Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-d1pz7sea25
Target 2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock
SHA256 69aeaec4d5c9e024ff15234ae8bc5aaf97b98f410e364fc5109a7c1c36f0a168
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69aeaec4d5c9e024ff15234ae8bc5aaf97b98f410e364fc5109a7c1c36f0a168

Threat Level: Known bad

The file 2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (80) files with added filename extension

Renames multiple (58) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:28

Reported

2024-05-26 03:31

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (58) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\ProgramData\QSgEockU\iIQcMoMY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImkowQAc.exe = "C:\\Users\\Admin\\JsMYYEgA\\ImkowQAc.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iIQcMoMY.exe = "C:\\ProgramData\\QSgEockU\\iIQcMoMY.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ImkowQAc.exe = "C:\\Users\\Admin\\JsMYYEgA\\ImkowQAc.exe" C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iIQcMoMY.exe = "C:\\ProgramData\\QSgEockU\\iIQcMoMY.exe" C:\ProgramData\QSgEockU\iIQcMoMY.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A
N/A N/A C:\Users\Admin\JsMYYEgA\ImkowQAc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\JsMYYEgA\ImkowQAc.exe
PID 1608 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\JsMYYEgA\ImkowQAc.exe
PID 1608 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\JsMYYEgA\ImkowQAc.exe
PID 1608 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\JsMYYEgA\ImkowQAc.exe
PID 1608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\QSgEockU\iIQcMoMY.exe
PID 1608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\QSgEockU\iIQcMoMY.exe
PID 1608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\QSgEockU\iIQcMoMY.exe
PID 1608 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\QSgEockU\iIQcMoMY.exe
PID 1608 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 2600 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 1608 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2684 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2864 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 856 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 856 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 856 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 2864 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1552 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe"

C:\Users\Admin\JsMYYEgA\ImkowQAc.exe

"C:\Users\Admin\JsMYYEgA\ImkowQAc.exe"

C:\ProgramData\QSgEockU\iIQcMoMY.exe

"C:\ProgramData\QSgEockU\iIQcMoMY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwgMQwsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYwkgcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAooUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nooUEowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcQAcQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIkoIcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hesIgowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEYYUgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeUcUYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YaYAQEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ouIQswMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZOYEQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PawksEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqQEgoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMQQsscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GAYgwwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAEUswsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\imYUoIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEgsMcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGEAccUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FikAsowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fusogAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiscMUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGUYcUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMQwYwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAAIockk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGYwUsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMQAUcsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSUsMYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwMwYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkUAYwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSsoMAkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGkMscYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUMEsYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kKIEccco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmoEUUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DiosoUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vEQsAoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsIQkAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIEosoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gAEgUkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIAYgEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmEckgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqUUgYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuEEQQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYQwUsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwEEwcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkIkwAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWsIsYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGIwoYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkMsgEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkosgEIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQUAgQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUwMEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGMIQwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MKsUkgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwwcwIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\McEAEIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MyUYQUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcUoUQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hiwEoMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUwMkcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoEgMEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YeQEggIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCgYQcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyQkwQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYQgkQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqkQgMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaowIgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMEsgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saAMccks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMUUskgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaAgQgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AooosIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwswYscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyUwkEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dyoMMYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkMUkAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCgowMkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSYogwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAccUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NswUIYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCQkEAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LcowoAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkEIMMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUYkIMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWkEcMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ycAYQwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqkMEgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmckIMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14712253531599511649-1300563445-9152581221635569782-1965350524-15639560141513202280"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1642489765-18784027707190508631243807527192807403214652285471261492331360081056"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiIgUsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQQsAIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyQQgYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NSwgEgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jGQMAYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwAkYwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKIYokQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wicowgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gogYcYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YoIkoIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKYQMYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCgYAkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAwgQIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWIIkQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAUQcsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oigkockc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SWogsIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GGsUgUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NwAQMUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqMEskgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XkwQkoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCMAoMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCYQUYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqIYIIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\usIwoQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eYUkcQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1608-0-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1608-5-0x00000000004B0000-0x00000000004E0000-memory.dmp

\Users\Admin\JsMYYEgA\ImkowQAc.exe

MD5 5eea77f4b2b471eba84623a6aa0a077e
SHA1 1fb747a3adbc02d1290b0fd5bf588f8c6983ad8c
SHA256 8659e9384bae00ee59aa157e8fa6bb337a928612b0c276c333af8f8e114525db
SHA512 4a45765fe57d92c8864429ce043ea198b93eb4cef1f33092e9cea6a3938058873e7d15ac7a265bfb1ed89c2e874290afe3bf66ab17eb5a5b26316ee4a9786175

memory/2980-13-0x0000000000400000-0x0000000000430000-memory.dmp

\ProgramData\QSgEockU\iIQcMoMY.exe

MD5 21bdbb8c3f8d58148922de45385c360a
SHA1 b124b24a0a7928fdbc3f1a9868c0db135c7071d9
SHA256 68eb275afb2e7ff14aa84c6b556cabdda7ec5f7b2dccce25080408547ab56b51
SHA512 f6c754e7aa99699d32dd92c6922f861bd11120a724730b8c5e856de6bb9d31b1a10fd22e1331d3a0168bab393be82c11ca8eca7b4d82255bc65c0c061259ef3d

memory/2604-30-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1608-28-0x00000000004B0000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EUAEwQEU.bat

MD5 ccc9f55bbcc473585cc93d28292a1d2d
SHA1 0440d3cf853e49ddd9a24efe6050467e62aa73c5
SHA256 592ae0dd81b8322f7c69d9c05c1f8f3fd7971514f11999b83a78e1d9475f72c2
SHA512 46ce3e40080125dd779b38b5446218096a2f57854bd65da94d477e83ecb59b061c0838edf948b2c0106e89ee19a734c7b30c17152ff30ba8d2435cbb755e0897

memory/2864-34-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2600-32-0x0000000000130000-0x0000000000162000-memory.dmp

memory/2600-33-0x0000000000130000-0x0000000000162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OwgMQwsw.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/1608-42-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\ggAcwowc.bat

MD5 d94d41868d18c86ca856fa68dd9cdcd9
SHA1 4f5cde7733daf886261e7224aa9e0bf60d8cdf2e
SHA256 c7bc98ea469a99e77f2fef67b35a060298f21911f036078c9a0b4fbce61b05f5
SHA512 88343ed54512b80d94c3e80ff1aba43d28dfbbe278cf6762358f9bdbfd018478b3d93e79a4fcdf217c57242a4dc3b43751626729f74fde07e5b7c94fd6427407

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

MD5 672a1f1de82c3076688c129d2c89d0e2
SHA1 02e8f06ad6888c9fb28059f5eac065b7bbfdd365
SHA256 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363
SHA512 e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

memory/856-56-0x0000000000200000-0x0000000000232000-memory.dmp

memory/2696-57-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2864-67-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yewMwYwA.bat

MD5 8c553f2a51a72bb75b58bf1fe5a1a19a
SHA1 5484b5bfb18cd5ea23c555c5c4f4de7e9bf7eba7
SHA256 2d2356e77edba3c1849645c800d6eec0e916dcbc3ce8316b266b58d5da7123cf
SHA512 922914bbeedbaa531f19c13618da2306cee0f461c6d37904c2072ea6d1350ded210b4a7f8cd181a4fe545e2d1645a16b2c844c92fd8c75e4216fa101282ac7ba

memory/1452-82-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2352-81-0x0000000000270000-0x00000000002A2000-memory.dmp

memory/2352-80-0x0000000000270000-0x00000000002A2000-memory.dmp

memory/2696-91-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HCocIEcA.bat

MD5 03030377c8851539efe866a2e4012f70
SHA1 fc0e7f21a0537750dd07537f21ebb3df56ee2167
SHA256 457114c769961a1f65d66184bd2f5c41e61785c946393271daf40ac41602a3e8
SHA512 8dbf8d5a83a6e1cd3f9b7d9740bfaabb92167bd5333ca71959037bb2b3fd714e9f2288f4ea8e27f6395d844e72b33eb806cac7d794c197fb151e6c570cf7c365

memory/2252-105-0x0000000000290000-0x00000000002C2000-memory.dmp

memory/1452-113-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XmokQAIA.bat

MD5 d0e34326c0d3f8c931c471615d832b6e
SHA1 541a36dc4523f477f07e7bb36088b3132ac49da5
SHA256 758df1180ceea58206ddf303299c57118f9e7bdac4303a69b6b4fdd8ed65053b
SHA512 34043f508f01355db0f59340c52c9dfd9e02e99d42b357dc7d391fe74eea0a019a290f772e9aa633ef63cb2f96b01dd9b55dee4e59a8f3af6ad422cdf11b9d51

memory/1704-128-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1460-127-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/1460-126-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/2892-137-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PmYooAwE.bat

MD5 f0f9af79657212bf224d94ca5e29b6e2
SHA1 c87a33d687444a752cadeded3a33520662967b96
SHA256 9c203845882415d693a43da19441c8cf592e991be8e4b0be1d4d0f1107e0833e
SHA512 8ad91674a798562a075a418a9f3bb2825dce324716fe05a1193fd60619f6df4103ce3bb4e69dcd14d5b450cf10c217845564e38c360bed37771812199b737f85

memory/1704-160-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1940-152-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1728-163-0x0000000077510000-0x000000007760A000-memory.dmp

memory/1728-162-0x0000000077610000-0x000000007772F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PWQUYIoc.bat

MD5 122b419cacce0c893ddb76b0ecba4a5c
SHA1 551ce3cfb9b0e0f1dd66076f9b9962b7f806ead4
SHA256 221ab6acdd179d6e8685617b12b7e877c78c8a73152dc20c2bbbee5d4c660ea5
SHA512 97c1ab4f294abd1a75c76d23c4e538bced1eb85dfa6e4d076b56a2133ead17c66828724279835dd2957b07b6c11024d40f6a1252cd1effd2abe35e61e1027e2c

memory/1632-176-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1940-185-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\euoQUgwg.bat

MD5 b215fa6b1e865af47d1a10d35402d268
SHA1 3d101c733e2a1979a1f00801247a395b5f134537
SHA256 19555a7a0d7aef5d56e1b1b56b54464cedee487f8e5b9e17fd3ff8fdf0830495
SHA512 72837625374d4f87ec20d70d6bdf163e9142ab23ad39f20d17db2629d913f56374d345f4273e0f2e5161156d55185846dbfd30eee9fa95a9ba832d9406db5e79

memory/2864-198-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1632-207-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mOkUwEMo.bat

MD5 4d885158becef0585f6bcd96c146649b
SHA1 c846054ba62391ac84092ee6293d03aaad7f7e3f
SHA256 0416d04e91c60070aaac525164fc0e01209aac89a66f2c048ba1546facd0ab8a
SHA512 d0a50f0ee5508d9ad2595bd008ac836a6c82a9ab9560632e87d284c30111723eb40ff3797893c9fe6ac2490aa40e310af9cae957910e8e9cc9d5eb202b3c1d85

memory/1176-221-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2028-220-0x0000000000260000-0x0000000000292000-memory.dmp

memory/2864-230-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\saEsYskM.bat

MD5 57a3fe4094d4f6ddb9aa91d776f8a36c
SHA1 2f875293420d15e9054096c0d8e1883236c5c344
SHA256 3a126b96ece3b4d256716f1e416deec52bb3762e942d13d92e6f06aa55476ddd
SHA512 3ab95faef78a3925297bdd942e62a27dd4c48902929ab4917851422b2dc6119ced16d3dba93ff60e7e6479296a250f1b9fc7485966cf455e2c0b98dc4da4e181

memory/1340-246-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2784-245-0x0000000000310000-0x0000000000342000-memory.dmp

memory/2784-244-0x0000000000310000-0x0000000000342000-memory.dmp

memory/1176-255-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yScEoIQI.bat

MD5 9c6d8c2f3c7b2c3604b222a32124b0f6
SHA1 21bb0563859ad82d1bb082b755e005fc71252bd9
SHA256 df3ad4cf9f4590b4f92e744005e86c67537fa04012fce996aa74d5daf1e7d695
SHA512 741cc452e9d066338d738a8238627ba0f146a342633c5a1637dd95f03cd7b504f404a547330974e42d12b4907eaddd0336ea53f94669f5d427295cd3836c4b30

memory/2240-271-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2892-270-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/2892-269-0x0000000000180000-0x00000000001B2000-memory.dmp

memory/1340-280-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PsMQswEI.bat

MD5 baeabfd2a7b24940b83b1a5c8104dc27
SHA1 ded36071af2ef0620ea6e9f73dd00dde7995756a
SHA256 ed677315c1163bfdbc33930a4a52822b08ae53442935ae46aa27b5223d424856
SHA512 ee7d4f80968ca6a033e35a2dbc8f03f73e8a4c20712bd6e1256a3d3e5fce440eca63933f9f5efaaefec86a4ed4af3b5d053f73d0f6ca4f72b9f173afabb9618b

memory/2552-293-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2240-302-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMIwQggQ.bat

MD5 f11d8367c3525d5eb519bca68f3912ba
SHA1 0ebf6af6382a411ce7679bf2a6b4607047153fd3
SHA256 41addf2b62bcbd476871b1908b658f3d4b7baad6705804c5ab9ff7d8adf886c1
SHA512 ffca99c65d7cb24f6f7a1115cf8c0ea7decc5fe174daa996bb348eadb8efaa5fe62c3de792c2344a3f896eaeb867711ca5c9793f485ac78c1da08a71926eda3f

memory/2460-317-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2996-316-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2996-315-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2552-326-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lGwYEAUA.bat

MD5 53f6087497fbb21a10cd772d5688cdf9
SHA1 889e003ec15b341a1e234e1366777083ff24434d
SHA256 66c2b8e69b17e80fd05fd242d7a3d2fae405ad32a254cf5258a7eb9b5c950c47
SHA512 fed10ca353dd24637dbccc3e2a29e3f0d69b996918d1d6593323565cf399fdff24d4c5379f6c077093f32ed6fcb2934b4c7672a0fbd4917ef09e65d160caf5b5

memory/2716-342-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2688-341-0x0000000000130000-0x0000000000162000-memory.dmp

memory/2460-351-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fcwkccAw.bat

MD5 c5f76b64b06d143b4fe0f0ffd6f47bd6
SHA1 1049c8f096d36438caf765c56e209c309221ad1a
SHA256 c365aac649b25c15850ff3401c249d4a99b1a627799b84377523d83312163ce9
SHA512 a9daea9fac1778d99f970bba4dfb330a463c07d63ac798cf22fbec4aa6f38c374aa8f7fba23ec3b901e0013141ac34a035b335226b5103d7d5aadafe12d7fa38

memory/2584-364-0x0000000000330000-0x0000000000362000-memory.dmp

memory/2008-366-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2584-365-0x0000000000330000-0x0000000000362000-memory.dmp

memory/2716-375-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yawoIsoI.bat

MD5 e2a614a3a20723ca629bf2547a930ec3
SHA1 891c271eda658a357741a24d724c442aedd7f104
SHA256 03334eb900d910e55376a67014709dda0d938b51197dbe9091cfdbcab31e62d7
SHA512 c277dcc471f93670fdeae00f4fb5410722ce73891b587271880a6ac64b93989ac920764e69af8a20da339f43c7112a9c035661551811080f4e640a6c2ce9597b

memory/2008-396-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2412-397-0x0000000000430000-0x0000000000462000-memory.dmp

memory/1908-398-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\miIwEMUc.bat

MD5 0dab3ff9b4d03aa8a5af151ef889faab
SHA1 e3894c39f7463985f69ee6f735fae2af92889036
SHA256 369fea18f9f38dcbf321c99c98c3e3d2aa7731d270257026eadf2214d24873e5
SHA512 b773d49fa83c8143ca3dd4635f4d44771fadd1e9d0e7c85be46cd4d87e317f97ae126bebc1191873327007c17f32952be914230552d61445e0c68f8af8e9c8f2

memory/1624-413-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1340-412-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1340-411-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1908-422-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\issMAEYs.bat

MD5 dd34da00cc8c5fb24e5ba8329e0b903e
SHA1 2fc1dfb24afe190057e1067319a7df2d61921c16
SHA256 7fb4424f2e04574dcfa84758a2a20f26fc81131edbafbf6f9437ebf3313517c2
SHA512 6c0b14d76cd221f9603ac7db7ef55b275c57abaf9a99ad609d044f83e4d2e885baf24d4ba8b496b930d336a1584253d3c4ef9e65b7972ec66de2e1905436e420

memory/2736-437-0x0000000000160000-0x0000000000192000-memory.dmp

memory/2240-438-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1624-447-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gqcIAYsM.bat

MD5 9fc9bb241411b6609862f15fdbbe2014
SHA1 e2b90acc40331580547edc29c939a0906adf6514
SHA256 9919f952dd18be9944f43ca4eb2b894fa12788293f23361e57377b178fa3c854
SHA512 1f5521a3402627bd4b5e9f75bbedd67ef871eb7d9f55d62039a75dbe6e5af84e0fe7aaff38a0048b724b64bb8899de9aac443b151a5a860be65e79d858513324

memory/304-460-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2240-469-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DaksUEYQ.bat

MD5 bf7eca33a6aa3726b6286991128092b7
SHA1 d4942c8acbcfb23d781178ea272dd104b61a3252
SHA256 fe7728f98100bb7e675bd1dbef570f8ac285bec4f61e66e7f38621f3c95de1a8
SHA512 73e680fd2d2fee5355a0429b87509e0f9f863887419b2e356273a9a47e9eb44bbf82b36f024560fb4f65fd8735cfcdc24095cbec4949c761f4e21446346c4af9

memory/1532-483-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1356-482-0x0000000000170000-0x00000000001A2000-memory.dmp

memory/2312-492-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCgAwcUU.bat

MD5 d378a9848900efa5f3201960a0d4667c
SHA1 5bd2e37f0fa08b38d2fce136d8b2a28acdc5cd24
SHA256 98796de4bb157b15be3c5c5f8a10a5ddfe60a9714cc1425284c9ee9a1392d539
SHA512 59a6994aa2aa0d2a1c3aafbc0028cddff325dc5ba1e66e73719d2c59ad3e1987cd6033c614e8a7eee283d94408a2579dc7b8c7f29b4e9f274207013f915f78b2

memory/1632-505-0x0000000000400000-0x0000000000432000-memory.dmp

memory/768-504-0x0000000000150000-0x0000000000182000-memory.dmp

memory/1532-514-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NWwkcowM.bat

MD5 e586383919d4d185c576231d8ede441b
SHA1 600bfbc8647a54f1485eef1b28659521c09b742b
SHA256 cfdde9c3c554690996802dc8bdb950bf457024aa720bd4ca382ce71979fbbf45
SHA512 a304b986649450fc9f218bfb72dc402b27d193dbd8a08519844db2ab34232fb81dcaad0051f39030128ae9f0f65ac1b77df7127d5c3a6c1de2aecc13130a25f6

memory/2984-525-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1632-534-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jwEEAocU.bat

MD5 8aec3f8a8da9f1a4d1c5417f0c0acb9f
SHA1 95f82012291e10542ce15a0e70117d48f535e78a
SHA256 71867ac27550e6de7ee623a68f9798ddd34360c1d925638189f37bce45d3b1f8
SHA512 9701894eecd3602d43b5d3bb6859de0611d3f776148e2f56b5a4d9416811a973fcf014f6ad2d1069d0a7a46211a44c617fdb461a1a1d47e4990406fdb7431983

memory/1388-545-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1452-544-0x0000000000110000-0x0000000000142000-memory.dmp

memory/2984-554-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uOwEMcow.bat

MD5 cd88f3eec093583f7380003e1b1cd5b5
SHA1 71ed2bb15ad6024667725238611fc8ca504a249c
SHA256 f1d1446526caef646f7c113510f5ef0d3be56355a5a957ae41840c64edc21eee
SHA512 f890a11b26c970ad07119f4029cf0eb0b38b17be959927e6a7cb18f83f19dae8db77b057ea712ffa5ccc375f38dd09e378ffc415b2da97b7a8c83ad4926b2c20

memory/2680-565-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2544-564-0x0000000000160000-0x0000000000192000-memory.dmp

memory/1388-574-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ciwAEIQo.bat

MD5 22b93e015d1bc8b0579fc41c4b0bdc69
SHA1 8fdccd699dc89479a0c307179e85b752dd6c927d
SHA256 e01382b9758dfc787bdfcdfae179e415a2727cea2818d85582f658327dac3457
SHA512 71abc7a62ef7681b46b0bc2908ae7f0c101f544a2e16dabdcf66e173832ce5e57595755c32489a8e21f1b0789de88e8299311cd4d6157fa0a4ccf6cb45819938

memory/2524-585-0x0000000000400000-0x0000000000432000-memory.dmp

memory/752-584-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2680-595-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kgoEcUAQ.bat

MD5 dcb595e52fcdeeef1b123e1403012722
SHA1 53dcfd837088faa78b597916e8ed9cefbadd2286
SHA256 a2e49c4cf16074dd984b9a73586fee2e8a260944a848b13cd65e2079aec9bcd4
SHA512 d6d76025800d464825ef64d8cc31bbe17600873d00efe787b6562c4f95ca3f57b1ffa13f31bfabee850fac366420fefb19a6b092650ff0e7c581175bc401e377

memory/2700-607-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1784-606-0x0000000000260000-0x0000000000292000-memory.dmp

memory/2524-616-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\icUYkwEA.bat

MD5 aefe3eb18f071dc24a66e1f5ff880227
SHA1 67879b28f88882625c71bfcf3bbf40d1d67df706
SHA256 3c67d1141caea187d0d80545d771ec9299d9f25849a649193d2996b5891f877f
SHA512 41d3e302f8ab9803f5bcbd12aaffdb2dcf9b6da14a5c79aee8d5fb008ceb7d8c7191c698714593e998a0c8a9918ab87581ab033bd2cd4104f2916810b003da5c

memory/1408-626-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2700-635-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jcIoosgA.bat

MD5 407c32957c05e2d41225011b40052108
SHA1 07ee9d7b1d465da1bba626b5c8ca84427dee1e14
SHA256 1057929b45a1469c6167f29f8a969f60e044c694c0452a054052284521d01b0a
SHA512 19610f65887ed1644e323321b2e5179f22c69e1292a65c10d8333014d21f5d04c66a4689068dd52ee8fca2f5be605d7a926ea6d0016452912331573f9d17aefe

memory/2012-645-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2024-646-0x0000000000400000-0x0000000000432000-memory.dmp

memory/856-655-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TKsQMMMM.bat

MD5 83fe5649840183d12162e0badeec038c
SHA1 5725a87fce7729289021624c0be07545e0120feb
SHA256 89d98c598452b67cb99d6539b44b3c3f4b8264c40dfbe6c1b9f5e539299a27d7
SHA512 a0df6d7f83be3f67b7c9373fff03bd11cfddb80f193848a6475e298f5aac6d767d87f244a6dd84457019de35ba631d1adf860f96308fb5859705e63773d4714e

memory/2444-667-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2404-666-0x0000000000120000-0x0000000000152000-memory.dmp

memory/2024-676-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkEK.exe

MD5 30d838fa9f4f54b54b69794b38e3317b
SHA1 05946ca5dcc97c85318d9d2a443c8f18ddf84ccd
SHA256 75dd186abe644e990491745d17849d7824cdb555d4b2063804723b1885236359
SHA512 23acc717d28d917b69d8610a6db6b41c653849891058f5db468a03d94ca25e57403aa2e9c19e6061c16d3aef2926cc0806768008fb122a23277ff3289b0b1db9

C:\Users\Admin\AppData\Local\Temp\rUogUQkU.bat

MD5 c93b45cc987ab61005b312b23386f792
SHA1 86920052182941d5130307f851cf7500c8056ff8
SHA256 7a4c60cae2b2c6f38120a2c17f2b0e0f0ef3b6738b06703a843d883539c0a330
SHA512 4fbe4578d0882b7a9652d5a5d5e1c117f8144a92883d9e77b9fecc0bb825eaa66028fc393f92272c98f3b85e5e8be68700b8934eea29f2da7c3d515c5fbcf6ea

memory/1916-702-0x0000000000210000-0x0000000000242000-memory.dmp

memory/1916-701-0x0000000000210000-0x0000000000242000-memory.dmp

memory/2884-703-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2444-712-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hiYIscsk.bat

MD5 5f38f0a1f43a72de6104f3e5795ce38c
SHA1 226ecac789898a959f5dccc4278012ca02bc7f55
SHA256 b8aeb802ba7d0c958b72c5b7695d26a01ceecf2d70e5ee599fe8b156d98ffaf4
SHA512 366970fa80de105aec4096892b5c6204dc66e24206f09989196c030f4c709b81f266fdbe4b65f3a42f49f9f1e42e58c1694b84a22a6c573cb08a789428243a86

memory/1728-734-0x0000000077510000-0x000000007760A000-memory.dmp

memory/1728-733-0x0000000077610000-0x000000007772F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aOIoEwIE.bat

MD5 fdf79165610bf43680444e604f0bc0eb
SHA1 79d30a0296c144a5841ce8510ab83d23b9a908d9
SHA256 3d01aebed31b07a41f7e90c0d690e0afd88623af9866c1f898eb7a0e0864efe8
SHA512 656263035579501d7483ff5d241c6cdb0fb7286960209b088513c0b2912e5e909a8dd0a2b27fd2bffc7c93770eaf23528ce965d8704435bea622089b538ec590

C:\Users\Admin\AppData\Local\Temp\ccoIkcso.bat

MD5 f34769b4374bb504236e60f45d3ee530
SHA1 26372666ddae3b739c91ec18405617e929c4fa81
SHA256 0c644254dac00c848dedf391e55ceaf13679b687463a07f39813d824dc02e11b
SHA512 40893f10b970b0412aa5e5d91448bc81e4dda7193c40ac66377b162294c69395cf637f45dc68bed40c75d03edd8bbde14ffab59704313c1c882876dddadea98a

C:\Users\Admin\AppData\Local\Temp\QwIUgQcU.bat

MD5 2afbd2760bc24d21856f1b67da74a82b
SHA1 84391dd74059825490dec0900a955a94595ea3c1
SHA256 b74a0498fa276694b1ed04ee0987d17c2954ade9af9d8a39069c25e27a771f9f
SHA512 fb68e41ff6e3b6101659d2e164cd2a3ead375be0a3f36138a77d37af3486944c76efcf26a021418c8260a037ddb45f0da8cb947fc130619ef0f81cf5d7d3917b

C:\Users\Admin\AppData\Local\Temp\mMAsgMUY.bat

MD5 b7b57c732d5437ac16996399d590f733
SHA1 2c46b8f9da8641e70a539199e8aa3bcb591e9263
SHA256 c4dd8573edf76cdedaf4fdc8a89a533b5ec7caa2dbd8afb9701c23c182bfd93e
SHA512 919b030e670a7322fc1b79f86f493c9661ac78b21627f1f87c1bca7d1bdf9f0c46d944ba54b0e1049e722e7b950bfeeb83ad589ff091ec2e190b422432e5a566

C:\Users\Admin\AppData\Local\Temp\sAUYwwEk.bat

MD5 cc5328215febf34afffe92da2b84714a
SHA1 4ddeb0a116d9d14daf896e0cbf9b4223ad21ef4e
SHA256 3d9c2304f4a968a11e0a7754f2573ffb9149432ad7e7f5de39a0da149f478eca
SHA512 08d9b853d70f3ccab0bcea953544221c660028c8526933d3a536df2b8a0655bb4dd667630463ecaf96c8c7009b764ccd18ded85b4afd3ea26cec5c4162e77f8e

C:\Users\Admin\AppData\Local\Temp\pQIokwYg.bat

MD5 9d796fc8312b6544c5f9deb1979df5ee
SHA1 b7ccc1848ca2a548ec589d5c9d6529fd1ef728a3
SHA256 af2267d1e0928f11747cdbe80648bb5b9ad01c68df22e7cc7b1a05154acdd2d3
SHA512 adc935c60f37af2001d1b5d5d5ac659a6ae6032be949f8a2919b6082d842bd8c59de6c8edda4aecc1397a23523f57903ddfc56cd1e669ecb8bd6ce086b95af3a

C:\Users\Admin\AppData\Local\Temp\vGYIAMsA.bat

MD5 f8af05982a646e37be67ba5ad936c963
SHA1 7ae73a0aaaaa9ec89ca88dfd8d6252b7066e95dd
SHA256 4a58ea857628318af88586ec6ff257b3d8305d5f287fe2080d42437aa78a4d70
SHA512 1512f6b1aefc66da9ce3cf4f15392fa23dd1a132ad1f0c57c4e7d1538307390edf9e496c74900047399d1d4a176834cdd832de01ae07d3a5f4b1d1642325accb

C:\Users\Admin\AppData\Local\Temp\NckAcMYQ.bat

MD5 c7d74f2e68ff38be23d5a171209422a5
SHA1 bb53f6aa3b9899326bf42703ab1f55366141ece0
SHA256 e4e000fbeca6416c69f3463c7630743f406c157a0e9187894516491068662746
SHA512 111df46266fbfa8a76c98eb9c2d634aab54abf6aefb7bef44ec5c9d5df791a4dd731ffff300d032d7b20b5d83564cef13e2342ff8be0a2a4a23497b5a38baa45

C:\Users\Admin\AppData\Local\Temp\PWcQYIEM.bat

MD5 e13d61d9dc2544ca64c4153d7d481d2c
SHA1 c247d0d84a90e3750f9342dd950ffc8c63d35ca4
SHA256 3ec79e58c00e925b2e61d4be3f5fe87053b437c125cf16b0eda516cc796b1da0
SHA512 b4cf15f352ac15f0e063819b046468d15d51e08e12abaa89a3d3c43abef5b18db6243aade622f4d9ce5d7e7d36e27404533e120ec380f62ce91061b4585d15ed

C:\Users\Admin\AppData\Local\Temp\GAkskYsY.bat

MD5 5affba909f3fc6962b7f77e7b40704cc
SHA1 7c2a18ce361e9e1a124673f684603e3c890eac6b
SHA256 86774f61ec2198c07637e2c6aff64b8e2d8df26e3d55042966f95b13cd00c175
SHA512 dfc0c442d336bdd504bf8172ea3595ddc48adbb2bb88facdda18303d5c302ceebcefc5841963426d3e0fd39abc7fb030337345436e4f26a88371f7e4a9e05b9a

C:\Users\Admin\AppData\Local\Temp\gIMAUQoc.bat

MD5 cfaf146ef5bf641e1e768402caf7648d
SHA1 c4ac10fd3f49c7c457345362c1f4dc758b524da5
SHA256 65f3636186b1e1fd81f532619c8c0cf7adea575b2c3e9594c06ba08753663234
SHA512 93d707f3186e15dc640aff776ffc7878376d66380eabbb13dbb2dd653661f326ac0f2e7ac71cae7fbbfc7375f177acb557959cb951552968508326c47d94d9ba

C:\Users\Admin\AppData\Local\Temp\ggwgIMco.bat

MD5 d33e1b310a7c5a922491db297cf26fb1
SHA1 a90a98300f8136925b342d95efe9387dad1a17f4
SHA256 bdfa3078a194d32fad5231b5cc464bd506f18d18fd2b4a62a336fe82bd54a329
SHA512 582f4b4e3ebba25b1993b4fe93ad411259639540e047e1de18a94d922e56825d6e66ed5939843238bc8f51c2e2d2e6beec4079673c49ccd77e67806551f8e30f

C:\Users\Admin\AppData\Local\Temp\UwoMkoYM.bat

MD5 55195c1d6e6e35727febb7808cd3f4b6
SHA1 5d5d00d5f32f65a76d201e165ca89e699a57dfcb
SHA256 c45fc9f816e3f79117922a5ff1fc6829b7535216c8d7956f419a3f6b78d5344c
SHA512 cc90ad159f93eb8083bc69fb1099610e250bccacde4d66bdac99b2dbedc28287ac26b448a281a824335648d1d64f39d259f9bbb21e28b8e067e559befb080801

C:\Users\Admin\AppData\Local\Temp\nOUwEQMI.bat

MD5 8a9a4140249da054022781e2246bd3f8
SHA1 6ebbcfe161e74f891ce062819a9fc34ae7ca2b0e
SHA256 3242a7af384171a4fa3c372eea4c0b6db2786f45a35b5d6b27949d4d46b9523e
SHA512 87a35b4c3b9fedbb01f30912bdba12205e1c04d416ed513d4570cd9465a35b6754d8c371029cd6eda08baddfc70496c1fe014ae6221ba87e269ec2e2ecc2af46

C:\Users\Admin\AppData\Local\Temp\XAEUIgwk.bat

MD5 4a2b35196e90154866b0ff78b784c383
SHA1 70418da3d0fecdbebc810143365b57a32aa2e855
SHA256 c3a067087b48b0d9f9162f9c659304757280d4f38f308b2f742b4b2576814116
SHA512 074b7c1a3767cd35976a420622a6892fdb985c3e6585937c1aa935f98cd045ddb97e9e76142b7368454aaed4f60887ec876f981f841f92d5521e46bddab5e1e1

C:\Users\Admin\AppData\Local\Temp\xqEUgoEE.bat

MD5 f894473798dceb91ff54def68e96a2ae
SHA1 5cac1fddfdd85e1dd19a70f2ace0d5dd50dad96b
SHA256 7f8ab032da99946e36da4efeb4c01cb5cb39bff88186bf2b051a613d745b029e
SHA512 b14486abb055a0dec4b21d61e06a3caf50258d1344abed63470331096539011ab1facd68b962d172f43bbcc82dd34fc33877fdb4e2a7a5dd077f29cb46c49d02

C:\Users\Admin\AppData\Local\Temp\bWcoUsUs.bat

MD5 fb5f166d48bea0d87ec1c0912653e775
SHA1 4a555e62f65aab184eb916d40c47303beac51a4d
SHA256 0510d3c1df4a9db29c90c30d477e18ca0bd97772c3b2378a127c1478376d3955
SHA512 f402860cd682f405fc3293708032235250290e3d98817159094c55307af3d85bd5c449afa095280c07b171f505b65a065d771ff8c158b9d9525434253c596eb6

C:\Users\Admin\AppData\Local\Temp\gWEcswQg.bat

MD5 99726ca65af34fd9785064173778720b
SHA1 a1c229f4300d1941d9749d907aa1090e8aaf0a7b
SHA256 e85404f7b076d9ba2e60c3034a6be641ab9d4bfd9bad3c0ce6cd9b64a90175df
SHA512 1332823b618d440a1c95fa4130af09eeea7a4a6ad92224097c7ff0daa21783f713b9a831bf2dcbea6f3c3faacace832b912e42c6e47a302d688d1da68023e260

C:\Users\Admin\AppData\Local\Temp\eYEo.exe

MD5 c8858b7e5448915a55b8aaaec09ccff1
SHA1 931dc39ca777d129c147266449e34f62ad390a8d
SHA256 a2f6801f8a23d416fd6bad636ddfc66f2f4b416d4868de12978ccc41b08823ba
SHA512 e7c01cef237a51ae2f8816f345edaa1863fd927172ee2b07bda8520b1a0092fe67b84a66d0b697ee0b62d4ae7fb52eb5c734208002959ff9bb4e1fd9cc1a1286

C:\Users\Admin\AppData\Local\Temp\MQAQIYAY.bat

MD5 3b28436bd9e3ed1aa77ed819b4fb9400
SHA1 bd16e3ff31d2f72438d819e3ae18834f686dca46
SHA256 467d33ac8d79ad0754a0edf1bf48d162c0ec0a332695b653dfe21aaee5d74998
SHA512 c353978411209ad2d2fb81014b45de1e537554bd48c0d7f915cfe20a98c901eca6ad343ca38ba730fc040a281645662124ae11276febe4b84824ff0504727979

C:\Users\Admin\AppData\Local\Temp\SwQk.exe

MD5 25d6a90026538a2b275e3c11c56ea33b
SHA1 3a30716a5a64fc0f1fb4b26018131d44b61235ef
SHA256 89da6285219a90c4096df6db10950336da04f70cb099fc1ae5e88c8dc955ac9c
SHA512 e7be1c03603f20133309b6bb9cdfdc45f0181a5f3e03718502e08cf9eb78741a146e72b141cf44a50c001e9182b8fc03f08a4f2fbdde6ccebc2af4b0a1b68fd9

C:\Users\Admin\AppData\Local\Temp\SwAW.exe

MD5 446e51f2e6f853e667f97af4d31996fc
SHA1 cc59b34baaf366b9a5f12061166419faa606e6c5
SHA256 8886f2adc0f6ab4bcf2973d3a17b1949d319d97d965ba6812d47fffb3da13b6d
SHA512 b9df0e87183784ade9309b51e3585f4e58143c9980b261e3dd03c3fdbbffd1f50c0337a5b4644ccff8005a41131dba1c39e2f2e194c5156217339b8d623a56aa

C:\Users\Admin\AppData\Local\Temp\QYMS.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\Gskq.exe

MD5 3edb01cd190a24d1a5e12ead29a8d7f0
SHA1 a4eb5a143b3bf02cbd4cf8605da46f05faeeccf8
SHA256 f47f25ff7b558eff7a258756e4bca7f3bc7d73eaa4b02663a3c2a2878dd8a168
SHA512 bdbb18c6193f00f4b0efd14635d84991da36681f95017b54e85d58070d08b5b230f6924db5d20f13446fde95f01630ba63532feeb52fbe0583110454224f1c6d

C:\Users\Admin\AppData\Local\Temp\YwYa.exe

MD5 867a80982344cf01ec16313278000ec3
SHA1 2748015f8eb43fa925d70ccb89c38a322a416c7f
SHA256 0cadd201553abbc5bc17ee9912ea44694ca7a11d200596986eb6f948fcca52c0
SHA512 d4befea525473be4e75cb5c191479e4a2de2d2b9af8c79c7c7e038946d7c3b42d6e4ab124dac7a0de5628629a0223abc9f1c369a0cb796f2fd375bd514ded7c9

C:\Users\Admin\AppData\Local\Temp\CAoO.exe

MD5 48b01d61f3b4fef130014da81aadcb8f
SHA1 8a589680cab825372928a460b98f2e5242ea8bb0
SHA256 d7bbc4d40e1def54fe293ff21f8d30e06e01648779c69f5283472702a811c9b7
SHA512 dcbfaf62b1dd6da36672482c793f1420ed28f68cdddee6e1c8854e4b249425f2c3e556e5c7e78c9a025d5964af471ed86c3822229fbae5deff46ec4899668c9c

C:\Users\Admin\AppData\Local\Temp\iIYG.exe

MD5 33347eda4cdff4ce0f6e3728207449c2
SHA1 7b3f22b8c2ff90edf1315100a3a958c522aee536
SHA256 b13aa5270800eb888f28f35278c92db4690e892e075d7b87d71fb97465702c43
SHA512 eb344b0dda030d89685c7b30d20232e251b40db636c1eaf2a63f6440997a21be92f51a849a91e53d32fec4d48983eb18cb790a1f675d177dd0280e6e41e5e2d6

C:\Users\Admin\AppData\Local\Temp\SwgK.exe

MD5 d5d85bb52d44446f75ce0b32e9d3ea90
SHA1 da63482b9d34d8b468896f411ac8e89e33a49459
SHA256 bf6892bc3af8bc90b871e71e7453643455b07ca361e93933e63de189339ba939
SHA512 01b8bd92bfeee36b1218bc3e02fb3efd6155c7a2a50c1fa30984684836ea7d1c227f5ffade760ef787fac712b9492e787000df96797e476a45ce645bb994c61c

C:\Users\Admin\AppData\Local\Temp\cQUk.exe

MD5 5d393459d7a0d31624c1ec35fc1076ad
SHA1 b76ea60459abe2c448395c4fe24920bffb8e3a1a
SHA256 5fd19b3cd78fa4361ff1e314b83918414deab735f7738b2efd998c7a9d64873b
SHA512 c80df597327c02bf0a01432d8fbd8c8344ae6889521cd3a321fa25f6be79b4bb06796df651e4b5f6a1fcd9baf473bfb52c51c9f6a6195e60af1ca2781915297c

C:\Users\Admin\AppData\Local\Temp\AOMUIEAs.bat

MD5 8bfecdd092c158e859eb8ea7ca90eb4c
SHA1 c001c8a8a624b4ccc8581b8468e1a5c51934d75f
SHA256 8206626aab5c12a26cd12d92dd9938147204f8b77794bdade6151f4acf897a2c
SHA512 b4d54ac02ec3abb1c7a30807b2e2147d97953b599e88de234121f2b4770d6bc6a7976c375b525d10201b602ed6dff9fdf293f9db5f3b7757b923ed87ce475c8b

C:\Users\Admin\AppData\Local\Temp\eosc.exe

MD5 f527c36cc9c062529b5248a8d0c6a9b5
SHA1 60ec4725d07fce2c7a7d47682a09786d3ae1bf68
SHA256 96f58305b1f8cc7231077347b6e8721194e66d643677dc7366ef3a2c3e6ec632
SHA512 baf9ec9b99cee05ac9aa031e87ed8c63e7102aed51daf1d2ec7814ef51ebb3b87b632135f8f87e6e1b257d710c6e8d1368111654dd2d99d6a116545dbd8baba3

C:\Users\Admin\AppData\Local\Temp\McoQ.exe

MD5 869e23c86cedbde36e2deb0ab9d6a624
SHA1 06b6df6523e66f146b298fe29752522a3d920563
SHA256 ecf5c327c08cd7bf18e4f799b2afd8a483c5ed5b2dfc9c92784f6edbd0381592
SHA512 cb274612617463b03cc68a269b84d8ee3a22833fabfa8ce34faea56a5526578e3d2bef6b486325a0dd40d707376a44b61b859ece03149a22bbaa6607dc721953

C:\Users\Admin\AppData\Local\Temp\icMm.exe

MD5 aa196817232f4eea09d68852808e1ba6
SHA1 a001ce1ed3dc089cd92dd3f10454a96ae9654a1c
SHA256 ddef518b71e9e594b12f7e50c170ac06657a9f3b827eaae5df000ffc380e6ff5
SHA512 b9325c7bd6f3eadb2a6e54cf79e4f58900dc242666932ec3286d09c3f9a9054bb9ee821a15f112b061e375c2c84d10ebe013af528696ad80fb7c46631fbd1a73

C:\Users\Admin\AppData\Local\Temp\msMk.exe

MD5 9f0c1cc52cd41cab32634cf875ddcd49
SHA1 1a86f2fdf999ee51e0b0a9a3b4dd1de4621d556c
SHA256 a4988ea93ffa3fbcd55d6205ffc4c29d118189cc81f6dc77bea11f717b2a1378
SHA512 5d62c17a29e3e3ec41440267e62138cbc89b24cdd6a94ae76c308382cdf89e802bce366ade107e1a1f1145d5fbbc4b4bc5fdf1d46a203794a9c20f3ecf210094

C:\Users\Admin\AppData\Local\Temp\ckww.exe

MD5 4297a21c01b7a3248ddabba066ee09b0
SHA1 04646033e4dd940200ba99aa9803f6b4327f2073
SHA256 e43f33af2ba445268748b306807a2b58175be18b589d28848e98a730a34d1d1a
SHA512 4f6048ee4f9557ee93ffee1ca65782008d1ed5dd91b9b54fe374e818c7767ce953fe49d5e0d2692a5950ad9099e518526d4fb69494893b63ca947775935bc14d

C:\Users\Admin\AppData\Local\Temp\EAQO.exe

MD5 e79f4866a9c1cfae7596724104a62a4f
SHA1 6617f30cacf6463a0451a4fc7ac989fdc7f2420f
SHA256 b92dca21bd6bffa1093902569272f70e310201fc42f0630f2e5ebc591d2bf500
SHA512 399a6cc3725a7639ae5535506d34baa9204760d79b9d782e52d62ac26dfc75eb73f3bfe92ce6ed94f2dd48cf5a58c59c91d4cf3200993444cdd3f4db44162b97

C:\Users\Admin\AppData\Local\Temp\AEQu.exe

MD5 742cd631362e7993d10780f6d88cbcb7
SHA1 5f6c439b60c94fdd7c0414ec9cb999efda4fa52b
SHA256 4387b662c30a0c4f03ccfde763e0fa1a606e57e82618ae2a57afa7f9b83c84cc
SHA512 ceba1c89b71d746c389678e720520895222a79a80ba3fd4eccbdaa7b549173860b92d4b827fd2e85efe0a1695099a01d7199cfedaa32218ca3206f373a266712

C:\Users\Admin\AppData\Local\Temp\zQcsEkkY.bat

MD5 34811d07d4a333cc6ddaff13e51acfa9
SHA1 052ed475f23373cd539dc24b61f43d8e0a5467d4
SHA256 1da202a05fdb71bcae32d7475ccf056d9113b9cdd585322fb00c990b62514fb4
SHA512 966edf96c9ea1b15aa1b11a73d6c267360c653a9f027d1e02d2b2924df8e5a020e0082ceee696e9a11a1b7decacb50927a3391f20ab8dce62a5b102527584dd4

C:\Users\Admin\AppData\Local\Temp\SYUc.exe

MD5 55133f8c189e2ae16af1894099762a48
SHA1 214c71a3c547e0a40b9f79a972b63895925c8306
SHA256 9afbecb082711a0065c6ac57581b54e86975e195f3898c01e0e6c0c9e6e4bb80
SHA512 8a01e66ab1506943a12dcef45af60b80b79b2afac198068b7b553c1384d0242570b4f872aa2ae3a126522d17f38c34a9d781ae0c77e3e98cae19283bdf53ba99

C:\Users\Admin\AppData\Local\Temp\IYwi.exe

MD5 5b96bdafc960482e697dfd2d306c9b0d
SHA1 a0b7928d6445d53abd62f532004a7bc59918862d
SHA256 d2f28eedaae8f03b95c9204ae1a36064a56126228c2b20ff53ed9a6a88672930
SHA512 9fd3e2d049c15a0b78b948d60a81cca7e6498d1f0c466474a72421b458c3c95159aeb71271a2eb8144af158cb837a8d1e812528ca93cc2fae3482d003735d5ef

C:\Users\Admin\AppData\Local\Temp\aEsm.exe

MD5 16aaa21db91fb72eacc4c14dc1d93645
SHA1 2089e7d2f8288dacb47128d2adba0ed4da8ac1ee
SHA256 52c9e5a31fe07e48103233afb845baaa8d7dc52b03b5e676def89e5b0cd3cac9
SHA512 0a04e4515f93a452de2d1a124a9648fd0977c9276ee9e7e6661d6b50faf897dde774b6c8af06e3167839caaa86653eb33ed6f28a43146479d5ae3bc222d2fbb8

C:\Users\Admin\AppData\Local\Temp\Accc.exe

MD5 8f2bd8acf3aa37ca1c76c16c26a086c7
SHA1 71c04395018fc3ff8d384a3b2b9064bd12de10ad
SHA256 21961372b5fe09da0d7035285ae67337ca43703a94ed1919c83638adf3792272
SHA512 da95bf35ffa1a20a8d177e6404506ac0120a7c1466bbe33519c1df3dfc65659d62d3d9b5a871078df8eea721a9943b8e74072092ac65d986223ef75db2444416

C:\Users\Admin\AppData\Local\Temp\owsu.exe

MD5 a2b299093c074b57ecbd7d1c4c1dd330
SHA1 ada4194c45de0112db4176016eaaf11d4f891220
SHA256 a2eb683d9e02c1873210c0eb13b410f22a2e774fce415873a64614b581520c71
SHA512 76cdba160787dedf7ff6a2f24fb5b6b9bbaff4c8790194341a884001fec6cb4393d946a3a74217d389ca3601ab79d403996b528716c8dcbb35ffc1e0a5d50dd2

C:\Users\Admin\AppData\Local\Temp\kEAG.exe

MD5 eb3cead569f3cbf57bb4fd1fe5fc9a20
SHA1 45cee2f8c3bfca59d1b21fad416147be51896c9e
SHA256 e3162ebf155861a7e95c62f65ffc928a7c4e1fcb0d6631d2909c23f0b7c7d108
SHA512 43a8a5c15c6f08d057a62450443aeb545de7ad5660501a3740042928781ad1e1cb2f73c00808405794c6763e9ba987fdfb69f54e72d2c4b3955c3aa83f52e9d7

C:\Users\Admin\AppData\Local\Temp\Cwca.exe

MD5 b091395880857879a3fdb010279a3c62
SHA1 707e35b75bfefcec02e50fa0375dac413955c57f
SHA256 d29a07a73009195db22c819f6fbb41b284cc5c3c8656bb683eafc1420703c3f2
SHA512 af385ef1ead077399e1f4ba10f9c275fae121deba5a3baa30e933ea779be78945011d4531be90d060fd7c182eb61a256d067f2b44a2a0ae49102a44318314a12

C:\Users\Admin\AppData\Local\Temp\QskI.exe

MD5 0ff125a205958c25f43a39cfa9469173
SHA1 4192789404d46cc46fd039576086ba04f3b21b14
SHA256 e8ac28cbc2074be418902ad266ca134292feceb5697a403ffe719787b01c9863
SHA512 459183d10fbb0739fb3f13c2afcc12c1eef7907d4ffbdad4dfa45667c1789690a93c9efdb5d165842c825f4e1a4c68b18582a9738aea8a9646b10a7db848a57f

C:\Users\Admin\AppData\Local\Temp\hasYgoko.bat

MD5 db132b8efabe15a2237a4bc9e8a2402f
SHA1 420e22343df494f4a369b59ed37b0efebaa97fb8
SHA256 0d2a275db4d68c34653e5cc921c970b8fc91e481e289d9e50a3bbaf43b8b31df
SHA512 a6ec852fb803688f0ffbb636555cbbb362531cba25aef2d02a15daccb25dad7d6a8ec6ac13cb74ba8bbe54b2220947d6a0f21049935de1456cd022d26a24e6c1

C:\Users\Admin\AppData\Local\Temp\yIIu.exe

MD5 41be541af0fc4af61bc9502a95222d44
SHA1 e509cb67fb38e193208be15fc85258bbbee59f27
SHA256 4c05bae5f411d6b9cfddf6d0eee6665050c632ff94b522788ccca5d304f65ba0
SHA512 d9493480cba92858a76ad007ea0812cf4c364d58dae8e23285bfd8a60a4b4c11c8c2f64004e0f7ced82540e80113c319c10cc2a3fd9e8297ea8493a6dd9daa41

C:\Users\Admin\AppData\Local\Temp\aIIO.exe

MD5 dad7407340c51bec9e329772e80ed23a
SHA1 2e4f664e3b801a34639a3d298ea7bd6de0d8ca2a
SHA256 c7a161e295a76527e68134e499b0e9e6b57e7a894abd7cfea86a04ed58db7c97
SHA512 79b98878a99e4f5b9bd8eddd34a024be7eee2839b510ba30191106ff73682b86e16a45b9bbd940597faa7547b4b18a43157dd1a8ced4bed36ef9a18c9c8c9280

C:\Users\Admin\AppData\Local\Temp\qoQy.exe

MD5 ce18f3b004723acb41f54d4e5484e0e4
SHA1 02a8d33229757128b5d95e12af5ad8aa0ff73a1b
SHA256 c530409d0fba07a5dc851df761d6d62d6df8104099cf0319750ec8162a8eb2a1
SHA512 92925ed5a24806a7550f1ba1cb6f3fcf5b8571a4a453057fb8198108327ee5498e145467152e01f148cd1fda7ee59dc7dbd7f25c0311e089c9fff70a9e2208fc

C:\Users\Admin\AppData\Local\Temp\uUYu.exe

MD5 483a5e9ac49b3b0191a714928d1c4a86
SHA1 1ec4880920c5d14c3263a6a9327285f92575736e
SHA256 9f92510d3a81255347cfcdb801a28b73bc136795a984e0584954b28e01f16375
SHA512 afc7650c3b2cca71783f49f778cc5a9222d2fbb2a17d697ef61a78c416b4cf4bb5b5fe0726e80872f9309f07f552f4843dff2d4523337b8acb788b35b1bf9eb0

C:\Users\Admin\AppData\Local\Temp\OwAC.exe

MD5 22f401684a61896f02781df524b5e42d
SHA1 93711d65295eeab79e6adff503f86bcf29b3600f
SHA256 eff94961ad34b45193f3826cbbf6bd5396b751c8e04c8f1b33c06883bc158bbe
SHA512 f9007fc1a815a796815a390acc8966f25bc0e299d09e6e54b3b8c75fcf68ee0a495eb1711d5cc4ca7715537fa37b320dacaa66ebae0a853bc527bb3914b98fd2

C:\Users\Admin\AppData\Local\Temp\soAs.exe

MD5 94d48bf511b95d84c288f4eda8106927
SHA1 c1aef05666aba88ca911ad9645c7d93ffeeaab84
SHA256 bd0765c2eeb82ed7ee39b97cf61a2c56445688470ecae57082b5b769b25aac68
SHA512 0ed6e9f554de72117231f16f99a7f990f47b1595a5d3b4506edb1d477cf775a79c485bcd5c5ddb0ce89cc0fb93d1ca4ab10feca1630bc12b01a6a3d14b33fa34

C:\Users\Admin\AppData\Local\Temp\wkws.exe

MD5 881f8cd3197c0ec22810ae4723be0b7c
SHA1 bb382362ff4dd738b64b12a034120605c6ac1590
SHA256 de35998d0111371b08a240532e44feb3f902a730f0d6339e3fcfc0df43d07d41
SHA512 a91ee77b28b951d06f650cdaf2224d7905888408c1bf33842d6bffd7e3650f5650d06d2c2783eba995fb0c6ce8286b009ea0fcaa7cba32e65c571376936e9295

C:\Users\Admin\AppData\Local\Temp\zwswIgQo.bat

MD5 94e1d8a202606bf160407119a22fa189
SHA1 c2a68e6b676c78bdc404beeb7f08f4661f3749c9
SHA256 92b0a6f1f293a4a6ce32887112379c8049f8808639d23b52fb8273012345ede5
SHA512 39f1fd148b99fa791d29247ea761159bdf763c103a582dfa6ec01b83fc3eecea27ce6a576555547f2fc694418ee97e6dc4a53dc011a64759f42db528ec32c47a

C:\Users\Admin\AppData\Local\Temp\Wgsc.exe

MD5 d437693f36acc5a5b1eace9880b08009
SHA1 e329ccc80a452b22493742afb62cc0358e345f3b
SHA256 b1ff6a9db2682ed812a2a0d7421fee234145203e004d2ba1cb611158c1186184
SHA512 64e8aba3fdccb1b7abe3490e69fd71f88b4b4776963be89f1d69436115caafc66df229c0eb1e2ba640a4aa895113603023251b14631a42b65c3cc6f5020d32dd

C:\Users\Admin\AppData\Local\Temp\OAQS.exe

MD5 f8bbdc8c215f3d6f23af8b62d028bd81
SHA1 161b89016817f40bfbd16cac9a4c2946246a9e91
SHA256 1e828c56af0072de2feae26ec38f45e3a421f4f82e7a36ace25142a2ddd35b5c
SHA512 17ad0f518415b516bbd15f5f859e70d76cd358208d300f9baa665aafaa8d86254be82bdcabeb174f8d8d60c761121a761cce98038f38695c02840fbf990c5d90

C:\Users\Admin\AppData\Local\Temp\Okkk.exe

MD5 631aaddbded9538df1c7d3d47ac3c26b
SHA1 a05892dc16e4dad07cb1697c14d807fe349dfed0
SHA256 50fb2eb95882cc032f4ec0428d1b675f97d5f2f97050b8ec931670cae7042940
SHA512 e53bbe71028f84e8f7bbeb20e92ce98a5725bbb4ae32c757a80ce992bfd5db350794fa9ef7d8408c539754225dc2183b96b045026a0e0d1c579f9ab43d34c91a

C:\Users\Admin\AppData\Local\Temp\WQMo.exe

MD5 d5c9b9defbd30d3e8320ccb88a9cf031
SHA1 9d7d1b4a903d8206bf614667e10b40db90ffd41b
SHA256 e93e6355cabcd7eefbf3821b02b64b400667e735f8b8357a0794c2d493be54c0
SHA512 03c28f82672038066a6d15c576170c9d745a8026f8d01d84a6a983a8615faffa140828a99f843243545445c2e4f73f0153222a4603c1acca61afe5fbef59f102

C:\Users\Admin\AppData\Local\Temp\lEkMogEI.bat

MD5 9ef8d11565f0f3177742a74bc3a02d44
SHA1 23513f6237b9dbe0401f09495167952e23d5d558
SHA256 eb3157e0036020175bb1d603cc22f34b4e051414b9a37991c30680e31d963569
SHA512 3b952f9217d3afe328f111e6a2024c26c50f642014ba185a6992c027e357c6ddc542129c68d248a6e1340111db3a16e0c267ec80d1760ce0da6aafe67ce80173

C:\Users\Admin\AppData\Local\Temp\mQYm.exe

MD5 28eb06de1e33378055aee61bd3ed6579
SHA1 596d67a56eb89ddfe8f1bc2ff4acd0ae5ba96208
SHA256 7bf3c83fd84745fb81944d23ef3c6a3e5eb8842e1547613d233b23ad8585a294
SHA512 17c12a56aae02bcb1e2c4d94054508183f81d217c391f4e890a76c2ae6fe5b4ffcaaf75da3d2d576b189e50c490570c09db453f773af0f8cd706adbb53d8c10b

C:\Users\Admin\AppData\Local\Temp\QEIw.exe

MD5 6b0bd2482f6227410b0989187bf126fc
SHA1 2ef5e5693985f7ecdedbf5dde73c3b7cf2e1dd62
SHA256 6cc26c417468c33c3551f741fd8e3f145e38cb55b47a94123888d12831d27e31
SHA512 74481cd0416347296eba0a3dc37ca19190cf0be2c6da41b4ed1ca15ad746ed1ceeb5aba4b003a865255356137d1b6f146e4918bfa67ea4a4fe76a547b7732d10

C:\Users\Admin\AppData\Local\Temp\MMow.exe

MD5 0c51bbdc7cfcdb4ad160d53978a3069b
SHA1 e012436364141401e218de87e512952e73f74904
SHA256 eb81b038d11ec63ac6936bce133e899fc8855f9286abbdfec6b6466f9bc6ce78
SHA512 ba95397f83e10bdfa4cc083c55d3de15389c093374b81a596db726a5ce82b7358f265705691a45c6c934790d947b1ac080e15b9fcd710c1b5572bc2e732d6d85

C:\Users\Admin\AppData\Local\Temp\gcgw.exe

MD5 66b9c303b368e2e1b1a34b56e1dcb8d9
SHA1 b8ec670241efe46a16d1eea6da449a9fbe82c897
SHA256 22255f19d0db575e9e500200cbc437630a5def476115959fec87ecbd57755d18
SHA512 84741add9ab5b2a8198bd8f21ba329fe8fa62b94bc38245e3b10ab636ab572c557b840d0c7dc5664ea9d2c0ba7a328da5199f31e9e697f8788783cd2338f5980

C:\Users\Admin\AppData\Local\Temp\AcMq.exe

MD5 ab39177ebf6c2d75a730c8b17acc2bcd
SHA1 aacadbc9cf3f2999ea5c807260228a1a1ea1efcf
SHA256 78599ecbbc626b63bb754b7a0788836afa83fe654926abce024d0f6bb43b7fe3
SHA512 e2d7f0e9ea009411ddf0e13c0f70ab4aadc02159f7c681c11ff3299f0e3638c0cf8b1fa579613e5ed1f7e68576453b2bc63cc29495693fb8216cbd1192102ac7

C:\Users\Admin\AppData\Local\Temp\XAgkQsks.bat

MD5 09e9e6229d8f3d1a3473197cc5f39d95
SHA1 f0c4426201a48f2d44cdd5c1804683ce1168140f
SHA256 29407c5d347a8e9fc0cf6dc8fb4017c7aa19da95a336fe4f3fcbad0acd73ef1a
SHA512 a30d1b1715433d2eaba2becf6e0b36487a5ca9d6215e57be32b7fbe43679084b8534955bae037f4a052ab5c2fd5586d4e350be18df7ba7c076a2757312a85930

C:\Users\Admin\AppData\Local\Temp\AwkK.exe

MD5 d69b052f822baeec64453d90967e04ab
SHA1 f9c073b476771da8193d1a5befbf65bfd65627c1
SHA256 0ca51ea9751cc90bb75f9365975c13c0544fcb894e918ca9a7bfd338b51b26a2
SHA512 2fddb600d2d882da06c7ad3b53c323929e58e263024562beba9e83b563f9ad098752c57b74aa1967d55399b0542fe02338f9672cfd894339f2822a48c9b09fe9

C:\Users\Admin\AppData\Local\Temp\UoMA.exe

MD5 0ab296fd5c3e96271c18058c52b6df96
SHA1 7e206d7427432aea1583227ea0bd625260789f12
SHA256 89c4b31f9ce33ac79fb0101d8a30816c3d84cd1ce4fb128cdcd055e62b1e0b3a
SHA512 0e0ada4ac0f5ce067f96de7424bf8174b9637b6c684fe773bd4d44e02dfc2dfaebfbb90af4d8d99d72f51a0ef938aa80a0afc38e045ca053f6886c03f0ae23ce

C:\Users\Admin\AppData\Local\Temp\IcsU.exe

MD5 4f603f0464564027b6336c731958c5d0
SHA1 004a12bd7a6f810cc7dbdee086432d9b8de1b61c
SHA256 7ba773f7d8e9aa5379e268f9c365d985b9f10ae251f0158c2d1219df158202e9
SHA512 85a6a371fd5bac30481f5a9e20915ffc396234ab62f2e4ac58bce7f0354b7d8c2ca3ba2c5eaf70c46ba8aefff07beda2e674fb15a64f389140f62ba342966e93

C:\Users\Admin\AppData\Local\Temp\OkAM.exe

MD5 52bab51eea03fc18f2ca1acd7b618b9c
SHA1 fc9de1378922cf5cbe1542bf3ce55109a0503ea7
SHA256 764dbec57fd6f6b6f970ea76e7d0d0c489a4d849f01b3184e7beae7edb35c085
SHA512 d60b1496027bf3773ca061c05077f374d42934c42164b27309a834a4997a4ae845cc20c439d6310da29f46b53ae7e43e528a990611c5a3865052cc6f9c4821ed

C:\Users\Admin\AppData\Local\Temp\Kgcq.exe

MD5 462f0dbba7fc772607cfbf91d7daf33a
SHA1 9633d53190d427855bee31e7cce1ebacc57b8317
SHA256 dfae5467f70aec2c54d2f1430150e8a39b1f5878f4b7ab46faafc44f3121df0d
SHA512 38cb993f64796abb9138192032f50c4dc376913f7940acb98a9fe7ee8243b50b394a2420d92f2a0e9778ca50245f898ad3663ae8b9e71d6c03cbe76faba9755d

C:\Users\Admin\AppData\Local\Temp\ysko.exe

MD5 659dacf72eddb787a826b1ca6e02da60
SHA1 ca5c4de6079b82b12444cb2dffe5f01703ce3f28
SHA256 b280fd8e8bdeb1e20623066baf4b372d51442d80df2186c37dc731e0dca447b9
SHA512 5d62e5313c77d900d20119ec994efb06e8fcfde1eeed728b884d112bc961fa08922d37a9a26708dd17f1b32d39922e749ccf8c6dfd63efb7a97d67bc588c1006

C:\Users\Admin\AppData\Local\Temp\gkcA.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\mokG.exe

MD5 ac87c263106b5d4aab0df12ee574d9bc
SHA1 d7b3d14639b490e660c475c9d8fcee54d389192e
SHA256 b0dadc76402aeaaff348cd36d88ca15a3cfdd6209e3a5bef865c8bb93bd121ba
SHA512 4ca070c488fd5a6446b172e2c7aa0144368d01353ba779b8602df4f3f7340ab53ad01309fc8d9a9671ae88cb51a90a43225c9c3101130970f0d169d3a1c154e6

C:\Users\Admin\AppData\Local\Temp\sgAoAsIk.bat

MD5 72cba8c574e038550c199cbb5f83457f
SHA1 8ed6ac93bf1789638f9926a0aaf76204c86e38e4
SHA256 fd8dc301e932cd399676a1ee806b7c0eba3bc90bc324a3a251ac8355cf1415e7
SHA512 5140854241417e4371f40bf8f06dff2584e72598a8c894b1c3e883bb24fa1fe12538c42cc65cb0986138e49c9ab946969cdfa8782a477cb0de9ae1c7ede03e0e

C:\Users\Admin\AppData\Local\Temp\EwUM.exe

MD5 ddaf1b5afe423c984ec438fdd08fd201
SHA1 fe6255c1b81b0d9542f9238a461161a46376d936
SHA256 5a53d43879e2aa9abead1642854ddb0de03c57c041708f791a88cbd871083891
SHA512 1f6e9dbf6da34c81e8ea765ada1ae8b92477eb6266f690d99a559e7876d18c393efa755f13f98ddd2dd6c7812e8491f3a6431c6e4d2cf2e0d7b73a15a9c0d00a

C:\Users\Admin\AppData\Local\Temp\qIkS.exe

MD5 9484d1594d446456338b74f91dad1727
SHA1 bb36c4b7dd7e15708bf441df9f77f53d684647f5
SHA256 20464ee1d327682bf1bab494c100813b036c04f3de802bf374ab0cde94c622cc
SHA512 250f184fc2eeaffa4e9bbd1a30b84e331a57fa959e1979e81d3324dd6b456f1553396c0f3ed01fc0f33fab7dafc78ad001b772cda23f59e1e2740a32c6040d18

C:\Users\Admin\AppData\Local\Temp\GAowQUow.bat

MD5 af3f568376875aaed11cab00ebef7d04
SHA1 6fd9a1448dd569b4f321949f03e35510c168be13
SHA256 5655fbd6e16a74f00eaa2b0b64e3083cfa49a9bc9fbb7117c491edeebc0c8315
SHA512 34682f673b7864ec48dff75dbb43ff1d6ee9119654727703f21da1ad341eb6887adfad7892d3e5f555b346e2f77ddd63d0ba90f07075f2e3d4009d1142349a58

C:\Users\Admin\AppData\Local\Temp\sYAIgYMU.bat

MD5 33e53aba55ae8a0a537318069e81d858
SHA1 b24ebe171d261706107709852f0a8ad3c21d4f76
SHA256 10970c48286ccc9fb876d8412782f04c7ad9a2eac4ee56fb804e297c774a78a7
SHA512 6fc56134c82deb0b8ab753fa69e1acc6f5165fae7a62b43f82880839e35e306c873924c880ed030b998f9b417563a9c6bf67579932dc7227b21a6d23f59c092b

C:\Users\Admin\AppData\Local\Temp\TmQowYMU.bat

MD5 2b6133dcc13f08c4cd730eb50806c37a
SHA1 e6cadfe4a6ad6632d2c0170f17e2948658c1fb24
SHA256 f2255fd927ba3934a9255587551f97acca339997f7136836c4400d6aeff9eb1b
SHA512 b99d27980e46402b8ed85022c68a0b9a47c6a1ca6b8c2f0dfc47d42d64e618365a9ef3e5ca4b46cde3a62ef4d0ef59d4a3c4bb01d5f6e3584e272042cd2a77fa

C:\Users\Admin\AppData\Local\Temp\xIcMUUIo.bat

MD5 e0476b36ffb58a1de5008f5667fb4569
SHA1 cd7d7cb9399cba9031f99b0f4a3cd5e68bb90c72
SHA256 17dc86dffc94e4426b916a6d707438ff2cad6fbff81d9e002883b27297795d71
SHA512 3d3d28ab07d85ee70de50520b1d170247386829ffcec6ee4fe9a0eb6a3527a34018f6ec0ec5d65724e3280bcf5fe72e1bd47257f11962af9c74273b0c0723664

C:\Users\Admin\AppData\Local\Temp\TEgYEUYw.bat

MD5 2c1078a3c9f59015edb8d54784330dd7
SHA1 f18ae04422ce6030097f09d70f58f9045f1263d6
SHA256 2f79385a76bcf486cffd430ba131991d679c66dfed66f137b782c5a8edddc52b
SHA512 812e6c8682ea61b0d8f8fcc8a93c1ed217f3269f537be1a6373fbbbfef3ad27dc858c4b0c9f7ea12548cb49704d764e171b026c264d014178ba6c3d4e7647f92

C:\Users\Admin\AppData\Local\Temp\bCYAkYEs.bat

MD5 a9656bf33e2e45dcc32635cfbd5dcec3
SHA1 fa88b1a86c0d8ded5e63446e4b2ac09882f3431f
SHA256 4240809da87b6767817ad10131ea4a3dd79c3aaab84f3f449a7af74fa79856db
SHA512 6075e5995b51e86be988955da4885b30c1e18071e048042b727878a7846083917a154e185c7f096d65820145d58f1b53044dac10580ccae8bd7faad6d56310e7

C:\Users\Admin\AppData\Local\Temp\uKEIkwwE.bat

MD5 66f7cbf43eb934e2d7dbb9c690ba30bf
SHA1 f2b7794f0c2b79e0a8e1eb3d684a06c9c2897d22
SHA256 04663354e3e77475075914b3a0793f79f23f3fc8f501db6fd0930be479ba7fd9
SHA512 492df01de6b7e110d3c7afb82e0f2c89eebf1d0f597ab1351e738977000ca46c2ed56d474c529a3fd06241c3ef3ee8c9ca363f01796047936d25371fd0a8900d

C:\Users\Admin\AppData\Local\Temp\GYgcgMMY.bat

MD5 d3f9fd1a6ac601ec4e01dcc44253a030
SHA1 ef91b29cdd18bc89a43cfaa4927ea83a2dfdfa53
SHA256 88606e73ea2a3310593ebf53f7947c895b020d5dc874b10a8d347ce1d4f4a715
SHA512 f296c5c27934c93f660e514b303f0a3a58d23c11360032136f85e022d52905022130a9b5bfd316e0aae24af4f053fb16dfa3be06b37c399e6a11422e1fde9c30

C:\Users\Admin\AppData\Local\Temp\iwUW.exe

MD5 4b209e5bcf0a3e2df164d00a56047ac5
SHA1 9de495dd523081aff67a45e81c5cc7154efacb36
SHA256 8133f43495472a7187cab345acf3c6e2b7ea60ea0febb0feb3acc2ab8cf42042
SHA512 8f1805c2f04abd4afd5e7afaa148d70ef2158ef54330e2277ff3988a7bddf56c8955d6add3c2635cbc74b02b285c196af12da5fa609193de10779136ff178363

C:\Users\Admin\AppData\Local\Temp\gGcoEIYo.bat

MD5 da9ea9fc98bc7c26d8b78c3c85181ff0
SHA1 8877d0244bfc77c95e588d0fe9869930241d10c3
SHA256 354e5cb0576d2b5a8a496e20c01a05c82ecaf756184e657e75264c3333a4a684
SHA512 04df1fe3871e8dfd1d95603f4c77417b6a94bce56ca244711ebf7f16305ad00ade62c1f813b4a1e14f4f8555b01df90f96ae382a0137d7011703fb7c5ab1d0e8

C:\Users\Admin\AppData\Local\Temp\CsIg.exe

MD5 b50785d23aebddf108f5f3f7ef483e2b
SHA1 30db7996968b75bdf6c88236c4877225654e88c5
SHA256 ca25a3f7a56cac04eedfc053ab0cad15668c43d32386e6b4c1f500e40ae0fd8e
SHA512 c5640ec3fc789dbfd86af02e46f3ac09aea37188b02cc8739815218a6d0f3c66d903d8407b9850c5bf686d0099e85e2146e6fca9c73f517154417cd73d41f6e3

C:\Users\Admin\AppData\Local\Temp\ucoe.exe

MD5 70fd65353b875a1662b2373c1947a65c
SHA1 bf6ee7bde539f9dc60509ddc91424585c5c2ef62
SHA256 f47e06a446d4aa8ca5195e5731030935e210be28bc64556fe07890e467fe4296
SHA512 503e4df39aafc818039f6370cf8066035a6ae4ac802e264fb613efd65ca8be198beff10d9d4fb7c46b716a37a5b17630e04e753e00e4da84b2c0048ab286735f

C:\Users\Admin\AppData\Local\Temp\uAcw.exe

MD5 3d93c86cce1cc5e32a4412525632c1a6
SHA1 f8b94e9f7d0720a18f27cd917b1429a31a972776
SHA256 cab5607803177836c822aca04d1fdfb7b508a95d4b314b82bba0363b34422ea2
SHA512 5647eb367f262423d9f72e1c40aa35e44bf9f8d26c5eb56df1f6ee6e783ad58601aa3793eaa99477065aa857a2ded28a3770128add8501fa569d6b8c819b0bb7

C:\Users\Admin\AppData\Local\Temp\ksUc.exe

MD5 211ad84ce71a7314fcc1c81197afacff
SHA1 41a694e12a43ca57b6b70578669d7c2c381bba35
SHA256 aaeaf816b0ec21a4976880d6eae44c22478dc73683a5513b86612b968d6e08a4
SHA512 dc8b8e8a417fc791d103057e5af82ea888957dea38292bb02e0fcc96ffe0c45c6b8baa472e18e34d576d8ca691b3a3515f0f9ba641f89458656a6a91431ec8fd

C:\Users\Admin\AppData\Local\Temp\Ukss.exe

MD5 411bed405455d85a5b7fb16ef04b45d0
SHA1 ef66db8c7367ab56ca9a226f5e1b7ef75011b826
SHA256 f612b60a9e3aefdbef9e4736f7e09e0eb3d51fbe6d913d5eeff6c507f6ce3ad0
SHA512 3df86536b4f0420571c68bb4e1fe5282166004a0e2a7559105a44b522f6e393622d44c145c3cd5f5d7c22bafcec50900ec79da33761a818abac9bb3dc7154ce7

C:\Users\Admin\AppData\Local\Temp\ucwI.exe

MD5 63f730c45130b1aba37a7fbb9e8add8f
SHA1 44e92091f3f79f21cfbb7c39bdcf341af510b941
SHA256 0a581f9bde59146539dcf265218d0608ce0e68d08f108650114fea3df8e89a63
SHA512 7a74f4eb51a43929dc3f63477f98146969eb712e69640ff34fd18716f2c124dac9a7bfbe3f3e0fcbc49bf70a4ced6138891dec87869942d8b5bde74466f3d4de

C:\Users\Admin\AppData\Local\Temp\iQga.exe

MD5 7102924f71b4297af47ebba213fb9682
SHA1 4ee581973e2c4bde4766373e58ee38fce6338567
SHA256 6668403dd8d49683b32e6a252905433c2c98164f33d9be35add72d4d2a1a4df4
SHA512 e388572f6ba125531f68ecf146bfb24bbbc6fbe83e4810cce343d753a55232be5551a7dcef5a8623c3817ef7b337cfdfadf69f04b7ab80d29ffff6584cc2ef81

C:\Users\Admin\AppData\Local\Temp\cQAA.exe

MD5 a05339a1e28ec54eec605e8fd64f47ef
SHA1 3a252921dc1d3d1581e582519d9d428bc43428f7
SHA256 a2124228b96a5be4e868a91eab1f5526b78f69784efb43271d8817bb36da7696
SHA512 2d08313d8568036395393e975b73de540a9f9481d414f244d2fdaa23da3504c15ef0a5fb203e6012e69a039a78aa3f561243ae55626d4e63905654f7b64a00c1

C:\Users\Admin\AppData\Local\Temp\ASIUkcUE.bat

MD5 2848477952754342cf8765023a13988d
SHA1 1799f6124bb2198625cf79964263ba966518470e
SHA256 b1a997c5cdb836da9eeababdab0e8478b3c41b3c8bdd9bd9b28c904d8dbf617c
SHA512 ff2600ce98e028b25f3953be514bc3b4da281f6ca63e24accd6f9539ced83bb12afa227fa0a69b0deb8976ac54e27887657baa39eed972e39aef5e3fc5f501c5

C:\Users\Admin\AppData\Local\Temp\iAgc.exe

MD5 db71755c06d4318a66ffcac7543974cc
SHA1 4e8124072b4b2a12a5d7d687e6f375c01fdb0164
SHA256 9216f2d98403de471dfda6d1cb0d38f513b33e42f4337d51cecd57311d340273
SHA512 67a80889ce911281127ad4142c425708f99679c513eed6059b2e444d5c2c08fd1c0ba0873b285357e7c4869a3cb11394663d9f5cce55e9ef1859129f11362840

C:\Users\Admin\AppData\Local\Temp\UoMu.exe

MD5 2a2dc218eb2a7351540a7950a35e1c0b
SHA1 c4159f2c205d3dd88f0de9ef57d1207f1a7c8c89
SHA256 570e8bb119ea48d703a3643e8f5ae869694430f623ff6c622c42f179d0e4cf4d
SHA512 9a93444bad814b256222bb68ae111a9c9a1c43a057ce1f3237654d25b4644cb66c11b50b0b075ecf1505be8bfb9b42e843aa46a8d229d173d2dfd0f6fda880f8

C:\Users\Admin\AppData\Local\Temp\ywQO.exe

MD5 7211118fdc4959372616aa96ac8e8f76
SHA1 de1f2d1911deef2ee6dfd88eb92f537ec75edb76
SHA256 bb844c66297b2f58cfcb97c34ad410c0b0d132fe8b8f0f249de6ebb51200ad0f
SHA512 c57552da06241f48c47f5028dce43cbe32c37191e044d6e815b2cc151111c270c6f25a6b8f3db9d3c2a68fd30b863741878761b5b8f3fa41f95d16baa6727772

C:\Users\Admin\AppData\Local\Temp\wUku.exe

MD5 bb68eb33dc274e91543f18e15e3c5932
SHA1 c9cc7d2d060e43769d685efb3c6379d35adde452
SHA256 1194a04e04d1a13755f83a7536bfd4b1cd24e8cf19b2e0f44d4c0b111a7ef3da
SHA512 cdc8e5e02630d1d52d53509fbcdaaa20d0da526515432103166d24a2dcbe7e38b3f09c44ef10f8026f8f76342e4e50752b08907791813f4135ddfe9fc00a2693

C:\Users\Admin\AppData\Local\Temp\nKUYIggM.bat

MD5 7f1dddbd74187475e20f2dbde0da7db3
SHA1 2050e53a52b84786fcd03fedfa7f6bbb0f6a6d19
SHA256 4ce09ce0cadfe43fa888af2fdb7fa5a3f4cef4a93afec2195639a0dba060b1a8
SHA512 9de789e7d77310bae5586a36ccfa4ee7c5005a33a35c74f4bf7934c57407b2035be683714f2bd672d5d0e6fdbe07569b180f855944dbc5ac7f40419d21432eb9

C:\Users\Admin\AppData\Local\Temp\Eskq.exe

MD5 5bfe361e4e6a5ee18e9dd346858be363
SHA1 88a45465fd863ec5e3fbca4dfe7ee2b379f98392
SHA256 74610f20126bd437ab6423e07f16342e58c955b4aec6a20566805dab6ed15209
SHA512 f22a0c9359f7cbcf5aeeccb92d11c88f1c95aecc78359396a44901802b65455e2a71399599496da35c5521cd75b9238c1275a6ef9e28115a1b7823c0c03729af

C:\Users\Admin\AppData\Local\Temp\Qgcc.exe

MD5 b0c237388823c7c5d805deb734bc84a5
SHA1 4d7f20878cbba4ec1b1c03d4c93c4d755042ab62
SHA256 a5f5ff044c19b1888b50c70e2248d918fe121ca084869df473b1c48e2a8fd486
SHA512 c96dfcf00a5fdab1df958928474d4350bf5ece6bf5ff0e3fa17f5ff2a9da03c50ad411fadcc9e029fa3087acf323a36c466bb6abdd0fd82fe0b02ab3e7bb37a7

C:\Users\Admin\AppData\Local\Temp\FsUowYkw.bat

MD5 17d2ed2876c23a40803c4ba59a089bc1
SHA1 d8f69ae9e2af6632b1975cec0071ede5c9879a37
SHA256 85d284ee2b48c07081137085453d55373335790acce744d1db271bfb99ff0001
SHA512 f34a5f63042da7f5198862964e1f59165256cc5d24c49706d5cd666310b528d862b8c96557a2aa8f83395ff7a456e868f089c781b479103af011a423c05cc544

C:\Users\Admin\AppData\Local\Temp\QUQo.exe

MD5 3f4c7d975e23d49efd6cea9d227e067a
SHA1 5029f4be5a02f2bb02800f7c9768e4041b28019c
SHA256 3e691f832231827f698a64f5e9054a5d94059073c7cbeada1423224b51e309c0
SHA512 bf2639e4a8b8e676c01493bbeb6ae94333b93fb1eeb5f3623290d22191d6e8e53c04eb0e1a66144043e10e79e38d4c1a5a71f0536a3321c6948ad206339b09a5

C:\Users\Admin\AppData\Local\Temp\QYUa.exe

MD5 f29771f59fe4e908e4cc3fe35205e96a
SHA1 56ebec91d56045bfd481627d1967f793d7872f2c
SHA256 8f8d7600ebe30cf15cc3adcba88bdb7c1ce6fff177ccead52c5d9011584e57bf
SHA512 924e2743f77c09578018fe2689cabe543cab71ab484d7239ec64525b6faab37a612ac00dfb59b65e85b9b0584a9414e74f8e7ef3c797047c866569810ceb7676

C:\Users\Admin\AppData\Local\Temp\IAIk.exe

MD5 b8be7a4f373abf3ac68d24e58438e72d
SHA1 eee0daf6164d9e4659c1097613755e9e62439904
SHA256 0a5e20f8e9a8b4ec24e513851a226e8ff528f19c0547542f4c66e249fbf237f3
SHA512 5a981971fb7a6e3545646e7b6cfbe374607bf654f54fc6371e79caab60c562a06a8ec6254b0193eb47781a30b04f6877f019b19116e36cb8f096a938f4af7314

C:\Users\Admin\AppData\Local\Temp\sMQi.exe

MD5 6bd2e81020d8c20af2a86453ca0bbddf
SHA1 d91d670e15d153b88cb8c6b796e03b848879a9ac
SHA256 310b9bf7246c6bca00582c354e6df60c9d72c86703edd547409a9b80f6ed51b3
SHA512 42d5ee31976ae2ea4c1cc051ab47e29f5267025c936e00b0e6114176295b8c100b5dccdd205fd23992b7d101554e421bc4472e8320b6ac230c7c2e8a77ecd860

C:\Users\Admin\AppData\Local\Temp\KIsi.exe

MD5 34ec552e7592f02b5aaaeadb9899220f
SHA1 0e660f775ce45009de3254c84b6df9b157e1f307
SHA256 2078136b95582a43af7a4e8fd65dbed404403d132775a252770e61310fa0c0b8
SHA512 750897c90805d30192c66c3d157e074e38ac8ef22e5f938605777767eab05ff35d4e6fe7420b0825019b3077a27eb36bbf7a0973061182ce6cbfc7ac6b873494

C:\Users\Admin\AppData\Local\Temp\LIsYgsII.bat

MD5 2040f394f9c01f5a66ce010cab3e66c1
SHA1 7076edbcbf10a750fbadaee06983a3423cf61755
SHA256 de327a7c3cd2a8e45275ee8960177409a53232b06ca267ffb927fbdea6941fb2
SHA512 d447e13dd72245a5f1bd08926224518ea59fe7cf8f54a13d4bbd9bdea062690c6efcb34138e6666b0466167fa19729907c4d26ad5eb59f1221f88319f9b1a744

C:\Users\Admin\AppData\Local\Temp\iAAo.exe

MD5 f13c89e82fe1fe3a2e38d7461fe544cd
SHA1 260064b703e33b1ec762d3341ebd30248c48390f
SHA256 030ecf3869ab01e51b8160b4488cf24d0753b0e2540014dbbbc10c90ca071853
SHA512 4da36a9bf17b419030a21f581dafd9bf7135a9f84e905ffc8e5a71c897f1b143d913167b39bffb00b2f8fa890db9f85ccc24840f9ed958e1b66b734b0f32ee54

C:\Users\Admin\AppData\Local\Temp\eEka.exe

MD5 2ec173f71ecc0b253553eec3020f68ac
SHA1 bceb5262a4f35ae4e2c44f40dbc7d3e68345c805
SHA256 1e67fca88efe45d51e03b1f417a08cf91ed24d9cf27fd8f3929526a3db4bf0be
SHA512 fc7d8fff375cecafa5cfa86608de1f05136007b8762bb8363acfe3cf65b0213571d52cfa8be3d9eee536fe3d198daa5dc2fd4b779be9a15ebcdb48b43883c79c

C:\Users\Admin\AppData\Local\Temp\AMgI.exe

MD5 84743ede8d9094031e46b5244049c410
SHA1 7e5b73534768db64c4e1273622c442ef57126065
SHA256 d918297614ceb98463973dc52c48490d72117cc745917bce885bcdf63b9f0608
SHA512 144867b9059cfd4e3bfe3cdc178779825067811db4040e4f159c51116f009e48b961f8c9b76a8696561c13fc0a3c2c5a24b043de5a8cbd8250578a765ebb58a8

C:\Users\Admin\AppData\Local\Temp\OAIm.exe

MD5 61f6cef26e1ff18829dcdd2034e022d1
SHA1 4cfb71f0cd2d9fa0fe523295bf4b4356423fc73e
SHA256 33469318937b4309940a0258c23f2c62d39eda809891909ca29acba3514c24bd
SHA512 90b43b8bcaaa75a2d839e21a3a4417e2a9728065dc9a647a3443a2c2c7cb9d178b1ef6f72cc214769591c2b323f6b73ff94113c17af15254f3e0febacaa2646f

C:\Users\Admin\AppData\Local\Temp\EYUAAwcI.bat

MD5 31b5a7ae340d3272abd647f8a7032eca
SHA1 ddef8c4dc93cc13df1a8c79b9011573104c0a67b
SHA256 b931769451465eef9293bfbf5491e111085fb9c81a122cfa70e003c43dba5cb9
SHA512 5ea4d5d95f9dde26516f80ee0ff401f2715f249c54e60eaab67aef570e05406961817444e2dcc017257bab6506e14c9a1230d250d6dbf5cc11af68ba68a55ee8

C:\Users\Admin\AppData\Local\Temp\IEsE.exe

MD5 d68f5c7cd0ae8ca6dbb0877c557ed0c8
SHA1 b71c3764f7f5909dee2948bc2f61b20a8174327e
SHA256 c67535ee0a3d7396b22c252f2a8bc1d0f85f4bc5ddf11e97bcb91ceb3326b5c9
SHA512 8f956ce770839e8b20b54919fc214d1fdbdffce96275999a454f18cb0ad7d312c765e045e94650badb34afa64389194226d6d1d2066932d0a6c0c01e75e4cf91

C:\Users\Admin\AppData\Local\Temp\UUscAMIE.bat

MD5 c38ec5bd7d638a4faa0238d5881e59fd
SHA1 edbffe7b98b7007ab8d92173c3ee1b4a15308fc4
SHA256 8e5f8956db72215a93db2a172488dcf9ec19ff2270eabf930f7279b72252025b
SHA512 f1fdcd4a3d099a67c3106b262a4158c975b11d39b3715de8b96b94cbfe17fe9d8426bfac41b8de9af0e61ca7e2d574879fa3551161cc890ac7db69a28dfc0586

C:\Users\Admin\AppData\Local\Temp\essw.exe

MD5 ca79f92d46e70524012c9910e2c49186
SHA1 12b64f684e2ebe3c6b074e38a99e47dd6b02e2e4
SHA256 3967f344772f157eac0f1607f5ef9503bc18d7d20d397d896ef9793b0e030b07
SHA512 775657ed1aeb5a53fdd9838d3440fd3b2e2ca1aa46e7147e39a1ae3621057d92afee5a0d4b31ae351324c783c61f0bd7cffbbe762c269dfd5f1825ddd46731bb

C:\Users\Admin\AppData\Local\Temp\OUYC.exe

MD5 8d039dd0bf8cc4da672c0030bebf56b3
SHA1 6354e0c64606e7cb06dab76448288d1336e66bf5
SHA256 24314ade586f8c934c5853ded40bf7900f46ac0fe803e0607a8e30b5dc9641ae
SHA512 96e708972a662334cd74ca3491323788d02a4256c3268ce0cf88f0bcf30a33ec1e3be2aad407a4a6eeda3d9341845a58b51a55997660389d6103e33a2eb55115

C:\Users\Admin\AppData\Local\Temp\awwkIsYA.bat

MD5 ba025be3e8e4b1e98cc09f8410a89e39
SHA1 d2a66dfa6d5515d19451a4d7701e407257ff35ae
SHA256 355a1bfc36f74a08dc42bd6b375629bf3a08cadb857367ba3295c849a4883852
SHA512 173f6dc6d1562da410929124a911686a980afff14440e79e49e1828a370a64886ea8c6665fbdfa079d9df17fe417dc2ede3fe6ec6a312cc89361875b7f35064b

C:\Users\Admin\AppData\Local\Temp\iIgo.exe

MD5 b7304b83461b706f3c80168004858c4f
SHA1 d435916ca7b4fa9a04d6f35ce4bc377e8c22a8ab
SHA256 cbbcd378bc0732fa197722234201692dec56a1bd81fffb9361c8439c320f2b99
SHA512 c616b2d3cd7bcaf15726d64e0977b00ec65ecc6f6932894ee16c7c5b075178120f150e3037c07faa593fa802343554905a16fc635ec6bc25a711fe229bf2b7b9

C:\Users\Admin\AppData\Local\Temp\CkgMEwUg.bat

MD5 4a9dfe55a364b8ca5b555755074158b4
SHA1 b60576ca5ffb3c8446c58ea5a65cf582355e4867
SHA256 b9c1f260682dca133caeb5f82f712f80182e471a9eda9f61cbce5cf3b97a5543
SHA512 b5371b916a6a49910e8e184982317176ec2ede3bda14e897a8d33ccf774ebb22b710b89052b805d101bd1af47fc16f0303b4d9c8595f14d147a91b165f63d578

C:\Users\Admin\AppData\Local\Temp\mUEg.exe

MD5 bbbc9d2e0d6463f7c44074a994bac023
SHA1 a906c0b10026dadbc9723c605533aaffbf50987a
SHA256 56dca971ceddaa64999d17baa9d47ae6f2a4faa7f48bca25880e127379ab0530
SHA512 5fbdcd8fc71c09d68414ad0e728c39d67d94bcb43c7dfe2934cdd190805794648b2c94c08782aac8f70d4f1eba0fc64b5724afd33b23df40c1dca3110e2b7626

C:\Users\Admin\AppData\Local\Temp\akEU.exe

MD5 35306823d212f598b248f52f97a0e751
SHA1 04a0750865ddfd689e1048e523e631cc8a18783f
SHA256 c49c5d71d410d2b112ffbed2bdbe9b71e3004ad17ceca660d451d10b83856677
SHA512 0101ed7a784b06f2ed7c2ef570cfa4b7a6ce70833629288f5548862a5ec418883cb6ebfe4bf75caebf2bd27635b679d3b32f5bbd09b542c574c204303087ca3c

C:\Users\Admin\AppData\Local\Temp\MYEs.exe

MD5 f19f92d4ec309825b42327cd2f1c9e9e
SHA1 e8fb3880e694e5a560287b3774518a99ac526cf3
SHA256 a1825c6592bbdf79a6fc74ba4215dbef8eb76c02e9f4e68fa053fcf3db7a680a
SHA512 3eeaae9e244d74c53af0dc7eb0c755421660d61bd8d2e083402f10041070ce4126a7d636159cec32966a58f49fb694e28a24a7b517886ab153d24049522ef9f4

C:\Users\Admin\AppData\Local\Temp\ccIE.exe

MD5 6a85d0dda2de958c7e2b4273981071b3
SHA1 3cdfb0a44869a59513b8cb3b07566419605403b8
SHA256 d24de944f90c91c296b051ba4a5dfde635e3f7078bd8e0608815ed898e31af29
SHA512 838f60a424090a8249f3549731a7e446bdae9ee2a9cbbc1320da1a22b385976ee1f54dccdd9817faa16dc81ff384bf889d1683e18e59609ffc4f1378df6df9e3

C:\Users\Admin\AppData\Local\Temp\wMwC.exe

MD5 e4da7539d196be07d1d95cbce92ace5d
SHA1 fee39ba02b55dfa99da9d2f64b670a4c55436345
SHA256 453e4e587a4f8540a39bd2c81c59e59f8bc5ee2b25391c068aff6ba76e9b2ef4
SHA512 636799a4e5bc98c7c439d34e37d9818ae8f33a2da3ff5e43281130bbd399160580f69d7d10e1d16b938c148222c75a2fc04cd92ebbfe9e0febc9a976fb243cd8

C:\Users\Admin\AppData\Local\Temp\gQAg.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\cAsy.exe

MD5 7313abbd524a9530ec7874da2bb66bc8
SHA1 e239b2e271ebf83a5ba77710c138fa813d694891
SHA256 eda03266fa219ee936831cda13f8b2b91a5c1a857ad12b57d30a046d40a6e786
SHA512 7640088aada13ccaae792a87ded2642387301810e1fbfa4844a9ffd54adb3fe4ec10a7d8c21b500d26ee60b2e79960143a9e08aa650cfb4c9c27becbcfd74855

C:\Users\Admin\AppData\Local\Temp\XyAAkMEU.bat

MD5 9a2fa89f3037d51c85600d106cd29ba2
SHA1 fef7c4a96501dabcfcc4638e09bb8bbc1bafbe3b
SHA256 3f69b09b8e8e7036ad9cf2fd33f5cd66e4e3f5dc4c41b8f99dbf80c34da5a912
SHA512 f7da67a241e3c6b07b50b4b89aaf164b0f46454af3d139258f275c0067dc474e41647b8046840fd470b30da6bce4987f09562ce3fca995a874962d4c65aae8f3

C:\Users\Admin\AppData\Local\Temp\YkYO.exe

MD5 3458bffcb8561fbdc5e923606d3d6c02
SHA1 f74a5496e3f220fc96c5f4da1898ca9b91cf7c07
SHA256 b04c4331ef106471711d160cb4ee10aa088ae4ff19c5767f9da26d5f9411cf6b
SHA512 39ab4a676560f5834c2be989424ecde6c86c3977c8e7dba6b5e2bcd5e7b328125702bfa72f51dccd61354c82e1741afd1dbe9a0c489ea39b2f9d0bab75d51693

C:\Users\Admin\AppData\Local\Temp\qkcc.exe

MD5 9ec46bcb1972fdc1abe659a08a5bcd0c
SHA1 9d1aefa8c08466205341635ae4bec9ac17016a4c
SHA256 b57a6764ee5d733721ac70b85b7ea38c51ccefee7a4a812d59090131fca5051f
SHA512 975a815d2c25fa6b3c1ad0765fb23a31e201778ce2def30d9c95889268fae8bcdfa38b37e8d4f0b9acd9a942a03335ae0cc1c4bd90effaf62b9c95ec0f8f4db5

C:\Users\Admin\AppData\Local\Temp\iQEM.exe

MD5 79b2b47bb5375a6a5a40c5aee1b21982
SHA1 71144087bda88c5551eaaa1c846a8fa604628c84
SHA256 43c0ff30409df7aacd6db6b9e091083b7a92dd4842967c2570a15679a82feb1b
SHA512 7821f9648c241f019d88820b0058c7f4a1196409811f157247393950767b8dd4e41ec711a061b7842c067db4035125585a1a947510134ce4c9fc731553cc5bee

C:\Users\Admin\AppData\Local\Temp\AQwO.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\SMgw.exe

MD5 359c5ffcb9d1aec33668a2e956840f5e
SHA1 e70cb6827d5bbb5829e87c2427f39e39789f1d7f
SHA256 756da295f8afcbadfd9886d371fb59246b57a0a610b5f93a4bbbd7c5c8f52389
SHA512 f0c2642497cedcb59a986875c33c606e5b738e4b1910661be86338750fa0c28d3f86b92d2cb36037df3fe7635641859a3ced4f2a8dea8101daabbb6eafba59f7

C:\Users\Admin\AppData\Local\Temp\gAoI.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\UQMk.exe

MD5 91cbd1d3410254ce561b4310eb368570
SHA1 9e4be1693271d376380bc88df99cddd81a433e91
SHA256 cf29aacb777988ee7053505ff50c02388a74ba3dff2dcf573b70fe33cf70ebc1
SHA512 ef3cbb6bc97ea495a790cff3fbe8a2b22862a509da38b3c59299049ea47c8e5f5a7505c700aadcaf11d3d0980ab2cd4e212e6d4daadce398867672bfc34aca04

C:\Users\Admin\AppData\Local\Temp\HeYAwkIg.bat

MD5 a1c348b84120fcbaf0d2ca774e672425
SHA1 cb749aa09eea5729540e77bbf7438df893674291
SHA256 3f7ec5fa27e62df720136f35017b5ea2be56a805f458d3457a852ae3c1ce240a
SHA512 a2fcaa9fb847d713944390e21f21c7e3c8df4495b508fd4736ad68220cdb344e81061d433a7bb8cc111d455d73c4aa4dfb4d7c77ae758bb0d46fe17be79ecb09

C:\Users\Admin\AppData\Local\Temp\MgsO.exe

MD5 9848f756f02d3c10ff01d1f10484e5a8
SHA1 5c683a3703f98be1ca3b84ee3a8487eff1da1e84
SHA256 544646df1b18e61d878a59b658d0986c8dd3c832b97ade8314df757a1aa20582
SHA512 c0f13140901e34856b47d7b3dd34c1884b57fcc842d1b07b3cd60732d9d4214380ba1b1bf1c8ab8dcf1a1ed57b7868e733d95e00da760f764921e5d019265750

C:\Users\Admin\AppData\Local\Temp\skMU.exe

MD5 baa9571cdb07499b0ad0c42604f40ec8
SHA1 cfd3051008fd858f91880fc9c4178361e032e397
SHA256 cb6fa03d1deb64c760c2f6b1d2253d388680d6992c30b83a392334ecd689ecb4
SHA512 0ec14e20b0cdeeaccc0fd4e54ed687d7c079c4fa66800fbc4ac76dfdac638a7dbe1058bb21f4fc983e4514c6b0a53035a4048fa8af8d3da64aa2d137d51890a0

C:\Users\Admin\AppData\Local\Temp\Gsco.exe

MD5 9039550faa1e1982b6adc6cdfa6a40f9
SHA1 daebda76b4be28399d177e57095cc9262c230793
SHA256 f712bcb77d8265ff0199a414be3c012eb888ec44bf242eddd215ed6e71d56154
SHA512 b7f9affac04460e184988e6454efcd3a9085b884e666b6840a8a1fce193a7554bbf0e6b0ffa61935043060359e00a64133a3b01959d71be055a1562eea21782e

C:\Users\Admin\AppData\Local\Temp\nukUIAEA.bat

MD5 4675aa44d62d12c75e5e4b3826dc3697
SHA1 a3d5946b3f3ea330d0d825d02c42bdfc3fd46a4e
SHA256 94ce122d19e778d9f0f97f4cd37c4d0d439b2521b5349ef68d51132a1fc6104e
SHA512 4a4fc4dfb5d73e628bab8ff822eadbdac6402453be13691270f2be55fc7e8ca00f09e91c64e6e96028987c00a65141d9152619256263118983a0a0b835684c17

C:\Users\Admin\AppData\Local\Temp\IYsq.exe

MD5 680b682bbb8775dea713039de9760283
SHA1 25d813e40be838e1a157577c52318959f481bdaf
SHA256 6e5a9fa8c848e767f717bb2736374ec442a4360169433f5be3cf9326f008e964
SHA512 55b7021a20f666e668184da99325fce92ea8c3a89cd7ca075dd6ddc866d28e78b25cb603672baa33b594d0f6f844bdd43ab072bdb1419056e331228221f5fab7

C:\Users\Admin\AppData\Local\Temp\EkwK.exe

MD5 bc2bbe65fa9d592b2aa7c1301d0ea0b8
SHA1 8dc5ee884c8e2fdf9feef5bfd48735fe9ce89b48
SHA256 d459cc49678e9a8cf4001733062e4afcbf32d7def271633c90d535142f0232fd
SHA512 fefd1a2618873b88683419340fa57d42da839c71d8d412c9a319f9a3691782a400b27efabac45f39415a7b4e078b81205761c5fc5220f9d78231111c09442999

C:\Users\Admin\AppData\Local\Temp\KAsG.exe

MD5 b070f05ae19216b4a80de5bcc2ac5ba7
SHA1 4beab28070d3734d30d8f8c8f8c291b9fbd98104
SHA256 446ef8d7735711cc5d7977fec847d80c1baae52478c2fcc7b6c0536e979b9e97
SHA512 3c55724cfa30fe06963ec0044525136155dc9362763424e781a1dcd6abd180088198d2869cf2acad8d7d6be276ab60593ed481abe7a72322dad70fc9671b8137

C:\Users\Admin\AppData\Local\Temp\iIEM.exe

MD5 5b02490c68dd40488fb4a3a408a9678c
SHA1 a14baf608d53d934b29cb4c0d36cd1ab0e652005
SHA256 a9035a689da8dade604ecbdf606b97a61f9bf0a4e499b88a7e4ed22208e9ecad
SHA512 582b40b79cffee9314f2cb2802296f3b51fa20af48403599ac0fea18c8200543aafafdb60b42468a76ca0681f5955add9ddd41146dd0b82eab2c8c5627246911

C:\Users\Admin\AppData\Local\Temp\iUwe.exe

MD5 329478221a51fdebe0d3206d67c72613
SHA1 1f5525f7217fdfa92dcee05cd89969d9b7198d52
SHA256 07044e71194a87995e7ea3e19fc760eaaab2a281ff272bb710c7fd173ae74d89
SHA512 2334797880212072197d4be8a1cd69d4a0d44e1289f9f47385b7994182ef8fc32e0d40cfea9504472b5c0bc1eb8e458f152166a2aff5a772b4303146fa221bfe

C:\Users\Admin\AppData\Local\Temp\KkwM.exe

MD5 25e284be8cb9217aac2af8c9dbabd6d5
SHA1 b0b999539dd6a5342675e279e6482e9d9d7ca707
SHA256 1e6cb4f8d62cd2fe7777da29bee383c8cdc607f6f067741717215048e5d3db48
SHA512 4db3deac65a1e5f2e4e42252f28c2076465c5c25734713763d848554299700b2e7cbc4cd11f5bf0206c2520a9c20cd63eee70f2370c2cf89266db51a18e2c2de

C:\Users\Admin\AppData\Local\Temp\vsQsokUE.bat

MD5 ae7e47eb15622a5c67f13441396606f5
SHA1 b76e3aafa7da3cd0dd16feeacf5c083ba2c54e74
SHA256 5479c91b04431ca11c207a4884d6801f50253cbccdafa28fb4f40e39c05712b1
SHA512 8e745acf0493e61d8de8b579b97536bc163b6c8de2057fcadbd9ab6e353508d061e606a971ba02af17cec7846e87ffea55759c27f9d9027f1b029618438f1674

C:\Users\Admin\AppData\Local\Temp\WkcO.exe

MD5 2442185842545e578bbf1523338bd5d4
SHA1 54d72c03868504b189298be338dd36b0a4d3ddde
SHA256 b11297b6d0e03290e068220766d1507597e11a88fe1e8ecb13114cd00e364f79
SHA512 2771fec168e4ef5d91326004b22cd6a2786bce0a6bd1c93e5c438b8af95c51a3182dc1c576540fcb974623f196e8bb6362ecafa062abb5d3c072b079977c2d72

C:\Users\Admin\AppData\Local\Temp\CYQY.exe

MD5 15044eb07ff0c350b03d6a60cd2a8081
SHA1 da7a37c8028bc422b7c84cfb266f74ed5b66455a
SHA256 23b277c05262ead58fce6139478f3cf6dddf470869b7e34180e7d3f12bc138f9
SHA512 fbc38ec293ce34f55b3529a7461e4b3d38d5412da5812c7baa202af18f173c92c482cacfe8dee3eb8eb1fa33d08162c1afb63ae4e4be028c2030bec18d1c11d1

C:\Users\Admin\AppData\Local\Temp\cQQK.exe

MD5 ee9e57b219f19a9f85c5f2ace63040bf
SHA1 f843b54c851efa5f1b7f1e062eb4cdf21d266fed
SHA256 37196fb6e12b0bf96d1eb8f18fe31e9f408bb4fcac3f39639684829536359615
SHA512 cf20af2fa5b9e1d6ba66b84a3ecf4d0a3480b7e76394da22fee29d1b40b1975bb384c0a01ba51453d6c8039dbf828b63b68d0b0cf8deee9fd90f988873df5cf6

C:\Users\Admin\AppData\Local\Temp\qcYM.exe

MD5 43c21f3cbf34dddaa6e58fc914369981
SHA1 caaecab5753ffb8f70d3d6ba0df1fdc36f2990bf
SHA256 3cf0a15f5793d5767a4ac68618f17e70d29cf9e66f4601b5b337c9e91e8a720a
SHA512 7d8933764cb107d7efd21bdad5d9848d502f4b523674f992fca1a4d5eaa4a20ac974b9b7fb4f1f229b51341340f956c9dd3f9b3c372951c591c2dfc8c2bf6fb3

C:\Users\Admin\AppData\Local\Temp\gEAIwMcI.bat

MD5 88d0b1049419ad73f3558a1c220abc78
SHA1 d738c1c6b1196b1b77b0f569e0276bc69be27f88
SHA256 2baf5c03379e256c38e9626978d2a89d19d5beb1f2797a05bf13489df14eb5a0
SHA512 d0497e5f79820123e0e03dd6cea5ed1d1e6c474532558f719532b7530c187357ce6905eb96d15ef7785b76c784b5b3ba662ce6d5df0fd23754e299df36dc7e3e

C:\Users\Admin\AppData\Local\Temp\cQQS.exe

MD5 aab3cfae3eb263d4c263723884afb0df
SHA1 634dc9cace5de4fb3d40a9ee870efed463c34e6a
SHA256 cc1a45fa2d0b843bc8e6f7c36288bd1cde60ef337b193b6bc312a671ae42d4ef
SHA512 853be98b70f8f776a1efbe3875b6b462091f8e53a3b643e7a78772a285653ecd5c319d1339ece29ea5822183f587e522c115d9288a0a7fa34f88b60eb31c7cb9

C:\Users\Admin\AppData\Local\Temp\GIcw.exe

MD5 8b98215b931faa2a6643b484f639bcd6
SHA1 bf9d93ee43978dc3b5c81e8df30d4825caba23b9
SHA256 dfbfcd172dd1d3de8df0bdb12a907ce9e747ce97968456be79c470af47661b90
SHA512 12d724a9967b00ec2a2c9bb9423f9dcae92e33ef7fc83ec8379dd906de6bdea328fb97d8da6a14199267bd3fca158495916932184170f809c4b5658f33388b78

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 45e1dae3d37aa29d1df512a2863859f9
SHA1 d15acb74bff0c1fb4ebbb9fd90d9bad73aa761a8
SHA256 0777909ddf427d07efc7b05d6fa647fb486887af6ed159df06a47bdd8335eb60
SHA512 6efecc44ae31c3195cf9d16e38c995af092e7ffda5fa7b59fd42440fc39c5495f45e8d63de1439fd85af4866e34daeb92c822ab1d6a0330c55bd589ff27bd254

C:\Users\Admin\AppData\Local\Temp\Soko.exe

MD5 c95c245943b75bec8795fd4e664a860b
SHA1 41cf1c2be3aa2aadd3d33cd255500020e84468e4
SHA256 c183b9d6e0ea6f02eac02995d8e2206e07cacbbce1c016ac9f5e1ea14b1b4f92
SHA512 52400006ea41f12524b207e2b1e8290e0dd867ceb83975e76db1e06bc25e429d9f236da05948e4594ae100dc1be4e852e08196afb740b67e1250d454e5e2e59c

C:\Users\Admin\AppData\Local\Temp\ccwUQQks.bat

MD5 cca755853cc11ba109cadaa0be0516eb
SHA1 72c1b30d72432034eced706bf3c40f6ca345c5d6
SHA256 a2e38efaa51ed8605aa8f0cf3c4e1f55449bc623f4499ad3160ff8ce61cdf364
SHA512 e3206154d10c70026dd5697a31c0fa6344333904dcc4cca586827d67aa8c9a76de0c38ad9822d4dbb94a99a404d2f9be2ae5283dcdbf7409daa46f7061052b04

C:\Users\Admin\AppData\Local\Temp\kcga.exe

MD5 78dc651d8b9e44b976a0ab75a886917c
SHA1 7f5f237ecce0feee3d514309c3b97a0dd57f1258
SHA256 647376e90a5325ee8db1c99b700ff469430fd597618b566094a5d797687d67c4
SHA512 2359b74f891a3ba67513d0d7c08c85b308856e17d6af8a7835b431647713fad13155d6d1b2b740cdfdb3faf7cdcc317621133b7df3b8721d760c44792fcd2a0e

C:\Users\Admin\AppData\Local\Temp\sQgi.exe

MD5 34dbff9a692ecffaaa7892f182c1b99e
SHA1 4a888183e582e10e9a7762ee350948c8da25e253
SHA256 affdd656fa69b79583d3d453921f93b7c8d58d2246794e3d7294f44f3a67c91f
SHA512 9124dc860775cf2c51680a60cf57b1a1b0d84676d5507bfd5766c7278a31ca33413b0515eb975a95270036ebf0d864ecbefe6905013e3f82bb6dcf6aa392a9db

C:\Users\Admin\AppData\Local\Temp\CEYwAAcI.bat

MD5 704f4f503ae47152b8c84c14019ee1c2
SHA1 8793648b99eb39533b2e9c47e856b2ca8227bf6e
SHA256 950b5246684b291c4c3eae86167b7c3bcb08dd350ada138623d8bbfcfe11a2b1
SHA512 2d3e0b84a851d0cbe3c1738639442056ef6365b56d2cb0fdbfb86290a833d62bbabb4fad9f0835b8c6ed321aea041c617b655317029306dba735419606bfc977

C:\Users\Admin\AppData\Local\Temp\gQYi.exe

MD5 b52ea2692f6b2f29fc0f6976b2323d88
SHA1 0ece1631b04ade28838398d379e7c752b5fb2d33
SHA256 b14152ab49c83261667d55508209cbfd1ce5e8fdfee35e5f857c35c52afb7d73
SHA512 36f4453e825935995e5128c3659caf6841e27fba3ee6a4614f7d2668e8ce182c6d93aa3a6acb05470efd6a0490a69bfe742162c4de3b8d985a84a99239229f52

C:\Users\Admin\AppData\Local\Temp\qUMQ.exe

MD5 19b7a7896da0dfe6d9b94a25c8b834e1
SHA1 51fa6fdf2fb1c91364b032b290303b3c5bc413d4
SHA256 c9156d0cae5d8385eb5dab9f4d97b26ef93070dcecc489fe1a10721ab1d57473
SHA512 789c571c261e611eba954e19a5c74ad01df943fc11a1666b91357b02382d70d2c1b07bc169f4a46af783d58bc54f00430532ce6453b2b0e88a61e1a0ad3bd2b4

C:\Users\Admin\AppData\Local\Temp\UsYE.exe

MD5 58424a22c88065cbe96853623c5f69bd
SHA1 07f1e472c0eacd4291e99e0ac5fab1b1917b8f3e
SHA256 42163cfb03aa5e8d97d400f91f6a01949210a9ecf8780875031e6b67c56eed68
SHA512 73c54ee8075ede699da9aca31dc19cd4fd079af027debf343395cca01a0533ad835621de1be4573bbf6e0fb6b3f62785ab72c93b11bd3650d7e58f626afcb753

C:\Users\Admin\AppData\Local\Temp\AQsg.exe

MD5 2f410ab4e810f84d86fe5848cf55bf56
SHA1 af4a35185921c4c560865d0de4f21a2344161d6f
SHA256 58f025b2288c065493c275f46ea9ac3303597e0493e72f9d1d672fb550a001a0
SHA512 db218ac1e2a906d70c985a2467dbe6e79ee90370e22d05adda0d5e311f4efab79b2ee87967666d2a7f02583591cc3d635fe229a96ac20dd7d5c73a169f18608e

C:\Users\Admin\AppData\Local\Temp\AWgoUcQQ.bat

MD5 1e7c64667338b0315567b2714cffe673
SHA1 01d713a423fef2e6023daaa53e0a09bfa10408a0
SHA256 a0dcd31f5f12321109810df89ac35b027cb4aad57bdfe29af5acbcbf4fe96d65
SHA512 731d75b59e8289f4fcefeb07bd9a2132a6e9e3a17ce105364f8cadcec214ce30b4b09f58a142e6242af62dccbf15205ca60bf41f1a30fda7dd501400e506bde5

C:\Users\Admin\AppData\Local\Temp\EMkM.exe

MD5 f69f303b4aff8eb201354a0f05e71c0f
SHA1 23c1e953a7f6c5ebe01aef39f30549a7fa379d1d
SHA256 8fcc8a0c9081538ea79b6eda851c9602f6ad1deb9f985fdbc4a88ef15f1d11d0
SHA512 e7607bf33dc00b229fede53ff9f0c9adac8e6c8401e3be0b11870d6a1adc07f61e320afd4bc6c7f0b2aa6179cf51901af855591ebbd4bfaa97e63cae08bc556c

C:\Users\Admin\AppData\Local\Temp\OcgA.exe

MD5 dd9e6e41446750a98d7483da282b9035
SHA1 de0962aceadc43c1043aafb4b82d7dcefe2c2a86
SHA256 aca1aa0ae75e29542d4d3a672eef95f29189214caf7b9a7043f5f56d101f7904
SHA512 47a6170b30ea7f721bcec4b9bcfc2c7643f48933fd9129de9d07f421e998f44df43f0fe620555097495769a0af041592989dbcdffa43e85c45ba6f6e930abb4f

C:\Users\Admin\AppData\Local\Temp\ywAu.exe

MD5 0a16a4edce55ddab6591fab7e5450eb5
SHA1 c0047bbe93ec1d8ed50f97e47ac2243d8b443459
SHA256 ac88913d04ec175627434ef420c0e8776a36576446d48f52a983f344f7abf9d4
SHA512 49d3f5be6e7c1f5853f1c232bc4a309bc1dde992c4b2f46694065149bef7a600644fab6c2359f554c2fb6731b6d1884aff7b0d3e1d0db55dec058055083cc27a

C:\Users\Admin\AppData\Local\Temp\QEwC.exe

MD5 64ab7957ff5d694e15d843a4e74463c5
SHA1 849545baa0f4eafd81e7e41c4fbb6ce88043830f
SHA256 a690d643c26f83c6a44ef1bbf10cb535aff2b92598b572c35afe253810f001ac
SHA512 4eda3b620bdad4773d0ed27a3e0d493566abc7298dc599daf048abcbdf2be17b46526ec8e5b825fa92e712dbda444b7d646c2e7f8a7fc94cad200a1cf8f88bb6

C:\Users\Admin\AppData\Local\Temp\YUAq.exe

MD5 a838b4b83f7ca7c908c1e5992c2d3dc8
SHA1 5248f790679cbf2e22785a3b9f98da800118ac54
SHA256 8a23d83a5176b75c7e96d0364a929a8ad2c47d2805b1cef91fc793f9ceeaf00c
SHA512 4ea72db2035a98fa0d4239361ad723497b948f1d858fb470f18adf629485c704d207d57d392bce5952e7d629b435b6b59a9b5d0dbc6a6409d881ad9bc215d6fe

C:\Users\Admin\AppData\Local\Temp\VEcAMYUI.bat

MD5 4344d9240c54f659ec0a0820e745f63f
SHA1 d799ad38a101a194bd3bb96f58a39f2c84f3743e
SHA256 c97878fe20ed223dc39ecd8c36363b49782f439fc05a1aedd5bee1aea052d291
SHA512 c2346ea078a8fd7e7058fb54deb625410cbd010dfd6042cd9ceaac963bb606492fcf939e73091643518be606a74063212972416c45dac872b73e427863ffe092

C:\Users\Admin\AppData\Local\Temp\mUgW.exe

MD5 62c5084e73226bcb474f659f48153a92
SHA1 523e36653caf786899eccf8dc98556c596c56e9e
SHA256 bb4e66a19d8bd53d769ead9ae3373dbdd1d90f417bbab46a1468c9813633cb4e
SHA512 73a2fb069a4fe3209065702c8a8da240003e7ffed1ce6aec0213e2bbc4761823728073e8d981e5f181b724728777144d62d47531f59bdc13431ea961352e6864

C:\Users\Admin\AppData\Local\Temp\yMQg.exe

MD5 1a41a41d1fe96bed17bf9af9e0fb209c
SHA1 cb822d9b4d2ebdcaa3c759dc106c8881c23060ae
SHA256 e3e969cc4ec804984c5a9d8bc6e81f17907d7a3f25ae417e0c121b41b3cb3c81
SHA512 2d0e42e83404434aa204144dc689381e4877643fbe93018406df54a4c37f8f0399f6b52fc146fb446abb9d362fecc53c735851f3c99def0a5dbb4c5887232316

C:\Users\Admin\AppData\Local\Temp\cIAC.exe

MD5 2a8f7968faf3defb919cf158b292114b
SHA1 4b2304101fb72c06356b9c23e58bbcd069fe0ec1
SHA256 ac76cc3d74965fd06da69d4ea677041414071090701b643d40fa6e02371a0be6
SHA512 06210a7cc991cfa59f3e386b8aa5e98d5de77a32e06d8ba9108131300b97b93e64faf60da94da0615f4ccb9355453f528ec45f9db6bcb4ffc734a7b3cc4d4169

C:\Users\Admin\AppData\Local\Temp\mwYQ.exe

MD5 27992d186140ec6fe62a4780841d338c
SHA1 649b14432d0b543cb2722f210eebcdbb891c21e4
SHA256 3e31ce4d88ad83bbb5c3148f666008e6891c9e8617fec674dcf2b8593be5b1fa
SHA512 830559d23e86e6ef88ed0bf38d447cd2b9711d83cf95c6233515150d86f35f000fac861b6b1b8c030e6eb729425ee576146bbca2e5ee3e538b0464e1d809f59c

C:\Users\Admin\AppData\Local\Temp\jswgYYsI.bat

MD5 57eb53d7b4f86c2df355a726712a8a30
SHA1 873f8561433becb06e4e024d5447726104e05e34
SHA256 7b1697acc9702769941df7ebb6739f2759b6e10f7d36265aeced6d7d992bdbed
SHA512 83e5ced787eeea26db0d399c21c110039adb23f6487b75a4ff5a4a04adf629901520e67193fcb732b7e45701fe884897f07cab3ea1e5d2a5594a699d084b1ea6

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 5a3de54fd72b4a6ee2c1b9e1ec249f63
SHA1 8bb6857154509882b8b73e7fb0698e4475872e75
SHA256 1f381f40d4c85feaf667110810e80bf71bdb533e09dbc40ef7f31e5f3847996c
SHA512 b7bc54b55fe4b9800221e29e21f65ab8f4c5a372ece84962893e5632a9867e7204457ba4b71365368190e3ae7997b6be647fc7844eb805a8519078ee091661cc

C:\Users\Admin\AppData\Local\Temp\aQUW.exe

MD5 104344a370916a1606a83427681967b3
SHA1 85879033764d90063c4a312c25ef1625269f4825
SHA256 6550fd81dec3a2c41bf57186476b48a350600c023df1adb348989c8fc5574aa2
SHA512 9632b295b966c5e100d27dacda368787d29ee1945f017e838a8b5a5f580de3ba4dfa776bb14e767ea989cff0e2f66660918c6669c25989b449fa7a4825da2635

C:\Users\Admin\AppData\Local\Temp\GAIK.exe

MD5 ccac0d2daa0f42cf9f99950e76c11501
SHA1 311daff61f6521a7095201f39f9d84ae7613e01c
SHA256 bc4961ead3f9d16807a990e9cc63e5f4d2b41f48887a7e8ae2c09065f5f634cf
SHA512 69ee77ba6388345ec4b483d7b726c41774600256488b133b942361b66d536be2b31bd450ecf17554f726b1172d847b09244c99ec20cdc46a31e63cd83bba815b

C:\Users\Admin\AppData\Local\Temp\WYcU.exe

MD5 109d29509172083c6c5f55a4f27b4b1a
SHA1 50c575cbd835414a0e85b8f8d6ac327b4ad47d27
SHA256 39197d243cdb1d0202b27b4c64414af84648224b6978704970865a661fdc0dfd
SHA512 a8a67427d0ebda6d90ce3fe93c962c91c335b01ec0a7d08c990298ee3a88cc69d38de3bdf852e2121e8fdaf1b7e2c2d4b0e178d661650980625c69f5e1d5d332

C:\Users\Admin\AppData\Local\Temp\veIIkcAE.bat

MD5 7b43f5f4b17924966b4bdd6b145f06eb
SHA1 42619e0b70d75c81b6a09db3eec98ab538361e1a
SHA256 984f99cf1a7e4174fd27a474e70328c119a196a1207aa1cb6a5e7f4f321392d9
SHA512 5ebb6b155d2da7eb74af6bf0d1417647acdfd720683e3dbb20415bed2302326afce012357edc4c1257d01216b8393d562445b9c3d201b1f9f69fb5f04523d9be

C:\Users\Admin\AppData\Local\Temp\gQMO.exe

MD5 e58db6201b5eba3d27cd24a652f0ff3d
SHA1 16525f353f79b9833bffa30d00d35ea02dae5e21
SHA256 95725081f9b6fb4e54f1cec956b92bbe6ffae2dc67e3438d28b0e15d0291223e
SHA512 153fbe9473fd695ede456f30d1a3d7a69f5aaef02a8546915900dfa57d0c3b4de7acf0dc33e900069a4ba55e6dd9dbaa43ea1dc86ebdf9b3a8cccff7db9c3913

C:\Users\Admin\AppData\Local\Temp\eckE.exe

MD5 99db0f1ecc4435ee919658354bc90092
SHA1 fae1b205fdd6c594847257a851723b3669121eb0
SHA256 8f35a14306cf236cac25c832f555cae92f59ac08ffbb509f2ab64139b0121a61
SHA512 92069e68cf2ce4b9421f8466c314d3c01c5dd49cd16577c04f05e89538eafbba56c15515cf38421abcb2099d60c892439aabacd2e980493329a878304df96fbb

C:\Users\Admin\AppData\Local\Temp\MkAW.exe

MD5 241f650dc31492bdf87261cbcfec214c
SHA1 a498cd303bdc3e5926d94d0e6873e4c3d91261c8
SHA256 a6ee833da5e5508233c3cbd96bed070d125f0c871853154dabee55a39121c603
SHA512 960183d9c027ed53e499ec8fa63bd76e56319c05d3aea6e139a030872e77969b46ff557d7328dda6143e52504dea79beb8cc82466a6c87063113e658f39f315e

C:\Users\Admin\AppData\Local\Temp\WGgQckEk.bat

MD5 65a16da20f5f250c781b94b73e3ce2b5
SHA1 5c95ae445359283c2e43a27171807b29232c2b40
SHA256 a840f051697080de9dec549ff542ddb0262326d2de9b7f34e021899c478c99c8
SHA512 b930d1b5a2e3ba7e047c0424ee05afb34a7d8072aec29cc96eedfbf64333946b77ae9a781f19bb8be6b97f7f2d56e3800c3030d4909a414c28a5355ef18b496f

C:\Users\Admin\AppData\Local\Temp\EwcG.exe

MD5 975fbfae20cdc17a59c9450b1cc119cf
SHA1 07d5cb8780e45d6512b51c1338bacd2037e600c0
SHA256 390ad258a2c3255b78ee3951e2b076f0a4534572c77941ac3e1cbea7322a01fd
SHA512 b1e8d1e23ef3af28c5bad92eb6a00f8b887d640759c3809f43c378a0b54ab7f538ed78e339cca7d1aecc70b2544a738f42bd109e6134e0afeead7d1f3a8add31

C:\Users\Admin\AppData\Local\Temp\OUYY.exe

MD5 ec4710f7d8cc65e3fb7b63f6deb07295
SHA1 7d977ceaa7dbea22729e4f777ebca160a948f144
SHA256 73f5eb2670cc4b274fb9535b9c0b40edef9f17d7c2a312516e2a76fb23a3888c
SHA512 0a6a8d2ed51ea346c4f797756c200d21db12d9259d27f90e909d0990650c4d9e2067ffd2d469d602afeabc1ceb9c706534a71f5757f6f4e90148cca1dbf09c85

C:\Users\Admin\AppData\Local\Temp\gMQM.exe

MD5 d2fdc7ac9ffad1cc1fa0b4cc0a7dbb6b
SHA1 39e9e396b186355fedcf4460ac5d3ddb7797f005
SHA256 9933e4eaf80f47cab09e552182d9cabebad5ec22efad54ef7c4511266915b535
SHA512 9c0f5980373d45ac868720f2c53a5a65f57f3672da5e577be3feb2f01ab843255175735b8b6e19d32a8b95784a7fb3ed288f377a1e0c8a9bb6e874cb0cc2e1cb

C:\Users\Admin\AppData\Local\Temp\EycoIsEU.bat

MD5 e71770b978d8fa85023b04952f406855
SHA1 3786a77528eec708195075a9087c703897738b83
SHA256 47358f1d83f880900d139db8c7abcce9d26b686a21d7dd659798e9de4e1457bb
SHA512 f0b70a56f5a1d87e846e7927da0199792e2730e290e65c22f52132bd6f4a0bd88cf258d727fa8dfd8a364d25a4b46c43fe171694a0f12c5831744d7c30fe5e02

C:\Users\Admin\AppData\Local\Temp\wAgW.exe

MD5 aa3d88a78e1f2bd5185ab7e251e2d217
SHA1 80ae746de7efad22b26beb101e88cd2164ca74f8
SHA256 763d5a402f0b9c2b166591e7378b42a89455ea199694c199491f934d37e6a3a8
SHA512 48930ec4d4c0c9cb69525fa0f4afc27925b4db07f135d5d45c85ba6e51f003349741fdf7606d642b713c44d02d14fb011fe8db1251478e531dd9a6ebbcb11176

C:\Users\Admin\AppData\Local\Temp\EQUK.exe

MD5 ab422bf3b22112e7fe52c6a6726dcea8
SHA1 489c7c80fde9fe93a55a79b9bfa49d0b246c4dd0
SHA256 605641640f98a05518edd8e5663414fd7aa1bfab295becd3e43f77f8533ac6b8
SHA512 2a17917987929e16ea693836b2c8df67b1ba329b166036e265fac7145455b310a55b70e89855d793fc077225a57e8cc8716263ad3c79803d9d172d7c90142e83

C:\Users\Admin\AppData\Local\Temp\iqIEUAco.bat

MD5 59449e2e75692b74e4f8237eb7a63c22
SHA1 3023f211d7008792919fc1ade96aefe468b6276a
SHA256 71b0712cc944ecddf09a5887abe7f08a2b3b132c4002a8b49fa3e7d01d6e2a3a
SHA512 89581bdf40c4d67078d9728094b12b502b1c8ba5fff29126c0f492a0ee467a23d951bbe99398b210ff68ac416ca2db8c2666aa8d53582c9898fca62e32605920

C:\Users\Admin\AppData\Local\Temp\isoS.exe

MD5 dfa7728c99175bb5b90b0357ce252dd3
SHA1 b661219a586f55a5c5405d28b57ead4f9502154b
SHA256 0fdb4211fec297876d6f9133c9c78e7964d27e5319273d2bdd9ce0d5232988fb
SHA512 f27a717c5f4cd20cd35dfc3b26ff1b4f38c97a14f910e58329b428a8959c4ddf7d64ed5c8b3209b2f42881a03c43d9978e5b4043cb35bc72a149000ad3c3c64c

C:\Users\Admin\AppData\Local\Temp\iQQg.exe

MD5 9362285aeec00415c43d76da06cc06ea
SHA1 2364b94d23efce7637f01ca36f15d62dcfd1a389
SHA256 be8f453d9de1715c93caec298966e1d15226a0ce31446c64997c19aa2992b947
SHA512 014fcaa62d7834c3d1d3906e4797eaf6aa07bf32b1ed1291ceb092447151e59b979c9e1c31375423a95f76beb4f635aff448d11db681ba3b911c5fc0cdf61a66

C:\Users\Admin\AppData\Local\Temp\UcYA.exe

MD5 c9f7266f8eea36a0816334c906e44ac5
SHA1 1ac5b6246e447d50ae0a76338b62614cb4d47dd6
SHA256 12f2fffc6feb6c5b04327f1a886dd3f98e851acd0c5c3a9522fbc495d396b7e2
SHA512 1eb17ea2f7bb651c77897e11a20c3472ac708d1916eaaaa46a3be19b078fbb384aec5bea81ac1e2ffb3409738fbdf46181215546ad331fd7fa3d9b1029d0fcb5

C:\Users\Admin\AppData\Local\Temp\CWsYgUkk.bat

MD5 c511674d754faa9f10999db2506d80ee
SHA1 c3cc4d76da598b71099586b33268af0037c022cd
SHA256 bc33b4ea96b14fadc9173cb9199e51d2bddb7e68c550ecaa0a15339c32ca42d4
SHA512 83385d4175b7f0e259a5317c2191050e67c3a5c5ed9d49893501759a64257c8deb8fe270c320ffc1acce54d27c149b33b72ac5722f7067b885ff037801e85202

C:\Users\Admin\AppData\Local\Temp\lGQcwMcY.bat

MD5 003fe03a88e62b24477af990fdaddaff
SHA1 44743cd708322ccf3508c1615dfdb0e699f657a5
SHA256 3a1950c23c44647e3f7b9c5c53c8648e113a75c213bd613252040cb42939589f
SHA512 ec39e73c870b61e0e4915587d07540e70e6a6ae764f20a2e79d00288658e8b1bb353970349ac498b1061408bba446a79a855187ffd25fb1bc73f775cac746f5f

C:\Users\Admin\AppData\Local\Temp\QsgW.exe

MD5 05c6e7acd65a302b1b18e79f22c815ae
SHA1 da227cb11e75a70284ef9be579c007e6e4c2e44d
SHA256 e5cd058ed32892405d87f6e57a68bd4e0807716c7ccaad4f5ee24c492b645d04
SHA512 04dca37a0fe57cb7f81a68b6c1ebd5a984067183c981b5604fd44382878fe7bce26e1b5521d3cac3769aaeb88ec19cc1959b01e69091e6b06542ad6136764703

C:\Users\Admin\AppData\Local\Temp\Acsa.exe

MD5 08c95aab57433ae247dcf8771b75a7f6
SHA1 64ed267f04326c281d2f5a2b04d448fb72309ed2
SHA256 000c5921eeaf3b271dd8eee34def93169588d83ff2e4fadc4715f466f6bae6fc
SHA512 ffa354e8d38e77afa010a35fd44cf802d640652e7d660a30c776503470995309bb4d55af3eaae6e5346ceb7902c56a1860d461ec37359f05c009d83ed1116589

C:\Users\Admin\AppData\Local\Temp\kcwe.exe

MD5 9866d7c93b80bcf26d6400e8f74990a6
SHA1 098d98e1b61e9d00340b5e373bc59b7fd629eb3f
SHA256 418c5ba0abd6a926eef8483437a30b05736bf1256ee6459fc5875b1b827e01ac
SHA512 f5f1608949c619456fc5b6756ff8c1080acf9b2dd8f8bbe35c645510cc88dc4d8e682c4bcb9965536b1b1b8f3c2b52a824f7a61db363e273977f9198f832c2dd

C:\Users\Admin\AppData\Local\Temp\CQYE.exe

MD5 973f7f9634eaf3cbcef2d8d44b23ae93
SHA1 7295b14be4634e5eba583876018ee83ec5379c1e
SHA256 889221a15261749400af2936b9e4cac31db29e135d01a25554f1f9441b802d3f
SHA512 d4628475ece674a806576b41631cf2f76ad94efcfdc7454222a135cdb2311f3fc3ff12ce4d3f5a869108fecc8872808c8160cb8f2c19c0c9afe2a84da7815492

C:\Users\Admin\AppData\Local\Temp\WIkW.exe

MD5 c94b14c874ce78f4ea84c848c2fd3703
SHA1 d47dd7c8773db7b64ce2e46e0631eef72f09c1de
SHA256 0014c78b4cfa7d1067ea224f35fd73742439112af6eee043d443a3eaa926165d
SHA512 7d6a8eb5ac3f7c63e3fef2e002d587406536205b51b79435f0539c636af15eee573060bca5e74cc031aa25d2bb2eedd74803ca8fbcf63b6fdac8163d67996d49

C:\Users\Admin\AppData\Local\Temp\kMsq.exe

MD5 dc7fb8a2ccd68b77a4924a283cff13e5
SHA1 d915d8b3872eba973b2df03e2881c2ba3b1b4943
SHA256 e327deae85eec09ecbabd7f638a8853fd94e79ce076403224a7f7179bf012a77
SHA512 7fa1f2e82c39139c80353a0337f3a8da729948061a311f308f57769df97db11a88047917f0ba89d9db1ad96d0484b89ea292979f86ced1559c4f3f6b2fac1db1

C:\Users\Admin\AppData\Local\Temp\mcUU.exe

MD5 7c0b4fd25b4b2df6420a01b3ef5d0838
SHA1 364fc57665b5b3f7a0bf834a97169c4eafac48e3
SHA256 8239d8639157f1155a47a27da017372418962b810eb2f6b59a3be60fd6e94b34
SHA512 594a3817507f232c13176e1e7c43b5391cbcd6cd6fe7d1d5d603d827dea00c6145e4bacd9a77823aafbbfaca322056c04f4ce521fa626a4c60c40a298e5e2482

C:\Users\Admin\AppData\Local\Temp\gUMC.exe

MD5 f9e060345f38039e971d9408b483ae6e
SHA1 d71cea93997d3dd6df3ce39cce2b3792dade509e
SHA256 4ee2c7854c63cb6b55287f1257064dd053ec968421e87a84bc5e7882d55cce27
SHA512 2f27bf0b728a8b59e8d0264510523ae89632756ede78da8ccb3f9d0d7a0b75e77e24c6dd1480d9a8acd1f7824b623dcddfcf27b4b25e4f4b54420ec2db288e54

C:\Users\Admin\AppData\Local\Temp\gIsa.exe

MD5 b4de0fdba2a48390910b65522c77b0b2
SHA1 6d3b3740e238498d9267fce305ae1aa267657880
SHA256 667f48689e9a905dbad2c02d89e9e4cd16f181543162ca3b98f86aa8f666f9eb
SHA512 4f2e974d33e7af5e6dc646f1763a476556cb643813f62d937479407936e5a381943161e478b39724ee382342491298041f98693e5404e1b73e6528c67ec571ed

C:\Users\Admin\AppData\Local\Temp\IYEm.exe

MD5 b688b548192ced1ba0b57214168caa9b
SHA1 a13e01eb6544a8642248d40422b9edcec93d5d37
SHA256 c30f57a7c50d45d6f87e365d65cc1eb2488867ee6605922fb5d20b403f154f7a
SHA512 9463c196242b7a19dc859c02d3b2d899470b413b05d1ca3a3949e9c0316a00322429303346a8ac218b210d05615f56fbdc23ee048618b1131dba29ae56a2ee4a

C:\Users\Admin\AppData\Local\Temp\osgY.exe

MD5 b55f01a17d197b13ee40cfaf799e80dd
SHA1 35303df42e470ab45ffa729cbdf9eb134b419a19
SHA256 9cbbcde6b31386d626b003a1d04e7c6f737b842565c39459e0f83cb067dc0b02
SHA512 a5de30a38aed0289c0c869a986e1402f8f4626335a6d90b85a571b421915bbf7f5539945cfc3a8acdf6f2ba6964c82ab8f21c76aaf5781a8e9406b465a71255d

C:\Users\Admin\AppData\Local\Temp\GEIcgEsk.bat

MD5 19fd537c867c6300432193137b10a284
SHA1 456d757b01f0fd5112a0336abe3fe3d9f69c4feb
SHA256 3d90689c159dbda57d2d7949187c9f237871cd46f96056906fabdd275edbe80c
SHA512 f972e7539603d9cd4daabb8e696f38b2a137e423f35d27be92d261d6b6275494859d83fd53c465988328c553a76f81aa920e4be9b52ae040fa42b58cd3a4321d

C:\Users\Admin\AppData\Local\Temp\WAIsscEc.bat

MD5 1a534a842c3feb6a755aadec13390320
SHA1 dbc6db998b4b87846da1ab29e6c2eee98ae5cfd1
SHA256 c7b406a2fbeb8c984d8f63e7e4c8019a0778fadd7f9372c18630c03114037e48
SHA512 36057de39ca46fef4a4ede06a23b9e015abd3632e1b18bd090d978519aa1c9f3617588c95a6e28c100829d63225c7f461a10bf95798fdfebfc50cb19945a21a9

C:\Users\Admin\AppData\Local\Temp\wqUgskgw.bat

MD5 953710e5b9fc6df0727c9d6048a11c0e
SHA1 06f602eb9a9de7e4f1b68d8bc879ccba521f53d3
SHA256 af252db302872a099a1253c5fc20d21ee0a07c6a1cb532f6f66293d9421ff0fd
SHA512 363db60af270acfa4e4b2b817154521aec0af0c3962635f86f07777b5ce75d66dd06de7d72b4b02d0faace6d3967a80cba00da1bfffce9ff39d4dc2fc4ad2f93

C:\Users\Admin\AppData\Local\Temp\KKYsMcsg.bat

MD5 06ae99ed55cc5b8a19281218d01e4202
SHA1 f7c604f6b2e9de9e93e23b21374381117d1cd992
SHA256 c5d20a6ca895b3c4e6dba0661ab2baa961259a03d3a88605b0b7c72395e81dd9
SHA512 fc826b9497fbe8a9710b1523cb2b26fe69014c7749a5b327833bc4bbbbacd48946d6a90e3c62849f02c698c4546209e668b735bab9a04eaae89f6bb40b21ef8b

C:\Users\Admin\AppData\Local\Temp\NWMkwcUY.bat

MD5 a8a0a0850c1f7a2db953462a35cd2bf1
SHA1 0638bdff2eb32f04b9153dc1614d7188472da3ae
SHA256 9b0d21f31f40c9f5f20dafa4f97626f835c00c869b640060a4d8b47a13d307e4
SHA512 87cce2858bb89bc1ab94056b72b9231f897aa584d479b46e4ba997002602297d838628c17366b331cef9c2efefa9bb34830c0df0f7c335a64635f30286511066

C:\Users\Admin\AppData\Local\Temp\RcIUUIwM.bat

MD5 b400783537c1346684616df46c682aae
SHA1 38f4276207d18e80f740652c095d33f61cb576d5
SHA256 e274fc5370e61813ce946c6312b638efa589bef4eb2656cd25420db0ca285d15
SHA512 d12f6672cdd69547edd4c9d401f4ef960a31b163f36927b49e74fd8af43d3b5b972c5df4e027849928e303baec26ab1c79371f0456bb36f3a4870703e08ccd5e

C:\Users\Admin\AppData\Local\Temp\PsEUYwwA.bat

MD5 8c29dcc4d031831742b88a2ba8612765
SHA1 ba5709207dcaca01ce125eddf95b7ea6f014a57c
SHA256 5655c736d74db4bb7dd33c48f84e2e3de8bda7309bef6f21791a0d0334d00586
SHA512 663996137d8e23ff50414ad2c414ff1f990e8d57642bd3a1b5dbc60f9ec87bca08b42fd515e93d5e31e4b531380cdc83b96fe9d51d7629fb72164c6176e3fd7a

C:\Users\Admin\AppData\Local\Temp\qiAAsMgk.bat

MD5 c942333fe62a1f7c46a13cd7feefe95e
SHA1 1b8ac8b26fe4a9ad1a2e875f0755da010c5c16a6
SHA256 acef4c75721f8e3cc7a07c2050d92ce80ce12d40c59d5f05dedbde222df138aa
SHA512 3722bffc9344610abd9fd45e82cc21001f1d19d4d7203651cfd8bdf263667b5aa58b7686d74838f42bb4d0458ef22435439c56d96c33af8b12e35639d7621101

C:\Users\Admin\AppData\Local\Temp\aEQscUYI.bat

MD5 0cb84e7341a5fc04dc4e51c40b9eba44
SHA1 a7532638a7a9c7e29650de4958178f9f85a9e039
SHA256 35bd405e44967fae98268b5e7e4d83b713b38edba70eb9a814f8219ab6ece7ed
SHA512 d09e25684d27c45a69de1d2acea3a2613b91a1e38d6f6a07e1703675f2de23220567d15c231cc6f03e15d507ef09d5d36e2f05fffbdae6d0cc49af938d749070

C:\Users\Admin\AppData\Local\Temp\SqMAAsMw.bat

MD5 0246e4b1f7f91edcb80e8f57344eb009
SHA1 843d10522f5f4852b90df4247b38e3490e71ad8e
SHA256 4915d2ddecf27b50f5740c8381a3580226203ddaed23e5ff280553d279877614
SHA512 51c773a77598c6d033d4e2fad221ee3e047e761b5f67eef6d4869af986f92eecaa3fb431c2fe3148553703b7f148159a4a69a4af3bf5723a244ef57cb345f48b

C:\Users\Admin\AppData\Local\Temp\EQMcQkQI.bat

MD5 3120c6494d211de4033e7db5d5a34aff
SHA1 ba180a9611fef382713e977a8ccdbb167e9790a0
SHA256 517de6d1f94acc62aea7d0955e92317ab9b6afcac80124d2269fc1e9f2104cb5
SHA512 f396adc8ed1929253bbfc65cdc291701ac8b6cdb7b1c42aaae4b43ef796384f5bf34045bcafa91f6a8314e768789a336111383958201195d267dce3bd3dcb6c3

C:\Users\Admin\AppData\Local\Temp\zKMcoYIE.bat

MD5 8280df983dae4d8786fc91a8815786f1
SHA1 befe04bac0e7e0b8a4dcb181e29c8e0a9d205f44
SHA256 70d691268979e305230dc426b3e10192ae66ced98954851d64923b07f1f63076
SHA512 21a5a4ea353009f32e3f758ab22f4d46e29f288938048d62613f8c6e23977588af55ccd90c90a0ffbf4fb595f14ee2daa2540f0fd5455555cec3dfc7e2df82d5

C:\Users\Admin\AppData\Local\Temp\jOcYkkgM.bat

MD5 6da46ec3da67064f4b02562e6a0bdd03
SHA1 52acdacb1a5749e25b20b4a5ccbb756fff2beb98
SHA256 ff158d10d37fee00fe12555243f79bbd02233374e2f650150f59783c6c991c45
SHA512 792feefd485131063aa5b6a1ddf5ba9cd4e6a0138e24f6456379239173c01dc80b7430d7458b8cb25ab9a4df210e2531f74780aab0dfae65317447b58d689655

C:\Users\Admin\AppData\Local\Temp\rWUUEkEQ.bat

MD5 ff0a4b7b9576b3a998786a57220070d0
SHA1 df600c4c3750c8d68657bd5d2cf195669458949b
SHA256 a9a2762ff574a341e87d8580fa4b576502b52f430604d288467335562be24002
SHA512 50e8579b61059943fe984f2d6d6e53b458bb2efc97cec9f460f046fb208f30bad823aba8262b948c46b11251a3ae9615bdb89216cf5575e4be846d9731c4a723

C:\Users\Admin\AppData\Local\Temp\DOwAsoMs.bat

MD5 ca4ca46dbfb1014c1cfa5d0ba64cf83e
SHA1 ad0eae2b2c20628eac3d19346628b322e0d716b5
SHA256 72867b51ebc7b50fab68a4d5e6f6b0928bf9c7acf94de92dc88d31955afff79e
SHA512 0b0cb7fed45495a65f051fdf5c069fc558ab381d1e14ed9aaeeab31177b7382a04893621218c691764d3cbd4d61c13f9aa8786d1dd276e6cf2675b16304d32d0

C:\Users\Admin\AppData\Local\Temp\aecAswQQ.bat

MD5 7d07c63be34c3e04dc4c5923b7c02e53
SHA1 144105df843e06c78d23e22275badf3094073159
SHA256 052414227595c54092df16faf0f1e8dd3a16528a8119368ecc34e1245157d7e7
SHA512 d15410207cd8ef98dda745baec5f96a2175586d91bc96c5855c0ced130283f68a8f42034b0b554ea0a1632c5e3984a41fbb611f7e38c6d2aef54840d274a76dd

C:\Users\Admin\AppData\Local\Temp\mmMMsgsc.bat

MD5 4d86ff7e3239551df816d6bdecb2a5f2
SHA1 c946a4f3077873d77734f5bd6a3c02340761c9a8
SHA256 71102b80a535d3c9e704358d1729285ad775248bc11a81617ca4ec5bc9a4c033
SHA512 56f366c56be9a26a3d430c3c2e78247d99c7b1f4200e415315ce5014fd11b15bcd6edeb9ffa738a700525f207c7dca160b708f9ce7b110699bfed9ad7be31bf6

C:\Users\Admin\AppData\Local\Temp\ICwoEscE.bat

MD5 461115f8a74e0f00ff2b873ddcbccceb
SHA1 91148d2e2292d93d6edddac410148ad6a6c74fed
SHA256 7b23003e6df79447d57904c1f34d532115638a165892cca25ac8821f9837b105
SHA512 e9e605690bf8b9a6db4cdcb858bc96ff032f81b9ab62fb7d221d6d315deb14312cbecabdae8e439820d022e0bf9e1c238abd6d1a958214ff0c348d11e4772e0b

C:\Users\Admin\AppData\Local\Temp\DccQkgko.bat

MD5 a848b3910020a99570e338422ea29c13
SHA1 1c4daed30f4e2908b7b72cddb963d341a4ae51ae
SHA256 84b73d2e6d004511743e6d68e3542cad840932371c4d0aca64d85564e9b33893
SHA512 3492a81f2b6b3f186d335963a0cd280c7a83a2316fd48cfc5b01f6c1641c84b3cc4f1b08e8181461fc800e57a19d3a3acf363a850cb9ff4fb13e6ed0396d96a4

C:\Users\Admin\AppData\Local\Temp\RWgYcYwQ.bat

MD5 5d241dd8ee23b75a82b0b139bc923407
SHA1 cab5e01ea8e14275fde9c467604e5ebcb1b147c5
SHA256 f5d1b47e1c750e35317ae6f98759df6ba8815937e5910dd8322ab007bf1baf69
SHA512 3f168bba1f0f6f1399bfa9d08f2608eba6444cb91554fc2217b78f1e79c2286c169b100e439132b96ee98d1703ca46e8eb8760eebe9b23827dfdd68c9c3f625f

C:\Users\Admin\AppData\Local\Temp\vyUcUAok.bat

MD5 6fec3f429958fd86235745ffa556004a
SHA1 d3bb46d229ea0981813f675a5d36e96e24375f40
SHA256 d83f94243a6cd3246dd2996340c69cd8363c512bd263b791fab0c2a512d5fd59
SHA512 a81696e8715f162b38b081aab760495d495f6a0af8672f274d34e1a51888e5725534b2ca9826dd191e30c75efab9a294aa3e1da3133e33eb121b25e207906145

C:\Users\Admin\AppData\Local\Temp\BeEQEwYk.bat

MD5 e08d8311e03e2288e098d88a50e9f092
SHA1 0e2a76f9bbd94d6a601ec75f912e468938206362
SHA256 68c120feb74654810e92ca9b143b6f0a96530fdb6a843e8ad4651181b17e07aa
SHA512 08dfa122294ecb4e22cc51fc970cbaaa7769017b55184128ae33b53baa1e6776503ed7f3d7ae19079aad925a05c0c5320f9291434c0fe431e2ab410981585b44

C:\Users\Admin\AppData\Local\Temp\lGYIgcYc.bat

MD5 efcedf87b8a6b1f28002ef641aa78771
SHA1 30e53bb95e1147e3a62b15f16ecf393fda99b986
SHA256 991737abf77b88b1bb6b7bdfde8df19394f219879e880dadb904407c75bb281f
SHA512 7a738eb9418efc0f84fd95b0ec0be33eb2c6ce285b0dd1268b6292305836d5ec460e87f97e7bc768379330389bd5b0b4ca67fa14a1198872c0453110170a219a

C:\Users\Admin\AppData\Local\Temp\OEwwAEUw.bat

MD5 7e6fe61606c2783e4e2c94f6843e7c1b
SHA1 ce6c052dbfc93860a6ed9dbd98a1ed34d055d229
SHA256 96b7d8a20d1289181bf5dda58fac5519c90d96fa80f0b1651890709969950bdf
SHA512 9fb2f1eeb820b7608c1313cf7cc7fb19d3ec7f4837ec05fbeb3f97263c9ef350548c1b1b6e9703185557fc81587d2bc1d7d922ff1abe61291a38947b5ad40a65

C:\Users\Admin\AppData\Local\Temp\AWcgQskE.bat

MD5 39e1667159507be193619b32dffd8bfd
SHA1 66bb9db6ab456732df21ec809e0b3d4162223693
SHA256 b8057a461659eb83c203d4aabe03baa2088236df57d1754aef40532ddbc9e72b
SHA512 2c79d8be6dfb81009d1e282765e9a6b904c37523f3f66c4f801377f3c7945079cb28b3fbf2cc8e6ad0031cc13f8d1b05b32174655870a83eade69ad8c2089986

C:\Users\Admin\AppData\Local\Temp\uSYAksYk.bat

MD5 ebd7872efc0e44b078b0d6bbe5320668
SHA1 943a61a0f1b293b6b29c9f78137c52899897d0b8
SHA256 0c53661d12551468e165c5818c1a5a51d6849b796c042cdd27f21695b80da697
SHA512 99e4e6b663335fff1c0bd862339c0b5addafb412847f00c6426a329afe7d052305b984546687c71936074ead7508b9375d9781e71e5b4ba701b848f246763512

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:28

Reported

2024-05-26 03:31

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (80) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\ProgramData\lgYgAEcc\WGsskQYE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sUIQkAwE.exe = "C:\\Users\\Admin\\lCwsksAE\\sUIQkAwE.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WGsskQYE.exe = "C:\\ProgramData\\lgYgAEcc\\WGsskQYE.exe" C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sUIQkAwE.exe = "C:\\Users\\Admin\\lCwsksAE\\sUIQkAwE.exe" C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WGsskQYE.exe = "C:\\ProgramData\\lgYgAEcc\\WGsskQYE.exe" C:\ProgramData\lgYgAEcc\WGsskQYE.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A
N/A N/A C:\Users\Admin\lCwsksAE\sUIQkAwE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\lCwsksAE\sUIQkAwE.exe
PID 3364 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\lCwsksAE\sUIQkAwE.exe
PID 3364 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Users\Admin\lCwsksAE\sUIQkAwE.exe
PID 3364 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\lgYgAEcc\WGsskQYE.exe
PID 3364 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\lgYgAEcc\WGsskQYE.exe
PID 3364 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\ProgramData\lgYgAEcc\WGsskQYE.exe
PID 3364 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4960 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4960 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3828 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 3828 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 3828 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4896 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4848 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4848 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4896 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 3912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 3912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2472 wrote to memory of 3912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4500 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 1820 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 1820 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe
PID 4500 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe"

C:\Users\Admin\lCwsksAE\sUIQkAwE.exe

"C:\Users\Admin\lCwsksAE\sUIQkAwE.exe"

C:\ProgramData\lgYgAEcc\WGsskQYE.exe

"C:\ProgramData\lgYgAEcc\WGsskQYE.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEEkosM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGcQcssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmcksoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMcYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GykksMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAEosIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgMAsAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGoIUQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAwMAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEkYMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwkwQggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCswwwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqgwcYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEIUwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUgMocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGwIEQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmoEMIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsQQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQEIQoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwYEgowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYowQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKsMwIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEsUIEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSsUgEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEMQEQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wooYkMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wosYkgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmQQQscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKEoQgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYcUgwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeYMEsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYgYockg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cosYQsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWAAYoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIEEwQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DssMAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcEwUIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIEYEwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKMMkgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUsUEAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwYAsUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqgwUsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psYcEccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQkswQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKAQQsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQwgYYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIEEgcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAsocckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okMUcIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUgEQoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwwgMQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQYEQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOgoocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcQwIoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmEkcIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKYsQAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIsIAMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqAgIQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEgQAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuocMIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAcYEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqAsYowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaAsMYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqAgYIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIcgkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgogoAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmUYwMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYQAIcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgEQsAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaUcAwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYAQogkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gugwcocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQMEAoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmEMMcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQoMIoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYUMsAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwEsYgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEoUAUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcowsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKsAAkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaYkwUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUUcUosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIocoYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuQQMAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMckgkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmccQoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMMgskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGcwIgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIYAooAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycYAUEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIUoEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCYEIocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAooMkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYsAMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaEsUAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEMsQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkgEYMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEQkEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEcwwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAoYEsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\byEgYUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKsMYoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcAkMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\magQwkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIAswwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCcsossw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sooQkgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGYEMkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGsAEgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCIQgsEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUoYQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAIscQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYoQsgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iogQsUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmoswEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgUgIAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeIoAMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGQYwMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGcMkMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIAAoIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCYEQcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoMcIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQcMUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqMUscoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKoIEEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASEMIEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeMsQAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqgUowcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIkYUkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeMYEQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkAoQIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYkYEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGQIIocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIUMYwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waoQwMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwMwAEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWQIcQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYEcIYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IioQUIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQQMAEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3364-0-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\lCwsksAE\sUIQkAwE.exe

MD5 62de8deb65263f37257f0516d6442362
SHA1 379a53dd57e7d313d49090b55f25a96322c0cc97
SHA256 3292336536c67141895f451f0d8b18589360d84c3a86a649ba63f2c1bd4ff7a1
SHA512 681f37a8a0be8e31de5fc36c57518c4f464ea25b2c8bac44ad540761f031e7bc2523200b00d9355a14acb4ad167e6c71f2ceefaa5441cee345f051bb87c7320e

memory/2372-11-0x0000000000400000-0x000000000042E000-memory.dmp

C:\ProgramData\lgYgAEcc\WGsskQYE.exe

MD5 fbd7e5774c2bf7038539b2e350782081
SHA1 d15a2f265e586792150bec7fd3e86ae02a608ca4
SHA256 bd048686366c62c2d91ea96aa401d0d2ae57e8b9473bb8f7e954981f777d76dd
SHA512 93ab0bcfcf815c9d4f1ce71a80a32ca2f98a6a4727d3c390d88f1ea0b81c6935112be5bc68809ea0eb6aa0657b998dbb4cfc4899d93ebc0c6ac85e95789e059c

memory/4616-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3364-19-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RUEEkosM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/4896-22-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-05-26_213e54e8e0cfc370f9c7839facb48323_virlock

MD5 672a1f1de82c3076688c129d2c89d0e2
SHA1 02e8f06ad6888c9fb28059f5eac065b7bbfdd365
SHA256 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363
SHA512 e2a10f2636cad8f3fe790d68454b929831a0d0b23b1a8714188ac23df2d4af4ff134650050cc1bc9ce870d5200c7b5da41b18fc1a300a86556049879af78fb90

memory/4500-30-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4896-34-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4704-42-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4500-46-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1800-54-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4704-58-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1800-69-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2844-72-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4700-80-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2844-84-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3988-95-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4700-96-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3988-107-0x0000000000400000-0x0000000000432000-memory.dmp

memory/972-117-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1264-121-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4288-129-0x0000000000400000-0x0000000000432000-memory.dmp

memory/972-133-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-141-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4288-145-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2664-156-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1092-170-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4460-169-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2812-178-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4460-182-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2704-190-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2812-194-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2704-205-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3048-206-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4952-216-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3048-220-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4592-229-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4952-232-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5088-240-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4592-244-0x0000000000400000-0x0000000000432000-memory.dmp

C:\ProgramData\lgYgAEcc\WGsskQYE.inf

MD5 380ba586bd197cec8ffe8538f46b606e
SHA1 d41d50722927824cb31b48fad97488db49f57d47
SHA256 e6a6bd1cfe72fbdf57a22b37560fab1421bec180b9364249dfdc1a0f5a3d4d2f
SHA512 23fd377df5c16110e867a26c395e543748bd9c848310e9a1775f85ebdec51435e86ddfacbd232291c41c160b008e16227da3f665a6f62a5e785b723865a15bb2

memory/5088-258-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-257-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1212-266-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-270-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1212-278-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3684-279-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3684-287-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2804-290-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2804-298-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-299-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-307-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3036-308-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3036-316-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2604-326-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2936-327-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2936-335-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4608-337-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4608-344-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3912-354-0x0000000000400000-0x0000000000432000-memory.dmp

memory/740-355-0x0000000000400000-0x0000000000432000-memory.dmp

memory/740-363-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5088-371-0x0000000000400000-0x0000000000432000-memory.dmp

memory/368-372-0x0000000000400000-0x0000000000432000-memory.dmp

memory/368-380-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2252-381-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4280-389-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2252-392-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4280-400-0x0000000000400000-0x0000000000432000-memory.dmp

memory/804-401-0x0000000000400000-0x0000000000432000-memory.dmp

memory/804-409-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3528-416-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1176-420-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1692-425-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3528-429-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3116-434-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1692-438-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3116-446-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4804-456-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1832-464-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5060-465-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5060-473-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4608-474-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3948-479-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4608-485-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3948-493-0x0000000000400000-0x0000000000432000-memory.dmp

memory/996-495-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-499-0x0000000000400000-0x0000000000432000-memory.dmp

memory/996-503-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3908-508-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-512-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4944-519-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3908-523-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5084-528-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4944-532-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5084-540-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1852-548-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1372-556-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kkUM.exe

MD5 a05dd84fd0c5bc441ae9006774ef4ab1
SHA1 5adba4a3033f6d4bd2aec44657caa3b6b5dbf86b
SHA256 87e99b9ce47bc16eae4be479205106c967dc0a54e119bf35a035a15e0ac2cc96
SHA512 b1f62f3732b9b40bb24e0ed175460ea9eec62eeed003b1408720100a97b9991a6d3858bf7e8f2ba24599f08cbe739f5f4e6fde3841bbc0a8dacee7b6c705251c

C:\Users\Admin\AppData\Local\Temp\IYce.exe

MD5 409e4623481ff442e9775c34ac19b14c
SHA1 cd682038add5cdbe7be4b5a87655a59e4400dbd5
SHA256 61909d2748999317da07f97a736ceab9067901ab8336eeb5e021a959761cf74c
SHA512 3a2c1940df289457e580ded62bcbcb3e33704f038fd4534f81be7f5d72fdd35dd6dabf311b16c188c26690dd68dbd4f11c6f7a9ee54a4d9ce8f7e1f225dcd94b

C:\Users\Admin\AppData\Local\Temp\gckc.exe

MD5 fd8149f477cf47e22e179d6d1354c64c
SHA1 e335c836f24c2e4ad84e574600b381c500852172
SHA256 1cd8edcbd3af20f47a3935c0238f4730232968c84172d9aba6d772ad279445be
SHA512 567b489a22bbd3a193407f16513fc7018327965b62886621d90d16d2937ad874432a37e551578a93c75be1827d5146c9f2a42f645792391faeeaaf7a3b3da1c3

C:\Users\Admin\AppData\Local\Temp\iYUm.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 c724085431acb05a0e1e90e284bb2535
SHA1 ecdf4d987a28d2b6f18cfd1d2290f3d37a97a92d
SHA256 3f108d9be62594d488177627cb87e2f240abe6bfeeb927fd1ad260c346c482c8
SHA512 49a45c882b7770a8c1b2e3c668ad6680fce9988fa8ec6437800c89f895a9d6d458eab6ab6188a421e06cfe961eb0f8206cbadbc03146e9599f15a8da2b84b9ad

C:\Users\Admin\AppData\Local\Temp\qgcA.exe

MD5 42cc4c48bd4c67e2aec0d2b9404fa47a
SHA1 4de0a552e68d4f0814dbb007d1e45b358ab1215c
SHA256 59f5e72afca8f6495b84febfd3f222d137855abf5fd6636e8a39a09b34048c3f
SHA512 1a839bccbc32e5c8bf5f21160d41df4d53386560707c964f5191a240c4df092199af154ce385b0c9110317fdf1d2f4927e1c977854d5808a91e4da4dd90cb93a

C:\Users\Admin\AppData\Local\Temp\QgAY.exe

MD5 9b0ea57beca0fce36ff2adfe21443969
SHA1 8a0d4f93d9dc89574ee5117da5a2d607ef5c91c7
SHA256 6564514e1d31e847ae22e8d111e2527abcf7a9275753e9ae7a66c296527adfea
SHA512 edaad78fad328dc4d527a3b61dfa5a5a00d22a8a242784120bd8f57d2716ee7e6357d24f8fa5cdc4f3ee6590c8eaf67fe6b5fa20f80440a382618541eb2334bc

C:\Users\Admin\AppData\Local\Temp\oQcW.exe

MD5 9b45c0bfce631ee37a9637db9a82dc33
SHA1 c7f7480781c98835d31d0fa8c20e795b23e76eab
SHA256 d058473eb1483351eadc1afbae18379882c5e447d82cb31bf6c15e052acdadd9
SHA512 fb8c16717b29bdee4cd439b8ebcb46f20ebdaa5370650abe87964382c66a323c223d7b60020ddacf5f84dfc673131f461c2d941be3490ebcb309d54d9de13602

C:\Users\Admin\AppData\Local\Temp\cAoo.exe

MD5 cd28826a63db728bfacba350b3d5b5b6
SHA1 86fe8ab2257eca436252e4da33bae0a0c5a1b4ec
SHA256 a806896a279031dcb3256ed1f9f58aed6c00ed9701206234e8e843d4c64ece45
SHA512 4de11ec5de2dc7be77cfad3999e2c107ea69d996e56288d0a9b4e9dccee1fa799164f4ee6aaecb57a35c0c028430eee8b0949391935076fc4907bfd71e2200ee

C:\Users\Admin\AppData\Local\Temp\QkMO.exe

MD5 c55147619bd34eebab95ec3a858cddad
SHA1 cb0a595a0096ba02a807a39c0fe7a62f9067e220
SHA256 79a6918d6f848350ffd9b7fd3fcf85b30d0f712aa2e61a62b9cf4a4462780039
SHA512 e896d3a2b1deadb2d270e978bd94369a6e2a213d58491b70eda88abcb10e0522a2a283f2b7d411da8de9c10092cb9ad1b3db3520574c44a45e5e005b35f8ad45

C:\Users\Admin\AppData\Local\Temp\gMMc.exe

MD5 1e84f83b5ac4e27530af13ba96292d4a
SHA1 8076cde37fb76f028bc4576f2a693f4e96ba854a
SHA256 ae725f2f554b9c4ab52f86b51a4715174e7710d1e743f8bf7f2dd9ec48e24a5a
SHA512 56ddc81257c0a6be74020295ed4a660523b60430ccfde622fa97bffcca25da1d1e055ac60ec01edd574090cec70de17a3fef8e30a930a4e8f3a10095f0fa925b

C:\Users\Admin\AppData\Local\Temp\GksG.exe

MD5 8c582a3e68e6c24b2b4de6b8a3dba48b
SHA1 f7fa7fe16dc0d3b2a2eb8bb7a4f1199b2ea59c8f
SHA256 f443f34992921fe1e28f5d65af8d2bbf5ec6cef9a11b30280afc6474c0e63937
SHA512 f4854b32b1b69cd24248c256c91623453868cab547b54bf509fd8236897b48b1613858d3628a8e7b9dd06bd120306b9f62f8044bfc206eb03b16399cf5780564

C:\Users\Admin\AppData\Local\Temp\wMcE.exe

MD5 565c3722edaf39e68af5e21ea561f717
SHA1 4e06b8643571aa17053de0069144284aa3b10c4e
SHA256 24c6a5a080a687a2c7c8f9b293c7b30b299634d8f6c74d21e37afe377497889a
SHA512 7cac132150cc7f5cf7007b563a635c952ca21ed6f8b3e4599ce778a16ddd62f2ff221267cdee1a05d19d6e29b764a6c96cd3b16bfb4478c6cae4bb265e9f12e4

C:\Users\Admin\AppData\Local\Temp\iEEi.exe

MD5 4a0cfc7144f0e5e2d2d6830825db9344
SHA1 81c50463103840143b1d55cf6ff39094389e3d17
SHA256 1688691de0d9e335a02e5c8fb9ad91f6bfbaf0c74f912af2e61e0351974b11a6
SHA512 bde7852e03026a60156e8d73b66481d8ae8b8a95f8a97b0bc70561e277a24353f5a836f29fc9f26f4507a7fc313828f9c29c2222dc615944a3bc601c94e4c2d3

C:\Users\Admin\AppData\Local\Temp\EEgE.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\qMQw.exe

MD5 220dfcfaeeadfbd3dac61d1b1cc6f00d
SHA1 151e1072582e93338d5c4da659ac57b42f9f1c2f
SHA256 4f534fbf6ee8080aaefb946f97251aad73994049e8fff33d62bfd9a5477acfe1
SHA512 afc4f1276d6bd9731b34087afea5bde323de3ce448450bf2bd6a447a1c7e210826f5db8669e5c9d95d6a0a7e5889e638d020dd24201b58059d13943d13fd8062

C:\Users\Admin\AppData\Local\Temp\occU.exe

MD5 57d73a8f0e96f6ea22b0c9050dc0a69c
SHA1 ec86e1485744b7e5549ece58c282add2a9283c7d
SHA256 313e6b662ba542d2f0e2126dff9a0fbcf0597dbff4d1ba542d332eece9ccd689
SHA512 2e2adc622bee16c4b893278fa94bb4c8051dc562c6541ea8dfbd32c3d76c8a73c4b69ff28988550a68815a83f2f415708f83235d7734672597c326a1025008b0

C:\Users\Admin\AppData\Local\Temp\owEK.exe

MD5 515960044dd0d75efb548920f53c33aa
SHA1 cdf5c0fd375d7781d1eef39702b00845db68b8b7
SHA256 b70acc64d6fddac7eba9ab934a53598c746ba8712ea32d63e5d435e9cb662368
SHA512 cbe25e95e0eb5d263cdd632259a9030f7ac8d0cd14e596ab581f990b69ad3743edc54acf963f7976987a5c5365821906fb8a5eb4a2b875207c4020178aecc377

C:\Users\Admin\AppData\Local\Temp\EYcy.exe

MD5 080e27d174e9513a68803dac0226f890
SHA1 76baf34d63581a197515ed345e213802f17ad033
SHA256 0ba0337044e684dfd968d7d8dba0167f660bdc4aca40d18a9618eb4f5fab320f
SHA512 83b42709154ff2338da506bc573f9f582ad61d441301b77b19e70215ed3541151f4378f1e654f2cf5efb15018ddbb277eca418f24b78dada72e765a7ce5b9dfc

C:\Users\Admin\AppData\Local\Temp\gQsY.exe

MD5 f45936e36abe8d39c20a88b1c41e4af1
SHA1 473750013e39f8ba435837625e0018faf09ed426
SHA256 3c262de570cc21d232b12577aa65a663dfdd42a17917e97b0105315a47ded49e
SHA512 2e5aaa38465dbcabccacdf33acb42af3cb214d1cd8a7eb68efe6a48413f15d5f7ae3a3fe931208ddfd3a051e224b4b164488d61133724948ca3a6862aaba755f

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

MD5 835d97c0d6a05e40fefd3f6e6db8bd39
SHA1 dfd70b3a151bed6d7f5d3c904f998e227ce199d5
SHA256 5bbf8e084bf883108429471222336fe0f538d6104102685464e0d62d51067861
SHA512 efd4892fd84a62bc7164d519917aa6345b8f9ab5d65657c65f219517df218118bea257ef3ae7bb1507183360f5b26584df18ce678b4b80ce63e2e2c1c553fd0f

C:\Users\Admin\AppData\Local\Temp\scwA.exe

MD5 48a77b1342b76139b3663983a0c9915e
SHA1 de0a30d6fe252a15716dce769d49e37e9812fdea
SHA256 a3d3d5e433c97f55169dc1ebdd8fa3ed7c3225e9801e85e737c9b75f17025e90
SHA512 1a974ec7556bbae7573c6a73ebafa718011312584ee63fc0c24c99ecf360e02e0f4d3974b1bc2feb0f253df36c6e9e8f5a81c97cf020e2d8ea223f31f8015f47

C:\Users\Admin\AppData\Local\Temp\sEcs.exe

MD5 4bd457aede676a1809a91704ca258657
SHA1 66986394b40f6e696ed4742062002d1c0cd6a365
SHA256 bd8b85db4e221d942933c1969180a3cfc6a2aeb5d47ade96c0913bf64dbdd325
SHA512 f1819b9007ea224a33c2b732d31ff2e36f8af83b6ddae118cfc3a2f08364ba26791bbaa7989cf127b20ec4305a9d41c196491473a28f3d2c300af7f8eda460fd

C:\Users\Admin\AppData\Local\Temp\ysQA.exe

MD5 6a98e101817a198b2a080a5eea7e3e0b
SHA1 ec7e0bc21982a299f7602ad2469584e131d8f41c
SHA256 da1103f834365f14bcdadf8f93f064985618f33c477b368ae036844f1b80449e
SHA512 477a37a8b838a66549c23f08a1261aad4422f3ffab03f1f42bee1141b7793db993a31e0b93b4f16819946dd949455f4e5fc0ae27a5fcadb37a4e3851613d22ee

C:\Users\Admin\AppData\Local\Temp\scsG.exe

MD5 5d309fef71a9ca425d76790aa37da0ce
SHA1 a8cfa9d78823bd9223b2cd08914f8328943d7c75
SHA256 1d20edbe73ece3fa63b6a0c61831a31ce8e414d74e28ca857572c30c2363bfb8
SHA512 5c1fbe47d7db957a9cc6dd017753b0f3d778defd0505980f806a4e5bb16088ac79c59aa45639890744abbb11183d93255c4e6380b6d54a59b6953010c03638b1

C:\Users\Admin\AppData\Local\Temp\SQQU.exe

MD5 f8408edf0da1d2218609c2763ad5f185
SHA1 1ea3b020e1c27da99ce3f0abb81ac5d6b23b6006
SHA256 7634567469d9974bdac4e58b0c28c7d1aa7df68b1db93d95f0aa749b3ea676e5
SHA512 b85ce39dec1c06ed000b20f2bdc49249211719b4c34efe0c66d17f4570068fd5cfef0c2e0a1c9fa5540d0c069dd8269abc2c651663efd7b0cfb3cd3d9e5617b2

C:\Users\Admin\AppData\Local\Temp\kUUy.exe

MD5 c4245d435a53ef7ca0a758ddfbe54b6b
SHA1 47aab24114c04ca657e28b91438b6617beafdcff
SHA256 7ee2cc6d45bf72393e55e336b561e524e44ddb1a1e7c7a1318fadbdc0b547455
SHA512 557bb079683dc5f4fde6d628962c73df3a70a365b3ef84b4f7fb2b785225dee4006bebf1c0e43555baa5adef9e464d8e61636e61fabe34db4c897b30b74ce657

C:\Users\Admin\AppData\Local\Temp\OoYs.exe

MD5 78d5b57b9c0a5669359176da0ca96c99
SHA1 cdf5ec70a45d583fff0b16484b1507b7ee006b00
SHA256 26c23bec22cf8ee123a4ef202aed5effebcb5e879af4f72ee6f44f1de8532121
SHA512 88f7c36bfc6f020cf96ddc18df33cc93eac99a8bb23b40ab48cb80dbfd39e997b786b5d2adc1556dba01eceb82ff722905c3dcc2d692a6047606344ca623c503

C:\Users\Admin\AppData\Local\Temp\MEEg.exe

MD5 b6a7650569b7d4a2e1e9578d76db3c7b
SHA1 ca2ca67a7903f4a3fe72b6c891b38adc4ed61604
SHA256 b8b41d88d11cad16cb0b42994094e5441e0c8cd0b367bfecba4100c6218c1162
SHA512 f00ff131824d3c58b24085c90acaa5301dd50aebb1f37c25a752e69a60c14e62621851c4824166c7539a26e564fc68d92390f99e9d0e78df57675b96b16af754

C:\Users\Admin\AppData\Local\Temp\qQMi.exe

MD5 b8f45516e912cb8a0b8d7b2b7acd192b
SHA1 e3ef1ba850d07b1d1e7d89380d73125e9b994d2f
SHA256 fca9cb022eb878df16670bf0edfcf30a5b6bb076e5354ac6a86f07f0a7916eb9
SHA512 297114a345f89efd29f2433a74b5033658413531387e607ee68cd7b1d8a8c19478b70514d2e345a38bd817fc971944e90d26edf29b277829cc478d387c625148

C:\Users\Admin\AppData\Local\Temp\EcIm.exe

MD5 e3f5a73c84630c66cafedc84960ac95b
SHA1 366bbd6fdb67c34a50a6f34d2c98dd11f3dd604e
SHA256 9a7708533f8636973be30c7055454ed86dab78842bc5f2b516ccffbc16a43f04
SHA512 0bfa7a0b2f95eae7d6317d389bb3c0e9f53c66c44ae67ffb9de52a364013becac20cc3b8e0f46be56bae117b3bd88435a54b083c7cf5c0ae329f46218bd8c367

C:\Users\Admin\AppData\Local\Temp\GQoO.exe

MD5 ed6830574e169a5f64d1d8267360261d
SHA1 b4f20c8d76886a433c9344e2ef1764b55933c883
SHA256 d3c057606729ffe330193176987545385d32de040adc60304d028f8e3c9c0e83
SHA512 485db60858fa23a01e5d6e8f76314c0ca17cc504efeb7d2d8b7a466d900955bb4725c0ac4b0e8cde0e6a611fc0dc30d2db27d984eb333836431e6946f6d293d6

C:\Users\Admin\AppData\Local\Temp\CgwY.exe

MD5 63e7b37f42c3eb26f9771961d3ced6a4
SHA1 2482de767c234a820691a89cfca482379c8a4309
SHA256 6a5089f6c6fa5d0aabc6a61492ad24e2170cf131bb4316a67277c433b1807f01
SHA512 328c1a3208f220e05f6d16cb2b2d6f43eb8b53247cb43ee7c4a0c31754f5bc82df381a1d0cc231732fb24fb074ea0877136685f96ff8d51483142645cbe4870c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 cb5a7ab6d23519dcd42d0920e7b3a6b9
SHA1 f824663160e63112d6ba6469e31310e2bd5fb139
SHA256 902160b6a9ff8bc160004dd06077fba9122ebac821b1497d4fce666bb86a7a72
SHA512 6412bcde18f45386281470616af66d277dcb6115079ca3a24bbb2282f9ad764e76ca13dece858568d50aace39730be24cc4c3c8fb71b5703828407e54efedc36

C:\Users\Admin\AppData\Local\Temp\gMMY.exe

MD5 f67f8a14a6286433c95a45dabb7efa50
SHA1 34add9a767b97a1099edd196e90909794045930e
SHA256 831d32e6d191ed8edaf83ea628b6d6601565c66e27e28d991efee4bebddcc4cd
SHA512 bbbae4830ef0d5cfd1a4367f7bf98d1fb038817eac567cece380545c9c162dcd22bd82235f500906a3976450f6d3c2966e48f34334e5752896d6867e9c2da766

C:\Users\Admin\AppData\Local\Temp\wUkE.exe

MD5 daac1b5b26a4cd2da2efd743fa4310ef
SHA1 3f9c89a5f985140a03a38e774cf5c72e7fda0c52
SHA256 03399a228fc28c53212eb20354ea07a9eb7dc9e200539408c96afe42a6fe436c
SHA512 dd83ebbe5a670859d40e7af371917d8c869c96dbb06deaeebff6eeee90a2272d8f4ffd5c3db5fa2ca11fc22aeb9c2d9235265bc1dbd79e521953514bd58bef6e

C:\Users\Admin\AppData\Local\Temp\IIgE.exe

MD5 5b134a9490b0d725b3db05ba9d77558d
SHA1 4f27d544d10d543582717545d8cf94635c39aa1a
SHA256 715ef1791456e059bf781f9742bb477b23ca192b0df512a18ac8a6d961ee8a14
SHA512 fcd2880cd19b7b9d968a12cac06b4a6318c4fb3446495c67a0586a3ae3106274f0c0c3246ddc30e5d36c2ba97bcd283edf9d47fe9e2421a3f99fc5908c920908

C:\Users\Admin\AppData\Local\Temp\kQsS.exe

MD5 b6d6c6602c4ba315979d71231bf68492
SHA1 603144b3c9c36268fab9ea7bc91fe3f30b81a56b
SHA256 0a8b9ca8b32f88e2feba365a7290083fdd7148b2059e4c2caf486a0e39ab8328
SHA512 b1fc335363417960027cc2f2b247b4700fbe80ff6595d9d671f3e357ade0983f87f7fb3ff165c71d06f8eb5f8e038ffd0c46cbd7ddcce050f6d33ca176654de7

C:\Users\Admin\AppData\Local\Temp\gcYC.exe

MD5 fa5a3ad77cd79af5d441d0f051842c89
SHA1 6740f2afc379546b1298ecf2d76d7348da9fe131
SHA256 295dae555082af65d1f741f25a2da18bf7ae815c0bd7aadfb10a08d8ec63b453
SHA512 33e6f4385a655f4bf85aca235699df23adb018192ece25ed3323b3ea6df0b74b6eceacf37822162ef4bfcce476e408d34d5f4194418a1a9800a4e69ae22336ba

C:\Users\Admin\AppData\Local\Temp\eEAq.exe

MD5 09c60cdb009fa6f964621f86085b8701
SHA1 7c60b55b1028cb80e7eeb7aba70618a5b854c57e
SHA256 b06508cf06192c2458ee359a9710b28ba44c70b452d8df62568c6a9172d02381
SHA512 d5f104f474f96112c75ba4918415a894bea022b6003dcc98ce60393679702955e538a3a4691b99d742029deeded3d61a115f61da12a541b7276b0bb09ba735ef

C:\Users\Admin\AppData\Local\Temp\Wwwm.exe

MD5 ac811077e8c7adfb9fdcfa16bc332202
SHA1 5f315473f7588d8b5bc591c06ff9ded16850ccf0
SHA256 bed317e9fec72169122807d13d81bc79a601d536125dabd318a9b8aab9812075
SHA512 003b62459db92331b38e2d5b6897be4c71ad38b746c708c09fb585814437ce9fa4ca9fab0d20d352af5a0fe1b04ccd3152d6a3f1071df92b3793c6107b304b99

C:\Users\Admin\AppData\Local\Temp\agQu.exe

MD5 283713b9fa65ad809c90804f140a46a2
SHA1 78ddd1bf95e23b05ac142ffa398a66a8a8e7b0d8
SHA256 09cb9a61791fc4d468f4f2c46169058ba7b17310c48acb85bd5d61c585c68ebd
SHA512 77e603dcb45b5acb960248e4ec57873cf8272a5860fe769b20255e9a5d0eb55584f0c084dfa9d5db0f4cb9309e083e92d05ff4ec914dfeaf69b8b01089ceaf45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 d810b3750005cbfcc21fad60bfd5cd4c
SHA1 07a9e83e121f0e76ce95fde8cbec9e0ab45cc13e
SHA256 d69a1c667b7f73c1c69c82fba1f54aaeb0c99c67098c194a0d4ffb2896e94475
SHA512 ff28c532e75195e0c8a678b47da7c60e869939046518b043b8db369c0597d7ffa4f807847ea2aaa1a00e338a17dd24bed7fa7d15a9924299407ef77531d95ccb

C:\Users\Admin\AppData\Local\Temp\iQcq.exe

MD5 f94eec28febe844ce22313a583790294
SHA1 4ad569eaf943b7e218c5d135625f5b87cc28f999
SHA256 a9b9a390776d93b7929733ee3bd39789c115dc621771af4573e74fe72d3c3343
SHA512 c9be1d2463e941a7349fb72aae807c8e2492b043a0c1571f0ce318959612adfa071efcfe5f19aa2b9cb849388222dcddc3c5b65fd53e5fdf7c52834143faae3d

C:\Users\Admin\AppData\Local\Temp\sEww.exe

MD5 56c670d2a2d55e2b313eb89372b1283a
SHA1 138adf841c37e9173a57642c65ea21c6020f8fe7
SHA256 55c0383f09775a640b75406e46f502f4ad28027ef119f0fa6090972d0ef6bc4c
SHA512 c7ecef0ac09b535f47373e6a1bdc203c99a2c0ca6a8d5f3f5b252afd0aecac5f3a13b18b3e6b4d3726bc91ebbb5f3c7d3c4c29c099c8baa2d445c642e8e8af55

C:\Users\Admin\AppData\Local\Temp\UgQE.exe

MD5 0ac0cf8dbf92254d3a852290da49d32d
SHA1 7625584a3a7e735d9e214552741ac3fc052744b1
SHA256 1a956ad9b0df5a5a12de857cb872b0ea17678aa9eedd2ae72fb3bced6cbb223b
SHA512 8a15ca6cc7d7a28d1c913ff9456d1e854581820f70cec4beae078135a45205f811fe9938b2cb36b531fc8e521bed6c245f6cd136ff23b0f681c319e481dc758a

C:\Users\Admin\AppData\Local\Temp\AQYC.exe

MD5 8047ef3ecce5bcfab6bde4d0599c148e
SHA1 225e948bdeaf9b50d290b471f760f334d78cdcf0
SHA256 dcfb9d7ea2b5739f1d7cdefa119bc39476b43ebf861d4fe6fc33221897c474cb
SHA512 31e565f2a9ee8a10dbacb545b07da5a5b191cc7cdb17b0c1a41873c04f17552fdb86cc0e93cde7c29c31036ec37349b3556e26c1e5180408b411aa3196d6c5e0

C:\Users\Admin\AppData\Local\Temp\kAEe.exe

MD5 506f0a4bd381c9cd9268e8622302e515
SHA1 5dea03576c876b2e32b10adaa1e92db63f3bc5b2
SHA256 fddf4aaf5a86acaaffc5906ab999ee54c168ddaf48b357f3b25e8dc4b8d97220
SHA512 ec1222a75bc0dbe956072c4f52bb90ef45a7427642910a8c21bc7298e5566c80f247f4bb65dc687c513a2b14d89b993a96bbe9c03be0bec13c04cd743f6f06f9

C:\Users\Admin\AppData\Local\Temp\UcAk.exe

MD5 b967ccd07dc7712620ab9ed017eb595b
SHA1 ee6c52543423abdc07d143f4acf262f0d9e39686
SHA256 9deddf33f542bcfc6006244fe5390256e67a5b0105e8543335fc790b1c2b375a
SHA512 557d8bd5ce5741ab86e1e829ef5ea2e8a65699c52ac9279f57b70a209c2b8276306e5898fbb2e76d97cc44aa11ec6fe9e9f71500bd726d13d548d76e405c763e

C:\Users\Admin\AppData\Local\Temp\esMm.exe

MD5 97c876599445a374b22da87beef38270
SHA1 6baa02c0cd67afd62dd7f8ef894422c3382529b4
SHA256 4e79c19c71af402c0d5651798fcf996f1f85d0369aa2fd77e264db9c45936b19
SHA512 0539fb9ce919305101b1afea57b626e57ead3f6a2a3ce822fcb668617125fa3103cb8868df5ddaf5907da7852010305cd8cbf3284cc872a73159ff212a3bfb24

C:\Users\Admin\AppData\Local\Temp\CQcc.exe

MD5 6501275b8be6176e840d49f8b203e7b2
SHA1 a17a6c5613809463c3d354770bbc66b712d66aaf
SHA256 e11862f41e0d295c62faa3f80e5622fc913821dc8f4666883b0eb1b261d5bc1c
SHA512 120bcf751d7b269e01b6fd52b8c06ba05f78b4b5bf8a6f1debceb449fca27c47968688cba8a84fc39cef424262b29992f86e567c0d882c4eba52cbeb54cc6c6a

C:\Users\Admin\AppData\Local\Temp\ucUa.exe

MD5 2a92cb9720381a2e7c9677e35fa6409a
SHA1 6a2e1ddb0199b5531587cf7bc0fc56ef3a64e30a
SHA256 078ec5d49e398b0c11dbb73aa00f0b70111000c51f9154f857601c90945cfe67
SHA512 2120b3da3a0a4f5a2a039873799483830daf6ac9033b63771280d8e00fc66390d883f382049aed213afe51947c546a811e3c6eeece208510410b8a65e5e10dd1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 65b621e47ad14255a0685e253d8c9a94
SHA1 5097ced65e6e8047c37233b24c5006e34ee8101b
SHA256 300da980d51cee10fcbb9b20b00b3640c87fabe18fd10d2dd0c9eac2d4a8c2e0
SHA512 661a99859c39ec35680057b5a16a14923c938a77e97d37bcba271a79f783efa079c7a2d183377bc2a9da635ef10cc7df5f100a44d5964882109b416b96710551

C:\Users\Admin\AppData\Local\Temp\mAkk.exe

MD5 f3cda372f03f5f8b78c2eafce8b7f0d0
SHA1 27c706c151787f658a91c8cd1ec5fcd0f0616575
SHA256 f4e8ff58d6a8c0b2d0dce461ee82ef397bd4c7ae8b72ed0796127a14433f4884
SHA512 410be8de5da9d0a6e5f74e32f5713a0c4df670d11b92df132e8c2c155368d0a698431c95d497c7f898cca97b72412a697f4fc2bb17f63dde0f64322522a8b6da

C:\Users\Admin\AppData\Local\Temp\kEQS.exe

MD5 dabf109bd0542245404146b5167ec08a
SHA1 91812ebe741cbb492179936653818e77952f44f8
SHA256 c27801e6c5b3e4d0cf3d65c288f5446ec4e0e7a35a35b694bb73551529c46397
SHA512 686c72b4ee8792e5ee04c4605f002453e139bdbbd2d4e5fafc2aab65bc2e647be32335f160562c0fed30d0dc850b622bfe64cfc767240847bc7361c1cabbda8c

C:\Users\Admin\AppData\Local\Temp\mYUU.exe

MD5 aa34f8de4e7ae1634158225f2557c408
SHA1 235e497e56174571365ba5ee7b934981f9fe49da
SHA256 dc43f68452bbf11a8f8498be65d6e0a2f514ea5749a042c1a9568559cc70538d
SHA512 6bf4076098eb6bede01c51857326be19c0d7909b00a4f36d04705c4a3a0d78f61e9fab95e139d9d3d84e6ac50070685a9b6584e7f74e423ea1aca266853a6d75

C:\Users\Admin\AppData\Local\Temp\GcAG.exe

MD5 c733260dfec9339bb8c95cc6d5c12e31
SHA1 89fd76c9e3d14756ff785a21a0ee7aa4ed5e517b
SHA256 2f79cb8b95e799f3eae3902981abcd9f7c44203e17c61642eb4a48b88f749947
SHA512 69d42194fd575e3f3eaf5dcc037e5c9494cd6026eb1b9314d5ff64d542a45ce76570b3625892d9c080a337b059f308b16af5681b1a9bf377f2cb1720f4e5c324

C:\Users\Admin\AppData\Local\Temp\CIQM.exe

MD5 9079e1f681046a2d46199c0bd5801cc7
SHA1 df757700c21846d811d87621894ed8917fe8c453
SHA256 2a0f5b86d3dbd00fdd1a6b3984df6a54aac33bc0d993ce8257c0f357a6c422c9
SHA512 de56cead7bbb21e94f2db52290414150864db1cf17b64e28276caa0dc8881defdea9839babb18f1485932bb3d709276b3b6cdb719a5e6740344f41fa98bf30b8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 3e783b3714c410ea317579d2b6afd52c
SHA1 fca33b194a71069a7d918e617332609c8ce90f55
SHA256 53bf901da8e2236d9a4cf27aac84e6c75aaa898c385c4582d75fedc4452f7f91
SHA512 fd79969676c4bd1c4ec499720b0231bcd17f4329f8a4989acede24fedc9392074bcdc4ee69a023c653a064ef8f832cf15dc752089ff7427d4fdd9df05db5cda9

C:\Users\Admin\AppData\Local\Temp\mggW.exe

MD5 ea524904fd423e1e9e935e9b6f2e0049
SHA1 216f5af00234b5516dd990407b36ea55a3c84532
SHA256 4f1ac6e5069ce9961e28a40bd8f846bc471ed5aabfbce191fe0f61a12922bf57
SHA512 52325daa5f2daed9923a9ccdb8703a24d0c81fc4b7f85b8a47aa9c364a51f488241a360249ea16d3ce02f61c205b434864db3a5e491d84e11cfea11ff5a41c27

C:\Users\Admin\AppData\Local\Temp\GsAK.exe

MD5 4d8f9df5081741fe4023452e432d9879
SHA1 3287ca5af4a2d1c4cbfdfdd64d6f245758850525
SHA256 e5e203ac146114e7c14954c2a27776870c40da9c42179092566e523b84e9c3e9
SHA512 cff71d787b889597e7e8771e6c7aa7c3bf1ce07bd900a0c63cf3774f007555b26cc5901241656989752c7fe62bd73b6dd4c67a18df99c53299a473954c135d88

C:\Users\Admin\AppData\Local\Temp\IkUU.exe

MD5 467b3c00c58e37088c654eee1fbfe284
SHA1 1586b20ab6bc10ae52ca0e7ee5b8418d3ade278f
SHA256 05c038ffc0c84749fb4a824ae879809c787712d668b2f0159a71476b48ef15f8
SHA512 0188dc1a06cfa3e61eba457231ba85641bce707f357b77d290da0c51d74f287a8ed4c685f6ee071f07d1b52c402e3080af2bb93630913724cfb13201e80034f1

C:\Users\Admin\AppData\Local\Temp\AUIQ.exe

MD5 808c850b6c1755ca4a17e52480fb53d3
SHA1 e0a875a18712b6351487b6eaa692b094a43f7ec0
SHA256 8195fb1f2797f72ef63e1bc73da8ca84837b36a81d8bb02bb18656a4d895fbe9
SHA512 7ed99a312a3dc0e410f7e5c83321db0d8956aeee03b0f56f8e80ff7e0ef53c6ff326a49b190cd2f7e967d8411022ce828462e3e900d378683649e6be61711456

C:\Users\Admin\AppData\Local\Temp\cgQW.exe

MD5 e84d6bb3e0f5f856a6bb150f56ac0727
SHA1 f5b3d5129ce548fd98e75ddb5be69a064c919d1c
SHA256 b617a1930e0441146a9877caeddd8ea45ed5909b755bdb2db4e9926ae4d3be14
SHA512 083fbfffe9dadedec033c7616633175236b8e285f5d60d38425f6d48092ddc2e05c19eb405603778b2e9019feff3bee8dc6728855e5ecaa21b90516b9faff902

C:\Users\Admin\AppData\Local\Temp\qgoG.exe

MD5 065f66435ccef4cdc0a960023722d101
SHA1 08714794c85c521a0c95d8f876bf5da0c47b32fb
SHA256 5409b69ee94b78eee126a5305dbb3f69c03b4995e489d1374a4ce89f3a3ef12d
SHA512 846aa3a1c76832bfc7dcd0a364dbff5282bd242e54bba10594da495bef9483e2f23a3fff6390a06780474b5d0f74a1cfd850448e81c7cc878d4c4fe2766a7b6b

C:\Users\Admin\AppData\Local\Temp\yMcy.exe

MD5 7b9706bf8afcf5587f1b94cc6288afa2
SHA1 3f67fb7a945a866df9a27df075a8efc4b418d1c7
SHA256 aca92ad49fc977146bb50134669b07dbb21467b44e1b05f726a7f81758859dcb
SHA512 f6d4ea9da488c6bf4117eda4d569d8af90ac255c4afe4dac89a63933ba424db9e3c7223f54eb709cf8221bbbda2601c391ee43fcf9d52d2df489e8fac10450f7

C:\Users\Admin\AppData\Local\Temp\YIUc.exe

MD5 e982aafc5126306f90a96e323b3ec015
SHA1 1621282e7a73314bd8399814d83bf64ba8bca7e6
SHA256 6764fda83523ec62975065fcd3ed87dd0aa22d094f24114943e903c297fbdb85
SHA512 f0951d8f618c608421e2cb40b65550eb93e42d4faea99e826de829bfb3b117c73b124a1e477e6448b22cdba61e65076399b8f37ccf2fa5fa675994dce34df837

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 1229323a9e6a2c7c7e075c0d9f7f6b5f
SHA1 1ba55e4d7bf0ac6af282167efd8ffafb6e57651b
SHA256 c3457dedb212a5aff05585e1f041ce1d2b0b07cbf68ff24b920c9fb611cf1574
SHA512 bf50cee6f17789a44ac87795429ad8973cd379d00f8143dde1394b09669450a221ac91fa4123e96d5faad00bcc2be14976c2051648ff06027e4d43a23435e46a

C:\Users\Admin\AppData\Local\Temp\isIS.exe

MD5 3eebd63041879f9695aa09cd3e77c62c
SHA1 d04a1fb6b5a04ee5f745be0aefcf73008bc7f04c
SHA256 bbce5600eedeb32cffe3b3a85ccd15a7b41106fdb9d3b20938fd0035d471b4c7
SHA512 3d7497f13f1894e3f3f192a26bcd6fdd612dadc3aa7247bfe2fc15333e53b98e98abbee2987e468a28b525923e08a4fb301c39a4408ed41cc178bddff50e2d0d

C:\Users\Admin\AppData\Local\Temp\wAwa.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\AoIw.exe

MD5 7a0d2073ea0ea7d1b289a477b5145866
SHA1 2abed85b8d7af99c0e280de1e9a524bdf572b725
SHA256 12a60a169fc13d59fdcc683da93b5b7c4757ed446d61f39b76e3da4cc70aaeb8
SHA512 5b7ab26856afbbbbdc6c42374aa28429dff9e7fe69aeefc3781e50f1a9cb392c5d2e14b02586135df257effac75e9666235e27f345abe89fcf882464889955d7

C:\Users\Admin\AppData\Local\Temp\QYUg.exe

MD5 7ae2cd0ebd705afc8e34f4f554a5bd31
SHA1 bafd44eca43b5e9fefb42a1f4f47ca59122108a2
SHA256 d05bd4894ae853fdd8c7041093fdc5133b21d6dcae9c0fbed5389495dc100086
SHA512 b5665d6a4a242ae621876b5482f0a5bf01a339482a47577b29c92c463f9d4beaf60c0c116d203997f9a45ec18a9043e65584f40c1cda9535b0eb05b9e5b3ebe3

C:\Users\Admin\AppData\Local\Temp\UAcq.exe

MD5 523d0762432de77b14fd646d69cc8eaa
SHA1 b3e1f7e5a0ab2dece4a06618683e7dac2871bd95
SHA256 4a7a0a1f85e6b0de7c458acb86fae506c11fd6d5c4e06aa5d76290a752a8ce8f
SHA512 95c9511ae8099bf6106f11b98fe7ded7815f55230434c7fdc40e007a275944bfb0e2e6b1c8cac91f7d7519e2828a617c77366c9b1e2a71fdf36f89d2237926b3

C:\Users\Admin\AppData\Local\Temp\WQMe.exe

MD5 8a56dc199e5aa5baeecf5f686a22ce8c
SHA1 b46ae53253f82c08c02a651f2af2a1fc61a89b30
SHA256 99872ea96620240036c07dfd54ac070474c00a80d846c17eab881152a127af1c
SHA512 bd8887c1d3b5bf882350f80af8d89ccd371a86def1da7fced42d5b60792e36654f81bd2e5ae1f1b2db34b3826f73d6911a3199638204988cfa38bdfd53531ccb

C:\Users\Admin\AppData\Local\Temp\gMgI.exe

MD5 33c217f6cec62a013ecab0adc0cfddb6
SHA1 6185ab24e20ea294a3e01dcac6999de1ae1c3882
SHA256 a281dbca31927e93c386e7828c3623d6eca00052ebd0493e6a2873908b4df9f0
SHA512 4352c4352c941c9ed48c6540b2a08faf23b2e779660998ba6f942a4bb35144267add0a3cf4502f9109e64883ed93797f365fb4112708e7f82464910a1772e611

C:\Users\Admin\AppData\Local\Temp\GYkk.exe

MD5 e9f4afcd4ac0220fbc93f25e6f18c702
SHA1 f2710acd8b6a4249364a1bc6e5cc7b66f41bd934
SHA256 f9961119cc63de303c7d15dd895ad199216e3d10f9481942a16ffaee982ca10f
SHA512 9dfc0d355fdf066963cb9a05d94569e449ac392edf2bc9d9e54bc0c674ba9f6e0b9ff6f4da0d31eb4835ac8bf7ad56601a2c0d04b656b92d5a62adbe35dd82a5

C:\Users\Admin\AppData\Local\Temp\UMEW.exe

MD5 3022f257839121d4edb757d87debe7ab
SHA1 2141497a3c522505af88eed75f40161973b04dbc
SHA256 5bc0a0009fc4bf5bd451468167134212d67106c7bd245ed5a1549f9232f849d4
SHA512 a97a7e18993176b1db9ae41c3a9750f1ddbfb43bb098104a0912a1c04311435afbcb89e0204e612ba9ea7b19bff5a0117d57138bb8830e072d7b10a89ebb6a9a

C:\Users\Admin\AppData\Local\Temp\oEUI.exe

MD5 e35ed3e2331dd443ceae13616407b8a0
SHA1 3ec5864ae500da66a425900d4993c6d2d48f095e
SHA256 6859a7faf3e9f5f3201c93e81af93a6a9874d8215fac755a3b55b564c79134e8
SHA512 dfd25e6373db5325c9fd4581fe34cd901889d812adc5bb62fad26c816c7f6b0f7e43da966d6254721d8bcaac5c26b7e9ef1b5168ab5f1a7cb268241823c31022

C:\Users\Admin\AppData\Local\Temp\YoIM.exe

MD5 88495ec032577453135b58f2bb82ff5b
SHA1 484073077fcb069739a85ba68e464ae420ce5a93
SHA256 5e7b85c8fabb19755548442f5ee497461c3b9e0c1eecf6f5c27d4a6a3b9175a4
SHA512 3dd4f751b634d59fe5e57c4da4b51c146153760c7fb0f1d1d0c4868df956161701d1a210020ff201691cda6f3eca70d97b0b87ed15bdec2601634cf6dd81c174

C:\Users\Admin\AppData\Local\Temp\YEsy.exe

MD5 5d5548e4c21864c389daa99e6b774955
SHA1 0fd16f27f1516c49953922fc6df01d1140a85e7c
SHA256 36efda70a3ff2f70970c26e49dd045fb6166c2c840bd4eeeab9d34fe6cf30447
SHA512 93ecfc588d66ec1f875251aba1d9b6d683b51013c404d13c50388aee727b32cceedfb4a19add9d358b5486fb56a40d08b9b5916f0a87b9c735932bdad89f622a

C:\Users\Admin\AppData\Local\Temp\EwMe.exe

MD5 1849ec73b3029922c1b4c7ce9e04acd9
SHA1 8a33b43d8458a6fcac09f9dd1f3df657af6323f2
SHA256 9ea796fb7a67fd533f552e8a71d62f55c13612f7fc22b867a43059e7e07235df
SHA512 4ac90624840d0998780febb579143dc0ffd61b96f398e55e98b840dcd0c39472b96e35c98a6c62521fe54d1899689a11191c5e30ebc03afe191753b54d8cfe80

C:\Users\Admin\AppData\Local\Temp\OQIw.exe

MD5 dfe6fd06779a6a1d2a9d5ec651c17064
SHA1 546706e5fa3f5d3a1932586d6713ea06affda67f
SHA256 b8cbbddd2f9cc6b10bd34f782242d6ecac69674a7ef98a69ce830e8a2027b58e
SHA512 5a8c1da866e5fa5927a9584f0a9f87a8ee3679a69f412d06955f5c1679b73d4ba10285e789064b7fda153a3698ffaa64f93a00a97f5408b889741c3e98393b48

C:\Users\Admin\AppData\Local\Temp\WosS.exe

MD5 4b1a09b890567a659588339c66e6da46
SHA1 30479385812d12bd736f0ba63579066088531b8b
SHA256 a12035852fc7f100272192c0cba6a0d21025d55a66ee104d45ceb683724c05ed
SHA512 06a5cd43ff33184c15ae85d6861874d4f7a4df091eab1657efcb4fb5b811fe816f51c2d20fca78ffc80a2361c9e83afb7c9720d90bf5f25e6dac1b1050a4aa24

C:\Users\Admin\AppData\Local\Temp\YYgs.exe

MD5 9f1d4d4dc114c114e3643503f0abb6c6
SHA1 c00a51683cc41f1832bd52897114086d74be8c2c
SHA256 d7975b7b7b6fc835ff5beebe5f881c0185cc09aa00b561deed9c4da9dfb5e963
SHA512 0d35759d5ca472f45486bb5db323f6d52ed9602cb16e25dccf727941af15febe90ba63cd9ed4ccde7d94b4e1450a994f8e473a1f6b122c8bcce7d7e1e0cb2dfd

C:\Users\Admin\AppData\Local\Temp\sMcm.exe

MD5 e9b52690677f0ffa27343c730dcb39ed
SHA1 7a66e6797685f1aadbef800a17667a5611f3ab79
SHA256 3217ee6c14ae98266cf9d5b7c9de794f356e2e85540f703a551b792d9291bb9e
SHA512 f5d4220e231dba8bacbc4e8eb925d1e7ecd7d7c432f22e54586495b53af386b32c2a86baa805a507dea6bad14bae741be54378e5f843eb70a1a861f504761f27

C:\Users\Admin\AppData\Local\Temp\ykUq.exe

MD5 69cd308afbec297865ffaaaf880ce093
SHA1 2c8780f6f748408dc5588d6d362684a9a52e2deb
SHA256 3b7c27795879a3188303978d439d7c33d324ddd7956aeb11154d18c387124f37
SHA512 6904b7c823eb2de4b5ac16a08126c8ee054d4563c45c726e2403b02368f0a90468221087f8af7c6ecd605eb1b64ecc90604d3d753b8c28abf05dcd12a63827d2

C:\Users\Admin\AppData\Local\Temp\OkoG.exe

MD5 449a7b879b1bd9e6f111f9b1341869ae
SHA1 0ed266655f0fbff473e6edc3f9796925af26100f
SHA256 3af801d29f26d69ea74a188f41acef53f351ae4c6295d12cf932a66013946c83
SHA512 2dec6b09c796e968a383881efbdb44820265e1efb37fbdb18baa5fda6bb3afa7bf96bad212fd9917d8d2a1fe53b82748fa26bf063b0d15c947ff4e807dbcbebc

C:\Users\Admin\AppData\Local\Temp\YIog.exe

MD5 1d7dc4bda9bd51d3a8a43806e3702bc3
SHA1 af0dbee94c34a325e5a80594ce0be6b174ae9009
SHA256 8bbe17d5d462969e4d35dfb9ea36f933cc2bf8cc78fd8aafe45484402c631020
SHA512 5658b412f3e9ca14701027a62f7624f4514cb413e05b772d158bbe82f74adf8b18184f4982cd9418ef4e2e9086c6025685f68da38efcdba18614fdcb3c780b28

C:\Users\Admin\AppData\Local\Temp\gsgM.exe

MD5 add078017576d02e90670f32585fa19b
SHA1 be3b8b20137f2b1bd002dc64695890fe2511471e
SHA256 9737433820c99d2f31242e9c19013e2d29e2178157c460f90e9cf55906c708e8
SHA512 bdc2c4e2293dd1f582cdb8d8b3fb98a3917b244794b04b26a8e500a56e18a1a853e79e80cc9c25dfdd8f3f0b2db1188644d12987a7e556f0e320a6d74312a6fc

C:\Users\Admin\AppData\Local\Temp\aYwQ.exe

MD5 70506b76ac9ba435c70273d13ceb7871
SHA1 8802ccfe7764fbc843ef61f63071ca3c30951324
SHA256 7f8a5c3ec70063994ff00a6357a8f49eab7e91c04942076e50321bf62c2aa57a
SHA512 bbab120a9fd8b3c1ce3bc5e811719fdb5a1c3487377039afce79d6a83f413f437e6fad3c88ac4e4579ac2165cb1dff71ebf6f05a35c119daeed9f169ac5b67f6

C:\Users\Admin\AppData\Local\Temp\GgEA.exe

MD5 182f76c65ee93bd01a97c57152fc25a3
SHA1 a58d0a16af46dc89efd8d1778776d03997a843df
SHA256 e26f0d6ba2104eec3ea6637f53c890d1b81a0ec544e1546f5cd3b808f45e72c4
SHA512 f86347ef0d9d0d8d55776612b5ffa87346ce9613a147013e54712853d81d235638307af74770cc1d66d1a3ab7fa197ab6e8463fb45345c776fc10a5f171c91f5

C:\Users\Admin\AppData\Local\Temp\cwsM.exe

MD5 a1b7b74f6eaeecbb07b2ba5a4854fcbd
SHA1 8ae40d6da474fc6387ea4bd24daed61d603aecf2
SHA256 0adee830efe1013f5726ed21a93f3a6d2c7df2c97e08893b280703712249ff12
SHA512 2673181edc891c628384b0830de7ed5c9f8a99850941418c6ccf3687a39ab3cf1e6027867c6d76c5cef83db3039a7fe454bbfdf2edc3e05bdeb9f32500797a14

C:\Users\Admin\AppData\Local\Temp\GYoe.exe

MD5 67ae53905af543fb77a17c52c745f761
SHA1 82280e5c9feb020a7a3c58c1ee5de9b5495e8242
SHA256 bc29fc542adbfc2adcfa58477fc0eb7db1b101f284a9a3768b9f3a30b0b2447c
SHA512 dea4e283216d17e52235325be9d8ad9c87d22bd0f058833fb7f8ad741b6901e47ebac592ccd1a09990e47f943d97545cd52d5e3b7963d93591bfdd8f66aa9e6e

C:\Users\Admin\AppData\Local\Temp\sIwO.ico

MD5 915b89b32206268168c5789d7c55f7f0
SHA1 37aa8ac4a21bfd3756457063f300caf5150d9cbe
SHA256 1aa540b0acfa68f313963ae32ca68a5b3cefb49217cbf3b9e0b9eb98b9b94b6a
SHA512 35ed5562ec9fcefca9bc1644dd8fd7c28ead223eea2100eee38c51224332cc071cb7a122f750144d1d2b38b3580dfd8025cc59e0942a97f729ac39bf3fbfb9ee

C:\Users\Admin\AppData\Local\Temp\GEsE.exe

MD5 132e7e6836c0bbaba59b898092a3d957
SHA1 fd05e253c6fa894e58f5c0cb712ee89751637805
SHA256 a858c5a92d83016f1335d74689794b56142fb991da4d62a8ab148181b7281649
SHA512 4782d297769742baecb1b5c8baa156d945bc3980cbf9c7cc012f7ae7e6bfa5b0c45ae74de9ed40a9f7eb1916c626d3bdda73cd8d2620a720dc0b421ab11c0d5e

C:\Users\Admin\AppData\Local\Temp\ewIW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\ggIa.exe

MD5 85383a09e36826ebe1a35ede9fa3d4f8
SHA1 049b43a585db65624779feefa586ba65b04f34e6
SHA256 f58e575f6c19524b8dac7cbf9b918f74d838b8ee4dcbeba37164f1626629b6e4
SHA512 215571ad9f4ab2280cff57f563dc2972060dc1cf72fbfb86d2124d0651a9cb87ce8049627e3887ff9e2fd6f32e816b22117d86c9071a6324b50bc4cc37a4f4c5

C:\Users\Admin\AppData\Local\Temp\AMwa.exe

MD5 fba70f743895c869a1555ee71a500ab6
SHA1 5c87b891eb9fba25e5c97fd1cc1e1e617f859619
SHA256 a8211a21e06406e6556e3b8a896d9400e9faa064a0b3061c54a7acf005cb9c74
SHA512 65793abcd3b2c44d9641edbe966b27f15d96635c06d95f1f3eb6a641baeac0cd364e4aa995b58c068c1d8df7c8eff8d541f8674a1778460ee2b8bb3574169c88

C:\Users\Admin\AppData\Local\Temp\iYQs.exe

MD5 0d74ae643941b9b2291d660528282fcf
SHA1 16532ebb008f722a5fb48c862371b5a976bf6162
SHA256 11f5a59c52bab4fc0cd3f6fadc63b66cbeae68ff7cdf555b929ca3898919f34f
SHA512 377c98a993a4e3dbb0a90b67066cb96daa5f76ffe924e78fe52a92a85687227aadac05be61ae530b1343a09215506c6428d35e45a2910848dc300a4765cc25fd

C:\Users\Admin\AppData\Local\Temp\Akks.exe

MD5 c535cf9b52ceb037895bb203a6e25620
SHA1 3963951620aee6dac5f88e45e92efe71ce5c0442
SHA256 10fb2c82f75b98924d92e9e4677471e4740050e8140e55e61759305017141b4d
SHA512 0b850479f794721ad089ab0a3dabc33aa46d79869f656e79c220b2d9c13f1ecb11565db6d21058f653346d7463a926996de9296bed65be55272c294b54deaf09

C:\Users\Admin\AppData\Local\Temp\goIE.exe

MD5 d6073f02b424d504ff5bf648ddaab146
SHA1 191f62b16584e031788605b6883535dbb1f2ad4d
SHA256 794172ff9db9d6cd85bb22905ec886e8428ed397cb3528730abac9409d5f14b2
SHA512 ae3b2dece6b369da2e17ec4a853e12bb968ae66b0a5869fcc39287103acdadbd117bf8df17e24b3c03eab5001abfd2b2f74437c802cafc1fe9a2e98ac20f8256

C:\Users\Admin\AppData\Local\Temp\IcYg.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\wokW.exe

MD5 2e4293a210f674e10c93d68c4d578da5
SHA1 6b8b6dcbe541ac587b5b57cc1475a8b802cea724
SHA256 a3c8d22c31a4fca2f7bacb608f3d1ea5a265939cfa93417c1a79970ab92766dd
SHA512 7c714361618494a86bf3dcd778782cde25faa33174b05c4cc9a7f5377b4d4e1860e10938ea2c1e42b7db0510a3764b8c21c506583f6aae085f48fa63f8f8229e

C:\Users\Admin\AppData\Local\Temp\gogE.exe

MD5 100d17f54ae2c0ba1557b6e3e8d26170
SHA1 6ff4486661acc1cc4c913525da00ea7c79fb64af
SHA256 84acf441f199805669f3e41f9e4478615870a07b845a704efc57aea4335ab211
SHA512 521c76c41319695d706ac45e8803a6046ff4a0fdff8bd63cc72c451b8c05ceefaa5d49ec67cdc631e4c36209eb05ea9fb5f5621132a2965d5426bc68c411f00d

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 cdd365df7da8d4d0bae51c1824bf7ce6
SHA1 44af0668c1fc31f48146137896e340e74570a223
SHA256 515bb101d1c7fc9f53f77add4ae3894165307bd4f61a3b2e4a6137ba2da72fc8
SHA512 106389a0237a9c2f3c5957ba6d4119883a041fa480be2a800486614facf33f08a1f8abfbda25bda0012e6ca27c4d335d06a66ce26810422f53ae8c9cd8c94cda

C:\Users\Admin\AppData\Local\Temp\qIkc.exe

MD5 d604483b0f3946f934ac2380ef477bdd
SHA1 95fbc7f23b3e26469ee280443f0b5963312cc500
SHA256 982067988591789c44d822b1c0a62f9c3bc1910273bb22f86a223f8981080e83
SHA512 351edf47c8e1dec1caf8a0791981dcd4d5890dd129fe659905c36ae405a703e1219b86a24abce0563144a1af38a216cdfe046b41fbf5075519816683e726a367

C:\Users\Admin\AppData\Local\Temp\ogMW.exe

MD5 a5505a5d82d37c265ceff9c3e96b2f56
SHA1 5f68cdffe2814736d602f4074a8bf8bf4982a34b
SHA256 4622ff3b726ae342d42193ba7acfcd5f8efee4b98d5121f37cb832047943e913
SHA512 a11c77b3e6bf09c6e2659ecc64291214ebfbb9de6c5a0d023c9396c5de04b0cd2a2491d85e97069d2ed317ee2384eabf6dbb6f68695e25628171bae4c720cff7

C:\Users\Admin\AppData\Local\Temp\qEQM.exe

MD5 d6febc49fab81247e99d86bf2e967ee8
SHA1 14d50109d2443010ffa6a9394e1dc38cedf3b8ac
SHA256 d12ed2d810301716665aecf96c1a13f238ffffe5db671ae3d9da5fda48f68545
SHA512 b07e56925b897c018847e3e223b52b4d9fe77f4670f75163798b36c9b95924cf0bae0ecb731c4c952a0393b7dc0ddcb40bf9cd994c7e48a7a3971e37e0ec5d22

C:\Users\Admin\AppData\Local\Temp\ocgG.exe

MD5 3297bb52f89a1600613c4c88cb7a3007
SHA1 c4b0c1ddc4dc87617097b79ccbc2043beb414d5a
SHA256 9afafd9bb958250fb156a6360f001c39227f325f83919fc8f279f2d8f8b96326
SHA512 62cf81b5867924fb0e8741bb41f2707e121c9414b5656422a8b050e3121b4ce4589e325e03cd4f82ddde3810918068e989dc5a4af9103a630e73ae06863d599d