9f02378

C:\Users\Admin\AppData\Local\Temp\sIEE.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\DwwI.exe

MD5 0da6d4eaefe326e10ae33d28f5724fbf
SHA1 c3cbb78b11e91c85b12c89deaf46ae5bc94b48fc
SHA256 61b354c62e94afeffc7fed5ade149fd6aeb004b94d29436ce2f79c67900d51bc
SHA512 80b9e3864df9ca1527ddb183e2d0680ccc61e36917573e44ab41f5c70a6c6ce1897859e24ade727e6a3e6699edd821a89c0ad78e968fb3c87d9829b4f2673186

C:\Users\Admin\AppData\Local\Temp\Hkcm.exe

MD5 379087b7e8405e3e9a7cdf7838e76785
SHA1 8be1452c034601346045a807be84ef132eccd33d
SHA256 bb06a2f48deb4b552dea8c4fdb440facd8c8aa0472b7704eb9f82873a2fdde10
SHA512 312ff8a4a58fd37b93d4258ffc42182683d73a088a2045fc87b698350e163ca7d93280e4b2029f1882cb4b39ac35734ec41f11dbb1e4f070900ada2d63dc7898

C:\Users\Admin\AppData\Local\Temp\MAkc.exe

MD5 6f7e28fc2db1c370a59db1b007573a5d
SHA1 87d185c9867c1f08610952e7d4e0fc1b664f5785
SHA256 d1a184ac36670a7b81af92c7ed923105121346045a5a984e033410351920184b
SHA512 e152eda84a842ba3c98e2cbcdd3d246cab2d57cba875179f41aec710f989562a6ee2f4e16906623c13b17f3c2d6d21e47878f222be01c6f94681a5e2be623390

C:\Users\Admin\AppData\Local\Temp\xwAO.exe

MD5 ece351f5c3f071afa8ba0affbb5edd34
SHA1 58f954ea2b1227a4b15b94bc54eacc8b254a71ba
SHA256 4e90a878b94cdcc624f65d43743c9737ad53cdae41c978199a198b4c0f7fa35a
SHA512 dace7e3e92d742eb0d7d73417ee78a4d522d8311a051da9d2db0db875f6e75d3a5e2f37af802439fa6e6f2b1079c729b38f38046210d88a316b79cade0df8b20

C:\Users\Admin\AppData\Local\Temp\Ckou.exe

MD5 1aacead84ea6cba1f450930fddca81be
SHA1 f359d1aed9387b7d730cc06f9e86f084f195ac48
SHA256 ad87d2930c8674733b677b92fc3d9a1f6d64fee5c7daab9d6fe5be3cf08e5061
SHA512 a71043b8a25892be472f38831e9baaa5f824508837df22e7c875440969ddb7e8cf429e727161518a3382bae00b393d10913ebe5b7d8d0e5d15845b5740ea4af1

C:\Users\Admin\AppData\Local\Temp\WkoC.exe

MD5 f8d030390759958a4dbc714d4be10d0c
SHA1 b9db0aaa83ab2223d48289d185bf668123421871
SHA256 a3ee8b034594e6972a2242166ba57461de9e9ab62c8889ff7917b98c78eba5a8
SHA512 a2e31aef1c303486cf8cfec1493c047470ea68a22c4b9b5759305b1c15b28e510ab4bdfdff0c6b21879f3eb65cf2d4a035f99fd55987d594ce6375ce40d924fc

C:\Users\Admin\AppData\Local\Temp\HUAw.exe

MD5 47e1274e1af3190b60858d783e8e29d8
SHA1 b0b9b942fee50a6f234d2d44d0b3cdaeca840ccf
SHA256 136601767a7b7d9f1bcaab3573194c7004b1ca8e7d56aa71946b951b4c2f7d75
SHA512 3dbe684e1c32993d003a27e9d27547d94b6b61a75b01e6d75472f11587ae7d920bb8883149626cf09e1b661dc2c0d679b9fbd4ba9ac676caef603c496fb97bfe

C:\Users\Admin\AppData\Local\Temp\JkAW.exe

MD5 ebbaa50803a4b498963d80eed682e69f
SHA1 0ebcfada117a4c820f3dfd756599cf5e5ca6d84d
SHA256 db3fa7c1b647e849d789cebb1c71f880ef42afba147510069a9f3fc54d45e21f
SHA512 22ffa38fd661f601dab9c4c9c7b2253d10c49fcae0eb6f9abbae200a115fbb973acabe9138f1ab58e2a9247d9c8ff7d55fbeda49b665e9ba286bd35ef6e4cfe6

C:\Users\Admin\AppData\Local\Temp\tcgk.exe

MD5 26ea6875247c0eff5ad117e49551f55c
SHA1 61236fab74eb6769209ef2db1fcbc732e4ed2251
SHA256 512b255d4d5c25f7f98e9fb99a4def6670ff606562b691aa0c460fe717ba1378
SHA512 67b4e2d92fdfe50bf5731d4c05f24d497f4d068269f4d5055569218c2bff000d413efbd7fda7f11ca5862d47aaea3a24874764a069f73f01f19ec9abd9b87be1

C:\Users\Admin\AppData\Local\Temp\tssc.exe

MD5 150483d84bef22087c2e460cd4e9452c
SHA1 05b483677d81d577500450669f6c4294db8b7abc
SHA256 97235ad86495fc231106a7cdf384f0e56a9df5716d3b7e6042a36c0f932577e4
SHA512 5b51929e4e3d618aedee2e8cdca379311a24eb56d37d8353f87902cf8d99eb4ecaa0479f11f038c588507cf564d3530d88643b5493051c9bf0e429ca8cc1a879

C:\Users\Admin\AppData\Local\Temp\LAEg.exe

MD5 321c39278b852944ad46f4fff70b3753
SHA1 7c42e1595788ed691d389f95ec99fb5b65047e0a
SHA256 e2704c74a4fa765a96fccf46a4a5fb443ea097ac799a8f2b01c52930c99302d6
SHA512 8e62f3cabf1f490f9a61b1d0e50822a7238b34b3a13def6d262143a54eec69a49c0fc6f9f1812b5a1068b6e62d639f278158fe4a1d8d5cd18e66f7f45c8af08d

C:\Users\Admin\AppData\Local\Temp\sUEy.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\CkUk.exe

MD5 1e113aba980fcab34e5bf402fb1e3694
SHA1 f3b1cc0d09ffd5ff36874dd7000482c1cd23be0c
SHA256 8a9e0f88883a3cbd6ef68d5440320d9684e5c2bb01c382ffd2be35f65ffaeee9
SHA512 729570681ca620653e18ad437499210afb7923ce155675999182798fbbababf5fdbb8ba47f15f1dc7f59db85a5bb6ac1c005328a5f405f3f529ed69257ad1f66

C:\Users\Admin\AppData\Local\Temp\zIQU.exe

MD5 e00aa971d93a4bdf01bdadcc8be11eb1
SHA1 761ad69f7af087203e2e29722791ab570c4a064e
SHA256 bf12ed06878debc63a38db1ad64c7347afa6f5e7e9172315976a215e08fe9468
SHA512 325e33f2f2ae90474ec80a786947235b79d4725d4bcc7de7b23ef281ac626372cf75b17690043874020fdbe3e2d60eae9b3f3f1f930b1384815297bc5d7959f3

C:\Users\Admin\AppData\Local\Temp\zcow.exe

MD5 16baff6916982f4cda83708975647288
SHA1 e0c058d5586d3b3689e6086f4c14c80521ee38f1
SHA256 de1dcc50dab9470cf14ad0c2a3fed331822c1d205ae1a5a730aa19a00c8e9434
SHA512 7df86fdb4f45fc4eed476c8a929251f52a3c70917bb81fe3e06cdf6373ae1d02f3010bd46a7ea377fd5bde90fe65aee02e8fe292ad1af233f75455c76a5f2220

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 d9eb5a6e277b542881a43b9f1c153375
SHA1 478fbad70a500c59b1a780e546bb75b93f4b0bf0
SHA256 cff44dee5a93b5f1fc9faf06b0db91fc6803d753747319898ae260a57cf9d631
SHA512 f7f368e056850c8d7282a27979bbfb895536b9066af745119f0489bfda23e9e8a7c336f9628018de3f787644fa1d5246d9573bc45eea3735928d45d2fb6e3ac6

C:\Users\Admin\AppData\Local\Temp\kcQk.exe

MD5 ae1cd42a8256efed0a276de08359eb60
SHA1 4205101a6f18645586c1b564b86797786bf47d0a
SHA256 e0888e64489cd2a7e0bd28ff0fd64da864aab5b9df3fcfef85bb703f7e6f33fa
SHA512 37a93e72c7684e55359037b4171b428e749c3793b1150420bdc8ea38ff1682b9d1e7c92ee914d8def0b3def5e137178bfb0a293778eebd4b34e6b8166855a0b2

C:\Users\Admin\AppData\Local\Temp\vIkc.exe

MD5 fe0a22b1c9577ceb5571be0623db0d79
SHA1 c3e8811b523da630f53392ec032401e182822ddb
SHA256 adb6fb7529d9c420900e17bcae087339adbf30015ddaa98a64e52cbfe4ba41af
SHA512 b62152dbfde1bfd0df8dfa419098a39d6c4523fea08d71eb05170053d916196a44f256c53bd051841c48df84b0e41ad476f794e4e504941586e728b3ecbf28f2

C:\Users\Admin\AppData\Local\Temp\rAsk.exe

MD5 b28781a3f70ab0f81c87128aa4c2b990
SHA1 2b29006b5a4c9173ce3eae5b59f265180c63becb
SHA256 bd5bf533771de7ac0c02b6b2df8db8d7433cb2bf3c35dc75c9c8e406f4551cb5
SHA512 42f38ecad56301f70ee13da4202c9dba342aa26545ee56db47ca0c262f381cfad33fa7dbaca28bcfdbb025c336e238a316f3558d3b6de432238a0ad199110b80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png.exe

MD5 9176576cd25df5d48a8548f658408ffe
SHA1 c4410a2da73567aebaea2a170667ed038f87b9ad
SHA256 65340b5eda3b1ad4743ec49f4ab5bd2afcc52ab7e0b1fb55d33709a0c4ef7ffd
SHA512 20eed97a537c3a70a75d134b9226939a50c246d026623a4ddd270222efa7c0058da5015c52d4253f6826755c6bdbb3b9417baf63a955cd6b06cf73fb08a13efb

C:\Users\Admin\AppData\Local\Temp\xsAQ.exe

MD5 e8095f88735c5102a3fdd5db64e601bb
SHA1 88908c35b1a4ad641e99cef10779cf0e2f64c655
SHA256 2e2003703974b7fbcbdbe25a28a42431643234fb97e8d4f6eca2bf05ee0b4168
SHA512 bfed56f7810124ea4adf86e7dc0495aaffe2e27e53bb31bf4a91ab571ec85a2a7cf7c362b43a36d3c73f76f7feed702e921a7630b531a6ee39fbf2aa0c37da4b

C:\Users\Admin\AppData\Local\Temp\BcQI.exe

MD5 0805e4f602114c090f51e2cc88dd6442
SHA1 4cd7795990f0af2ac48915758c74fd1d4bb81804
SHA256 b1741773bfc7e80fb4bd59e67a00d38574d16d4a70d8bd4cc652fa3a8f1de50a
SHA512 8c7df4281762b21ee2dc683fbab0594adf2b85a569bf47574aa7280f939ea61243a498b47aa0a0012aa274cfda8c4007723a78b5a0e11a86e57bc88c5b83beda

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

MD5 ce8c536d2e3d7cd997cb9380bcb17e9a
SHA1 994930f07ed2f97d3b92987888a3604918fe1820
SHA256 67c034f66c28bc42db52377ca7faf569c9e9799eb3052a59864d6e473cada1cc
SHA512 98971393308744269e21991d2d94cee86f911956d6d218dce8225341d83b0efb787fb1875e62dd6dd4699be382a40c52d418046b051eb48f3cda297a07f74051

C:\Users\Admin\AppData\Local\Temp\TIcW.exe

MD5 474dfe890a254aae030c95d4dd58a131
SHA1 0a008b49ce73df37c935566225fe675250112d5a
SHA256 b6bd9d304da1c1b601daa07f6163fe2ee139cf97ca7823be3b0e40592d4bf9d9
SHA512 21b5825040ac81951996d6183e142e33d91d1b02454c481fd100250e14033f5e5a76cdc86999dc7e59311f485944cfdf8c2586949ed49f62895ee352fd8959ba

C:\Users\Admin\AppData\Local\Temp\NIwy.exe

MD5 1bdf74743d3193f8bf5b789d85c630a5
SHA1 c71a2c1ac65e3507154750b4299d7b2ba412ef81
SHA256 599cd6f0739cb1d41975a53175644f94aa8f94f4b3accae5596054fa916659e6
SHA512 bfcc1cf20727a2fb2f56c71479f2a730507087d1e2c4ef7d7e977b3a0fd996cbd47e736223244319dd15ee3ffe2d55f216807b8ee1a097bd4a136a9e17bf951e

C:\Users\Admin\AppData\Local\Temp\esIO.exe

MD5 e79598d6284888c217e810a40a29a3a5
SHA1 6fe0109bd5cc9e5a2b5521527b5a9c6fc3c0b2ac
SHA256 972f64e04857f7bd5895f29a962253a83f4d2789f500ee9556b8e5e30e9404d3
SHA512 c833b9581a01141369b46465e7d5c06e5b3d3f6b2faa4d30efbc668847f51efd487a6e62e54126f1bf2ca8637f0976b6eb103534aa134ceabff8c430e3677f50

C:\Users\Admin\AppData\Local\Temp\qgck.exe

MD5 fc25a2b654355d911b6666fed888c8f8
SHA1 efde334fdb2ae5099154baddff34bae106a64342
SHA256 53d6c50a0c41d3befc7b47d8783f244a260ff069ad31bc53dfc6178c8dae8e94
SHA512 f8473d6f1313492e39ad2fa61decb531314fad496bfc51a3241ca0fc8658a9826b0911c215b31f6514c2733c7d8beb2b35c011a0dfebb41e4cf63ff0a7a8a615

C:\Users\Admin\AppData\Local\Temp\IUgO.exe

MD5 bc2a2ab3b97aeb11d90c9b3437be53b3
SHA1 e7665525308f3f2dbc8bf7e8260adfcf5b340c70
SHA256 d4e67f3e729b36fcd319acfe919bed675688775c30352603ceb89f504d0fcc67
SHA512 1a022f71c83e4425e614984a8f2df0f06356d36cc465fa629bf23bccc698b8f31efb8d08fd5d40f13ed6c22d80abe3277fac0bfb75eb1dd48305988a78cc541c

C:\Users\Admin\AppData\Local\Temp\agsW.exe

MD5 50fca46cff0fc0fb63c0e9c76a6cab86
SHA1 bb222dd3ac4b8b6d977ac164c5ffe8bba487d851
SHA256 b494e914a048ef9a6e76efb6d3aa023faea326ae5bf52943ec77e9e40d04e50c
SHA512 fbdec227355c966df4c4ab1dbbca339d97f817f3948ee090edc430e122d79db6c23d82c6712e5d8c7dc6eae46994d06e9218ff65a925d3882250dd69828be4db

C:\Users\Admin\AppData\Local\Temp\XAQg.exe

MD5 20288f2eeb872935c803e19f0caedd4e
SHA1 e419c1d394bcb84d9353585499500e8fa7863228
SHA256 95f9e4e6a5b6c9822e2054f2f1c2352ff7e39fe56b0e548c7820b8e68ce44952
SHA512 7203b2d7dc7d166f2e907218879226241d6ebc0d143b65e7a86007df0bce0902c124212ee84e891fe94f447b6b672991c82788e9f40e03d147b2f792bd7e08a9

C:\Users\Admin\AppData\Local\Temp\GkIS.exe

MD5 2d948d640938a998ab03347aa7a64205
SHA1 f25bef618cc2c200feb737f04f60bdc535c78775
SHA256 0b4eb025135718f8e707feef04f51bdeb27613701f631eeaa1488287e6ba08b0
SHA512 b303ab816057ecaccb8b094e7498fed1e587068eda55e332366c5c2ea5f7fea225d79588f39b06f9869e61d6cd92ab2505e8e9d8899510dab1f3e101337edfdc

C:\Users\Admin\AppData\Local\Temp\RYIY.exe

MD5 d6b2bd22042ed9f09ee2c6344d299f75
SHA1 76ffbdf9c137033b6bce9eabe624006c9b2e2a1c
SHA256 d520b79fb159c1470c3f8b384c42c5f0853dfa87ab009bc58c6f7f4ae6191ebf
SHA512 9a31b31a3191bae5327ae35f7feae63d8743e2a290e8111eac017674ccf4e4e6f15fcac3b5f50d594cbc974e5512d5f8c7e7622928d712fe3172b53a995877a9

C:\Users\Admin\AppData\Local\Temp\UYEQ.exe

MD5 b9fe278ae5e8a1be579a9850e2e7806d
SHA1 5bdd2cfa3d5dda1b4e4456a475c4557b87995c5f
SHA256 de0aef260659b7cf0e86483245462742bc413b60b9369a804a6cda2dafdc1ad8
SHA512 cb313e64d27501902a5f12647a444eeddc892a083a290212223ed23f06967d1c7a8fb71197906066e340fcd9f640346c51c3d0e20867bc8f43883a9a26efd5b7

C:\Users\Admin\AppData\Local\Temp\OoQq.exe

MD5 0854582052fbcd41e18b0d1d2f5f2921
SHA1 4c25febb3d55ebbd2c9649ce0256b144a888568d
SHA256 579fb0f133887b9437a56275b978dc96cbef47ffa226edd88fc6078f02e3a0ee
SHA512 2fc8ac429e642458e20c97c375be9e552444018566f0ae6f28977fcae233c9eb48dc9cad5b2a6a3a960d2a84547860a41ca56d7b7ef53c1a26bd73f517696dcf

C:\Users\Admin\AppData\Local\Temp\ikwg.exe

MD5 d1fc0b067308bed6bcb7db1d558148f1
SHA1 a390817e393aba16579b03e4c9bc993a37583d68
SHA256 84d579e7da3e3ca6c26fa01a6896a1e4c9989d50b28a86bd91fd108980648c18
SHA512 bfaab853926e603f33e4471a2f2f57a803c77e72e2e61a438ed83ff95527ff17940724143db11abd7c6e071fee434e8e325ff9addabf9000320215001fdc7bac

C:\Users\Admin\AppData\Local\Temp\mgIM.exe

MD5 616df97791e4018b6ff49ae5521390ae
SHA1 f6fbfe48ff9ac366a4909ef828a978a4479258b6
SHA256 f78d310b23aedac2a109617053d5f6d55f082b08f360995d646e69a30f7043ec
SHA512 11acb0f5b9dac8f7c893f7fa06647b6a478510cd0fde00b98021bd4c00f9e25f0d32a901c838cebacf23dc9787c45d308ba6fea09356122b175fdb2bedf7cc34

C:\Users\Admin\AppData\Local\Temp\OgkM.exe

MD5 9fae21c76579ed90e3aec4d7aba9b0ad
SHA1 567ffbcb8137c67509f2508d9a73311b32acb8dd
SHA256 8ab8f75035033a4ede42fbe46c9086e53e5cd731203d0d464a4fca06416e14eb
SHA512 2ed8162d78537c32ac8fefd5ce748ad7bde78cdf7ed000f50082f4b3ec64fcf7431fa5aa34420d02abca9e8ce5d1b822a4613506cd84770df387795d2669b97a

C:\Users\Admin\AppData\Local\Temp\Bkwy.exe

MD5 62cd63dc0405c964f3d9ee4b9182b748
SHA1 57f1a06287548a7f2ebff7a71be329547cabe7e7
SHA256 d6334cc8a451cbc7dc2a56885b8130f742eff5278edd1327868fa7ed56a447b0
SHA512 b54cd6068f369a9ba46e9769deeee905ad8bc1124c66f5eaa567787c179658f9765340259f55c17194fb3504e252dc209edc1a9ca5e26830edad6f0450207a53

C:\Users\Admin\AppData\Local\Temp\xAEk.exe

MD5 17791ec7a7921fb2aa8422a4f2b0f50b
SHA1 c6864bf706ef88e30e500054d507f60892483c27
SHA256 b8cef4c84ef97478957ced003596c3c7dbbe39159fc34b8067bfef0e6f528519
SHA512 05f23d1d0a469445c94a6efe133c3c6494c2b9fcb6c5dbdbc456314554662123ca1d84ad20a2a9eeee87606d363f3d954f39f8bf670e49e32de75bfbaeff753f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 7edd3623a20d96ff7ab726c6a3b7a75f
SHA1 fffd9494c528644be719c1b3c122541f5ba10f8f
SHA256 9f9f71715b91dd181d3cf386910fa033ea7adcf3ec57bc15216fe68ef3a5452d
SHA512 82831cda3f5e99926a6509cdd59c15100964ac92900d6614a380d38f3406f7a2c89cb205ad2dc1731da31da6e29cf5f67622672dee8387ffc298dd91ef9671dd

C:\Users\Admin\AppData\Local\Temp\OAsy.exe

MD5 f4f741143a9b36363e4c518ada09f460
SHA1 4ea4c7039ed9e2eaa6ec100f2db0256a6027f9ca
SHA256 29d65cded3df8102a4673a92415a91bea7e377a2d313188b4a513218526c9eb6
SHA512 29e7fa35dd198cf1af49921a19504211e37e058f8abe285ee4b931d2bfee6f96d51ded09deefd77e6c7535f2d225bd2bc644adde938aaa7001c8e8b96be1075e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 90ab260d0f377abd1fe5a4fd4c874964
SHA1 335bbb591788ff23b84e4cc2ce0a3300bc32fd01
SHA256 77561785567535c5c7ab14772c5803fc4aff54ab399bfe4b2e8baad91e079eed
SHA512 200e2be3adddb82fa839a764eddcffb9f6c02089106a48ef49dfcc8d4d0990ead9c1b0784073c296a01855aa41bed7c35d5e61a60e5e88730a78567e4c30de70

C:\Users\Admin\AppData\Local\Temp\LgYa.exe

MD5 29614d894aac495a01a079b1e046541d
SHA1 9c705da598abf14d8e689fa8249f2fd8493f1f4d
SHA256 fe6f604dee9d6f52c3d526eb9b9d2f696f1269d70f0f5d0986b0f3c91bf5719a
SHA512 491969a091a2080efa3088efd0ce4d94dc29f1dad251934918727339784dfaba3f05468ad8761934e1ef16007d15a33bd08e411175c416d685be48998181e956

C:\Users\Admin\AppData\Local\Temp\gMMm.exe

MD5 8872a940c7cf7df151820c5f0ef17f2d
SHA1 305b2c3bb3461389bff6ca2759045c72df5a0e10
SHA256 d396244ddb60c08dbf57c79bdbf5afff717b46429394ef8fd8cc9570f760ae8a
SHA512 1e95f6f97f283afd39f03bbdc4160c8a5bf8837fd16c459dfe3a770ffee5935d0b78c1288d429984bfe9d4c3297b5ad606ffe9ad8211842baa1eca3fcb947cfc

C:\Users\Admin\AppData\Local\Temp\HAkQ.exe

MD5 5330010e888c9b6d7628bb50736bf85f
SHA1 ecb3b484e8094e89a317649e11810b9c16eaabc5
SHA256 e7e0450da8b3d993c1e995343e700dd95413d46c0b61edcc1bda1e748e6e8f18
SHA512 9f033d4c12669b06cba7e80d345d580f82e7d71e79145675165df34da5925f0c28ea8dd509d42e80c0ee700ea615ebdb82281aa5cee1567980d79fca8de1b326

C:\Users\Admin\AppData\Local\Temp\DAQQ.exe

MD5 7d15a823e6cb27db5b239e72cdb312b4
SHA1 f5e81643863c81ea21303a75dad509b4ba733030
SHA256 a2c33f61907044f1c976ea4a51cafd8eecba2e2c7240f212a627ec8add088795
SHA512 e19af5933df5634ac86f60a680b7b52448581dc58822b475e040c5bea70eb7c9a1008dd5b6a7b86451b44b8fed6489c1543e4a7f6787f361adc637ae7aea045b

C:\Users\Admin\AppData\Local\Temp\oAQa.exe

MD5 ed164ebf426c6ebf0389e3f419866894
SHA1 f509b595ba6c11665ba04b3c159029c0412b7388
SHA256 0e2a4268496e7a1f486b6fddbd04c2bfa366f8b8360abb27c7c58c61335c80a0
SHA512 fdad829a5beb2949265be34dd64a307a6fd90dd8923220688f2c08964b3cafe6b4c1483ebd042893b1a5fff1738b06e57eafae1e305d870a9d9d3ee431ca68f1

C:\Users\Admin\AppData\Local\Temp\HUQu.exe

MD5 c85c93a1889bda5441a579836c845696
SHA1 1c39cc4b7b66aed182e436717fdc6b83c89c50f5
SHA256 ac92af643c346ccae7b75c1d47a963984e28604397c5bea37315ba0932c43d9d
SHA512 4abcb0f5768f9c606df7820052ceb2f9ed2f0acd54563beac1921bc9b0e3e93c68cae65e26f9acca751b73e4413b57cfae8ee3042ab9af141a5be1e1a334c88b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 d036b40d3de247d310793550fc4f960a
SHA1 ec3f2b874fe9855d081df033b9d80b7879f50e03
SHA256 cd93ef78951b001ee7cb2e3c36c02c9ac2d67ba1b3b19adb7277dab070232540
SHA512 d6785979e38ad40bd7cc674e394adbaea1d66f97c7b4932a9495034b370eb2da4089fac7b32f8cbc0afbcfac8d7ab9aeef12fda00bd6985d311d9fdc19e0fc16

C:\Users\Admin\AppData\Local\Temp\CYMq.exe

MD5 295309a76ace4847e29e9209c5c9a00a
SHA1 f2e0f46d2da94ddc6891621f6f56a2969b491c8a
SHA256 76589264a13b0a3099655c9d341be5131606e5d90d081739a504ca6f3fa8b12e
SHA512 8cc9ba0527e4ba496a47d4123c96fbecb5fd494fae33c18f5d79f875f053e22eaf79a6e1ce875b0ec55e9e453bf0c553729e9b1f2e1c56b66cb395f0cd528cb5

C:\Users\Admin\AppData\Local\Temp\bYAU.exe

MD5 a2274bc44bae568ac3120efeebb1b1a8
SHA1 213bbb986b4df0555e7b3dec8df1e099bc8f88df
SHA256 e14b339af2c32ddb6ffc677025ca96e55fff407ac1b89be4bb851c18493f30e4
SHA512 fe5ff1627ee1d86572f48dcf1c00cf03c41b6525b2bec60549bcc727bf2c8b04fc6391d67939f23e64699a32f91d48b33255b14b8920bac4a4b1dc416eb46678

C:\Users\Admin\AppData\Local\Temp\XMAs.exe

MD5 1eedbd3287ce561b14f03df0acf5eda7
SHA1 ff5f4575a2cf4ec91a49616d4dd387a854527839
SHA256 aa99de35580695850fbb4ed0c893b50af1d2475bd6b0ee9528c170a0c9774919
SHA512 a7721184d05da074534b079c33c6989bd57f0ca5f72ad271d717602ff676bb47fd93461a0809267d417c8a0efe70dcadb0cf703b956439ca99619947477b3864

C:\Users\Admin\AppData\Local\Temp\ckAc.exe

MD5 2276f8cf4bdd8599efb29ed0903ca94f
SHA1 487bb2ec5aa6d89a4307bc5013d3e9cd89f51f5b
SHA256 ebf5a390962c81fae56c9fcca39dbd49b3899660e5b0a0533e2933206a0c9fc3
SHA512 5bbd1fa04ab5d40a86d523e91056493b3d5de6a317299201ec55db697a37268b2f9e8998a8b9bf5d4a520a7f0ad55d6b17a200e3e01a2be8fc41b8fe107a6023

C:\Users\Admin\AppData\Local\Temp\WQcw.exe

MD5 12cfc3edf2a70563189dbf880ac36cae
SHA1 995175d86be5aa51289176e647e9e6431699f5c5
SHA256 1b4e389200e2b581867ab624008fa41e1b6029ec5d9218d88e6ae33b7a1215e4
SHA512 ef2ae64fa6ae1588d14a877d18cdf8200dedee3fb205cf5afabd2532bb92429905a9c32442b599099700c703f3394941dffd92f86c81159a64a0d24b9de20299

C:\Users\Admin\AppData\Local\Temp\FMEk.exe

MD5 7ae38c6812be2ddc570f23b2d1204077
SHA1 e8e8071e9c5239bbef84e6b8dd51b1ed665c90e8
SHA256 6795756488a068fcf2d2fec93978a1dd137d764fb678bc832c31f370c3858174
SHA512 b457045a076d742471f5be334a29d74b4737faff90b46225c670517f0158dad01410615c26c7aef0e9f69d87cd2ece099039e9210449341262e7f87f3aed4cee

C:\Users\Admin\AppData\Local\Temp\egcS.exe

MD5 bc31d95d0b9861ff135f7151543d0d8c
SHA1 9f2c72644dd45498954d5270dade504d886fe531
SHA256 1bb6c25b7f7f17d5555e3f1d63c3bf027d175a3a25f7266727c3c463dbfcd957
SHA512 fd7145efd7a3af02f10e54d7d06be15b2ca0d619a63510e87e669767fc1d6f6d85541e2ea804313edfaa74ffe736cdc8277f447caf1a224b9fe7fcf4dcfee989

C:\Users\Admin\AppData\Local\Temp\jgAk.exe

MD5 6bce02d659912bc89f3e797280736c20
SHA1 1bec7dade23739bb8212986bcc7660b9cb58acd2
SHA256 09347a7e5c87569b1bcb1be78885e601a86f733a2da08b706700820f7eeceb95
SHA512 ecb2aecf0a451591d1fdb36e0044932385e2e4f23942b9d90efbff38b9f2ca9e8453c8e4f189597584d64d6835dec788032a4f498bc952960f1ce839371e72c5

C:\Users\Admin\AppData\Local\Temp\PUQa.exe

MD5 3edc391929fb7300dd8cf2694c5bf55f
SHA1 78361e9591d98429e4d58b121a0e467b4ea7e3a1
SHA256 09ee1f0afb964d2e64ebd5a7ac36c6006e6a6834deb28bde63bd614e5cd5fe3c
SHA512 0c128bc8a388fbd2c86312ead2ad10fb77db11a7a9bd236c9f25e8b88b1821ea30eccde4a5c4f0e7173742b0a5ccd1c51173901878974edaa836ba8dfd61615b

C:\Users\Admin\AppData\Local\Temp\RMUE.exe

MD5 6d181a8eb3dcd9b4470c6bd07917bfcb
SHA1 cb77cdb330384a703c8e33841d1e2e162cca7d21
SHA256 4185863198b7904b92dd5ebef005b805c83733a35530e6b39b6ce0d6b846d621
SHA512 75151b83d05812d0cab6c38b28596f808c10b2b847a2b5ac7adaac9009e9469b8f534f715a3d4865e6e9047179d00fd64b994086f16df789157f624a4596fe0b

C:\Users\Admin\AppData\Local\Temp\Pgcs.exe

MD5 9a47e8552e100570ac797fb6dd25e54a
SHA1 ab35c010b2ccc165b763464e0b92c1111597594a
SHA256 5fb0a0272a56c57cf0a7c1d79ff289b2fd384f8d5b94498b0eb264a1a9f398f3
SHA512 e28973dda0548c29884b895abfebe64be268fc27b97682a354fdec51f5b2bd1a04a469783a76337518badb9500e2ad2bd34bd09cde52a925ec8bc1239f783f10

C:\Users\Admin\AppData\Local\Temp\fwMo.exe

MD5 35ccc20955c86ca605c3ad2de2d7124a
SHA1 326a7d373f8ad1ad30971e9b3fbc788ca1e70c8f
SHA256 b9e1000850d4f1ae487cd80e340ca667f0fe6f9fde50b5bf0b2838e193dea5dd
SHA512 49d4b554e9a88136feba4c740dc5de894eedbc1eb11aea125b383f8737cf2efa5c49709f2b63523e8986fe0dd1704b145b6daf6c996c0cac6724b3a219aff566

C:\Users\Admin\AppData\Local\Temp\skcM.exe

MD5 df36f72865910ef55daebdca040af6b5
SHA1 7892fc5ccc7168ce629603d83f38e9006d243af4
SHA256 0aeee51ca5146ab421a4d8705efd12664c4cdcef630f436c717747e6e302d713
SHA512 2d01f0a076817ca7a24357a18521f3a6d2a594e221c09b4b116f30ea2bdf166bbb9678228bc907459912a77320bb478f4554b9b4e46721cf547724c8a210e415

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 abf687076def6ccad092f40a9b716aae
SHA1 908f30b16659c0086fe15c9cfd6e420f22021cf5
SHA256 74df0bd34d7020c45977ec0dbfa5bfb536749ffb6ebf1f0cce0851d5345cc28f
SHA512 6d3a3915744c49c6e3505c9b4e0885237c173cee82925ff0581ec0262cc99f0e837a5710f9afe7cd85d5c1b34e22bad650b4614108c088bf8492ed4f97086efc

C:\Users\Admin\AppData\Local\Temp\uowk.exe

MD5 ebc98851539e405aa0a16a45ab3b3a54
SHA1 5f93f0b04155fff75eaf3c0b53b907d7a583a7f9
SHA256 ee5f97cca1ad229eca8a62a4f7534c893e5e9063d5c25a5ac67a67c0dd47fb0e
SHA512 0e23b90355c265143972e7188febd12cd4f849d665bf32c41b642ba4baa61dc3fe51f5fbd796cea1b43a5783b58b8b20c8ca016dab2aa41c6331ce6b4c92de3a

C:\Users\Admin\AppData\Local\Temp\KsEw.exe

MD5 eefcaa887c90a352ca68e015270c9e98
SHA1 ebc98786d7d8a3e2f8d69d9a9f9097a1cf11baf6
SHA256 127bb42e5dd8ab7f728e83df05b34236c73c7a203c68bf740ce03c39bb61a959
SHA512 e1da944d919df425cf9e0af06a658b88db8a888507d4f8d47a0bd9f1cdbc1db5b67f778d430790c6f95858e23363931a8f680aef0e6ef4e618d5692a0b7a864f

C:\Users\Admin\AppData\Local\Temp\pMEk.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\Fskq.exe

MD5 0662f6e11195dbc86f234179f210b5cc
SHA1 9d355777fcbc96918ca0042da2f5154b18bc3052
SHA256 ce5369e0e603e21f144155d5e5f6d58699d92aa685d12f3ce3bef5fa02fe8fb7
SHA512 cbff132a59c68b50fe47af75796f7a6a148f68b1856a4ac4e838a63d58dd37fd5e8ae4d17a3c17c4c267f08c3367c64d2fdb27cfe28010884b2f4ade441a9a02

C:\Users\Admin\AppData\Local\Temp\ZUMo.exe

MD5 77616bcaedde039b3588a8f539e305f6
SHA1 fc96244a05f37ec23e96d9b2097ba97927d7be0d
SHA256 733c5f5f3a11859677f76fe4dbe234f4fc762c6aaf42c315c4aaaae272cba42e
SHA512 a33e4979d47c3dc2725939c3b469b6154bd83d34dba30dbe27c23375af95e2a5edc7940c668e1918596c7b2e07b65cea8d09a9aab83c576bf15807b29f372eea

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 451d4cc8f0e6466f5e5e482fc30fe93e
SHA1 61dd6026748cc9ef346d11a9af657644106c2c19
SHA256 7b0312b675c7536fe9cca90709e2244d0219a00662ee7b99a1240f6fce940c6f
SHA512 7dd28c209b529895c16206e78717eafd659ab1b8dc96147753f533bc3992ade4948a3f180174c032b9ca72f4149a577dea1a074a25dc61111174a99144e5b6c4

C:\Users\Admin\AppData\Local\Temp\KIMo.exe

MD5 5a56bcc492c511a19d024dd2e01f2b40
SHA1 a0a191a05676c2ab65b2f10c2103d320953d0fb6
SHA256 ace85b2c6af51cc27c966b199f068b1cf5ba72ceffa4f2cc6b50acc7a7bb24fd
SHA512 8c8bde6634a3992ef728a94dbf2a7f6c19047a7b0cc5d07b8a8ffaedf5bd2778bfb14da6eece8a9dfcb750c458ed736f0076b814447b59c2c8dbe7df71e408ca

C:\Users\Admin\AppData\Local\Temp\BIAs.exe

MD5 5c3d7feeded3d675756541baabe5954b
SHA1 b30c7dd44098d401d1911afcc22e8264a2d6b1c7
SHA256 868051cc1c1713dbd1b3ee703ae50f9d7a81752e6869fa35fb62f41e4e6a733a
SHA512 3408c12fda50b38d7b18a8bca73c99854515e8f6b8414bfef810389cabfbc677f5837320a7b9ed3c277111498603df5f5f0aa90d64a0a0703b24fbddd5362f52

C:\Users\Admin\AppData\Local\Temp\qQUo.exe

MD5 c91d1b6d3252dceaf0cf3890f71169d2
SHA1 91b48fb84b8222e1e130166037790da58a75ac92
SHA256 f5e4885401db178427d55ddf3ec21d2c2851af2f3f2cc1d1d19e4d2353c2ba4d
SHA512 34fe1b9cdae795b5949227b5c396edf2a1697c3f8d3d5c77d9331194dba99b3804fd23a4148c2a911c11fab24c28ba9c197269268db4410c87913297af56419d

C:\Users\Admin\AppData\Local\Temp\eIEC.exe

MD5 8dd8dacfa7834a13d4fa13ed4846c306
SHA1 ba7dbd41f89bb49f43bb31dc2af28dcfa9dd52b3
SHA256 3bc218a3f770575f4516b178d5242d3f5e7f24a63c30308b7d6437f79684e824
SHA512 b91494b7ab0f04821b529b6891311108ff2e053c804d84c1fd92151ad45f6d1742b38038f898813356c1992d130644f023609e0cd4caae276916419bc5b94802

C:\Users\Admin\AppData\Local\Temp\JsYC.exe

MD5 2e437f54181b44ff8512f302430d2825
SHA1 508660c9c80a9b25cdbbc867177dd394c64b4e21
SHA256 f2599040c1092003abc0b21570ef3a4904bfea61d7a5ab97a27a416419efcfc7
SHA512 6615f365f36b18bca690b49cb0de6cd8633320326e2ccb6e59270693ad617234c79d6c9859d2652a41d0b34a4ada14fdc782cb85a30e62ef7ea9ed78439281e2

C:\Users\Admin\AppData\Local\Temp\HUAg.exe

MD5 8d9f42f5a409f2d2fffe23820ddceddc
SHA1 e160f6a2006a421bd1405bf3056d0f1fc7344d03
SHA256 ff0685dee004c2f25abbbe05157da1d0fe63c7c11c0ddbfa70d399ed6d5336ad
SHA512 14b80ce5525cddf03416983c7350147a6a9dd13fcc01b7725a90cbd046abc3eb66c256ab827610dec06456ce48339de3e8ce03264f168d62a3d31529da238cee

C:\Users\Admin\AppData\Local\Temp\WMAy.exe

MD5 cb54ab179c20c26e4d09544aa855206c
SHA1 ad7f6fd93cb7066b8beed80bc0b2734d2fff14aa
SHA256 4982d287e2437d45b4b2b25fd9da85aa2d3943e1129a75f03bb77e276c69e485
SHA512 ae11daaef1ba09b275a9db3b440f875d6cc5db7fdd83c0abe55288f463af8fdb17c9188b1b97ae2ea3ea2c216b427d9e181b05a4e1c9e060e3a0e1be62fff59e

C:\Users\Admin\AppData\Local\Temp\OEUC.exe

MD5 e1efb53bbc4b67512efda1464820e801
SHA1 e27fc78de56b6758acbb2da5ac26c2953428e47d
SHA256 2c2e2d0919ee1b619bc0aa053eb3573002dd8f79225f63e02060c1a27b5831b8
SHA512 ab6961c6c5344cb20558258e4b9c704d38f61a0d26cfda869474cf5b2332b9ddf64a53666971b085292c3e4cf27c4831a0c513ae9de16f90c2c384527ed9b563

C:\Users\Admin\AppData\Local\Temp\ksMG.exe

MD5 dc30c43aa5259a6f1810244d3bf374b4
SHA1 9bbf085581e63ce0783f31d347e48bb4102c746a
SHA256 50e0c4593a977c5bc55004347f320aeb50b0de698db96f0ae4fce081333402ac
SHA512 519a94227f4e788e839f7c73f3429a49e37067c78e6b2d6c151caeac4ec7c315d00ef20a7a10fd0f69e8e54dadfa84c89e8a7b5579fb9a9710e370e1c816dcd7

C:\Users\Admin\AppData\Local\Temp\bMQQ.exe

MD5 bb25e46b769516c45994383a67318b4a
SHA1 55c65feed4ce717d194db57614cc6064f615185f
SHA256 0a8e8c6831102170f7e121d3bd2565eb4639dfd8df9ee1438c033ddbf5485ef8
SHA512 698426b2cbb361de4ed650aced96cd75e1944c6086fc4b87c8d70c9e8c455e10b8e1771e7ece9beb28e36b1924916d31db2110b44437ac76b858424dc3ef2dc8

C:\Users\Admin\AppData\Local\Temp\kcoW.exe

MD5 fe59aac955ea59bec78cc21e1cf3f788
SHA1 fee1d478d37fe55093cd5f05af09642e48c11e05
SHA256 2dea4c809222b0b21245019fd5a5fbc6646331681053a49281f75f1dabaa6232
SHA512 1b05b4c444fe3dac11618391f78a92d011e62aa559d159d62ade29bb3bc45ad207cf154f7ee81a6560e32c85490b67a067973ca11eb4cbddf34aaca718c339bd

C:\Users\Admin\AppData\Roaming\StartRemove.gif.exe

MD5 5ba8a03a802275a05d81391bb5d56f02
SHA1 e1411669155f7087328b3a1e2fb1fbfa434b7968
SHA256 4339297c5b811db16684b48c49f9c6fe2b4bf28c5290b1f265fbf4fe39244df0
SHA512 215000439bc32e7819acb80106ad1b6983214c42413e776dab2700ed6dd72bf073a929d1552d7b4ccba2139cb1860e8f20427d73c874868f1e4b7ef3804a54be

C:\Users\Admin\AppData\Local\Temp\BQMU.exe

MD5 5d79c4e5175120eb46b84d2978abb35d
SHA1 1fea8bebe0e7fd23cd3d88b00abd1b9b831b557d
SHA256 91c8d1d7db753cb464f7c3523e0bdbf1fbb5ad90a92ec06c3d3c732d76c54fab
SHA512 690fbbc984f4cb58f0be47d03d189581d517db48dd6d24841fa3dcf6072b5eef765a80d448689fe4c89150b8d711a314dcadce2844af6d95524ea597d4dba0d5

C:\Users\Admin\AppData\Local\Temp\PowI.exe

MD5 b0d742c83b7bd32b536acf2f1a7ccf2d
SHA1 7aed44b81688d0f49761f733e43e1cb716ab99c1
SHA256 591524e546086eb3cd5ec016e52aab914a3ea67eb8bd726f3ebf5694915389f4
SHA512 7c5d3452e533f87a73d5be7384bc7fcc9122464056dfd79220b43d3f8732fcd766f72f97bff9c973b1dca6e3de472ccaeae3aa68d31d8b28ea69e69e46b78d03

C:\Users\Admin\AppData\Local\Temp\AoAo.exe

MD5 5fb4150d2027f4192b0354c9812e6ed9
SHA1 df2e1f661b7ca1197ffe04bac13f82dfa6b0edf5
SHA256 1ae18192ab2671410d738f0d8612ce35e9e5912c792e1f5a840e28a83da146e6
SHA512 b96ca444c7b833233ce57d2fce4c304afe4b7f21f8f5027220ca0139e1c5138960fec6642032330bd4f43519720590113bcbcd2ffa779caea0b0d3d2c8b27148

C:\Users\Admin\AppData\Local\Temp\YUgS.exe

MD5 ec723b24cb9e11addfaf9ba994fabef7
SHA1 d1b2a59a31a4d72ee0490e2fa621ac65f13e35ae
SHA256 13f31611068f71f68760d0d4e05bcd93aff451def1005323e0a581be6c230c14
SHA512 5d9367e7a540958d9da1684ca2a31c4a42384aeb794f61ed2327689692a6fcea3644dec856b3022dd82eceff4f226a6e3895039ea153e334bb0286cb4bfc43ee

C:\Users\Admin\AppData\Local\Temp\MEAE.exe

MD5 3fd6237c2759bf4d4ed742818e9cf4b2
SHA1 285ca57f65868ea17877a4c85a07ff7b68e5a0a8
SHA256 a7d320823df9feaf256cee5a3b336f95c14d4adb67a78cac2985f0f3306c4dc1
SHA512 36b7805e9669d6696f3403795c8dfb9322c81aef8ddeb93349d2ce9279daaf1ed8f94cb6707907c5e93b57ee8e635f564be614e81d8e238a9daf42e9a8e15261

C:\Users\Admin\AppData\Local\Temp\hogk.exe

MD5 59b8fb8b4ae4b47f778fcce938ee103b
SHA1 f2605c28d70307215525572deb2f70f461175824
SHA256 68527aa63b504651bd03afecb740b69b8a3e14a5447ed3a871d71be585a0612b
SHA512 515a61c7bd803a4d1e52aa74536d65b24da006462a087b1974a6b7a4a5fd570f1e50fb4fbbe22cf2df1b9ad0774bb1c9f10549df98ec45982b00c359226bbe51

C:\Users\Admin\AppData\Local\Temp\Ioom.exe

MD5 11cb4314f256aa8d50159f92d78e6d16
SHA1 280fb6442069dc68da9ae617e0ebfd7d28ee77ad
SHA256 16ee9a4a988a517fa03d78d3c51ce4d4d95f5756df591627fe548ab128eb71a7
SHA512 ce19c0ac0c3e7098a9f7571e4a3b49abb122e683ad58d490ffe42adb9e0d17c24c090a33b7cdb95b3a91b91bf7d706aa2c3c3be4a88d35ab6d289337d49c5091

C:\Users\Admin\AppData\Local\Temp\MEUC.exe

MD5 c59759d1dc75246b8cf85927b6fc28c1
SHA1 a3cd0c758f9ff1b23f148a41c3c1d05a288e74fe
SHA256 0b94868b23ac0afaa0f4e9b2de7d3a16c129d664811c3fc812da2c21f08a1513
SHA512 6d7400c70dcc06752f292d387a6c8f1e025a5a61b7a9fff256ef6df52572c412d2f691784b202c522a7fcf4996d8b92816c3d51286c6e5ebe4e654bd0f5bab55

C:\Users\Admin\AppData\Local\Temp\HkUy.exe

MD5 ffdd3343446e2cd6534870a093be90ea
SHA1 f97e17c193ebc2716e0e0b67c6ce6e00d453dfae
SHA256 cca5133b89c72a5082d7114e2359e4c0852b0931a93d9c05fb60b26b494dd8b8
SHA512 6ffd38f68885acb77835f68a49469e7c5923c4ed853a0b29fc74756f52abac85061520526e4ef7d6afe3ef65c9c9afd1af431ede5d5981b87f1794b0795dee2d

C:\Users\Admin\AppData\Local\Temp\rUgu.exe

MD5 2a8bc66ee1116fd518a5315eda3b4562
SHA1 081095a42e2c39bab57bd816c67ae2126e9ca623
SHA256 f153c5c61a8dfbf4cac773f5e0c52991d2416e33a2ac3ce15abdf2650812d379
SHA512 65f1fc7fc968903472be70dffa2067877a46bfaf09ff638b27c549072aa8c2118a2a5b8db9fc093b214eb98b7c7b8712c3645f4224860bd79704ede0ca03c21e

C:\Users\Admin\AppData\Local\Temp\sQou.exe

MD5 c6a30f95e6a4545b784054eae9338759
SHA1 f644ba3f735bca4715693860ca0159cfb175718c
SHA256 6db76c210cfafa47844c46d5603a65aa84d960764e5a99a92a14c23b0376f4a3
SHA512 8777d841c1f230fa871d14b9df6228d70dace9721f49314bf1e3f03e1ebc7b78ce86e1d9f3a957b06c1e7410882121b48cc7546dcca70a91ca9a48a6e4434612

C:\Users\Admin\AppData\Local\Temp\eUUS.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\bIIE.exe

MD5 ab8ff6ad6e5375ec7e94b911c35b9dcc
SHA1 1992312d0a67cec6185642e8ae1bcadc19484027
SHA256 78de537d5ecfffcb01223dfd692a03b709e7c9f805e49847d7da1cc1a7193d52
SHA512 c2f94459472b287825b7266c82ad67edf3fcd211c97e8a75c0702dd72aaffaa5d7bbed01bfd2021a1e84fde4036898b80c1f3da8a39994a68a1c51f4b297cbb7

C:\Users\Admin\AppData\Local\Temp\mwku.exe

MD5 8c0ef4eeee51ead7213bbd036259830e
SHA1 5dbd051c7adbbb07f0dffa86e4d18f325c65a637
SHA256 8da99f6ad632bd1e4896454bb7e9cf628c9b44fbe8cf0f12dd96202202211d7c
SHA512 c30c606c417e82e83de927c8ff9e802de25ef419ffcc268432cd401a2553beede0754c72f4e293d7580e214a4e0914e6636dd585fe360738841f767dd315a7bc

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 6881f505e76dc66d8c2f0e879467fb65
SHA1 e4336d5b3a52593f73c5218b31f1ca12fb279680
SHA256 13d379a79246f691070e874939a25deec034dd2e17b34acbd09125bd952fd229
SHA512 24c5c96cd70c102893774b80a34d0f900d2d89edc7e633adf3c9e2b598e1944353d231dce20692aea5285159adec102e088d6a17b67f48c11b672ca8b82806c0

C:\Users\Admin\AppData\Local\Temp\bswi.exe

MD5 7770798637fc504d1d7f6f39cd24eab6
SHA1 ae789753b5c11554b435c78f27e5d1e1d1bb1089
SHA256 83bc13b1e00133653f857b8429f1671abf3424246a1007f391069660d7b36ded
SHA512 9305dd2fceff0996830193940c5b9a5101c033326c0bba413c6636731482608eeb513d09df9cdc288f67edcf05afe94ffe3bf72e56778f5aa9fff830d7db4c1b

C:\Users\Admin\AppData\Local\Temp\IggO.exe

MD5 03e8e33e87508f4dc8acef1b20a18b51
SHA1 9cb739dda37d9e7aefcb68f8be0a987ec099acd0
SHA256 73854612fadb016fd5848086a2d722394e9aa2b0553d22ca70a0c7742df202d8
SHA512 b32572a792b64042bd61ea3caf83be2a5a02f0fe87c2b03a6de1869bf184d0f81953f65afe58d4c28e5a432c3d3ffac4f261982ebd2d9a5e2f0c99cbb70670fc

C:\Users\Admin\AppData\Local\Temp\lAog.exe

MD5 5d4a1232e8533e28156656c274ec20b1
SHA1 817785e054c3a3c8f78c9024adbd36fadb6e708d
SHA256 ae2a306fd8f303e8f5482e6b028fa589b9cc29b202714f0a68313928117e9bb3
SHA512 319b7cc3be18256053078f80d6af738fbd784ba467a863165580a3f002ef3792e601b5fa3e99a0a87fdd4f337c8acb42f2ae39d3da8d71e277853b2f62cfdee4

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 a9faef2fdedaa9d72d4767b4364f59ae
SHA1 708686dad908b177fa5733eb67170b875a355818
SHA256 3b3d8841f2cf2ed526fa9cf29fc8cbe6eb116c7e57767aa15a1c9bf94f768996
SHA512 dec45506c2799d4b75a89163be81df3959394c04e4cc9a38455730c036b56f87a41d1acd0a20f7ee4277b1cfe9171120bb3713b5ee8e1df324c48530f15d8f22