Malware Analysis Report

2024-10-18 21:41

Sample ID 240612-n37cdaxejm
Target 2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock
SHA256 d1cee50f03156dcd11a2c062aa55667e057bca0cee3515d5234cc83225132b60
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1cee50f03156dcd11a2c062aa55667e057bca0cee3515d5234cc83225132b60

Threat Level: Known bad

The file 2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (78) files with added filename extension

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 11:56

Reported

2024-06-12 11:58

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\ProgramData\kkcsoscQ\KgUgMwIw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\GiYEIYsc.exe = "C:\\Users\\Admin\\NcccgIEY\\GiYEIYsc.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KgUgMwIw.exe = "C:\\ProgramData\\kkcsoscQ\\KgUgMwIw.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\GiYEIYsc.exe = "C:\\Users\\Admin\\NcccgIEY\\GiYEIYsc.exe" C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KgUgMwIw.exe = "C:\\ProgramData\\kkcsoscQ\\KgUgMwIw.exe" C:\ProgramData\kkcsoscQ\KgUgMwIw.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A
N/A N/A C:\Users\Admin\NcccgIEY\GiYEIYsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\NcccgIEY\GiYEIYsc.exe
PID 2856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\NcccgIEY\GiYEIYsc.exe
PID 2856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\NcccgIEY\GiYEIYsc.exe
PID 2856 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\NcccgIEY\GiYEIYsc.exe
PID 2856 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\kkcsoscQ\KgUgMwIw.exe
PID 2856 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\kkcsoscQ\KgUgMwIw.exe
PID 2856 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\kkcsoscQ\KgUgMwIw.exe
PID 2856 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\kkcsoscQ\KgUgMwIw.exe
PID 2856 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2592 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2592 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2592 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2536 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2536 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2536 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2524 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1440 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1440 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1440 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2524 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1300 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe"

C:\Users\Admin\NcccgIEY\GiYEIYsc.exe

"C:\Users\Admin\NcccgIEY\GiYEIYsc.exe"

C:\ProgramData\kkcsoscQ\KgUgMwIw.exe

"C:\ProgramData\kkcsoscQ\KgUgMwIw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqMcgUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsYYkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsQQgUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSQwIYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEYgIQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\biMoIgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaocEAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oKEQcEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkckEMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uycMEEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiwMkUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwIgkccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmEwIIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMEQoUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAYMMEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\daoQcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOgMAEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcgsokok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGUkQgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\umAQwwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IaocAoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lygIEUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgQkUoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tEEYAMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGcAcsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tIQsIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiIIsUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOkIMYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIEEQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCEsooMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsIkcIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jKswUYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyocMosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-432152601823027014-774366149-9698643651289123404257404629253348682-1504437297"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lScMsAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEEUUkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqgkEoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\imcAQwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWYAIEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\scoUggUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGYIoEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmoUAMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\niQcQEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUYQsQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwswgAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMIUYwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIMgQckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMYAYsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JCgcwcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMUEgsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGoocwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eowwMAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuEYIcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqQEQwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yioQocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cOAQsscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuokcsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMUYAkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoggYgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMEUEUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceoMIYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WaIgcUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KSkYwQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOkYcQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgQwIoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FmcYUUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwsEAgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VCIgQosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGggMwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WooYkwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKMsgwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqoEoIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MykQgcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSUwEYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2856-0-0x0000000000400000-0x0000000000421000-memory.dmp

\Users\Admin\NcccgIEY\GiYEIYsc.exe

MD5 ec950cf688b47772e683bcb85ab06b1b
SHA1 e77308d8ea96407df05961a921c7f786138ca512
SHA256 e4d2d3bb528efff121394b7b8c789436b37105c3a2f848967eb560d400dcaaf3
SHA512 7b26d1c34633f7ffc2fc0004d2f9cdb93e6f070945de49d4817fe10b61bf3ee0adf193d55df831f0cc223011e8d400c920cbead65c22b995614960dcb1ddc0a5

memory/2856-6-0x0000000000310000-0x000000000032D000-memory.dmp

\ProgramData\kkcsoscQ\KgUgMwIw.exe

MD5 bb5d31e1501449662edf27191b181cd9
SHA1 466bf2a8fdcccc69ca8599017ea5593062d05cf5
SHA256 4adae98536e9657190eb8ac7f40ec921da0a021f309f22d2baec320bbc3e02f1
SHA512 d530b0c9ed7c6cf8d4f744f9708b17ec77516bec27e4ee49287798610b207b6679eb2d398a2a21eeb3d7a77003254477b5a232677210c1988b4514460b415db1

C:\Users\Admin\AppData\Local\Temp\qwgQQEow.bat

MD5 3cf3d84a4b02bcd847b72be772b17ef5
SHA1 ae5de214c320584ff220e044b3e268c9c5694383
SHA256 21a38b36a0ef00c26938a11946cb08d556a7d8e4338f6dcc88a44b9b558b7d9c
SHA512 01e31f12c7d2a513e581836bec7f5c203cccfd8343ca4a2352ef739a41b8a7126d913d851369a930244d0c03f2cbbbc8ccddc2e582fd2e03b130beeb8f0b91f9

memory/2856-21-0x0000000000310000-0x000000000032D000-memory.dmp

memory/2856-20-0x0000000000310000-0x000000000032D000-memory.dmp

memory/2148-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2924-19-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2592-32-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2524-34-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2856-42-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KqMcgUIY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\GEsggwoI.bat

MD5 a309aa0ac98fda5172d3cbdc27b21f8a
SHA1 c1d6f63365414ef9a423269630da624c523fbdf2
SHA256 90ef913567c9742c08b9b733093356f6cacdba01eebcb9692e814930fd62b4de
SHA512 0ed21813081f85e8417d004efdc9a5a1094fce1644a327aad09907fa2512ba56179af3e9c235327efef641c3f729af8a52345347b816c4a16e2ed4a5ff3a9be6

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

MD5 eaceccfe7af04f19a216c26f2791a458
SHA1 7b9087b51c7dab7be798a4e6b1c128d204f1de84
SHA256 0d792889bd18fbfd06914b1314fc632108f4d284a6147a25b146fae82ffb9171
SHA512 89579be17b6ec7a69b5d8dfbae36cc09b90711429a4362ab8b6a0281d88fcb0dad2cc6e9c3f3a88bb5be91310a9b67cad482558db0bd356ea025c07561a768a5

memory/2660-57-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1440-56-0x0000000000260000-0x0000000000281000-memory.dmp

memory/1440-55-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2524-66-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQkgwEII.bat

MD5 7dac21acf36d925309f400332b4d8341
SHA1 b04a658208a7e45980d4b86a30b5a44226964a24
SHA256 b8268a88d936af7b01763fd837fde9295bb6b62da90681c848f0a02b1de654bb
SHA512 b123a500f52eab92144c17a832e812965ecff8f97a6a534c5c0e4deedc7759890928384011d7bdc807481b99f05f54dc6dc6be4ec64f62752a7fcb2c9554a6d8

memory/2132-79-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2132-80-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2372-81-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2660-90-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RsYEIUQM.bat

MD5 1ccfb0531dc7d7b14ffb4b7a1881b337
SHA1 c30da0421143c6e69e62651da3d7468912ded208
SHA256 1e9a1abbee1abacd1bd965eaa76557d414ce660a776a2b20363d98435f340ef3
SHA512 84b4d57c206c2650cef3fba57987ed53aeea29d44543394d42a9c2ffbecd727fdd3f8cfb5e7d05522cef6885aa972107cae83c6181212c02d40bfed042980009

memory/1884-105-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1832-104-0x0000000000160000-0x0000000000181000-memory.dmp

memory/1832-103-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2372-114-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FMQIoYUw.bat

MD5 f82eeeaaffb7a9562f35bee249468440
SHA1 f330864e87fb2c5e3ea95ca85be0a7e769ddad44
SHA256 f4f74721f836b32169494fe4641ef42b64adafbae6881b2cd542e718c8633246
SHA512 8f41d8f3c646cba3e7008a6f2c90e52eb109afc97c225fc47af1f1748145bc2c1273d2b7551b1575f7b7d37a86bbd17d99c29f8ffafd81fcbb732b798d56d365

memory/2200-128-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2200-127-0x0000000000400000-0x0000000000421000-memory.dmp

memory/452-129-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1884-138-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XaMkQIwA.bat

MD5 290a142aa0c13bbe4bc84a8b79f837cf
SHA1 13fe43d82871b059f523500d776fb6742c0af3b0
SHA256 730c26c6fedb3b3ead67ae52d635a7944dfa4bb8a06b5fe19a23561501eaaea7
SHA512 107141aafc27781378b13b1eadec5f822752db094367b3c9643373b6a75db7df61444e7b49822b33b7ca737d8200b4f83c10d0eeb3c6b060534f677959fb9a5f

memory/1492-151-0x00000000001E0000-0x0000000000201000-memory.dmp

memory/2840-152-0x0000000000400000-0x0000000000421000-memory.dmp

memory/452-161-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lkIUEgko.bat

MD5 c3d0ef028121f80a25bc332a9519be54
SHA1 27fb3de1e57e6420fb793636c46785a117da190c
SHA256 5ef27515f9b81e90a0c1d8384dc32efdfc409ffed477327cd5e4bb207c2f9db2
SHA512 5b42c265dcdf331a5582efe267c66dc4c64f24ab23a17de5fce24fecacd9b023da0f3cff4816c8f70c7a5bb7c7a9d30c1bc8a15d6e2f37249258ac33f8fe6881

memory/2324-175-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2692-174-0x0000000000160000-0x0000000000181000-memory.dmp

memory/2840-184-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BioAkgwM.bat

MD5 0e99f21b8b242f476d51037301e64684
SHA1 b0d3d18d73564f6b9c9a90837e34b3ee6782b9d4
SHA256 881b616ab36bbfc417c84fb31339eade454df8d0a481b449c06e9e2202e8c529
SHA512 cbc986bf73b6e017199aa8f96d2125747324f267c91633721168c03b295d8165f59f1708dbe4569942e76b30d1d631e5f2f2a9580a76338ea3efe4b00f3ef5c4

memory/1540-199-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1948-198-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1948-197-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2324-208-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kykkEUcI.bat

MD5 5f030dd2639805cf6ed91843c2836c91
SHA1 4d0b84ee0c727b45c8cafb2f7082d4bdc555e5e8
SHA256 d5d6f16740ed1e7d639bc208a9e035f1172aa3b774d78aea0566f5dcd4b7abc1
SHA512 a91eb1f479d39a525a48ce1a8a32abdb323beb2648ca07307a2fded2bfd5b5f67f79909a58af726b78919b829b46941ea62103792db54528fedf721cd56f70d3

memory/2016-221-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2016-222-0x0000000000260000-0x0000000000281000-memory.dmp

memory/2028-223-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1540-232-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uOksocwk.bat

MD5 fdd448396b522aa4b772ee6932ec0495
SHA1 7b603ea0f058fa8d5e32b8f4616462a4d0eee161
SHA256 16b00f3f10d486225fdd3f64ef2085e91c9cffbcb7c13c06caf47db5da4f1998
SHA512 a3854bbe8788e9740b6442d4a0334e8c6bb7ea389b572c3c52bd69bff723546b5e1b2b8ac3ec34a1d09f64f222cd789fc04f14684830e15b3bf143c353975217

memory/896-247-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1820-246-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/1820-245-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/2028-256-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\giswIcss.bat

MD5 b346d898000676c3f2744b87ad1cc746
SHA1 069960c958b0d52576f440a9fc119ffa3af5f796
SHA256 6f648dc856386c9d98824124d3d2bf55d78055e4548063d704105fda8f95982c
SHA512 28cc4beac0209c4623ad5d2a51b110adf332d0289a848f18e731379e8ed66a3ee6e6754b89f4557032d8414715c364b1ecc37e29f0e30499a9d092c629392095

memory/864-269-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1884-271-0x0000000000400000-0x0000000000421000-memory.dmp

memory/864-270-0x0000000000120000-0x0000000000141000-memory.dmp

memory/896-280-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsEUkggA.bat

MD5 b5e39220e94869ce4f082f09e66db19e
SHA1 7cd597562832efa57ba52d20a75f7af8f6daf5dc
SHA256 2d429a96322b00ecc76040ad4d27ab0edf5927624b901ef3a513627c854ea3c2
SHA512 0ded5dfb4917d8d8193e654a47eba3430745a538dbed876078684307d10ea0862a6bc3ebd35ee578dd698461b23b13765ecffc154786127256aae0feb6a4d5cd

memory/2484-293-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2484-295-0x0000000000400000-0x0000000000421000-memory.dmp

memory/992-294-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1884-304-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dkswkAkY.bat

MD5 627c50d431d1be993d2b1102502599aa
SHA1 1942339d3e99c6c8a3b076f7ef125e23e69b4768
SHA256 4f5213fee58c2387da5520a6ef5a8a7ea0447b8555cd21bf418cd9f6761cc0e8
SHA512 08387d10fdcb8e48c4a4ca515eac47c54e3d8c34d60fe58088af8dceede5ccdd87a178a796bf9d6c1a8740a0ff368f8da80433e05be1b1ddea6970c1e95ac0c7

memory/2404-318-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2160-317-0x0000000000180000-0x00000000001A1000-memory.dmp

memory/992-327-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PsYscwsU.bat

MD5 c85cccd9a2e8ad0acb96713386d91ae8
SHA1 6e2c071efdc2de12fe5e5f8b5ee30d8f148a4cab
SHA256 53a286570910f79f4ae651e33293d0f5126a9c4647166e28f6211d9a1aee5e24
SHA512 bb646b8fa1f4e09a34277487700ba01e98de0734f9f76d5d660b1aa9cb34de581658ade23787047b9b1e8c3e0118548ecc48d8927e838c5e67144ebcd4466f65

memory/2656-340-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2404-349-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TGkUUsEo.bat

MD5 d22094eaf6a280eedf4d1c0151b2ab7d
SHA1 1f94abfef147e4e73e265202cde392327f2abd13
SHA256 e08634d548fcaa6766a1f7f5f8e5f5ab6f5f6153dd2caff6ecf300a5380b6327
SHA512 08e4f1638b7c980365cbea9b6a972383bee51254d10da5062bf54c545878405b4dbab9dcc92a22a07619e82a8845e13e0153c73b1e722add5d18d4ac311eac96

memory/1268-363-0x0000000000400000-0x0000000000421000-memory.dmp

memory/832-362-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2656-372-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCwsgYME.bat

MD5 72e019b74ff9f5d95eacad247eb93c41
SHA1 12996b0a38d40eff94a40fd703045327a6fb6f01
SHA256 71f21faab6ea0900e3cc23bef8050782adcf3e9f5cf673c2a98cdee032611793
SHA512 68992df53c341487461ebd89929c015a673a6893ea2c19e6682cb1d92f7daacc60c1cd9cade064b036b99ba6abec5da42e638668c80b194396293cbcf5df5c8b

memory/2040-387-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1404-386-0x0000000002230000-0x0000000002251000-memory.dmp

memory/1404-385-0x0000000002230000-0x0000000002251000-memory.dmp

memory/1268-396-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DsEEcEkA.bat

MD5 b516cec7716d63766495c48f18d470d3
SHA1 03723d5d7d548d316b09bc667a972880ae56ef68
SHA256 4486bcd8df5d9268b6583ba990abdf59ca285e348c33e9b0514d6d26aad1416e
SHA512 d0bc276113247aac1cd8de58a4328a253e1d352180c9c5b101b8f19c619f98aab9cb781fab137f30ba2a42bcd8c8809905b222788ef506eecfffbce684892cd2

memory/672-411-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1832-410-0x0000000000120000-0x0000000000141000-memory.dmp

memory/1832-409-0x0000000000120000-0x0000000000141000-memory.dmp

memory/2040-420-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aakEUgMQ.bat

MD5 6d9538d7aa521a4690108fffb392c4b1
SHA1 fb9efcc0e103916337376e1ff77fb2c37e1cd9d4
SHA256 f95d6c2576d5151dcdcafba231f54e8ddb2297bc875cdb40c2d64b15123d926c
SHA512 bbaff0dda7e39074f9fee526ccffb10e0089a1401c427c6d5437a48ca3514d1cda99428cdf012ba2ac41d74695e46c311b3e20b4e34736ae99d0a6fe9490aa0f

memory/1868-434-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1604-433-0x0000000000400000-0x0000000000421000-memory.dmp

memory/672-443-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iWQgUsUo.bat

MD5 8858e9bc331d42c743bf96af9f644ea7
SHA1 10feb34ec9fb6baaddcd1e2b9778359e40186300
SHA256 ee8adc7e34226e5edf1d7b80bd1631be8e1dff85d5bf31dc14bc403518a0903f
SHA512 5b45829b421b5fbfa4a35100deda29aca3fb486fb80b89f5bb675f1bf2fd1a24ff151d8e49bbd916a784164065ac34c5797189843bb098a3fd3be03408ba6f98

memory/2396-457-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2532-456-0x0000000000160000-0x0000000000181000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/1868-467-0x0000000000400000-0x0000000000421000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

C:\Users\Admin\AppData\Local\Temp\CMoy.exe

MD5 1ed13c8c0890c50f19ad7a31c168afa3
SHA1 4a6e5ddd4ef85db8e647b48baea87a380b83327b
SHA256 9a840929b4bd60cf3c7e5a4705994c5a855b62a6ef3290758ad025c9842b946b
SHA512 cc0257ebb1a71653eb81855bf4a5c6100e3a2c9a9e1f436de553ca97d51680ca5979280bb8ea554325d21695d09710e469c7c850121604767ece67b5ece08b17

C:\Users\Admin\AppData\Local\Temp\AGwUYMQg.bat

MD5 d0f5f977b5e9b839f0ca9beaf0a0e836
SHA1 93c6cd20b030f4adea4107c086e274a97474781e
SHA256 34d48b2d095321c05cd9e01e135daac1581e069c5b32b88718edef7c941e4db2
SHA512 4ebbfeb4c67cf0241705d5dc7ce43adfdbb2fcf7b5f91be1f0dd5d2d90de5433121040855ae000e7b397c92d04714662d19bf0f4c4b2bd10acb9ae85986b099c

memory/1408-496-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2712-495-0x0000000000270000-0x0000000000291000-memory.dmp

memory/2712-494-0x0000000000270000-0x0000000000291000-memory.dmp

memory/2396-505-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MoYY.exe

MD5 1830653ae6505ccb1b7a0be0ec757a2d
SHA1 cc006bdd76964893147d6407a5ed595321ac4cdc
SHA256 ae3e61f4cd8a69ef224fcf5988ef78952453a559879cacff1ad9fbc6f2e218fd
SHA512 44ad56468385adddf9f54181915f4f2f11675c5445073eddebbb42b88aed511f1e6741a5c350c14def837c8a6b675144fdcdfa1526e3071b4aa4f80224c047fb

C:\Users\Admin\AppData\Local\Temp\Kooi.exe

MD5 3d247787c54d7efdf70f4a5e13c94dfa
SHA1 0fcad0579f387a6ed6af6607882019124a843b42
SHA256 d8f437369c06c7b901e8908d0d295f463c438549c89ca06dc33e71534f073f67
SHA512 474d04bbad967f2a52de4079f4c6a9a04aa1c210e14ffe16b7e1f8161f33862adde80c505415edb9bf57f1c39278cad55aadf89518377787342ca8f7a36cec66

C:\Users\Admin\AppData\Local\Temp\uukEgYIQ.bat

MD5 478e522032950b3deea06a8510928fe8
SHA1 c222548f875afb63128f3eb94e6c16f33340dbde
SHA256 6209bfe69f67b1498dcc240a9edddf551f98dd4798f082d38fd5cc66d5bdd463
SHA512 9623694df13e584709ae5e2471dc96157f6c82b856ae5488d72e966aaa1c53863f21fad7a04c47fa8b97886e037fe01f0a481dbcb1e86fb604d8ee03a205eb01

C:\Users\Admin\AppData\Local\Temp\gwoC.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\aUoo.exe

MD5 79655aec7fb4fb1912766bed0b687da1
SHA1 9f99143c686f04eaf9c10b2b13a319de1c17203e
SHA256 a75f5d4e83f121c8669f669ad298080956a031cf0963034b21270212c85c85ed
SHA512 e2f768f177a5b8924d905ccde0f4186e7113fc0b4197a700ac2dd87b2d97bb2517ddc3ac88f8c157b33282ec00dab049f023ca0effcc71260dc6f2f7ac541403

memory/2016-556-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3060-555-0x0000000000160000-0x0000000000181000-memory.dmp

memory/3060-554-0x0000000000160000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kMYw.exe

MD5 1b7f768645ebb0361213829172eb6dd8
SHA1 965127c9cb46b869d479bb153aa78b9f33b887dd
SHA256 fa0f1c6541b85d4334e23999dfca0b09205cddc746cad8783024d671d905d5ce
SHA512 c001c76fb18c9d2e3e049bf0d2304e8c17021ecc2493645bf16ea29c59385260a311b0a5a044943de3d99a546c1381b38924d6caf9b3dc4bda36c5779ae39ac0

memory/1408-591-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEou.exe

MD5 5971a579f2e986d2a2876eed7d08db77
SHA1 ae73a927f191de9172cd585a2e2b013f3b96fe4f
SHA256 de375efd87caed6bc25c0fc37d7d7ba708dd7cb5aa13dd7f8e2656ae6b49891f
SHA512 8c8ccddfc660cfc0104445f63c997ba3ebeb76e7dcb82091f572b290729ad1313e14393ba61159d687138e93ce42632c1b2268b873b43f3ee06b28452844ee76

C:\Users\Admin\AppData\Local\Temp\sAcC.exe

MD5 22b7ad58ed041fdcbfbbc0731f29fa49
SHA1 a5f98823d7e484670e07ddb4e3e3f6701fcd3f00
SHA256 229c47c843f9b61052006c852dce32fb47b977a94358792e71829da92819a22a
SHA512 799d03cd1e349c88b892e0304258c48b45e5de44d4312023ccef410a9bbd3ba1d8f2dd3727976a567060719f57338524df83522fbb5464fc7ae4ad1d2b9a479b

C:\Users\Admin\AppData\Local\Temp\aUAq.exe

MD5 5a3ca2cbbc7eb87fcc8858a1f43dfc73
SHA1 adf360ae511a3504ed343a873cb759196f5e18d4
SHA256 faf54fcd64f306de8030ccebc490ed3eeefbe530271260c2f1b1510944f465c1
SHA512 7d5ce72000e3b22a55a093fe5346b7e54467b03590b82384e4bbbdc3df78390c56d795f795a197b105376c809bf5d4bd3578fe3a46eef328d80a70b0dcd63b31

C:\Users\Admin\AppData\Local\Temp\agswIUUM.bat

MD5 5e80ce5821cac9685fb020a8f5fd6c02
SHA1 88b0e0e6173e65613afd37372222e735226b5a5d
SHA256 b12b2fd124fd125f61550e0401f93a655df366dc375a35af3b603aa981c0de41
SHA512 ff87915db479dac3ecf8f56d387786a9bd325b645841ff3227e63f3af37172840b1cb152c7591d91858e725ba1ed6047223213bb8f81bb8acbc6baac9f92985e

C:\Users\Admin\AppData\Local\Temp\qUYG.exe

MD5 4ac2c986ca1583e22e4fed028f59fbfe
SHA1 db4374d8e0cfa7cf4f49735478cc0e7e24b17d2c
SHA256 00e1ac8e2e30537471c5caf2581f969379adb56c0eea96299e83fedf86f89434
SHA512 94111cb48af1d22151c6ae20e9584c7e22d46b2a1b777357e7306ad3e8cafaf0342c3d1d3509fd2f56f6db4a2087c4d552b3419603317809ec09fdcabc7ab9e4

memory/1172-641-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1576-640-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kcAE.exe

MD5 1c54f59f3540394102dd4818a47ee144
SHA1 879549ea7668a7b422c6bc92841941780160ec20
SHA256 46ebda3cec26cc1ec752653ffd2a6166f88b27ecdf729cb7066a0b9e00771093
SHA512 6458fb51a8df6397e92a5a467cffc3d9d5fe0c1bcbf1ba4e7a43afb4445051b70e1793533f1359ef6853296e262f55d4b3307b7c384607ff63ba561012b40e9a

memory/2016-663-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IEYu.exe

MD5 afce57ba5fff05f38834f0d0d0c382b4
SHA1 0eabbc00c9646f5621aa136d181808212b84483f
SHA256 18d84a9f8eb5d9f22819c5cedccdcea79015a74574f4d5902370951fc215b3d4
SHA512 a3285e65ef1f3722ae09187ebe1351ff29269a59e3e6b9c96fc977d5f4e21332fc15de7e87ac6e146cb700cbcadeb41bab87f39b9e35c511d645ac39087ff654

C:\Users\Admin\AppData\Local\Temp\KQoG.exe

MD5 647fc7562e5de09efdefaf98a037f6f6
SHA1 e5853ead71bc16dc073b7b9df457b8585ddc82a0
SHA256 75bd7cb40fe97be44655b4c0a495a944a4ff92f7ae6fb0f80674d1bf58dadb62
SHA512 7b579f8b196af2355c5d76eb49072ea3049890dbdc1f9d6378755e1b16393b61a04c3149573e7d35fda73ee1b6af4bbe66f39754ee8b2c5983e63290386350f9

C:\Users\Admin\AppData\Local\Temp\ReYIgcoI.bat

MD5 fe31fd3b11235d3c32a0f2d0156bcb5c
SHA1 5cc486f1e405e5b8e21e50070a53b98364f5e5e3
SHA256 27a829a10c400efaf94e4606f96412feef79026224a382951ccb21ed3362e180
SHA512 7fab99f47757a9f9384fcae3e8c39a3d263bc317e602f72d874281959240e476be91227c2f3b59b09a804914c7cf91b72ff1081a7e2a3f80c8816af4fbcb97b4

C:\Users\Admin\AppData\Local\Temp\igIk.exe

MD5 5dc7611773d1bba48593277c9244355b
SHA1 62c391c4bc679b646bbe81a01b5108d0daeac723
SHA256 a81f6f4d4a7e003066a6d2fd3a541cf6893a5e2d912cd9424110fa131d35b67c
SHA512 cc50e5c8d9799b8f9b286aeb814ddfe67874a508795c0a6a2466f1633ab3c404c4ea30a0c0f9b8e457dd788e459c657225a77c7bd722a89bbacfb5a8218172f8

memory/2560-712-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2560-713-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2896-714-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAQO.exe

MD5 fd0ea550590a40af6483853c36cae2a5
SHA1 8459ea219f84a489d4e557b6941d3b1bb5204f2f
SHA256 c233bea10ed0d395d8d1dfb91d5b1990671ef52d24e2a7f93deb51a5ca9c3d00
SHA512 b8beb1bbe157b4289624f17e38575a796622c7fcd18557e8a881ab45b321428a093b29c43a1b39d2c8c26eb7dbd1430c3cd2523ebd5fcac96e896b74feaaa3cf

memory/1172-736-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uwEQ.exe

MD5 aab0360348b5cd2f718673b104b246ef
SHA1 88323d81661666557a5c34a00923f6af804cabea
SHA256 55f9206150fb893c852e6f5ac455797f78275f8b79461eb528d3d3a5dd9c2a1e
SHA512 ceff094a1ff691ea36a0b6565d490aad9f53f47b88cc4e21ce7193c01822239b178207158480e975cd2c132df1011be76ab28178a75ebd989cfac26c2401e822

C:\Users\Admin\AppData\Local\Temp\egku.exe

MD5 b76a61e3fb44a18ebb9b245de7310531
SHA1 9bd00e1506fe7afd1529da5861a24e62b95c4061
SHA256 d333b50eb42317e84a00611ec7913e7e0e55fe01165f93a90807ac5975836c7a
SHA512 15a9389c6bb35f6efc0c95fda182a7ea50840b842bc9c786e090825adae2156db01b859f4d9a2fbb11ea635a63801b02e36e7a92013d8f9de01f66a482369234

C:\Users\Admin\AppData\Local\Temp\YQYG.exe

MD5 d704c21bc50a4d94faf0904e390b582e
SHA1 8aa21a3fef55b61511c2fe0878263428fffcb71d
SHA256 a978d38985866532e62313d83f83237c954ed906d267bc156bde1872ce2e2b04
SHA512 f99670e048543a07ec0be758766fb44301f329cc39ad363b5791b1de613db3ad437e43e1968cd4a071a814deaac21663e590b10a2cc81f57d91e9ed6812404e5

C:\Users\Admin\AppData\Local\Temp\zUocAIEQ.bat

MD5 5c06bf9d8dddf7791e158eb6b3f13aa8
SHA1 6a2d45f299d594160af2d76150c5ba0b1d3412a5
SHA256 a2f7cdccb9e3414853cb8c9e7bd7705f8e3ad662aa7f8c71181ad37728b26d31
SHA512 d58d5121c26c88f2a6c62eae24917237f9b1200b967cb042d91ff4a43d913b47373dd394a497bd9063d1064a2a7aeb3c364f282490df93c171a3233b14cfe2fa

C:\Users\Admin\AppData\Local\Temp\QMoI.exe

MD5 2b84c6d234ed5d3023e463b598a1f05d
SHA1 1ed90a30a8449302c550253cce53b7a0aad56a8c
SHA256 36f95c209e52a9079a1fe020baf7bc88ba99e8eded04aad1795ae01fa3cd520e
SHA512 642398af3beb58286d24cf9b7280123b50fd063fa77d9ec30d9a779d9b975ab36c8ec241e6b7c777fbed797417a4d6d7a43f3d7fece13687332bfa4e3573d670

memory/2580-800-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1704-799-0x0000000000140000-0x0000000000161000-memory.dmp

memory/1704-798-0x0000000000140000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYYK.exe

MD5 657cade41a5e8e5751307de3f21e1b74
SHA1 b44e99a930cfa2b5573c6ab340fad317a57a8f72
SHA256 7f795fb3b378bc6086da3d088919af781583b3ec4bd66c4a989b2ab44d8a7b8e
SHA512 24316551d3d83159e0597573eebf04b9735f077863ecbd774af294abebb03c0c362ff7fca8176b123d8457c8f441f45caf28869286a123a74127e9d5c3b5cad1

memory/2896-822-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oEcs.exe

MD5 e7bc9fec3c8ab7fc9e817c8ad37344d6
SHA1 2399efa7248f2aab369c720789b0c0eb6c948221
SHA256 af20b63a9e3e05c151d2da80f2ec9b1382087114f633e36d8359eebb21413048
SHA512 753d6f8a2ff8ab9f30de4f478ceee5a5ba861f1d35f9be4a206a285622e703a5e26be548fa04faabd92712ddc04e3976db31de558705b9936563262626b56496

C:\Users\Admin\AppData\Local\Temp\kUYA.exe

MD5 905cc123d24185c30afb3f9b7a9c5c94
SHA1 127475d9cfe1551a476e8e9d4e83284df1d16469
SHA256 fd60e96853b6f6478719143eff89aa2f580dddffab3f2dafe2479ffb9858c367
SHA512 328d28eae71532fd1fb20db5e56a2826535aa79adea568700234b3448707101b8b28e1c302254ee9b3049b81aaed347670c3392b875f1fe6008dd93413092e3c

C:\Users\Admin\AppData\Local\Temp\JwUIUkQM.bat

MD5 ace60b4be1927ab970331a703915407f
SHA1 e28d654bfa97c60a43c9376a54a6dbea310fd3b4
SHA256 f5b129e5986ef3ee131f269e8c4209d531466c7d2438b5c1b588ccaf84884ff1
SHA512 13f454664b650a39803f8a0e6f193ad0db726b54cb1943cbdf6ece2fff3aa2140db36f11bf0207767bbb720085665fdcd083a327eeb6409fecb11d3d623faaf0

memory/1648-873-0x0000000000400000-0x0000000000421000-memory.dmp

memory/800-872-0x0000000000120000-0x0000000000141000-memory.dmp

memory/800-871-0x0000000000120000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AYgA.exe

MD5 9d0802720f6a045205720299cd011881
SHA1 3d216534a35b1eef61e7639987025ac53aa49d8e
SHA256 6658ba8ea3efb72954fe2c9f416cb1dcfcfc199216e012c058747ddc61bddca3
SHA512 9a8153c5803fb0aa2eada8ac317b306e7cf0830193ae0ff8a295d4dbd95a85278d308bdf94192f67cb259111b3801b2cf2ecb21e2c1089e9a1503e504a246aa7

memory/2580-895-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aMIq.exe

MD5 a591b6930a4d95316e0f52ffe4b1e680
SHA1 9f22d0a90f745dbd086dd88bf0638eb7d0057fc4
SHA256 42f8df2ad730dddadf85a4ea4dc009c484ac63771b97538078f9def688a46ad9
SHA512 bb6083b50bc9382982b69ed440708794a4e665c4d8da9c436cd7bbde42cd463f6c40fc9ec821d7fe506c1dd72570d2c52f1785de50cad58fcc631f1fd5caf483

C:\Users\Admin\AppData\Local\Temp\oscq.exe

MD5 4701e8ca6ea1e6fdc87188e8279b1974
SHA1 68f3f1aae5b4e8ca27d51e06f0603c0b3fd3f6c9
SHA256 ebe24fb704463263be92b35871199d53000ede4e2a274d2a428c02201890dc40
SHA512 dc5398fc0c36e1ff9f144bcb630d04c171ddaadba1c97587f3db1893a393c2d0d55856fa0ed6bb3727659b7b7de61ff3b4967dcf3fbd5217b2a96af5cd0cea29

C:\Users\Admin\AppData\Local\Temp\QMMe.exe

MD5 1c36ab02ba596c0c3b6f79957dc2a0cf
SHA1 61b0ba1d4057254851598a62d0e9ec266b73f3fd
SHA256 615df3451fe920835c989d6afe9f8e547471377d5c09c4a4d92c3fa6071d4c76
SHA512 29bfdc694a29f6a624dd686260f5153fad2139c37a6388c9079cc4d0f6db398b0d77c24e13fe711ba386964b0a32afc93c64c022401b2cebabe1f11e3a4d9220

C:\Users\Admin\AppData\Local\Temp\QIwQ.exe

MD5 cdf64fc1d6b69ff957d822182bd009f5
SHA1 6144af36829a9948a88bdfae3e8ccdf99757c0ed
SHA256 02d83917e8747f7bf9b17c368f3719e54f23c2fb4bf7d33c7dd4388c1f55e1be
SHA512 5faf94d5884abe5405bd02fd4d66a04f2426b34f87e144d3dd4d4511538b32b1d63a0f92649807285d6a06b7d13e26d06520eca2a0f6408a90e80f18b0845bca

C:\Users\Admin\AppData\Local\Temp\IEkW.exe

MD5 78553b33e8cc460535bdfba9da4af4aa
SHA1 a4730c91afcf00f7cb0f497b2f0de66e16b63958
SHA256 91ebf655bfcfd6f1591424f0c44586748d1c8d3bad81a1137d93555b69d7ed0c
SHA512 9fa8dfc64825748abcae19432ccddee45efbfa19c81094a86e18e436ef654c2afb96fb8f1d48638b21b78c4c47750997ac2e5a1c846a956a3744c446c27cafa7

C:\Users\Admin\AppData\Local\Temp\jCscokww.bat

MD5 ba12f69588bb73793b19e8234eaf138c
SHA1 6b78dcda4cd644ab82a2681391c1b1d0b07a6e64
SHA256 8877b7de8fa48b4a9266c6ff2bcf633bf063067f464eb5acbe6c77197bb1f84c
SHA512 ca6b57fe646711ff3aa9d1f23f2bc2fe95038f8ff18a8229bdabe3dfcaaf072027b7b17d589c32f2b488fdf556c8394708393929d51007f65ecbb0d5404b432f

C:\Users\Admin\AppData\Local\Temp\SsAS.exe

MD5 0c8339617e27d2df4f0852fea1da70e0
SHA1 3d904c9a41b8da84826afb19e56428a2b9fb2b97
SHA256 222311a9409a041eb6c1c1e3ade7d2fa6a09922986a0688c418166ab3925c776
SHA512 f075e0046a516ed5dc2bf90b895272e1ad600a13b6cedf61deb696f8de0a5250499f76285b436c6635a471b6f51e6a39eaa65e86a0ebb8a9fc41c07c623b2183

C:\Users\Admin\AppData\Local\Temp\CMwU.exe

MD5 83b54859f6b3de90bf5d23d4b063771e
SHA1 3b85b6a2ff66b4b87767834366d9019f2aeee791
SHA256 3038918e9be507b9e10cc502e6dd04675adb956501cfa0f522f085a44c557ab6
SHA512 6b8ddc0cd196afc0e879e138f7c5bab493e9f9a94bdde2360432d69d1ecf16d9c9674e1bcfcd63a728e4d2b0dad66dcfdc9358c5ad04e56ef263ba40e2fa7841

C:\Users\Admin\AppData\Local\Temp\aswS.exe

MD5 46799b321c8c17b39ce33abb0f9c2913
SHA1 09356ba7c0409828f4133c4702d6c1dd8583ac51
SHA256 f04caf5bd0ec5386faf3762260ac5810eea9524c93076e73cdb5c9638348c45a
SHA512 17883b5a7b83850d82d2e3511fd1c3acc5447427daa13731b2510018e6e2ff3ebb5202697c9d03b31f1674f3073695b13a8fe792b540745d25d0ece20f8a79a5

C:\Users\Admin\AppData\Local\Temp\QIEI.exe

MD5 0933d19a5e59084564f94ebfad277ae2
SHA1 61be45b1764e808d2779dca83603cd1a80a0880e
SHA256 2099e0ff6768457978d07ef4f301a530ca1e55189605e73ef205cb7ce799ba12
SHA512 33085bfcdf1a44dc6bf8efb2b2d60d5f67356ee5fb9bc656a2b6ad0bc2bc2bf099d49bc0c32b0c793264315c01af740bd3e581526d0cce66c43e94730a1aa03f

C:\Users\Admin\AppData\Local\Temp\aYoG.exe

MD5 03e45827e275a18c845282b21633701e
SHA1 f089eaa0817a39467466f77018e908ffc95b88e4
SHA256 5d8e3ef7f6e21dc9366ad113abae6e00dbbcdfac012ecc5dcad529c24e20a087
SHA512 e877d8ce28039a5d5a47f3fee33456b6834163207b6f5e012787d7b5c7d83867675528e2eb96aa7f66b411274affe8dae8a6421307426841e825cc9ad81a5ddb

C:\Users\Admin\AppData\Local\Temp\XSYMEMUw.bat

MD5 242415fbf27d98d4495141010024eb8d
SHA1 c3bd5f7b337912498ff316b796342c3f2352a8d5
SHA256 132208dae1443587e47150459f508995e0ac32fa4b973a5d4a0bf958e764cdc4
SHA512 848c8e091752f29fb1cc4686ed7b93d0194179985362ce25eceddc007a7e0ffe54000e308448826e90c39d09e6831dbeebf16f8be1ea2f14ff041dd0775dd58b

C:\Users\Admin\AppData\Local\Temp\YsUI.exe

MD5 391c282bc0ffe4280e60e2ae53ce3910
SHA1 93da8a30a79f4c0334c517fd436583d76eb5ea8e
SHA256 de0f7c8824c7cae3db6920cd0cc2a237ca41b3240f04a8dcb994e7990fe719c6
SHA512 b39f96024a7f8205a9561e2cf28c0bff4c4a6d90535f2600deda2534db4ffac5a04c8310f1d924392f5b00dbff7ddd95877f3a95b319b801aa92b7de4949dab1

C:\Users\Admin\AppData\Local\Temp\AMYq.exe

MD5 cfdb4d53eb65be85df8e96ea0bcfa1eb
SHA1 b46f7aaa31f2190b7664bde80d1e762c803ae23b
SHA256 b730d79b7f01bd9a32c90664f462975ad13fb5b366fa6e229a81ec74fababd01
SHA512 adef056e80e3dccf532972982da9650623ea4e7203ce0cc8256a3fd99c261822b100a06389f90024e972b7e0fedf020b2681140fcf4e7cd8b14e0338a8adb57b

C:\Users\Admin\AppData\Local\Temp\SQIs.exe

MD5 1ff3b6f96c13961f7fb74b327cf87583
SHA1 6bccc3bd40be2220430ef2a46cbedc4dbdefd2bf
SHA256 0c85aff5ec4aa4666c7807763884de311ceaa1d57168c58e507621b863a1fd62
SHA512 13fcd1cfdc7abb736b36a961c3dff64e184f55cb15a1993f25d1dc2688c17f42f47eeb4a9d91d5d8f107d3b7e6c3fbaac5d55cdabbac92669b55d7d3b0db7b68

C:\Users\Admin\AppData\Local\Temp\GUAS.exe

MD5 ee05f79092cba06bc2ab1b3b7423965c
SHA1 b90dc4de0c6b0eaee064cd645c4b26ff2f0277c7
SHA256 e93de2a4e95ccf97d492fe702edd17821e2a06e2ce35300b0fcb3e2322688258
SHA512 56cae7ec7b158d1d69d9236468a229375d5b968d8b979284e5180c13a125ba49acd412fcceae1e97dc0a8441f9918ce2ab1045a0c9a17c2ad2ec3cb8f7ffc8e7

C:\Users\Admin\AppData\Local\Temp\oMMY.exe

MD5 98f26dc257d801a68bb6f8bbef58cefe
SHA1 ba62d77d8767ead6dac33ce0b6db4f88357e50ae
SHA256 ff787b95fd794114fb5e57c075668d75b4562c2c6ef6b0c8b4b61b11e7f5685f
SHA512 8d48d2b02bbfeeba339111feeb27b3d299887dfd2a9638442f478b0a1a3bc27f4ad83cd71394893ea28d36a28394cd7e1a48d78e96d762cc34b1bbe0fb1e4a9b

C:\Users\Admin\AppData\Local\Temp\agUw.exe

MD5 8a91fd79470932aa90239efcc078302f
SHA1 fff6aafe04f987ec1726d4d26a83e7ba602027a7
SHA256 8e07e8acca67ff7bccc864a6cf286208cef921ea87af0bdd8ae4a3ad1487a0f8
SHA512 feead0a12fd155f258f89ed5012d4830ec010918c6945bb386361e339e1798465d3191fe7705a1f80090e3977993acf18157b12f584891d49108becc2d2f47eb

C:\Users\Admin\AppData\Local\Temp\mOMUoMwQ.bat

MD5 06709f2a3cc2e9d38d65bfc1bb85d6bb
SHA1 2232a905144d812c2bc5c5aeb2b69823992d5873
SHA256 bc92297db537afb3f22315ea4e230b4f97179d77d89cf2b3b68ac72897db558e
SHA512 046ff1ef9c3a6a0fbd0fcda4f807eb8b42bad48b93b0f7e6c080bfecb758839b2fd72c864012a77939ce4d3c3f519e58041a2631efdc803baa76e96db90319f2

C:\Users\Admin\AppData\Local\Temp\yUcQ.exe

MD5 f128d2423b2617fe4626cf4f22534859
SHA1 f20996d1bd0d32ef2bd1fd7ed8cf33297db68509
SHA256 352c3e21815ed8b19f51a742b8048ede299783e43f1a1aee631ff1241240c7a2
SHA512 25b666ec6165a874f8e54c4e7ec8fc46d2e3a38a0ef7836b2eb3315ea66a51adef783ee175000717cf648c3058a791133361356904c2abebb6b9755f18a85284

C:\Users\Admin\AppData\Local\Temp\eYAQ.exe

MD5 dc9339f571597b65af3660623cd0f4b4
SHA1 d66f2de6324085c81fc3ebec4bb04444f1597ce8
SHA256 b5df3c56ce3172de7ebba4d71df63c3b77b0d7a3cbf692b91350e3b542c7f310
SHA512 c425e7e708b7ea502c025bf966368e162dbf2892fbc4d0c5a305c9fe20d0bdb879b57fcc3f86b564625f3deb661b52c9d2f3469913b11f5098d575b5d21574f3

C:\Users\Admin\AppData\Local\Temp\GgUa.exe

MD5 52621ac0f66944c723f52ba106a4336e
SHA1 ba3271a3cb847f6c3b085c38c9b899fedee73a57
SHA256 6eea9dffb81d11613ab19908a50552bc9ff5496d0bf4614593b9d302be351fc3
SHA512 3055486fc45ba915d0bb713dbe24e8a4298a04336bde9049e56cb0b60f2d5b4bc84b4143bc43fa647c9f7016a387065da78d9892648db08f2ac8a609df32a76b

C:\Users\Admin\AppData\Local\Temp\yIsw.exe

MD5 0273f73ac3e7eb13a0e6ba3d0e9f4737
SHA1 53f57db3dd49b78986ad414f0757e582c831d10f
SHA256 23a5d5ca4bc093339778c4928106bac109750b7f3e5759e49439c5ded6709a3b
SHA512 ff8e27265804d107e21d40a9f130d789a1067f407300c4abdf678f29ecfc443f5ab4f35458c7f4d07d55afffa553c0abe3a4d1833df011a8d93f7a6c4620dd31

C:\Users\Admin\AppData\Local\Temp\GscO.exe

MD5 88d389ed22991a729f0b528bde67760b
SHA1 2fb6a095341a10660036f61d978c06a46a833cba
SHA256 5ff118aadad8ea91d3a5dbf2797ff730518f7b21cd5efb6b76a3e13d64f4c665
SHA512 5c8550378ef1b137f82fd94c4b583fb3e266e0d9757fa05d2f4bc8a7920819985cf56ec11f33cabd3759d63a6739770705bc68451ac7ea30efd03b1ff3e3883f

C:\Users\Admin\AppData\Local\Temp\CAAc.exe

MD5 21bdb5ecce8f4c35fd41310e10486676
SHA1 90a3166f84efe0daeea96db98e1e49a17a66bbc4
SHA256 d534295ee8bbd3acf6e57b915fca1ee3c66a64726fd083783fe36b7ff4b887da
SHA512 103c06006225ff746e5894b0dd9589f2d8e61c7755d64a133e0b9a74c17589e54fb1bb8adeceb142ae1feb38790253fb56233feb95e46bcd8827a6315911ae11

C:\Users\Admin\AppData\Local\Temp\UEkMkkkw.bat

MD5 cbf7c0a57fa908cba1f8aef007203ddc
SHA1 0403fdb9f89cbed919fb27940c4ad5be73d4eaf4
SHA256 49962772d55cb80099b08e3fee4112c0d4be0c352e3e6278183720d0ba5f4327
SHA512 2b5f9c98a33551faa5cdb1a25772a34f3a6fb9f56456043b27a8942f41456fcf7e46e25345258f4f65788cde1a3d9b9b219eae793d0e681b90d0639fece8270f

C:\Users\Admin\AppData\Local\Temp\gsgu.exe

MD5 db3103acb60521936a5de74e0811b3c8
SHA1 a765320184f91ce85742a4fb4076761514b427f8
SHA256 f33f4030fe5127a250a5ea575263a36dba67ac18c19d129cf222a0b6feb88753
SHA512 eac99e6f3a3ed6e48017b9036a75ecc8f1c520bf53e315f3e1ca8ab2edd5984dff0d870645db174cfeeeae5f08e92d27784eab591ef57d7911f19fc82a5704bf

C:\Users\Admin\AppData\Local\Temp\IkUK.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\aMMe.exe

MD5 d670d4805f1a9c1a3beac6e476aac97b
SHA1 833f008d62b00fbce7c1b1d375ccd42a1b604a38
SHA256 052677b1f906e221b2a62cf42b2f494ba74342ab956be3a5ed0ed90ef0f84659
SHA512 b83c6a7d6820530a602055fefe649342b19165bf7a93bbc82b98ced2b0d5f967bce0af307996da0445e55ac700e13878ddd148d60fcc43232b5ad8a5cd9eee17

C:\Users\Admin\AppData\Local\Temp\OIYg.exe

MD5 d21b41a960c973f6a9b7ea1268514f1e
SHA1 07aa6cf4a819a48efc35c506aece53b8242c3683
SHA256 f44b3e997fefbee4538a0e384f20dbe1344211e09b888aca9089b110ea566832
SHA512 6b07d6abbb7d27de5051e3f3f713c4af8f07a3743bb4cfe6afade7693a2f464ce84787f9e8a7852d2da4024cdf05fefccee7c37cf8f5a5282387bb8790be2fdc

C:\Users\Admin\AppData\Local\Temp\wgwi.exe

MD5 75bd4798718f0b3ffaf1d69806cf7789
SHA1 8c1a19f4d918d574df1f6fce788cc0590c443f2b
SHA256 0c2a753f86a4ba0e9a48445462d5003b6b14fc506813c973a4c87385892cfc72
SHA512 9a0b767a86ddcc71685aa53f73b3ef354d816ba233577570419aa98fe0b371a9d6922bc48fad739e2d4bd32dcef1e5d56daffb927f8de344559bfc2c6c1d8a78

C:\Users\Admin\AppData\Local\Temp\siUoMsYc.bat

MD5 ba1d002d81db60f0fad0ce55a20fc4ef
SHA1 56a631fcd50e9bc0b2c4fc3f1a9d8d5d9d4fef2e
SHA256 6d9811fa87291e701143ea2a6b59512ba8e7066ea40683c90d8ec975e0e70c69
SHA512 aaca1a4ee23fbc589de7d30e1fbfaaf05c29e08725c9f2cc0b0461e9a0fb9a5d05b86ae361bfe01bad9c429de91504e71a0465efc2f4fd19a06c655f1149d92f

C:\Users\Admin\AppData\Local\Temp\GUAK.exe

MD5 25dd77d6169264b5a60de03fc372a4a3
SHA1 66179b04525b395a4275ca014611d9d99f9d893e
SHA256 bdc2e7ff0b732cc8c086eb8711c8bb4d98f7929ca3510ac77de564306af870eb
SHA512 21bfcd006692c1d70ba57a3acd9859d53551153443ddadd34826f10f121e9ceb18eab8562cf8285c4f7021b6fc9a30e20c4f8429766305b628020b65aeeefca9

C:\Users\Admin\AppData\Local\Temp\GQUI.exe

MD5 b9403dfd1d7f43cc5b015af0f7701479
SHA1 3fd9bf2551ec2daec2c7e1ab013436071641b80b
SHA256 be494b91de2a1e5812ac2c9dfc6e4d54048a6170c3a52c976299b0b936330521
SHA512 f722609fa2dbf6fd82ea74a386c6bb08fb14bb52b6f7dad70d20d7c37725a41e218c201a80890371c655fe60a389301c93565f0e5c73fc1f8eb06ea2b4703c3e

C:\Users\Admin\AppData\Local\Temp\OAka.exe

MD5 119c74ece0331961b75fc9610e05facd
SHA1 7eb0364f9d09def920880b34a09a1617e6690e30
SHA256 84f5a410e3bcb311d47bb7a4c93f55b1b11d8dc9d3e4ada7db82e2e714e2132a
SHA512 7617920a5d171bca26810efbfb7e1ed90726849cef9a448a7236a2110da44f5264605f2ceec9820892bf9b58f53a0097b96e2dbe65a32d49777ba473296eeae9

C:\Users\Admin\AppData\Local\Temp\IIgYEokY.bat

MD5 e46d7c6eda1d1714d21d46e7a9852d25
SHA1 0ef98897e5c44741a9231dc227e8cd5a95576df5
SHA256 c6a077635b6513d236c34423ea592fb3017b2b0ed5a67940f94650081a748388
SHA512 c8e7d2c496289cd34ee7d42b8f642ce92d4690e425aac7309ee74e5b0f3ad123d6e1d31fb72a63b169257a0097490f924d4d30a25245a82a841daf82d23e64ba

C:\Users\Admin\AppData\Local\Temp\mUYQ.exe

MD5 8fd42508cbe8237a92b7c6e2e331e9de
SHA1 dcf443f5892a3e0caa9011e32b6d735fc109967b
SHA256 dc3077a1ddb633fab8a64c6e91fe108d6554865f1d2083abbc9a013a2d365146
SHA512 4bea8cd16fac7f99dd2be94c8e83743cf722e672598e9440496fae67d469abafc68ad406ceb6101be975e7630d4089ba5727f6e508a6904d03940f44126c45f9

C:\Users\Admin\AppData\Local\Temp\uAke.exe

MD5 7fc286c0a4b6c4386036168a9c35b7ff
SHA1 76ad840e2b8e5913174081f22bc35b259ad73cff
SHA256 de2639f01f8a956c63c1817c047fcd225cf68fb01bf9b3c203c7435b77b1bc56
SHA512 958987b51e3027328674e4e8f1af3a2c37ea4369b46cb6878b136ab0d0ddd7b05e48e71623c5dd58ab79c53089f45b6eef2a1d8c2ca04b602a37fc41ec2eef4c

C:\Users\Admin\AppData\Local\Temp\EkUq.exe

MD5 d84d977e4ebbcddb369f758c02e6194f
SHA1 9fa0342dea5b0feb942d086359536bc37c60cd31
SHA256 7c6aa3e670741f2a679909360ba24257f4a124fbc7c9a0826a97d0bf28ea1921
SHA512 cf70c52af15a0ebdc1991936b3625211228596488d974e11052dcb65d5bc6fc7b35483b3aff673966f73e30f5197fc6db9b68d3bf1581a29d9ce1e862aad29be

C:\Users\Admin\AppData\Local\Temp\WAoW.exe

MD5 51882d45f23cc1c29b0ac279d48548b7
SHA1 7e7a3256b2d751febb0d976362054ad7638f4a7d
SHA256 9409ddeae6451403be4a8fed28c3b07fb5ca02867b5fb248e66f6a38bb6e3e16
SHA512 b692437fde67830d5f5fe603eaf2e444e698e5d9b895efe2a87b6322587e988df6a9e55eab12c38b02d8107cb7096ce336c47d41321d7e6ef9c71c400568033a

C:\Users\Admin\AppData\Local\Temp\eMYE.exe

MD5 027e81dc163b84cdf051e5f9d8cfe21c
SHA1 525b3dbe30aee424d82b69fc0f772f244730e37c
SHA256 8b47b74a56a5d77f58b2533409bcad58447c7a4ee5c39d2d31f4f6a1e008b200
SHA512 2818f2ca361b007ac2da940f300f0a53779c528f79fe644afedf88dd3e02132cbdb3e9230bb7c800af6c2930390214568d1f13cba991c84ce7f70edb65f30bee

C:\Users\Admin\AppData\Local\Temp\ZwYcgYQo.bat

MD5 7bf9d69fdd199f0e8bbd5e1256e819b1
SHA1 a67eb572b36fa675dcb0be5e73dec7b74ac7eb6d
SHA256 3cd1f2ad6c60857585be682772211580de72fe5f0c0705c09a1a2f8a70227218
SHA512 78ea1f53120a3429a455f03630004bfa385c00ee2080d91c2a82e8cc6e190d4d80c687d0ff13a3ada5e931aedcc2f237836fc50c96d16faf87da8431d0ab30ef

C:\Users\Admin\AppData\Local\Temp\wgUI.exe

MD5 36416db4c12a3eb07d094456feb67de6
SHA1 cd5f86fd5d94efffb083960ba1f9a3b710b31084
SHA256 a9a3bd3e731b85cc1ce5ec383bebebd2b37d66a5dc4706cac02742e93b77b23b
SHA512 60de4f7fd38c5f29b1e9cfdd2162ede9a9f7c859eac85c4504905c8f20ca2337c67020468423f6aaac50ae6e7b1ca084713dc180a5dba9d28a8c85e63b3229bc

C:\Users\Admin\AppData\Local\Temp\uMII.exe

MD5 24a76fdc50ae15d8db68f159a6d9ab75
SHA1 936a03a87d073894c5707b06a0f433b825f9199e
SHA256 37469dfc50b5eaf5f54ab48675391d2c5b6519cfa2d7507fcce6d6f603afdae0
SHA512 d056beeb6d11ff8a6f453c7ef3ed579f50e010618df0e16c527a12e9932c50827f04c855e83380afe6a81f528d8f897e2f441ac2080a38765a064d5448c8ce3c

C:\Users\Admin\AppData\Local\Temp\QQka.exe

MD5 6d10f09e0118ae3626091680df9034a7
SHA1 efc8bdade991ec45a1f800c32d24e6426afaf6a5
SHA256 744ae423d5aa6616a58c852999cd655a31b74396280425e1b9ed99bc1e162ba6
SHA512 d1e53a5764e49560b43331b8074ab62d836c34664554195cbd5bc2cf518e4a28542d6de536cd1e517a6e9d34c12419c2183673cd69a07abb40994fe50607b91a

C:\Users\Admin\AppData\Local\Temp\IMkc.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\KAsA.exe

MD5 b526dfb46bfb064d20ed82936d46f1e8
SHA1 bbf03f0239b99968feae92b4f3a7bfb18bd4c97d
SHA256 adcdf72a8de28a13795b2b957a2ef84112cb29197b5f068a085e2d9e4ddf8a90
SHA512 1235496259066a56e2420e25f50fdf48325d6b4655bc6e819e6b634625395c8ee219b5711d2f8a4cbfae28206fa6dea1385eb1e0c68c7b13dc4a0f00849de08b

C:\Users\Admin\AppData\Local\Temp\csEw.exe

MD5 1a8379434c4fb768c1bf48e926c3ebe4
SHA1 a558676f14399b96efeba5d4808503b7ad21449e
SHA256 db4d75d1b2fd0e5d42aab9758f6f2d6900bdc6f8605b07fa86f531177a2351f9
SHA512 d60226e70543f8a800b88af9875050dcf39bb80dfa3c37b69ddd126dee78318fe92d461e5564af56d385ebf0b32a902e626ab2e31853a2397049e2b9451484f8

C:\Users\Admin\AppData\Local\Temp\SwUI.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\kUIG.exe

MD5 c338c3dd4b0a229519faa8f3c1641a49
SHA1 18c4629ec155f4ed7149a8ee88f94c4b5e14d8cb
SHA256 761bcb271d39561e9fbe6eb42dba3f0df93dbe43ec928121da93c1f9fc9890a1
SHA512 e851976b54f5b1b1f7df18370540b4bc1013e018e722a679d2cc79e7596cdad0a3098973901af5a1661b335c4d8d7c4977bdd2e5933c7e0a2a1dc6ad336004f7

C:\Users\Admin\AppData\Local\Temp\ogEO.exe

MD5 6081554173dadf2f98ab98531f73cfef
SHA1 057ffe8b6a68d34526d2e65d42ffdd794bf2656b
SHA256 f5ec55b8c3a622a006c72ac4f6dac045552b8b445ff1bced09fe88a21777a0db
SHA512 665b65600629f8083f8ac36f37ba4aca8ddb4cb030f401d2179546ae110d219e21bf7b58da18a445ae34aba16d5d45b1624072ddd9551a5000e5859a1877d7bc

C:\Users\Admin\AppData\Local\Temp\HwUosAsk.bat

MD5 1ba64a53f92503e2106caf656181cbdf
SHA1 11247ef693205be807983eacc5dc58e3ad7f31ec
SHA256 a19d57da16a1624746759af0f287b624644e405ed9dcf4c456fc119529fc5fe5
SHA512 404a7b403aa8a3850dfd038aa0c6afa17849fd5b6b3ade1692537cc1aa348e0a3ba87ecbe65aa6102c3497a2b0996e583547728957f0c1770f3eeb97cd21c2b4

C:\Users\Admin\AppData\Local\Temp\EAAS.exe

MD5 8c01e94a32f7f6a5f3dea2ba36fe1dce
SHA1 619afb4f3cf0416f1a2cf3037455022b76c05c0d
SHA256 69c6f52310e0cfdd42479c3c671d4c665c25f004e2022a7970c1adf9bb9d74ee
SHA512 aa4ff9dfe40e101fc106c7f7218b345b2796c4c55fc48f053e4cf47e977d696ed13bd4da40d34d9dc09092bed46d1de8d26a05ec07fa76559a78543fe92558df

C:\Users\Admin\AppData\Local\Temp\OwIo.exe

MD5 0bc86c15e551507ccb40652533329cb3
SHA1 7ea47d703b2cd152034ceccc31a5186953f03f36
SHA256 e13ff3e9d1418b17226174be2ebef80e3daddf2b0cc2b4a256e27175a36006ad
SHA512 812273d60fbead02639152c2fb60de8332d6473183b2b7a9f8dce2e78c43c5a9c0eaa19c0cc3ace82e9c88967af5ac693c08cb037182fd855842e09e4ba1aea8

C:\Users\Admin\Pictures\RenameSet.png.exe

MD5 97cac1ddf3b71b465b504ffe9c381d6a
SHA1 85558ea863a3ef07f7944e904ff1ecbe5775082d
SHA256 84ebb8090f8561d4c3369a485455e143c2c50a51be47990425e0eb2abdad19da
SHA512 528e07b8aa9702de58b14a277895ea77d31c14147176b71f0109dd3e92366747bab71ea0794cda2fa029d04b833473187e918587e66f06a1ffd396fd9103eff8

C:\Users\Admin\AppData\Local\Temp\kcok.exe

MD5 d6793b9c3479d4e44e8afc7528925c87
SHA1 631e4ce6e1b02d51237eea702bc2d5843b8cd305
SHA256 2afb2cf720562976092aadc33a8e3af89e6367e9d707bcfa0d240f35d717c64c
SHA512 8a3454a547ccdfda102dd2837cd89f53d7e655deeb0f2177bc9d390405ab703359f36dd961450d8e000e1decac5bad7c0177f8500767b928ebf2da11486cb731

C:\Users\Admin\AppData\Local\Temp\iIUq.exe

MD5 4105937eba4c2833fe58804480a9ee78
SHA1 0727ffa331b4afc6eb59fdf78088ee68ada45cad
SHA256 b9ad69a2712d6de516fbca72143feec07b4078a32e3688fd5d4e94d4c138f48a
SHA512 2a8a22d87d389de88293257113aff4e8be16a9ecfed2a0342e7d5849ac656954181c6341a381213119c87a9387f0fbbc911c0afb62e549529c7ee58d27e02a6d

C:\Users\Admin\AppData\Local\Temp\PYMAQYUg.bat

MD5 be7dba39474dfcd60af843caf4bee78c
SHA1 a116bde80650bde8442d34338edfea7a0d221423
SHA256 e1878e1ded0d198ebb52d415df58237631ffbdaaa2c9b773ea8305faadb8f90b
SHA512 9dd4250c70d3a5a83ebabafe3b570098df434a45934571b4d770dc9568a127a36ca456aba499c4b33ca55554ad1699b10e29d1baccbe63a256460e1fd6c190ef

C:\Users\Admin\AppData\Local\Temp\kIoM.exe

MD5 ad81fab9a7c37b0dcbc5a31bbdd36ba7
SHA1 307241b391a89018a17102e8281fee2da32b4462
SHA256 6f529ca9f8d34da20220781a4d8fbc1a0958fab7e423ed488e60a6ace253357b
SHA512 7c05a06f7fac1300819e188681721e11cbe53c3e14014ab394eaab33665f87bfb54232ee049090e648acfcfa333ee280c5fb2a993a38b65cc423a9fb2c04b4c4

C:\Users\Admin\AppData\Local\Temp\SAog.exe

MD5 e0e11cf2804904bf6cee8c58d418a8b1
SHA1 5bf8a2daab3b6fccdd3d6096cd28ab9d9c0074db
SHA256 489340d58f923001772efd4bb899b0163b750ccaaf6407fb2d87c2d9dae52d14
SHA512 ede45142296dbeb15340721c0760d4aaa9ef4d7a507a9c91fdc9c457533cb1a1ff6eef501685f2756d2aeadbd5cff06d9686b6deb925972366e37f6b71e8ce1c

C:\Users\Admin\AppData\Local\Temp\CAMI.exe

MD5 769073b4e747b5cf2523d3941d5ffdcc
SHA1 96b4f2c85c42a2b2eb4520e7badf95a6a3bef7a7
SHA256 346e44cbcdb6bc07d5e9280f5f84efc878cf3609a90e5d288d9b9b1bda1b68cb
SHA512 b347417a5f3d877ef6ca0095e69e275ea66369b751fd3693ce67c246cf8b09692e82ab63ac9f4847960c4c0e8cc1907ad209d09e7764c2cb5d70f7aa7948bdde

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f96df3f25eca1e2e1d7139d526f65d4d
SHA1 e22d8a0ee882ae994398b62dceadbaea299e4721
SHA256 f51883af3a0bf2f3b4f5b0df5ac548544f53e64ea0779bc59cab8604f5b1a223
SHA512 0fff14e1efd7bca4fae3e0225a15ff0d1f28b420323df0c662d6b78477634a63602184f1fa28c2c27db6f69b3faa3f6c14ff33d17429d6913fcc5fded2a5d47b

C:\Users\Admin\AppData\Local\Temp\CEcc.exe

MD5 517420e09698f6372422c24154b28ba9
SHA1 a72e6b9c34febcbee5124cda37234fc0f835fe92
SHA256 1de178fc5e800230b97efbb49d0d9646dd4f062dac22062c6b2d4d543517344e
SHA512 4e87b979a17b2d140dd0839b1e60c18345ec32c673a3e85a15b7d77b219ff0d2bf686fa9e05912b920a228a99b9f2e8fdda0b6a6af8835b95b3277e3e5c267e2

C:\Users\Admin\AppData\Local\Temp\NsEgQEMc.bat

MD5 2432878dabbc1d04cd1e5cb62e989ba6
SHA1 c3796e4586a53f5e2133a8eff4b3a42798eb0ccf
SHA256 16fa9c8ee2f794fae2cc0b6f0c630ac9bb1e7290e96cf3568ef4a0ed43335323
SHA512 a0a210c75d25391d56a6064d54189a194a0e555b2daed0b03824ba7400cb3123a8ae4ad7d83ecdf1a10ae2e686a0f0960567d9a2d9f17bd8fe7d7747d0ab29eb

C:\Users\Admin\AppData\Local\Temp\SQAE.exe

MD5 83794a57f0452e450f3d9ab49f59ccda
SHA1 a494eb883350765ce5629e59b5c87e0888bad38c
SHA256 90ee42831ab0155935386687f340ffc816b0eab445074b8a388fdb4359adbaca
SHA512 7056f98a18dabf8f9a747c1a5069b9efa214c6221dffc341f972b56f831290ff56211110f0640a954df0be141a4ae5e8f3727d00c829a0d0b300f8885f490d7e

C:\Users\Admin\AppData\Local\Temp\AsEs.exe

MD5 a3b2fcb947ba6fe788a9bcaad782f167
SHA1 e8883bdbff55b6da1df038a086356b0fffa1f557
SHA256 42426615c15ae2556396fb9ae14c82ea80c4e4deb4ca332df7a2c590f13e67a1
SHA512 0b6493ae1bfb1bfbc0619e830d21237a5dcfa4e8b4d3f0d2f7c662edc24d45185a58008ad494547c9ecd6842a786ce5eb2ee751d67026701d4a784d513e95e48

C:\Users\Admin\AppData\Local\Temp\mOwsksYQ.bat

MD5 d51807e84a38b6a518af20e5e77f056d
SHA1 273291095541cf21259cbdf2c5e125e4320c0d83
SHA256 90e197aa407c68f8526e594db8a2082d0a25b170ff0964f46f45cda13a368746
SHA512 d6f8c92b4a1ac9a06038a4661097e482e6aa8d44d811fea0d6fe7bdfe6b9f19354c566efe140455d05be6e2a9318d925aac4736c6da1eb4523557beae6331cbb

C:\Users\Admin\AppData\Local\Temp\GgkM.exe

MD5 29fb1a36f27a244e3a3b5a1f124e5442
SHA1 8dabf880df079633803eb02b4323cd103a6d62d2
SHA256 fdc4461226d0b79f7471d4b2a0bd78c4346150f47081b8e7e002b217a0cabf12
SHA512 d93dfb1bc28b3e607aaf6cbb1f6baad8b504b603cd70432b089f6ee5e471b00dd04cb90b25c9a4a853c3530a4e37773ad2b0505f65d2691ffea03ef036956533

C:\Users\Admin\AppData\Local\Temp\mEQU.exe

MD5 d09f22e2605e970152f44cf6dfceeb69
SHA1 7d3d2d5ee1cdbadf3fb11a1619324498ffe71b2b
SHA256 c58d1385e9b884c307fe9e8488a102833fa9320c9062cb99ee333c63ea1183f7
SHA512 4f7a994f0243c1fa9a8751ad3e8a3c3bcab438adabb95ec68f0d2109d8f9968f0918520af72edaa84311b0a48335ceaee56989dcfb4a1a7b8cca41dc2db2a3f7

C:\Users\Admin\AppData\Local\Temp\eAsU.exe

MD5 f554a43b15c9fb1f4f3aa6195996f14e
SHA1 477fb3730d42bcfbbfa4a2d34e100a1882ead415
SHA256 13667377534e23061ffe0dc66eb15958515de320bc2a7ba0420e0e5385119e4f
SHA512 d0c7c1e872aed88b03a9be963ffa8630e9574576ac5a9c87e105dc62d4d7b7be49bddcde988188a9a7098cf5b2ed91859ff2029b6ae8e0cc19943edb4ce0b751

C:\Users\Admin\AppData\Local\Temp\SEUgIYQI.bat

MD5 5a4fc5487202f123507f441431b0bd11
SHA1 2973a79e7d488d3ed6e06f24f914e78b9d4b9d1e
SHA256 28d66b10cca5b4bcaec208928017d6297f24ed47b6f31e4c84a7648264d5bedc
SHA512 8e7bfcf17ef9c0f91a299f2b3b805ced9115a9f397430a90ec9a84ce3fcbdc592360180896910ceb76debbe26145dfc0c6d0c5e354f153f73cbf1a0aa145b3df

C:\Users\Admin\AppData\Local\Temp\sckc.exe

MD5 e90815eb34af258f8f54b76e2aaaf31a
SHA1 ec3418c750e42a70c065d595b776d2572aff8291
SHA256 2f5979caec3490d33ecf04bfe467a4705f0bfc5f8a9e10530df7a8c17d94275e
SHA512 bd0a4a36ca9c6c8a36fa3cf2deaebafec0e2a862614bb9f58faf31536a1d4cde02e670a0644bc17d6b201270faf7e41c2fa090aa4e41dbc1814763c7c6b0af93

C:\Users\Admin\AppData\Local\Temp\ssES.exe

MD5 e08ff891f910bd2b15d79a1c01e3f037
SHA1 4909330c4c95adeb9107933f64d98395160f8c67
SHA256 24da92b7dc780ea5f18e4a061e64a070ef234a0bb9f7739fa96080b0fb6e4e7a
SHA512 8dc040afbe440a724be680ed02ddeb2cb5531f949b89de2dc10078bd94fb558306932be2aa65b92aa7e61ddff7af556a2651870e74580e2b21c1e712a3ffaa62

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 136d04b6bedc5320c0b8c625666f16a9
SHA1 a5ae560200e8a17e22f0bbb9d2bc499b25fd6950
SHA256 84cb5ba8fc2a805a905d73bb1e49cfd73785ff97ddb6d62dc0b4b24230637259
SHA512 b198bdb86f7ac5102c664e809270bd07dd3d3848574429eb744b91acaa9261c83facef175479d34782fe3974a6516e580558527c47bb4b123414a1a4a46847da

C:\Users\Admin\AppData\Local\Temp\AsAW.exe

MD5 5b7224938f2ff8b3ae75632ee3b32c99
SHA1 374aaef6f93f8387b85775725e059e68ea5c44a4
SHA256 754dd69d6d204052ea7b07306785f1caa1da89d291151f6edb4d6ffac99e0afe
SHA512 cbc56c00cc22d0e9ae43c6eb5e25aa68462ec81c15498b915040d34af97b003d49a73d1fa2b63eaf0744e65024d73a6219cb1ce7b5454aed10412e5348c3a70d

C:\Users\Admin\AppData\Local\Temp\OQkgUgQs.bat

MD5 8c5f54fa090dac0e7dce5dbf9fba7cf0
SHA1 a9fbab1b0c2b5f1aca1b40627a782bc79a57fed7
SHA256 4f7f3da567f0da4484d6b397ca1874f342395bea6ac989dedc14452078bb7389
SHA512 1f2ecb6cf49a18cfe09262accc319344520babcb2420e0496ffc58ddbbc8fd92e493c633c093b8fc113d20530a0cca9461c91f53ec375ec052b3d212ac6e78db

C:\Users\Admin\AppData\Local\Temp\kMsS.exe

MD5 0ceadc10fad8d64f238c55294c020fe2
SHA1 b60e904d1c4873b4eb25134a4dec636920e7d2d9
SHA256 583271610a84e4861688d07c124727222d93ea2c8ba2dca8001d19c19b39e2ac
SHA512 0072f73625ed9c6dd5609a9b6925826cea372741caaf53d19a8395096f70d53b09dabf8a757e1cfde1003b2bc4abe7948aea935f6f6eaecbb8a370c19a752cc8

C:\Users\Admin\AppData\Local\Temp\GkIe.exe

MD5 7ab3f25fee65c84db1f235a9cf356857
SHA1 76f92b89d985344b31735aa94c11f0566a646bf6
SHA256 e1634bac54ce87f7a931d5b017212b6ed591b384b4ed32d0e9b083b76465b397
SHA512 25eb4c8a475f4ec73faa70be4f0a8c0f655c883b57e39d9422c91e229a0fa1bc8eef674e1b876df722e1f8b8f57a39eec5f8a83edd4ab3eef6710d1a9911aff4

C:\Users\Admin\AppData\Local\Temp\qEkE.exe

MD5 4eb0dcca7718379b0182056b8c22f2fd
SHA1 1f5fb4a934e2202a7193bec7e89eda9207de59b0
SHA256 634c5b34bd2ad2f58819a71a7c1257c095027ab7f6d417e5424c143ccb1d695a
SHA512 e9c8e88894649dd52b5fbfa0602de2ded6d3533a6b688ef92e6332cce26adbb1086e030459b9b1c2a19170f0d428733ecac3407179157aec0048bb8178b4877a

C:\Users\Admin\AppData\Local\Temp\gIwq.exe

MD5 eba1775a15af821dc0d70041af424852
SHA1 07990bbd533becb45856112a51ba561c76d23649
SHA256 e7afbd6ae545d7406ce179b7b7d8aeab1ae42999b0c03979d7b4d8aa6062878b
SHA512 59dd41390c653042d169e5190de210315a4a5753170ead96c70eed88ed4fb4659d8555a7c86aae46101f23c3b2a5c9525c8933b92267398323c4b8d407109591

C:\Users\Admin\AppData\Local\Temp\GCYcIgAU.bat

MD5 d8b590928ce8783847336d3c7f5bf4aa
SHA1 ddc5029df576d0df72cb0586b81bd8218dd5a7c8
SHA256 b7aed997e59204c80e5c16e14224f55fa28264a1a9e3cb0e872e2389707ef5cb
SHA512 aff37883a804da8c723ae3af45b6d4fb2b4be585bf98d6a51dfb4cac664a4e1adf4d98fb5de7690b10040e4e4c22f09aad6bcbe5655240c4d6020960e4a4ed91

C:\Users\Admin\AppData\Local\Temp\oQYC.exe

MD5 58fa1e146f50eb4f1ae89d0037148696
SHA1 9da82b197fc889801cb8a305aef969fc2f35503a
SHA256 00ce0b3196b10897d609614273331534f54a8b581b3d42a580532c702429c080
SHA512 e9a9d37ca7e199ac2cf32c1b52f1d982fc3a4a65f0eb28e63f0ea8678ed276078e3986bd15561491bcf1be6a938305a8f724b7db4f4aafce12b50c60d16a2e3b

C:\Users\Admin\AppData\Local\Temp\mkwi.exe

MD5 e3ede1c17c593a4692888aa4810105ad
SHA1 d148df6f98af606ab9f8a87f6254920be231bbdf
SHA256 30d4442744eb6a5a21c4a57cf56c9f63aaf0356e23889adf990e982b2a402046
SHA512 9628657703ee8c5b92692759d8e1ef1fa6a0f2d90a06a0c08b7722aa12bc68f67201e3b7a30f44a693d4475971fd7cdbfccdf7509f7bf781b1c2f6614cea7039

C:\Users\Admin\AppData\Local\Temp\ecUa.exe

MD5 8cb4618810f601aec7f32252ebd7d00f
SHA1 380de1f431f5c4417fd8c4179ef5b2b3b50c1877
SHA256 4b422207f63e6a671128dab4f406cb77b5b285d35e8b1d0be0052554f6e93ef3
SHA512 4c2aa0bc6823d4b500c6913de378d62b97aa0c0440c1e8f4f51e6246e4d433417c53a4dd457b6c54e849eff4661baf53a8f9677c5800608e9cb3c4a507b74d58

C:\Users\Admin\AppData\Local\Temp\XmgssMMQ.bat

MD5 5ec3080e3e8638087bccf55ab931f801
SHA1 561943c75c645536c76cbd5b826e8f8877220022
SHA256 b37afbfcadd41d3af84e4966811b4115da00c05de12ea43ab06bd9b886141fc0
SHA512 596b4055a6b2c20251e74a6b0271566b13681936c8eaf6ca45375fd609ffb6854aa3d462401a681440e45ec5cfbed581938134165fa5eedd8b351c3990fba6d2

C:\Users\Admin\AppData\Local\Temp\gMoC.exe

MD5 ccfbf982450a54a243cb44c218227acc
SHA1 6b631bd88106fddfcd6747d3b8ed9dbfb1e2b9ae
SHA256 2abd8b2066c76ff6d318b9b7aa8f4d52abca9def4482efd8f19b85bd30371897
SHA512 d5f325f30ed22ab0a71a6cd40ee76b2b2c03b3fb767819431156651422b2a26081387876f83fe0123cd2dac3c000a583fd356911bf69b9ee98a5d7291e4172b9

C:\Users\Admin\AppData\Local\Temp\usAe.exe

MD5 8342a08705e3cc036f178a20c5969876
SHA1 3e04b3ca0d818daa9eeb9c8d9a366521ec6dad41
SHA256 6b85ee56ff7756fb437d2fe4b97933976e91d896f6a9dccc1943d593f44500c5
SHA512 e55e41785f2a7b8b2a9929852884c078801096ff2c5858525adf69f8c3bc5b03e770cc7e3080c7fbcc3aafa3aaf020242546c8ab1b8d031b12dedc60771f4c30

C:\Users\Admin\AppData\Local\Temp\WQIU.exe

MD5 a01b8c058af3cce7adcce073b9a206d4
SHA1 09eac9bb316e3e3e007b48a47bc37bf17e131637
SHA256 10960c846ab39effa676e624f2868422872aaad658c4597116278fdd35d2d516
SHA512 6aac6ba231d48fee1f9092e7bc1f517617f44111e7342d8cc79ed5c01762857261af16b436fe1940443fdca8cadd70f0f6fcc4ad0c81febc321d6aa5ba5587a3

C:\Users\Admin\AppData\Local\Temp\DcIYcsAw.bat

MD5 308b5a9fb84b32e6ce682f776c4efb15
SHA1 7387116d7ec0808fe6e0af060b8b4c0e98a2fe47
SHA256 a52b28bfec1cf9a872838aa5a0d8aff0e54015ae921485693d77dd75c7747d45
SHA512 cece8ed98b3ea33f704f8b5ff7fe8c47f5ed37249cef8476234128f94b26aae918d1dda56484e301b648c0759942ad8b3a9f48173dd82d1d6d5dafad297c0d15

C:\Users\Admin\AppData\Local\Temp\QYIA.exe

MD5 59eb692731964923ddc2a02ca13b055f
SHA1 6ac4a3a417eba8f60a7db46efb001df7ecdac1c3
SHA256 af48db6eab4a7ed4d05ac6564cf95597da467095ad4fc357a2dac46fdc5dc0cb
SHA512 528dca7dd05abab0f7298daba333aae18ebb2985e9b93dacb347fd9fc2da3ecf76370f863fdf0c990f1b0fdeedb01b9e35cf37b86c451efc3e0ce58625b02cf0

C:\Users\Admin\AppData\Local\Temp\ccsi.exe

MD5 2ffc75be2de362180ebec6096fc26a55
SHA1 032216da8b4e0b8c3772fa59a40b536b2021452a
SHA256 1cf629943cdd4d3f701eabcc1120fe946025438fb20c53eaa1852fc563124556
SHA512 64940aab2ddc5a19a71adb335382fc0a118540eb1bcf26bd453639b261d3bcab615cdb4e842ee34b44b0db2d42986993ae5ff6fe1525227171ff4a35eef9918e

C:\Users\Admin\AppData\Local\Temp\MIsO.exe

MD5 1d3d7351d669bb8f77c2872d52b735a3
SHA1 d089cccb650f42d0575b864b01525993c9990fc3
SHA256 846e3fba53ccb247507f06f76a113dc51654238e532697d5c6c3f6ea487570af
SHA512 62c811d20104cdfe9909c92acc0fc271d227c19912c890ae643d29dc4f4bdbf9a3bded130b2315b9646827812f5f69caede826138d12cb5420b51215bafd2d3d

C:\Users\Admin\AppData\Local\Temp\FCccEwQg.bat

MD5 3fc55e528020111d21bc5c9e5617df66
SHA1 05a157f4cd274324432bc15ccf4dd1943421ef0d
SHA256 882d42d10fecab77328db33f72dbfa8f7031b00f32ec62278d5650502e30d1c3
SHA512 a721b742516614ed8033c72ebea560123c57d14ece368c743dcf3dd8182930e508154efceecca0473126c1c808166456da62582617c065fdc3fe8cc5041e034a

C:\Users\Admin\AppData\Local\Temp\eogQ.exe

MD5 f7ce008b1801b63e7aaa422e9e2125e1
SHA1 9ef00fbe4e74a9c21154a295b1e0063c131154be
SHA256 5aa00c7f96afb8f793d5e96527ea4cbb78f0b1af8c077c752393f2aca6c2493b
SHA512 884bf08bb4a63087ad0ec18c00e8ac615a5b13ae1ea5eca30ae707d38423e825c8748a86b2ffdf098d60bc33f83d54152fa89db32cad1912e8cd4056cac02574

C:\Users\Admin\AppData\Local\Temp\SIcA.exe

MD5 10c7067ece86ebf0b1d8b37966331290
SHA1 687aea9958fbe3429f7e47fe96b2090af53172a3
SHA256 fa2f669c742c44f896a3f2896f5b80625839b0d4e428942eaf8f653fe507a283
SHA512 02587ada267ecd7ee99749bde5a6940841d4316cf10b8681485e3b58f2015d29f883c1cb31ebdbafca5b51165b6f2938fd4f995ba8e31697da7e2c60dcc7fed7

C:\Users\Admin\AppData\Local\Temp\AAoq.exe

MD5 bbe807a190395ac16df71643162523dc
SHA1 22a4bc36cefdddb49b5ff86134a1a35649efe730
SHA256 ad9b69824c5f1e6a9fc600bde00c940f8c20bbbd79aefcb4c6d6d4f0968de671
SHA512 7aff641da0106aac0458049248d987322c9343b7479e705135c4f9c343cd24d3d28fd57f639fe5ede9d264e8ef7f2a4f5b8e71c2c28b2e77300b5ecd4c259683

C:\Users\Admin\AppData\Local\Temp\tGIYskAQ.bat

MD5 00cb2464956350ba5b9fa089f607558c
SHA1 074de1bf5b9625da2e49942d1e42951b4feace7f
SHA256 0bbd7dd3964275535601681665f92f8c69c63fe3561506b15e39c3c607545b01
SHA512 02519afedaf0b05e4139f55c46d0d9d560d48c3e9d999262f2a6c390144c0d5bcf934f70df8c3b72a1aa6027855cd8e60da04da217fcab8c0220186163b3ab48

C:\Users\Admin\AppData\Local\Temp\GYcs.exe

MD5 5a6d5c91c97721d3807fe5b3cac53d56
SHA1 af294bbb2e9ef084481272088041a617be87482c
SHA256 6055fbc3673a4be543c73951581b70ec059cdda0e2292be5122b24758198e19e
SHA512 1a74059e6b9b2cf66fc214cadcf73869071ebe01d60584b199ee7d2236002104019d1788e3ccec7e9558dc6cfc2d9825816d2aec0af5a6e96d8743191d66f2bd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 087d3ac8877538414617a6c3b15da96c
SHA1 e96865ec8ee50a9946bcb43b3d94aec62f4c90b1
SHA256 4402fb249cf2e1341f3a54b0bdbf70f6969691396d896c06ae0d2ef412d6b49e
SHA512 91c8ddec6ab2987357d2a7eea929bbb3e061453c79a8d4e0ef8fba378b371c123a243f0225433478b25783f352fa748f24fc7a010f8f6bfb83c6f1df0e14dffa

C:\Users\Admin\AppData\Local\Temp\emocEUYo.bat

MD5 3fc8e31c09a6e2f677b791a950be05d6
SHA1 bf18ba659ac3e4cc5f10cd94f44ed24d892877d5
SHA256 cfffe0ec512ac274bb98e870d10d8a6542bf32d7e8fc97d76b191adfe06ab2c3
SHA512 c180e2c79c59a2e53ae1428135f957198a3c23dbeb170dff76f21d9f92f67ce28d683b5215dc829285c64284c1fe6688c7c0f1ebb419b67c3f011bf859bf8abd

C:\Users\Admin\AppData\Local\Temp\IYwo.exe

MD5 048c8ee7198251075806e8d26c2a5ae5
SHA1 ccf1177455118818c145dc9408de171a85c60f5b
SHA256 a5fa2be760383aed0e53423ce32037acd136103eb539d357341c867d307a8989
SHA512 16e436564d68a598ffdaf51dfc77ed5b9df367c53134a2e88ac568b2604458a4b29abc4b1031c3d9166b4f8639ba2125cddd1e07179a4785d49c49b7c66c353c

C:\Users\Admin\AppData\Local\Temp\kQwE.exe

MD5 9d031aad74f8c7e7a6071505a53daf5d
SHA1 e6bc2646f6300ab0d25c4d3af0dc30badbebf07f
SHA256 16e2bc923b7375f4be8fd56166e9554993b4c9d6a6c53a19b24942160b407cb4
SHA512 fb98bb5b6902a49c7a4a71136be306ffc2a9db5e60b579e5e5d488d6443b8535c3a484b5c71121940ee2b165fd007d3965f70b4b3d69351cb34c7e9e415c3b8e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe

MD5 df226391ba7f5ba04e21e076b5787c1d
SHA1 1fa958037ccbbdce0a4c8f85b5ef2ed6750f4308
SHA256 0514d009a7c27b2049a9beabbf7a7dd5efac09514a6091a64841bb2ec9af0a12
SHA512 75198ce453ffccfdbb3c398a7f67196eee5169faf6cac7c07ecf29560df5a56acfcdc08a5b13ac3ce5521a1f6fc9110b07ea5c7a25ef378487e088c339e315df

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

MD5 4a7ed761663ec45d5e2d1fc388ff6f47
SHA1 9dea55f27dc13630a7664e0502f92b3f68d32fb4
SHA256 8626a860bb9d730557bc5bbceef4c03e18fb6e78434418d82c5d2fbe3e0a0dd1
SHA512 dbf69885ad2051048422fb5a2372dec4e1c4962e332dd3ed4b6e52cdf8c2944f45574e0d5ba935bc60214e8ed1d43acaed2b159546a177308b9b38778a0681fd

C:\Users\Admin\AppData\Local\Temp\kkQYgEsg.bat

MD5 133ac42ae0be056a55519001f2d3df9f
SHA1 28c58d4891ce749a7c3576588bb6723665cd60e1
SHA256 29bbf91312c977f5156fa22f8c230e342d6b5c325874756b1b994fa749279638
SHA512 4d1d481717b2242016433fff23f00fd232c96b57405fc8f3e35a67fadc3859ef2eff70c39b3042ee70c5248baf401fe142f7dc5578403093528119ca16aca712

C:\Users\Admin\AppData\Local\Temp\aoIU.exe

MD5 14e093b43f039e7bc877ced5faa4f896
SHA1 08c1e3217bfc887b3f1ed973f6f68f0de9290961
SHA256 6cbc307ae08c8285c2c1d4b9bf67ef847a2404f049fa33e7267b0ad6ce6dc10f
SHA512 746411a92a8632c371c0817aef0b36b8cd2779e4436f92e20216aeb7256c09d099238efd478774aa6f4e3fa982b8e353c01e851022ceacc19f4b7ebf4b45045e

C:\Users\Admin\AppData\Local\Temp\SUAQ.exe

MD5 ad730767aa14f6bb1fc22cf254b620ad
SHA1 7991ab59664688cb000e5af810fbb00cb30ccf6f
SHA256 840b48e93a4e354d44e97a9f0a3a67f655a6fd1e8d218251f4607bd14121c7bf
SHA512 2c3ac3e2f2d9b1a975752086d2f526efa5351ffb6d951de198910e03ca0f1db20c9c6a772c733654cf897614ff32df40490bc7fa340b1c8e67d50db9e173e62a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 f992b01bb28dce62ac0f21bb1fd69f5b
SHA1 df9c8765525c34b9e8a58490f120fa96a6d8f5a5
SHA256 d2f035c55ef7acdd04c15dbc4c7b7026cc2862e412ef8fc60537f24be2bf6805
SHA512 946b4489a670fb448fe4c8e5ec2df6f2fd44eab817e4e0291e9d7a89eac7911f7d719b17509bffc7f09deb6a2272f1f96cd4c959be9602d800220249591a7f13

C:\Users\Admin\AppData\Local\Temp\SUoQckww.bat

MD5 7107bb57781714b4dbaac4b13929caea
SHA1 0954affa878ba08fc9d7a448580b1438f1b8d511
SHA256 b173dd008d60cd48bf0e11cb8aff93542514a40c58eeeb513f3fb36050d2af74
SHA512 d053379c18fdf6c6bbd99c1874e5ea7c97cdefaa83bfb7c07ad6b5c81153cb20371a8eb5ad0ed48487562014cdaac008ca8b29b5d96c56ad41f2219f0e85c748

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

MD5 f749363e632c902c7510f7582706583f
SHA1 1a664ea5a730fc522e0d6bdadf6366dd2c26614f
SHA256 d33f66398490930aa7dd1ab6d9a829708cb5320944b29c75ecc8f9672f69cbe1
SHA512 94956ff8dad97a7c9dbe6b835f80288e8730a11524f7982799da451cc83b357172adf1011090b8b9e82cfa0713f606dec04f9ac03ed7d9b552c7f34b2f2b25f8

C:\Users\Admin\AppData\Local\Temp\cKIgwQQk.bat

MD5 9e608ba75b0f1ad8bd686b00f432e7a8
SHA1 4df2b07afbfbe35867a517d9d2063cbda77736f6
SHA256 bf8e06666295e18571e43b6e8ce675f7313f1d04f0a2dbeeb39834a5b33fa212
SHA512 cf2f90d3c491d39c516aa5ee7b2e6527ef5a885f30bfb80008ad09431b8110369ba9cee223fb9a04c5f7e96688b5f65e2ed0d4eaaf56b3465985ca8d3b3d2c73

C:\Users\Admin\AppData\Local\Temp\zuIcoIoc.bat

MD5 6e21dcbe78541ec664b9693f2b465dab
SHA1 22c8224cd1d56d0761286c90084d3ed47497222a
SHA256 9ec2b854d8e230e3898c7ec32904f2b80ccc251521ad411c3ec2a909c53acf1e
SHA512 10e7263bdd6833a6e66175413a3c6ed6f9db06ec2954adb842ec1840ea2d63ec3908bed9f4c1df5a5a8fcd0637091fcc5f0ff6a39d8e3c59e75c5390ff055c11

C:\Users\Admin\AppData\Local\Temp\YIUa.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\MMkk.exe

MD5 f56a0f31bbae6372c6e55af661b6cd5d
SHA1 0fa102f1fa5046f0e9afcc6babaee2cfc59bd821
SHA256 13532c8bbddcfeaffb014c7ffb5682305f74d8066c5e69da15bf6ca60684b1d1
SHA512 80f697992e6764b33e98cfdb55e773b8e10a0f9aafc79365a80d654436405a0ed2fcbd60f075021afce0918823b92c88356e2c35d525534be6ca7f30c947658c

C:\Users\Admin\AppData\Local\Temp\UgAS.exe

MD5 78e24330d0437123838fdab416625d67
SHA1 96801ccffc14b386de66ed4f33393ea1dca32287
SHA256 a4d4131437f21cd30959e3e051f4466b2beea3110f3b660bf091281cedfaa52f
SHA512 5920fe51a90e6886b08e9af8a83134ca8f75ee21d14f7882af9b33991e032e8a41f141a5e50051b15c44ff582c9da4061f179a3d380d6cdb064de8afed54c676

C:\Users\Admin\AppData\Local\Temp\EIYC.exe

MD5 dbd9d66d9745bcfb5be281da90af3ce7
SHA1 caa4480c3d676c3294ca82cc6d0263dee10c387e
SHA256 5a4acb264bb2acd56ee2ffef226bb3f7e8b683bf9f1463a414467670e6cf3fb5
SHA512 607dacef043bbb0b81ff65abe40c94f675626e12de187a79455b281ac8d4d31bc00b80ec41dbc84036f77b666fdcd463e327dd3f23e5eb50f71a4d399575027f

C:\Users\Admin\AppData\Local\Temp\YQki.exe

MD5 589b53cf46c1a817ea4a617b5aa224b7
SHA1 c03d9939a99c2c924931c3b2508935c82abc5f5b
SHA256 42d0d38b83f6148e5b1b84ecee3968fa57f545732ed2b73a547c19a865eef84d
SHA512 2b3a4af5b7df25e5084e98312b98afd3d2af9ba2c86a730a99e8246268a3b2f6f808682f7f8ce9488712686ea12d9a961e92d9d3b3d29241e11b8988e33c3eb4

C:\Users\Admin\AppData\Local\Temp\rYgkMEUQ.bat

MD5 1c43a4ee7970affc286ccfb6d4a3e5aa
SHA1 09149a33208829171d31c11b43b81cf2ea1ecf31
SHA256 da92962fd14a5b0420a36d9bc36bb82bf281114a8b5318e584bfcc81504aa6d6
SHA512 7dc429d7545926a333dfa4a0cfb32a54798ae769cffc566e030be7df7ad53c9ad4cff3d7751d0d26119bbc11cb8bb927bf57a38e249b250eb8ba3089d60cc8f8

C:\Users\Admin\AppData\Local\Temp\ysQA.exe

MD5 bfe188a9b479fd83a138eda7a8f87fec
SHA1 f1a7af7535bcea323e59edba8b262b0ff4c19e2c
SHA256 1c714abf7f54e6fe1a533c2a002670101aa135c548c31220ad8cc15d86b13826
SHA512 47ae2282049df723a3e8245b70cef21b172c1d640aab5c0f72abccaa09b8d5b8d5fbc339599085fe804e9c84f2ec034c63dc0df4e8e7e057926e3e4602f0d883

C:\Users\Admin\AppData\Local\Temp\cAce.exe

MD5 2705a1b8617a145806f78ec5c55aad00
SHA1 5f8d01de734a58d28ecc269891e294c52baaab0a
SHA256 ceabaa94f71dc665baaca138fe0878c40eb4a65fd58291d669f972a7267b5ef7
SHA512 0c57ccb70b7c9543d6fde8a26c25a81496e901e116cbd0dc077b4cbab9bd4ae0214f6d12a8de40f7020611edccdd8ddfc31d89558994670787f4220ef1239179

C:\Users\Admin\AppData\Local\Temp\Qswy.exe

MD5 503c4e8dab27f2f361b841a7688a9dd7
SHA1 d7b4c153240694672b33e1d3d019f7cac6982367
SHA256 c8c93985f627c1a2ab09b2becb0a0e7147ba041a014c0806b4b649e57a0373d7
SHA512 26cfb9749a05a19db9016af7e93128376c4e25309f920d2f7374742784b52a6bf467c932a5d09043eeeaedcf2ef5e9f85c2511e1e09951b690b81644a6026313

C:\Users\Admin\AppData\Local\Temp\xowkUQEs.bat

MD5 be815d74feda9f5617f3da0cad8a3903
SHA1 b77bdbba8f5dd2c68328f696eb79ddf002687682
SHA256 74146bc7dc6caf2d1b7b5b37bfafc662e1edc3b1c86a509d987b2b883882de32
SHA512 09e33404499a20b7fec98ea8272a1fad92068474eb8105643d5c55cfba0e90bd49fcabf8207001bdbd00688462c8c434304faed1d79afcc8a8a5ef746cd9f44e

C:\Users\Admin\AppData\Local\Temp\Goco.exe

MD5 8c20b7a19d505b38118a68de579be1f2
SHA1 0b5c551d4766ba3b1c7c116d86f68fda71b407ae
SHA256 ce27f8ca253b2f80746508d57b33187223e8aaa516d34c5114d3eaeceae3703e
SHA512 7b7d83ca394568a9ba3f1ab47b677db989cf0ddd882b22833315c89cf0622f2fe49c9a026ddf3a5ebafe442064d7fbd49d056237c5cb8da3703ea63eaef0a72d

C:\Users\Admin\AppData\Local\Temp\Kkgq.exe

MD5 7b9b656610b25e0ddefb90aad2d343bc
SHA1 16f72bf444ae6f61bf347fa4a25ebe9312ab2e45
SHA256 428c014c54d7cfd7d30706701c6136309f6d45f892992dac314a24f09496d0d3
SHA512 d642dfaf07fa304ef7d8ccafa971f895802b1f617ee89a9759a2b31b996d237371505df0d8fb18095d0f5499bfee24a28f8ed63723383ba804fe7ebf4de241c4

C:\Users\Admin\AppData\Local\Temp\asce.exe

MD5 90eb5177b49031c570aa55b0d1120179
SHA1 820c146504fdf3901be8cb8cd248d6955cbd5b16
SHA256 36cc06cd50db587c1d6e5c48b06c2d5798e712e263e0711802975bd4bb23ac93
SHA512 a6c35c7818b0b7fe59819404d4786b474bc13bf16ff881e5811b3a81e5cd20e967230dc94e6513c618fb61b1803975b1a113422b22d52663884641711faa69e9

C:\Users\Admin\AppData\Local\Temp\wQEg.exe

MD5 db407d1a5452519539af1cc136a94a1f
SHA1 e1284dd24711122818eb434ffc57c975566ae4ee
SHA256 e6d82a4947e000d75e91d917d8575d0794bf7e6e7c05883fc6ea090ff2fedc27
SHA512 bc41aaef7747961b99027b1ab0f8269e721a45ed682a14c09fedff2c51ed7e453e8ae2160c2b96398761833fe6b063d2746808d82bc6a997cfa6fb24e11fbcc1

C:\Users\Admin\AppData\Local\Temp\veoogcYc.bat

MD5 7d084de1428596a03b10a6542eb8486b
SHA1 f3359e8e6866b5daed5d55d2c81c1c21c3ea2140
SHA256 0aecf75cf507f279368203b3805ebf2b262eb649e00d66e739e1829bd97263ad
SHA512 9c78e09a80cbf6adc282c48b305dcdb0265a831a30fa6cf3b579027cb343ba202d049c3823c93ee3a544409774421a6693998a999caf7e0513031062490a09f8

C:\Users\Admin\AppData\Local\Temp\oMAgwwwo.bat

MD5 0d599bd9c0bc9399054c89eea32fa537
SHA1 df07dc84c6afc0e86331b3f6ae626313f9682411
SHA256 0d3f1d299adf8169d9e3f7903277dc8d7889f9600d5dbf1e3309bf340613f7e8
SHA512 8ef9b393bfe2a340645067f8548f84dc8786a951f8700489a41f60ed32fb92fa75e3d86bfa3155db44e5fff81b7dcb39823e6b9edfeba53cd610505a26134a6e

C:\Users\Admin\AppData\Local\Temp\qGcYsQYo.bat

MD5 66ff4efa2e13aaa7a24c04e78e54d092
SHA1 268ca1299c67e3edd7acbd1b25304091e9c1b242
SHA256 8dc7576ddb271cbc8fab19160286fedd45640ab985b4896d0b539aa05f7e3aaa
SHA512 f5759092b62956aff190ee15a2c058d936858d1d17e8e92fe6509703ba07f12beac5ae70496d7f85b24ab866f0836f49feaa94bb4d390390f5fd52edb65f3f76

C:\Users\Admin\AppData\Local\Temp\KmsYwYUM.bat

MD5 db9f0aa482e2f9c9a76f0041a7064990
SHA1 56c8e078f0d3bc178df4a9da0448d1f10ea95a0b
SHA256 af34279a834861425df765a09d5fcc21e0af2e2cdb2dd27916f8b5a71217ca6f
SHA512 34962b3f8402559eecca1d6fd019c7c293144d7627fcbb12d25f87b93bdd79b8d916827d5f8ba2e051500e6a2a40be95624e7e0b5ad3968f28b3573ced43a930

C:\Users\Admin\AppData\Local\Temp\YWMsMUwA.bat

MD5 f7ba1bd58f075838ddfe4a9df5f81ce8
SHA1 623408b36020c7b349ee720a0b1e841c19ec0094
SHA256 51bcc56c5ece533b0cb79e59e287d06a223d108894e9625ef6f887970a771163
SHA512 ee05caa0a8b1f94396ebca59c92edde0bb50b0fb5b2a8624f62651b7804b180aafa1dfaca8fe3036444545a2606fa04a995924ff3b9b5ca8df469b3b2b3800e9

C:\Users\Admin\AppData\Local\Temp\TgsgQUwg.bat

MD5 fda06c207933cbd59c58910f8bba9bb0
SHA1 641da2b85d6d975733766805cf9c73382d084ea7
SHA256 533b7e2d59637f984515f4a69c4e913f21f9e14f13f06160c181e90ecd9ca165
SHA512 9cdf18f47388ad7117d53e5df764b3fc8165e8bc38724ebfdd4887914f50cb785d1a9e35e156d9a829fec74906253455c3b21b9bd57585d0ef52766666fa747b

C:\Users\Admin\AppData\Local\Temp\ZuIoAMkM.bat

MD5 61145b547ccd1adbb890c19bcd2c8526
SHA1 d1f2dced993bf57560b29c822e008c4d7c4bd5b0
SHA256 5e5a04703508c2f2e3009d68576aa6b01132ee7b0141b72c3c7429f57a27bdc9
SHA512 b7c004b05da9ae2064a1816e079b695ad9ab8cf1065d93bc9bae97aa44bde7213f76effff98176adc4b5d84c5928cfcd0166417379ba74203b9ddb4978e70ace

C:\Users\Admin\AppData\Local\Temp\HuMYYUsI.bat

MD5 76afd0a6c1a84d33d4c629dc5db27da8
SHA1 3300f58d150155517e82440f5ccba205d2dbd023
SHA256 ccc1b81ae27481853cc15f27f306586e251ec17d03b395aa0c1bd6f855e72d41
SHA512 1795c7f1ee37c43451e6e5849a2a5911f011b95f30bf1d3076ed97a60bb148c04ee127197dd06997c3ac73d067cd031825f7e3663aee2cca8694615da6c669c3

C:\Users\Admin\AppData\Local\Temp\howMoMoM.bat

MD5 4363dff9917bbe628af7489c6921b85d
SHA1 22c94faa285800b4ad5e0190732d09889aad864d
SHA256 98684a4aac3eda77a21da2d2d7cb307328cf78e2f7db28eb96fe0e3ad3bd0f36
SHA512 175e7b889f7e16193eef811f33c5fbdd157d583cd7b48376ff7f55549294670e6b2f06d1d345fd7b760c4e072d2a83e6ac639c464f11b3f93cd4b117c218baf1

C:\Users\Admin\AppData\Local\Temp\WWwkAUIg.bat

MD5 19442a13e85d6ea8a9fa6e83b49e7fc9
SHA1 facc88125185d9fe5d94e2f8c4b7c1beb04b5742
SHA256 7e27b98da30ebc6057adc21bd8d71ba8ec0f522aad7e3fc674eb42823dfcbe21
SHA512 c19954d838e8b7a204edfcdd61cde47e3754c8ffe858bd6aadb7dde7fda45bfc657fac6986ad0bdc68c5d62855170ddc1bde4d2243b6ae7f0a6687531f1a40d9

C:\Users\Admin\AppData\Local\Temp\YYowUsUI.bat

MD5 d3bc764ad9348837db8e317aa7a09ff8
SHA1 37244ee0638c7549209739ac89716a0abd33448c
SHA256 b8fc7fa111690332587a7f662ff551a7f96507fbe381262505eb3423b9327204
SHA512 d8b33a97c2f33e02cd23a6bf46020c5a22eb46849176b8e3deb6b515bce1ddc7e6e8da629c2887ddf88813a0bb6976dfe40a269b5c98c34d36d5f9085203499f

C:\Users\Admin\AppData\Local\Temp\uwAEAwUI.bat

MD5 29b6bb8a9dc73199872355609e87d034
SHA1 3b4f534d95e8aa3f20a2402cee853737051c7ecd
SHA256 9c17dc81a7316ea8890fb6c9939584115682f7da866cf87e27bfaa68b92ee90a
SHA512 e87333b03a12cdd89471375d47ab9cd74c6b65e33311a8d5b9057f1ef2af2b28ab1a059717a355359fa34340dbbd5d32abf3984078120aaad02f5dde7fd4b3e9

C:\Users\Admin\AppData\Local\Temp\SqcAMkUU.bat

MD5 bf90b5e513ebe883d8ba724d5042288b
SHA1 7358812cfa6adcd408712ce5b28cd76159533eef
SHA256 fae4bb6155756afcd649cd787b98ef9a1fddeb7a5c75cb39a8c1843549d6d205
SHA512 59f64d3a2f805a1b7ac0fd43247fb660cd6baed6942331c64a56c67a1149a3315795bba7581690f1f3a67d56a8441a5781aa7f6e136bdddaece38cffed576858

C:\Users\Admin\AppData\Local\Temp\QkYUIwUY.bat

MD5 e8bb3848a3db0bf89fa5ec9cdcf0b5dd
SHA1 d4ec4050d098ee663d4a5feff6b1f835fc249914
SHA256 b9c84d519a6346fafc9f89f8f2de067e43f139f1872a5f3e396428df6eadb34e
SHA512 67ac3e5db3babee7d8d0e9a07454a8f621eb265394ff41507ce4bf5818917dcef514f5201766285f01631df3e59e67d04aa276dec7526ca332b573d1f09bba7f

C:\Users\Admin\AppData\Local\Temp\HmEwUIcU.bat

MD5 41f01910b993cf81156eaf34048c128a
SHA1 4dca377301592a526d2059517e95bf72a12317d1
SHA256 9bd25e848e2a42eea45622bfe3de25a603194cd40cf185cb5de6e34a013ad304
SHA512 2b1c788c4f60280221bb9b82705a182d4ffa24d7fbf8e2f590ee5c15f53fa7a13f06f7da69bc901ec11ffd75c687bb3f51392c2120ec7d75b2ed8e829b4b4be6

C:\Users\Admin\AppData\Local\Temp\fcEMAAQY.bat

MD5 b45f6b0da3557b964ee37ba69b198f74
SHA1 2fd38da242429047fe428f4d49be8ff3712a856a
SHA256 203d6a7710041df27298a5b46b09e6a9f2952def039c775a789a1fb7b438bd28
SHA512 411f3a7a3423ac571d12c03dd126a355c85135679028c08dcf929521998336c9e60a99e5f5634325ed7a09a6270b18a6cea40de5156c37f1c672f982d1759edb

C:\Users\Admin\AppData\Local\Temp\LkQAYcYM.bat

MD5 2b3e3a8ca5b8fb3dc889bf96afd1170b
SHA1 1849d1f36f60e5fb5d15b16fff85d3b9225c1b58
SHA256 57133a43566da1e80af685a5f356478921d955f3a212e6709b7381dc848432f9
SHA512 cc4856984243b8e93950f546c058eb55f53a69a304cd75ebc4e90367ac304ef669399a2dc52aa905f65c6b57b07a22d94654e04e6b0f2584e42f1d5a63cc867e

C:\Users\Admin\AppData\Local\Temp\pcEgggYQ.bat

MD5 698a29566a76708cd0e5877bf8aacee5
SHA1 f102ce4cefa40c606b85ab9c594f5de799b6454a
SHA256 72539504b1f1f8c28f2cbef08691e6c6d621f521e750791b59adc226487a3808
SHA512 671b2f74209c1e317791db4c301454fdb0b77418e95060c75bc53a009cef0bff1984e750324305c3e302e828624b6680b7c5bfa0220fd6d0958ee004281b6563

C:\Users\Admin\AppData\Local\Temp\cwUcAUwg.bat

MD5 22a1d0ab83165002cd87621aee3f80ca
SHA1 374d310b2d952829a5769218c31c2aeef12c64e8
SHA256 fc0401589e85ee2ad4f0b12f7d8e279f70b8842b489bcae43c4d4d9ebf33e509
SHA512 d751864bed7cf3cd3a6c6260c16894b7fb231005625b782efa96cd102cf0e6c6b0260cba4c0f62ecc1005d628dcfbe49386126f24c495eddd7bf85d85e68e837

C:\Users\Admin\AppData\Local\Temp\AGgQUgYo.bat

MD5 d534ecf5b3eb217e02ecc878c4996506
SHA1 906a4a3799ea4b1b6ed35fcd1d50230f18c3bba9
SHA256 b03f45a58dc871cabee5bce7800fbe577a92c27206e437654eb2e79a98ace2b0
SHA512 2d377e6d6456cae091d42fb9b2facc06242384a5a76ac3980895127f301eabab76f5ba085e4f7fc444e1bfd61b9f497de5732ecec8f06f8a017b375eeb1d1af3

C:\Users\Admin\AppData\Local\Temp\UIEYAsYs.bat

MD5 e5cd5f91baf8dc34dccd78cedd3600ad
SHA1 fac38482c025287ab154adfb2257b80d5c162787
SHA256 51c1f96c731ff7ee374f2cec26183680fb08929c8e8e7396e37bcab667be6ad7
SHA512 b29a335a03c608df074b2805a997a5e8703b0232e2c23accf302a92f3f82e98cd1565c5c550ab5daf508b00f1746836de17405c2e33efe10220230b55892479b

C:\Users\Admin\AppData\Local\Temp\oQEwYMoM.bat

MD5 a7bd22872ee3ba7b25762e44b6ec652a
SHA1 c8a9053c751084a0501b4c4c20c9ba8be8ae1d7b
SHA256 0919a965ce9d540c9dec6ca3b59559ce73198f20a933cbd1847fdf6d91e53c36
SHA512 075025a72f71995f38dd033d2aa028bf143128c1cd8564a310a602880cb77566122ada91ba1c1404612ff80186c46ae8543e28706484753018d6d128d7f8627c

C:\Users\Admin\AppData\Local\Temp\pOAUcAws.bat

MD5 622a03d2f968cbe6fd6aeac09adc318f
SHA1 569ca83a2faa468729be8a4f7661a5cdf5a788ca
SHA256 257d0f414211a7dc3d25c9ea7b928d06561bef88534263edeb1a2d6b7cbcca07
SHA512 68f163218f1eb34754d843b2e7bcd33d58914a10e3295f08697360a1a2f0d1730abf0fbc6f96663b7e4c0c8f7f3cc174fcb516993c373bc1833e370f0d3f695f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 11:56

Reported

2024-06-12 11:58

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\ProgramData\TIoYcowc\JyccYYoQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hWgkMAsg.exe = "C:\\Users\\Admin\\eSAIEgkk\\hWgkMAsg.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JyccYYoQ.exe = "C:\\ProgramData\\TIoYcowc\\JyccYYoQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JyccYYoQ.exe = "C:\\ProgramData\\TIoYcowc\\JyccYYoQ.exe" C:\ProgramData\TIoYcowc\JyccYYoQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hWgkMAsg.exe = "C:\\Users\\Admin\\eSAIEgkk\\hWgkMAsg.exe" C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A
N/A N/A C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe
PID 3472 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe
PID 3472 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe
PID 3472 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\TIoYcowc\JyccYYoQ.exe
PID 3472 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\TIoYcowc\JyccYYoQ.exe
PID 3472 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\ProgramData\TIoYcowc\JyccYYoQ.exe
PID 3472 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 4992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 4992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2960 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2960 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2960 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1940 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1976 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1976 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 1940 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1468 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1468 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3468 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2156 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 2156 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe
PID 3468 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe"

C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe

"C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe"

C:\ProgramData\TIoYcowc\JyccYYoQ.exe

"C:\ProgramData\TIoYcowc\JyccYYoQ.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKUYIgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmcQUAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyksYkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgYssoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCokEYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYcYoccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcAooMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOIQcskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAEowogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSAYgMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAwgMoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQwoAwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcEIEAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAwskkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nssgwMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaIQwUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCUMgIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGswsUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEkQcMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGoAEsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYwokwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xisoEsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYccMkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYksgwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQwcUUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQQAAgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmAAwgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmcMUIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGIkoUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIkMgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIgsYkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiIQYcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSkUYQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaoogIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wogYMwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUEwMkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSIkoUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSIckYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaIYcQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQkogock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bawAsMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PywEsogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwQsskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAAEEcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIgokskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMoUogYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMIEwMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQEswsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUoUEwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKEwsksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laEocUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIAUsQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWcUQkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgocsQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaoYogoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaEkYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqkcIoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAogsoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAggQkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcUQkgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIEUMsIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AygQoogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsEgcMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYgsEwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoQAIAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqgwcoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xukcYMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IooAcAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUwwQcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEkckQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKgYMgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUoUIUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeQsAMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkwEYEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAYIwQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgwwYgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkIoYckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\macAsYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyckIUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCwMksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UckEQkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEoYgwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMUQIYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGgUsoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOcwQEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIskQcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoAcYMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcIkMocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSYMMwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEAUogMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQcAEwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeoUMAws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiYUIIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3472-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3524-7-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\eSAIEgkk\hWgkMAsg.exe

MD5 db748648279051da35e99d0a3d7f2d34
SHA1 ed034d17d91412ce5a4f684d68df046078e68b6a
SHA256 ade19b99a4f8b906b23fe89c788df57811deadd55cb3cbb6680eac6880c532d6
SHA512 ec8350c066640b4d1f04ed4fb762a4102f740d4eed0de78d64761296c72fc171f8c4417b848575d9a37b280f5298d9d1f74b36d5d832299920078532f2741a83

C:\ProgramData\TIoYcowc\JyccYYoQ.exe

MD5 dbe76787204f908e093acadd5f150ce7
SHA1 bfd17f6a22a1610fb786aa46436d4380937a261f
SHA256 5b93f4fc33c9039fa4a40fe00842e9952337b5a580605e3c1e90a3e6096995d9
SHA512 987fd012ff385f7decfa1197a2f4311c056160d966499eb4103f30098b9453f7f463292134bec114b7212b8501dcf5a87bf14e68e378e408ecf2e15352fcfab8

memory/2604-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3472-19-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1940-20-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fKUYIgsA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-06-12_8558b6061a1e6e2f11cdc94cb4af6284_virlock

MD5 eaceccfe7af04f19a216c26f2791a458
SHA1 7b9087b51c7dab7be798a4e6b1c128d204f1de84
SHA256 0d792889bd18fbfd06914b1314fc632108f4d284a6147a25b146fae82ffb9171
SHA512 89579be17b6ec7a69b5d8dfbae36cc09b90711429a4362ab8b6a0281d88fcb0dad2cc6e9c3f3a88bb5be91310a9b67cad482558db0bd356ea025c07561a768a5

memory/1940-32-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3468-31-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4396-43-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3468-44-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4396-56-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3884-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1856-64-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3884-68-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4704-76-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1856-80-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4704-91-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1696-99-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2996-103-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4000-111-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1696-115-0x0000000000400000-0x0000000000421000-memory.dmp

memory/232-123-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4000-127-0x0000000000400000-0x0000000000421000-memory.dmp

memory/232-138-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3084-141-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3084-150-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3992-161-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3028-172-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3640-175-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3640-184-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4744-195-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4180-196-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4180-207-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1712-218-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4476-219-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1712-230-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2344-231-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2912-239-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2344-243-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2912-254-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2728-255-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2728-263-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1584-272-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4344-271-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1844-278-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4344-281-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1844-289-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4716-290-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4716-298-0x0000000000400000-0x0000000000421000-memory.dmp

memory/492-306-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1856-307-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1856-315-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2700-323-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3024-331-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2320-333-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2320-340-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4384-341-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4384-349-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2220-350-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2220-358-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1860-359-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1860-367-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1936-375-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1212-376-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1212-384-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3028-393-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2408-392-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2408-401-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2128-402-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2128-410-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4584-412-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4584-419-0x0000000000400000-0x0000000000421000-memory.dmp

memory/716-421-0x0000000000400000-0x0000000000421000-memory.dmp

memory/716-428-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2756-436-0x0000000000400000-0x0000000000421000-memory.dmp

memory/5016-444-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4968-445-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4968-453-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4408-454-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4408-462-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3348-463-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3348-471-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4976-473-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4976-480-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4124-483-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hcgi.exe

MD5 ccfb02473fd1a16b5a27629d2756f0b0
SHA1 5d31ae9f816123b63c89dc27f1075ad02c684435
SHA256 fe05f334f08e28cb9309072406af029c5155c3a527b74efb6450eefd86c8ad59
SHA512 38f433297ecb72b4271ada2bab5e2c290d8f47fe285e7676af5a6dc25d8082bdb72dcd7cb7211cbdd50fef51d20ea1b860d563ade3902cfe651a27f7e6367ef1

memory/4072-506-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RgMi.exe

MD5 53f02be2318143717638256e434cf8e8
SHA1 41affab9423b960c7f02947da735ee08f2815742
SHA256 18cdc95202b9a34aca82d872c2e0922778fb53175307fc666cf2def953d1fea8
SHA512 2068bf7d3e8e78abfbb01daf2df5512d46b64ecd266bcc7d71f93b01f0a77214d929a69fb60d594e0cea75e298742dc7f76eb5efd144304e09aa6774fca1c110

memory/4124-519-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FMkq.exe

MD5 ddac80a671ad2c821b0e8060925dfd2f
SHA1 9757182a6ac2861a4cff6dfdf5a0a15dd5b23925
SHA256 4fb6e47acba3386daccd33ec3e379fabb282a3724f162cd1a4833c88306e5244
SHA512 2357f9b18c6bc948eb44dfe274871c6947a27ccf4e215eaea4e5217383016dc0357839dafdcbf5222c4bbbde851b07629166475c27bbdaa4e55f05809da3059a

C:\Users\Admin\AppData\Local\Temp\VEMS.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\vEcm.exe

MD5 c0b4e5c7eafa219481a374bd2814f77a
SHA1 d124fc9ededc708118024fa6b4239d0f2c1c97cc
SHA256 aeebb6d5145cdf162eb7c42551dc19bdc8a8bea6b12f18dab845540f40b70b46
SHA512 71e5c28eb39521023314c36ea85315968883df09ecfff2cbc7c7eeb816f1e62d565b8bb529125fa172f770cf3f8314546f68c5514f5c986f4b5050f18655ee33

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 f13b91b5899573e0b34886559aebc9e8
SHA1 dc24cbf41073368fe0299baa39f795d258514e95
SHA256 57e2017ada12c9ef8122b093ff2984fdf2d6e6a16db5fb0da670a0d95e4672fe
SHA512 f10cc572a7498e2e5ad747af61a77e6834f9e585c68944b5e078f81a7f4ee2f1a3a9a4ff7809e9c6c1552b934b0034c708f280c9243fcdfa98e5dcc454e1f541

C:\Users\Admin\AppData\Local\Temp\Xswa.exe

MD5 3ce73dbd174f404ef73e53e2c3a24811
SHA1 89ec408c5cdeaf6f759475c530d651232e131882
SHA256 4765f988a974df3a351e7795595966b1671f1279e24ac03071515ddb5dfcd252
SHA512 639c9e97399be9e8d2bbccbdd31bfe92cbde7482d4fff275dcac28d84ab94ffbba3de6013a838bfa0291648484c31d92308a4e837a406cfd5efe87984b5330e0

memory/4072-583-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2000-584-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQAM.exe

MD5 243753af3117e5a830a41c9bfda5f0f5
SHA1 a64f2f64bf7ce85832a6d486153ac1257424d887
SHA256 ccdb92b956d63bfa5375b7512620a590d477b57f311af376246f85d0d0eae411
SHA512 ce73bf629d49abd635936856d38f41c0fb9c98372bbedfc8b57ed9f55b54d317d0a0a4d0a0f42fa659ee0229ba5afbb3c0eb724a4f7155cfc78f97781985df4c

C:\Users\Admin\AppData\Local\Temp\lgAk.exe

MD5 cd89d1a6cf39c2eae586fb00b25d21ad
SHA1 854969cb6a5c0f2fe0c25b60417d47ecb835f28f
SHA256 f83d8d2dc29cc8c97463b24674747fa0c0b8563c9eca0d4644f0d7635ee58597
SHA512 63d8045ba0e599f957d4ad33b671cc661ed4f7e2bf181b919fa25736974dc5237fe14b064795dce8c04936f17b9d7bf07c6d450b55c16488902e9cf8f462a024

C:\Users\Admin\AppData\Local\Temp\iEMQ.exe

MD5 2c550ddba24b9226fb1e3f78c2eed9ee
SHA1 4b44c2fae67505e49a9a6c3d49e130b1460ccf26
SHA256 9975e69aae9877cddcdbb8443314fd19a6e662eab47c706c07443017ada0e04d
SHA512 26977e6c5ee6795c6835afce52422e983ea2b45a837e7ebe9cd89500f05c04e2dbedc1c5fc4420b55c86cb6202390db778c3a57200e7746eb12a6d795efd31e3

memory/2000-634-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4400-635-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HkMI.exe

MD5 f4c3733bcf2287d92e50fae22d04b8a7
SHA1 72ad3c01212878aad2f9cb11ac9b8c93da0ca20d
SHA256 568afe10bc8b1d3d8ed7946682301bde7f13a56d12dac49a0d162492c4881f22
SHA512 85ba90f2129735b8d8400348bed3ff28e9574c0db27efc5590c08d194087000607520bbd213d0e0eb632dc68881be77561c3b9ff456ed9be68a6bad9169f0681

C:\Users\Admin\AppData\Local\Temp\tAQe.exe

MD5 876513dd0e87de79107f3b621e866e5b
SHA1 7c75d6edbb2906abddf3ce7caf593ba8dcfa98b1
SHA256 51a803c4f9275185b2a4509b8daa41bba01df052f382df10861807c119bf4771
SHA512 407bf0664da224969bb25820633e5eaf41dcd8a87221c4846e0faac08eb1447af8560c6430dc1e3364b0d6528a1ddb2b006bf0e2eb5253c51690b20057c63c4f

C:\Users\Admin\AppData\Local\Temp\cswa.exe

MD5 a7390b1740cb2075bdf470551b434330
SHA1 d5a349416ca41e1496daf6126b3a60c814e094cd
SHA256 5b6b72b1d943bd7f34ebd948d5eca0b2e1dee2dd7458bb9fce17f90e68195406
SHA512 d28148329053162fcb90a8688f44fe427ba8daf91bbccb5b6032dce0b4c181a8452a17dd96c45501310bd70b2e8a63f7634170c8ee93be4eb8dd94e7d3b377d8

C:\Users\Admin\AppData\Local\Temp\HUAc.exe

MD5 a7cbf0d7e91689dd5a98c3f847161c50
SHA1 c48841398287f7c512cfcbef0a3a42bd787eb217
SHA256 509b293931514e4d11ade1d4e7248906ca03fd800f2e9c6a835828d431ddfcd7
SHA512 46b2e619209030499b1cc8035069eadad93d9d85757eccf1a72a60bddcbb2209262632a75fd66b90f635c0473559290b19353b3f9e0a5474236a7306145813e5

memory/4400-699-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\twwi.exe

MD5 3f1146bf4f530b5899aedfff955cafae
SHA1 bafa0e1a2d8e10c428e807e10e26213159f943df
SHA256 8455a99f87eb8d9cb7d59fe3493f4abe7550eaaa2ed57b7d10bdd72521c35533
SHA512 07a206ac1a3c1067c43759c7ca2a5f4d39c6efaa5386048af07d6ec8d2650e353e90dfe521baada5047b0b0127b9a3f5099791c71c859c738b3cae2af38ff8e0

memory/1752-714-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TAIs.exe

MD5 68ff889d5bf579675b7697270277bf14
SHA1 22824a23280a8b434f1c8b9acce52ea1f592d580
SHA256 fd0d894995f02d09503627ba15e6523bea075c2b3bf7362cfb6594fbbab3c617
SHA512 155d23fd40714ddf504d66b93b655032ef14629a854e8ae918542f3ef0c8cf53577de8a061de579c5e3ab6904e5e8771c1637464b23483f8ffe3e5c236a38b56

C:\Users\Admin\AppData\Local\Temp\VYQm.exe

MD5 8b0c0290006e415f5ae1010db1361648
SHA1 ce6727ebd3ae10b66a8fb2cbf95fee783908a371
SHA256 8bc4d27f1cad4219b968849d5fc603b5140f6bb97c17ff21ac190f972678ab46
SHA512 45397c598b6792a6e0cbb658df899f80365419ced51d328235f4a56a62de8d7a6f1518d0728930ce42c3306aed9a2b3785ac3bd5ee63ee6140a15780c5ec2302

C:\Users\Admin\AppData\Local\Temp\Twgg.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\NcUY.exe

MD5 258f6732e84d911f5effeed636eab93d
SHA1 3e775f402b17c129cc8bc2fddac8baf4f1ba6349
SHA256 ce0c184d8b9bc76cd3eaa98b54f5cd699f602ac9364eb610bc48fa182844e8a2
SHA512 4a76df7b894f07575d423c3c5fb4c923f56e4abcdeb577d0b80be30cc1f6f2dfd005efa98048e36cd2e829d8314ef3f32ad07d7affe49cf36f1b7ba7b885c2d8

C:\Users\Admin\AppData\Local\Temp\rQkw.exe

MD5 ede1d6ed75d2589d5150d3245631bec4
SHA1 eb4261eb8f1c072857b2241a365995d3c051ba00
SHA256 f13f7ae646ed177b8060342332b3f7de3a188c3c10ddfd946d372e2a9616735a
SHA512 363afc73a734f09fe9a8ec64bef94a33327cddbbece3d17c8df3be805734d7d88626346030447740ba165c1f406db6d57408a9c727f95f25fd5e614e9f6edcb9

C:\Users\Admin\AppData\Local\Temp\mMYo.exe

MD5 9a08b19cd1b290bcc2fadd7533e0ed61
SHA1 2820499af55681191e7ffe2f8daa880786af6fab
SHA256 a4dd2725aa9c0e56b43c4769eba6e0211ca626fc803d29464e24afd22a662ec6
SHA512 bf5500b507f04c2b867bfb21ed932209e912ff4b726fe8565a4191be5a725b5c692aab8522ab2176e2a2b4db093eca8508adeab47a18c8c5877fe6b75f6d0f00

memory/1752-792-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LwEo.exe

MD5 84a208608190f6682d5a0bb4962c369f
SHA1 914df0b93160809d17b9d2040007260919f7ff4a
SHA256 3aafd83b0ce9b6b28393df4f9784b6107c2ada08f89e3af410effea7c22c1005
SHA512 2f38aa4d948ac16f7d2706da0d5f039adcb63a1850d36d415a54a6d8499f492b8eb7ce1ca92fec4ab127c61c1d089670d1e0250d9f1f1dc083b9c807785f9401

C:\Users\Admin\AppData\Local\Temp\KEkS.exe

MD5 c7c62d061988f8acc86b53f2f6948a13
SHA1 35613929ef82f4fa34fe6e499e218879e852d231
SHA256 02f09da398d7fddb5d4087bad50510e278675737677bcf6d9d1d3a9e86dab836
SHA512 e9a43492cf9b68223f2bb29e21d27c0302c5289904e08d1c5bf91a33be0ceeaa325536d3a615fc55e3128ec90e80f6be6698efc3e9e45b67ee51320e7181ef5a

C:\Users\Admin\AppData\Local\Temp\ZYEY.exe

MD5 95b11288761f08a64f5f2ff34fddd005
SHA1 e02e5b43f8c9e6f201114efbc4fcff437a70e43a
SHA256 beabab70e60453ea696847257ffce545bfb0f9d40e31cfda19181d05320d1580
SHA512 a102cca3c265fda2d8a2f09aa82667952cfa6a1017f565736f2347d7fa8d2a1a63ed347b01ff5156e6feb5c7e777fb77040515c3fe3df10e3bc6160e062d5d02

memory/1812-839-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1680-843-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ygkk.exe

MD5 5b52bd1a73cc1aace475d9075c990f94
SHA1 5286e72344ac315c77b5d512e23b258d1e3328e6
SHA256 f165acc4d0a505f32766e557e3e357b529a113d564fc5735d6325cb57241de46
SHA512 b6c5366f437a5b867fcc78cce680cb027698402bee0a21e6c8303a2f6d2e25ae9067a09c5deb84214d15c8c71fcf52d853c517a18732f755aeb427a9a2c55c45

C:\Users\Admin\AppData\Local\Temp\Hocy.exe

MD5 5544a8626a82bc7a281735cdcecbc693
SHA1 f3c4fd031274ece7902e15b831a4267aca525014
SHA256 e45316ee6cc30ccc6f612220d5bc5d82c316b3187aefb02e8507e4360d167547
SHA512 54bad50ff5377ae65e38871647ae4e45e87777cfc97d5c99bc5058b07fd2f83a66d43e76a03b715bc838aa172593454400a17818c743b512c4cd1d403bec894e

memory/2148-876-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HQMq.exe

MD5 8d012e3fce16e79730edd8d1a7d39207
SHA1 c583ab33556ef0901c644ef82f2d94781e6c62b5
SHA256 f8ea9a539380941647132d63e5d0d88c70b30e8f5f9fc0454e468d0f4aae2478
SHA512 6a1426bcc4bf4826d126230766a0a3ea0f67a6f29b2e2515c34db308da2a8fe4014d1600ee28995b2555ca143fe87c6887021a48466619e566a894f64d59fe5e

C:\Users\Admin\AppData\Local\Temp\bQgq.exe

MD5 2fb9ff708fce624a212cbf1d6f2d0f62
SHA1 e4c8326db55be69502594ddb817c4aad018451f4
SHA256 25d0e10d1066d1f42d314209965c0afe3ce9f0851997fea7509d79cd50421a73
SHA512 407f4336d6701e631928f77f829b28d47636fcc2d283eae5484746946fc8562048750540fed624257e5c3343a4f5a346d6452aa1a6e758e4ca953847d706136d

C:\Users\Admin\AppData\Local\Temp\AQQc.exe

MD5 1dbfde04de92ae054e0e9045d7701b5f
SHA1 a613c166696b7babbafc34684cbf59127aa08880
SHA256 cc5cad3faecf8e5042115b890ac19b6c92fe47ccfadd23b2005279b9ab876bf6
SHA512 0130ae04e4ef9d5cc3089d7fc484500457c93a689bd054ca1f543c5c3843068bb9dc83720bd6e8f13deca3987a4159bafe1bc4c8a4991cd1dd760c88143c8ba4

C:\Users\Admin\AppData\Local\Temp\TQYc.exe

MD5 84c93571d8a7eea8767fbe104c908b4d
SHA1 3ef6244f964da07c60d7accc5a4d9bb4cb2d5c01
SHA256 b05597bebd5fc490a1fd7258b8ad726cad793a08b5aa1710e5e93d6c717dc9d6
SHA512 14a56e67285ae8998d624e95e4b6f91bace4f61ba229765266bf132cfdecdc017f91bcf04e8509548724d1d1b14d186d1f1e524abccb4de0a739c34bd9fb17e2

C:\Users\Admin\AppData\Local\Temp\JwQG.exe

MD5 ba8541d93cc5360aaafbcffac78da9fd
SHA1 72a48daae7a62c720676d7ce6b76741a10d47afa
SHA256 170d8e8ea346c996f09c44ba9060956ccb9952201a983dfac699fc558ba97d0e
SHA512 a5f63ca65ee94ab015abe33fd150864ccbb54f95930460b4462ff3241fc13a8c27bf0085233d74a7b8c4c211dcbd53215779b297a70464f5d35c59ef9c341f7f

C:\Users\Admin\AppData\Local\Temp\ZscS.exe

MD5 98a71d7966682bf798051ba181fc0676
SHA1 e8d9c03405d8ec1cf4151fc73ed11a084a03e9fc
SHA256 83fce0f81b889ddbeafc999d218077de3b361ae0474018ce50d63a527366cdf1
SHA512 3365ac59595ce74fe1e8e26bdb8d385fea3aa5bb83416321ed90ee63ea25ebb4ccaeda48b829fc68dde9f0a36217a574392c942e3424e333952d79d84d69bc32

C:\Users\Admin\AppData\Local\Temp\rAMC.exe

MD5 edb94de6f0946ef20ab4d0c863d08d01
SHA1 81b2f3b07e196b612da196de987dbf126bc0d38b
SHA256 b49ee467b9cf5d94b857e297a97c46b3adeeb6179c7247942e01cb5d22c45e57
SHA512 c5d3212319932777c9e0939c981fcb1abfb602540eb75ad1f8489b1f63de837c26615986ef9b66ec1fc2652f8f48d8020ad097907e7a9d82305015fdcc715a27

C:\Users\Admin\AppData\Local\Temp\aMIQ.exe

MD5 ad17ba5f56d57714c57c4360beaa0b2a
SHA1 817f7a31df7a464cbae31552bc994057b38f4ac1
SHA256 36493a6d641d2ce1aad0863fd4a246350e726dee88d71c2cf6409bfedb30c0a1
SHA512 73b966ebe5a9ea6bf96a910d79175b1a147517c824e67a316411e1bfa52c4e75c78ec4ce7dcd75c14649eb8d0d310c27f7f81a7d583c7bad1b354f3ec8ce0acc

C:\Users\Admin\AppData\Local\Temp\FQAC.exe

MD5 dd4a130fe7849d996f6ae169d25dfe0d
SHA1 b2f68ed8317c89647f7ca3849a03d0e537807a22
SHA256 71a9ca46669017b6a58d8682d838610c57c9aee1bb62ed0d188ef6caf158ea3d
SHA512 dfc58b2ea2643ab19673749d57b36e4cde7b8ee747076582edaf25df77cd6909b223ad11018c16b18c21623e481c4bf7cc8fe9c8e6adb81b70a1dba689d4b782

C:\Users\Admin\AppData\Local\Temp\pkQk.exe

MD5 97ed61f414e7d1a1022c96548f4659d2
SHA1 868d5cc3afff8a74394603b97f78b38ac9ee4685
SHA256 d3c90f3044b35fe8ca99edb688290220183f22b44ece2304bfb904d5f3919bc2
SHA512 a2b241b2449aab3f70deb51198a2b9526c8e993b541e8943a58b4f9f41f379a36665133c9741116b30c1ee3667d6aca5f15460508e2005ae13509bd75ec8a99c

C:\Users\Admin\AppData\Local\Temp\fEgY.exe

MD5 4821182bf299662b1586fb4a335c3303
SHA1 a6441498ca216a7c091125af1221b1618ac88326
SHA256 8ad8ecef8c8dcf4a3364b4b60310225625a9af9c013a33e2347dd1355c6dd075
SHA512 f966961c2b66814bedd52f138e30ae5ff9f18dc9956bdcfddb134fad13aa7e80ee956d672a094f4672caf03e2e035584c815418f2a68df390ced2809f668a424

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

MD5 f6f88163b088ffabd38519bd44eb9ceb
SHA1 c2eab09077dfb52ab56d67f2218fcf2abb9e50e0
SHA256 70d6771d1c7ff14c9767457970314f70f5b15724234217ea90cb5948f956ee2e
SHA512 194d7839249cb7dddd041124f4958bba03be3a49c30de7441fe34571ae9153e0e69876901413696f2391ff088c0d6664692cae75513e3734dbcc445a43687314

C:\Users\Admin\AppData\Local\Temp\hQAc.exe

MD5 7b038b91bb8b2f7693cbcc64f77c7366
SHA1 61b4423b2825872b4c20f25934050b26894987bd
SHA256 52852f02058849a00d2ec5c547561c4f5bebae9b91f2c8c72907c1829545e57c
SHA512 29de65d91011c8a7022f2cce0fd7fef01576e134d351c589164dc260b9a737d632ea556289801acb7a71691be44c2f18db21218f5f8d842a27efd20be027c39c

C:\Users\Admin\AppData\Local\Temp\CcQQ.exe

MD5 7c0384ab6259b5cf49d2dc5c991cd128
SHA1 f746e60cb100c04da1db6a5dad9807decb2c6438
SHA256 535e66a8e130a40790105582047db97aec02d0771c73e2f56d5cf70d6a41a35f
SHA512 4b1f0a4e6c57776dd83b4891bcf5918a69da08082bfd5182a3457a90b939097658539bb19bd2a188527a4c06a06f558358d3f1f843df501e0cfc896b13d9f0fb

C:\Users\Admin\AppData\Local\Temp\ksAK.exe

MD5 9f3e295bf6239b05ca3ba394285d7f00
SHA1 e7f16bd3196fda2285bc5775acb8f4422602535d
SHA256 b1621fb1d7c685c37221810d98a2cc66ac563ddd435e3318190f6ad32cdfbfb0
SHA512 c5919513690d7c8839f88824d15ff552f4405e9073baef1f48a921e7f7ce625f2422343b3e13183306265906fc0ebb63fccaf9268bdf5aa9b9feb821d722e912

C:\Users\Admin\AppData\Local\Temp\sYsu.exe

MD5 446b3a186ed5913bc10144b4eca8d56e
SHA1 b2759a0ac492e4c52f16a32bf6972e7a7be5d1b9
SHA256 c19595241ac3b13d53ac07b806e841a094e55219bf184d767bb6bd9c14077ffd
SHA512 9b47747e905cc08bf8b3067a61ef4990d13a8d64131f4355ded9ff08b2a771531953a6cbd447317cae716f87f995876dff41deeab29d3083e67118a28d12c953

C:\Users\Admin\AppData\Local\Temp\jUUa.exe

MD5 d68ece0d4a77f30614c1a8991c8c61a8
SHA1 a24530b8af5ecefc911927e4fd430dbf44caf261
SHA256 deb66e4c103d29fae23d6d780ddf40a39f375e592f0e9ce54407e6eff6978b08
SHA512 785d9513996890711642f1df90b52c3bd65fbb466480faa45d64b11597491d667f0d3093cf7440c372c01b4ed588340ff3a849574af8637b11fb3cf2e24f599b

C:\Users\Admin\AppData\Local\Temp\OkgW.exe

MD5 82e9e8e7b1d713535cc07db2c3a00754
SHA1 f3d6a89fee61eae1934c4322c7279f3bf5768f8a
SHA256 9166dbf6315a93ed4f33ff2d1f0216830ddef7c41038f0a4efbf0769aa5cede2
SHA512 ddc7714fd33d5460a77b2e4728def32ecc06ae20eefc02d72b4bbfe10bc96098503326493a1be3fbba4bd6873e193b82609b6e0d7e88be773be2dbfe2170626d

C:\Users\Admin\AppData\Local\Temp\gYow.exe

MD5 fdbb45df42b810769961646988c15acd
SHA1 26bf2c1723fd1ca563d53e1852ff9837c91a9b96
SHA256 1425f4f17fceb23eb7aaf8985bfce916053d524fd19268f462a9efb02614719b
SHA512 9cab9fd15a419f338d3c4f3a690c21d94de3ec09a6afe2eadb8d57c39a16fd2fbce05cc5e58fe282647c5830c24a8a1f78bda5a081f9bc80a37f26b47bccf5b9

C:\Users\Admin\AppData\Local\Temp\IwMU.exe

MD5 a9d7a53cf3b044ea4c2f2f9dba66d4eb
SHA1 5247986e27a4dbab3dd78ab6c297b5ed14e77417
SHA256 0a8ba0be01faddf970f7665115e579e78d9059fb9a5da99499ffd1b4bac2768e
SHA512 ffa2c2587365c4ab8038bff048ef28c3610c64f5dd8a48e1779bb028962aff24e1cac8324d3520269d0590e3bbb81ea6f31b6ab5058e4d07ee22f280d00ca652

C:\Users\Admin\AppData\Local\Temp\uMsC.exe

MD5 d812d256cf7240537ab1caabdf0c6c2c
SHA1 1a7b08108efbabc9a89186f0d73dd855807cef07
SHA256 58c045fb400971d50fd55b810d4efa45eb5367259eed244f28c3c0e296b5994d
SHA512 ac1db2bdb1ec44b8eecff3de204eb6ec3bfc4e0d9d2ecd9e91d52cd3489b7e4396e5979630c5fa41b4e2e4692f48bcfb165dc036b6c4e72d2097814226c3334d

C:\Users\Admin\AppData\Local\Temp\DoEe.exe

MD5 eff4f6dc0b51cf5303498b001fa111be
SHA1 5e7341b208aa7457746dc8e5dc64bdb3e3eed5de
SHA256 296fbc8f53e276f868ccaeb9636456761ed0e77c4ec3c4ca03cd3058000eaef9
SHA512 ee179d64e300cb7355ceb38e61dae63aaf2ab43e3fadfc558be0c4a21cb6eff3affba717cdbc126336506b41d36ed8ac20760df706287b87bdf6d365b9c565fb

C:\Users\Admin\AppData\Local\Temp\BEku.exe

MD5 bf0033e09b365b8a84da79ccd4510e91
SHA1 8f0dc1d83e62c734bb1e0f3f72804537cc579401
SHA256 2e422ce67640fbd5e6ab69513766c23b66f5a55ee6dd37af5663bc1f3c4d3505
SHA512 c3dfa1d21f8e604d06480bb6e58b6e15a7f984d503fe18f7500ed3daa743091c67c15428bd4bb60bb78a8db3885ebddddd0c1f73fbec98c633812ffc62ee37de

C:\Users\Admin\AppData\Local\Temp\fQsS.exe

MD5 e2e812cbc841cf0d1cad983e20c9f66c
SHA1 6ab4470f4d99eb51ca095c7abbcd7e1421a1de90
SHA256 8dd168e8788affad274cf3980ed23a685dff6e01ee89e2d5737b3b9f9d51e8bc
SHA512 5290cd2ef33792a73b084a9986cb9c69f79795605ae13b876a5a8abae2b3c54345713636ea495fa6170b2d93a88b19acfc97d456881a268ae09a83ba75214124

C:\Users\Admin\AppData\Local\Temp\AIwu.exe

MD5 2274f8ae8ba50245daa084bd3256f64e
SHA1 c8865d509d44fc0e7a9e373da774f6e52d5c15ea
SHA256 be9bf0bd2fb50c8a7b846c1a5edd652d00ee713b77fbf32a2d5453c8b1d659eb
SHA512 53ae8be4be0e1791b22c683df95fa5165ed76ead0ddf7890440f23780ecd2dd83334c99f161a5bb1912f3f674a319182dee48b5184ef06c048d924f731f8f689

C:\Users\Admin\AppData\Local\Temp\Toge.exe

MD5 1a7f9ab4825165562b967a2625169efa
SHA1 1f7d1ab570ab4f7ece9f21c1e7bb7cc1ce23edf2
SHA256 6ced2b7535e783417c9a040fd662070eb19712202f80c41e09afb174ee9287fc
SHA512 d2d0f157bbfc3a6a1ac2ff7bbb06f8fd2fe7b190dce4d0162d017cd372315b7ba6f5738e5697de0e58f6c9c3b3668e87300320c996b010933658ddef716fd549

C:\Users\Admin\AppData\Local\Temp\pkwy.exe

MD5 e34736e94b62e94793f04ebebfc3690c
SHA1 4418a04c39095edeb5f2933f24f78b3ec703c2b6
SHA256 749d22e45b9d7ccf584a306e33716d27ccf80eee4c67bab77d5a701794691dec
SHA512 5dd1e52ea9d4a80fa3dd61be32e454ad39c0270966788a690b4a6bff0f34de12d72dc61abb7b3ad7da456263ed92168b828df954a949745f2148e5c12ef125f9

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

MD5 1a61135acee38c13f38a9fe9f0ad7b3a
SHA1 cd7b5b80fbaf982edc2a4d63360d9afb414c751f
SHA256 e6d0ef39d1112bc72449d0424948e2df2736d91c97c3d2e363506aab5de80d04
SHA512 484a68d9ee197a324e66fceed5c9d0a5fb4e8a5bc0bb1252eda333050a845ef3a96ab6418403d86656fc5a85862ac3a7dda4904e0d5aa432e863564028ae9d3e

C:\Users\Admin\AppData\Local\Temp\AwcY.exe

MD5 7b0d0e67b1609e9df72396eb9abe0a14
SHA1 f17a960655a70313989a24cc00768c934f4418fa
SHA256 b3476dceace8a1a4c2a0df636d8349a6b26553b2be7e1f472f0a225725464574
SHA512 a4b5d17a04fa2eff60e9ab468fddb0f34b71c1fdcb73dcfb8638e1a53ce6e8ec92deb4b515f6453c8efae059859f678f1dd4b6e58c16e20ade02481ff00a6053

C:\Users\Admin\AppData\Local\Temp\uAUY.exe

MD5 5b61b48325f87de0c93b4b7066a65fc7
SHA1 1364b5e86ca91768e44586f667e45ab1e580dd74
SHA256 f999b43fda96aee57558b5a3b45c6f0654526de3dfd9a534238ea3046369337a
SHA512 4c72c5899d618e30aee82e7be9b35b0758119de10a53b2c4a4b232f09d4a7f2d82669a6f01b241f7585668807c4343e43cd4f5772756b6b78a4fcef279f7f300

C:\Users\Admin\AppData\Local\Temp\PEki.exe

MD5 8f615a9db08b1ce8158ac2f599b542d7
SHA1 5f89b8ad6ca1c65dc790cf9638640fd8351b89c2
SHA256 3eeca7f746cdf590fff793e9fdcabcfc058acc5dc33016ad3bd5a4b68a04e4b3
SHA512 158370edb3a219f8017d88f36ec431691c63a4861e29df4f29a0c79789df141ea7cfc1dcaf431c94a31c62ecd9370037e64d4c696b98c639455e417ec2d729f4

C:\Users\Admin\AppData\Local\Temp\fcQa.exe

MD5 9f58c0fbd7dd944ad412e9bf9959379c
SHA1 7050842caec081d8dbc88d587e0ac57bad36249f
SHA256 9dfb01c00129e807461ead56d0ec98faaff25cd21c1dcb282537e39b544a5d4f
SHA512 bfcec4325ffdb1a911fe27135a73070a52f681cd7c7e95aeb120a7862c9e2adb44772c0d59ce9c0c66a8e58ffff325ae3fca5809218cd177a88d477a48ba56e2

C:\Users\Admin\AppData\Local\Temp\xAkK.exe

MD5 d4962785627b08c355552d998ea3ac36
SHA1 a1048331f922d8040a14e3431ea63928306730a5
SHA256 4769e81e717ae7729f50f6b9e9920fef386d6c5b4c7f4d8bc17923479f9e6b0c
SHA512 a24541200ca5024e6bb9105db606f6c318da1a110926dbd1f6c05d3399dcf444effee500c4a8d7414d1e513b258367368c28c7accfe6e6ec9e8bb3bc8a003da4

C:\Users\Admin\AppData\Local\Temp\RwIq.exe

MD5 667a00d421132abe0d8c015cff336a1c
SHA1 c173c0aeb47ebcb16d629d378465c91af174088f
SHA256 9d1b48f1dc1b5e5cf40c66ee9e434da343c3cac6b179a989d377cc333426bdef
SHA512 a21bd2be5ad55758c0e0d4cb10e649e75953164497b978dea856eea984788afe5b510dd99278cc498bceea21cea6ef0220a1653c81c169f5f6471f5200902d93

C:\Users\Admin\AppData\Local\Temp\vsMY.exe

MD5 8e8d9708b6a72445f2aa5d26c2cb3b4d
SHA1 0cfc03c5e01f4f5b7292ddaea9a4d658daaf5e08
SHA256 299d7b5f88b3a1cb467d1d71b16103c26423b8f7a32895ca17a5b139065b344d
SHA512 8d398e379d1a9156920d776888774974cdcd2ced9b4a65ba5484f2b62a7e1341d96e93f5dbbcc50a1573050be981fb00957916ac7d2f5ea991de2e1783e932e9

C:\Users\Admin\AppData\Local\Temp\bgMW.exe

MD5 64c65ad90a2bba5e1d60a464c9a73117
SHA1 0968deac366fc1fed32340816b6a943b4b6fe68d
SHA256 1d62d73b310bf742282007572b349e5f9659ec4f91a8cd2bff5d499871fd6085
SHA512 8774b90820c60c285c69099339db93b87157f5bfc823b1688c27bce64b8b47a255de09090a71abd67b76bc947fa79c603af4b4eccc965343c988dac0ca0f23da

C:\Users\Admin\AppData\Local\Temp\TIAm.exe

MD5 04e80cb09215c6fb159e2bb293e37175
SHA1 764e1cafab365463b7d94a4bd785c8c1decdff4c
SHA256 f43086734c3f05442b978b81e49706b3cf4b72ae2152e4eed865d76b2ec4416e
SHA512 70674d2905d6ddfea49d695f6ddef33dc0a84511ca35c1641fb687777ef7c38fb5f014e01185000a478869610155fce79fc87a5edf208cef931282e592cfba4e

C:\Users\Admin\AppData\Local\Temp\pYoS.exe

MD5 7a16030ab423d2b19c44a2dfd682ecc5
SHA1 9a38ac8af8908bcf3808769c43515f31054b5a16
SHA256 8582438239ca5997ffec3a997a142e20ca1429c1532c6e2d57979679159dbfe8
SHA512 bb59d668854b0f9c6b5c2414194a54eeb1f340f2f4b95cb9ea0ccb368fc2bb63c8094704fd5fa79d2d3efa28346b35c64152e1cd93566647d9b6a5e3adc5e8eb

C:\Users\Admin\AppData\Local\Temp\UcYS.exe

MD5 d6dda682698c0c563ebac5bbc0bf48e3
SHA1 5163341c816f288bc1aa655f32051a6dbe2823b0
SHA256 2645dfde6084132e0d5ffa302dde49b9f37b12b4858970735eb27a7c9521a2e1
SHA512 f75a36a444cd0135282aee91a262f1b5a279bc4094605f0421b821540b8d356cd0de8796024ca940271ee4baa0dc03f14bbc79fee7698c929e6d66d4ae72edd5

C:\Users\Admin\AppData\Local\Temp\pkgO.exe

MD5 1733f23bebfa614b3acf8389b22e484f
SHA1 f77ffc6eae0c01474fa6f6965eda8e029c6ec6f5
SHA256 97baa39bf405eaa1f846e50f78c6a5ef905f8347f097285d1416880acd520f29
SHA512 15cb906fe1a03e917f29dac80e7fdf9f3405b0d9314d9a798ef55a0b9deb3f98d401752d0024153b0ae700dd4faf5665b23935a2bfd59db358a761f71ed67124

C:\Users\Admin\AppData\Local\Temp\mwcs.exe

MD5 1865b1f7f20bf9bc498ed4453017227a
SHA1 a7bc9d9aa59d3c4e1263d4688233495d06462241
SHA256 3c38afac0c3d8dc73685798a39a8ddfd2990773eed0e468dbf99529977875877
SHA512 bc7c2c29ba61efa517df87a84ef15e257c0772fa2bbfe0e05b9d2260e81cb3fc9298451f9d577504ac65541f2a7874f218a17d36a4362a458b36b0727d594134

C:\Users\Admin\AppData\Local\Temp\kgYc.exe

MD5 f84ad5c66b3641531eaf1c7221a32624
SHA1 708350a27201c2aab134b44ce6ec213f1c3814fd
SHA256 d39d6ef29cab7faf40094ea73c185e4cfc5436125414b9d3e129cc090ef224c5
SHA512 793df8446a5495510bd3ca9f14c4b7da7d8eeafe82320de96fdf1b42044954535d29c4a54884185077fe5cc3543217cbd8bfd2d3085f310645711384edc74e6a

C:\Users\Admin\AppData\Local\Temp\LMoO.exe

MD5 e109160642675aef0dbdec63d47a3f44
SHA1 a2a31aec040b566bff683d047d79a1eb8592c72f
SHA256 9d810ddf6a6b1d443a4cf6e105e1414db4b6dc76524d7dcb7d95d03839a042ec
SHA512 8deccd931d0e15cee7ec3defbff7689a2ae52621605380145617661b9285b5d6dfbdf462bf754ddc196e820e5fcee794b44108cac0a409bced06816e9a1917d7

C:\Users\Admin\AppData\Local\Temp\zkIq.exe

MD5 9d279f706338025db415fdd34229c3b3
SHA1 4844a0540d79cf42b72532877322c8b4fd8cf1c5
SHA256 86d31334481368ee4ddc0ae54bb17da28b11f9773027be53403b6cd9a6c491f7
SHA512 c2ed4c7379c76157c01a50aabb6a4d3e52a3e79b915683bfa74e841ba309f8da418fe5530eeb05c48e19847915a3242c22bce8c8f87660fe18d9a0ebe377ec3b

C:\Users\Admin\AppData\Local\Temp\xoYc.exe

MD5 25ba16d11167f2cf2ed492ac5d544b15
SHA1 a4732c9f075eca84bd1c63da6b375dcda6349e47
SHA256 2294b1aa940eff6f34da9b25c4dd5bc441014876a9dd5b2655c3e76467bd3492
SHA512 2900918b52065dd6d3040ccd4b50894df0ef668bc01aec43a045ffa3cb58630cb828d7bbcf36c447420921918ba9e03e8d09bb32210e4d47ccf61c7429acab34

C:\Users\Admin\AppData\Local\Temp\JcAI.exe

MD5 e9209a58a2d9ae13dc49c6b000c40254
SHA1 76f33b05c95ca31343975bed42a1b8f6f4134e5e
SHA256 1dee1e5dee69786e367d6aea037ed35628fe3077cdcf34b0bcf206814d64e891
SHA512 e702ad6c2c4678ae6fc3041bc339f3463883a21a94e8fe73b9bf0268224a39fa9b24bc19af137623a176f3ca3a7accd076456fad33b07607a0cf8b556b422029

C:\Users\Admin\AppData\Local\Temp\gIYm.exe

MD5 80b7c7de2c81c3e4a7f54b093c85f708
SHA1 a4d8e1ca4a9a2cac27617c6c3cba2a8af397e049
SHA256 c7e3fde552097462b3c80597b4336c86d72d835d7b5fed3b29892d3876983fa4
SHA512 4eb661f9cab9feb3197680638f4c43823388e9b93ace42464490a1e5bfac7f628b66aaa9b7a262fef07baba756630f5633d711081ba081250fe4e68bb6858dea

C:\Users\Admin\AppData\Local\Temp\DMwu.exe

MD5 0513ff46991630419f1ca0e85761d7c8
SHA1 7d54c1b630ac99085033e3c66d5c20a3349f1e0d
SHA256 2f1721dbb7282a928429efcb1aede3b3c3b9e61ef648103cf790a181006412bb
SHA512 4d2dba5dad86569c2e0605e3fbcd2fa1930557d642ad599cda6a6ad8022c79bb9ce0037cef13b4ac32b809445df83266ebc7ae1f36c9112ac68406656f911987

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

MD5 20005c955d55fd14eb0416be1eebfcaa
SHA1 8e27cbb8f2360d4ea4aa21103eb9255ba8968d10
SHA256 794d04befcd381f1676a46e3bfd162e8b09dbd68fcb3733d4303139aade0ea8a
SHA512 76c7d67d518840cf816f4916361eb4943c409d60a5a2ced869484e1d0d78d90e71a66dc04d17f17f26c7d4b36e935861aca91b97e052c12be433355e22b3d707

C:\Users\Admin\AppData\Local\Temp\wkIO.exe

MD5 3e55ee013438e929371b68befc5d8fc5
SHA1 a45447d7c80b48c563bf75fbcbf56f276bbd8b81
SHA256 443b2e4971fa73114709216b0aa1b083c819604f98d7e30631b053ecf1e85c71
SHA512 66ce2272492cd448b17949a1f010f175a810d9a7b1926823ff2c700868f56ebd5fee58292802d3bb2fac83a3bfd45415b52694d894e6966ef3fa32b0d2eb8c74

C:\Users\Admin\AppData\Local\Temp\GQoa.exe

MD5 b73d9b276166c50f776a7e46715b09fd
SHA1 1e1b983a5ae6081dc7c1526e0c45dd8080d5525b
SHA256 626bd5ad6341f5b41abb8ed076dcc4e9c61b7313b5aacd77f8e1e15c5184fb97
SHA512 a13ca1fc54e3d279736ad5715bd20c3469f49b1a2979e567beadfb60714d770fcdbaa6e7ad6c0902f61f98bf0215dc6090675b01ee73ddd5e135771f08115eee

C:\Users\Admin\AppData\Local\Temp\bcMu.exe

MD5 ddaa38e369fddfd902cd879f82dbdb0e
SHA1 e5f423480f3b62271e3accb28810b41609f2fa17
SHA256 d21dfeffe3804ab41840c735aad69e6bd6c5e05ac277d3fb72d328d761b3db52
SHA512 780f52c618f70b65ca1240070d33504b2b496264536c8a21d5854ac4dac76c1219e25474a30b914daacda67b81f42674df447c0bd1de6857b18320c449c99068

C:\Users\Admin\AppData\Local\Temp\hMMG.exe

MD5 145fdfbeccc928f29cbde7381882c341
SHA1 fa56ddcd02586b580fbf3fe6d120f0be385c344e
SHA256 19a39f89143484acc122f8ca012cd1470c2230a703ff589d634037c48e3b2489
SHA512 89d4031c46554fdbe3ac1afc5161178480e3b5e59cdea2834edbf2b73daee7115682c68e226b32f4a08d758e029810a937d74a6a540971d8462263f45a88611d

C:\Users\Admin\AppData\Local\Temp\SgUS.exe

MD5 234c8a7483423fbb20b97fda67c7079b
SHA1 9f4536d8af3a711315c3f94b45ca44485d008862
SHA256 962481558916245ddac4e4203eac5879f030b53ff45277dc1ac1725f58f15e12
SHA512 d88541859ff0a0d4b574fbd8889ce439c29e0010b4ffa1ce7e75080b66bb3c1504f6d9d691397b536c9971760e5277a62f60e6ec1d1a370af3e0420fbe15bb71

C:\Users\Admin\AppData\Local\Temp\tcga.exe

MD5 8c7809551f018c34a7d6539e5c56d090
SHA1 f79c363e26c27bca0988593e921dfc9ac807a001
SHA256 97e31a908ff4ec687e63f2450f62208663e27bb5b9b3bba1f9b37280d0af66c5
SHA512 0996558c7775844e39f303eccd30076cbadb07cd9f4ddab77f4279523a3bce931c59f5d05ceccee78fb8c59dfbd42f44784081cae68fc9404b5a5cc0cd5b634e

C:\Users\Admin\AppData\Local\Temp\bsMG.exe

MD5 37010f0b15d0ecf3cb3d879d753f4475
SHA1 33edadda10036e27fb1487969726085f5d461c29
SHA256 5625ec08313a1b64109f1c7a1054a9894ce9e43ea9d1d190f212eb16a502616d
SHA512 92743d34f55d907a30ed6460c1841a5de96a7d0e138358eb1f7dc173082ca09f48a2e8643d118f60d384b1be7767d1edf972e9f00b74ac066dc851ce97afb0b7

C:\Users\Admin\AppData\Local\Temp\XcME.exe

MD5 9f2de801f34135cfdce6d88e55c7bbe0
SHA1 196cc2cde8c53afdbcd10bfe7387b4de7662b52a
SHA256 3c267fddac6a8f4a427f1f2db0cae403cc701439df5af200d7de8013e4a156a7
SHA512 62a3178b359b87fd48175b42cbbd2c0e6abcb91b71fe6111c843e559a1950a864d2c494bf81cabbe225cf473d249f841d96f9bef0f515810a9265c4039b020b2

C:\Users\Admin\AppData\Local\Temp\xIMu.exe

MD5 657d7627c51a99dda4658210a7038cab
SHA1 d77d99998c7371765daa53c864d19b92051116b6
SHA256 45ab2a8f5e94ec27337987f34fe0353c0ced2e90b1765f4507d65add7018b199
SHA512 a378f296d76e3b1d6bfd0a9d3245409764dacca1214de92bf2e32715b065913eafe909a7e4991003a73b7800f501dbfb2d4f0d7e189a1c63b3308a705576caa7

C:\Users\Admin\AppData\Local\Temp\XsEI.exe

MD5 76a5448bfdffd3227166c13b85174c07
SHA1 a7ab4bf8685b04b1b27cb9e2b299abbf87cad078
SHA256 71b745ce592aa3c85a1523c9d0fc41981c4998c2466af66de61cd507d3838417
SHA512 2dab2fd3d8cb3cccc59c1d45652fa18e34eef7efe16f8215c2c06def6a5cdf743e6e79bbd2e60bb36deb34296932cde14f7659878406fb2b7d73cf0535a663c1

C:\Users\Admin\AppData\Local\Temp\Rkwq.exe

MD5 6b2e5615613dca07a0ab22cc4d77abbc
SHA1 a512cac9b57740b03fcd164d5d5c2b968d3f1b59
SHA256 f86d1ed2cc0cda270c5ea380cc82adbd0e0c01f6c5afd804fe320838acdf6bd3
SHA512 7abbc5668d9246dddb5047f41187e909e38041958d4bf1ddb0e72dbbcdecbf8e7976e2ed63081e155469c4c06ae738abbcdb8f14cbac882107645f20e8c99383

C:\Users\Admin\AppData\Local\Temp\wUoy.exe

MD5 83fc1d50e78dcbada57e8dce7fd47719
SHA1 f9d3c6fe9c4722921dd949fbd44d77d3d64b7055
SHA256 ca2711969a2f6d2bba0b085100d42929b33c077ceaf18c8b885b80f266819f38
SHA512 ad5c7a3ab2bb9c3fbf789434e095ef61b3c1691c005cb75dbece1a91df586c6a157c22c71ac4409762816bd59d53ce2cba8caddcad1096e7c50f8a707b89cd68

C:\Users\Admin\AppData\Local\Temp\VwsK.exe

MD5 eb58e6add077212cf596b37ebec57877
SHA1 bbf1380933bf00ecf6e8d561b783f80accf4b5e4
SHA256 c2aa119ae7c1d0bc05d8d73702ce0ee0beb14e544df971a6224d8721e30e96fe
SHA512 3be785c826265b21b5aa5b3d46e825922ac8259308bf968471320e596f184102bd6da13ec06382d7f27b5e29aae2bd3fa8bcbef5965629c814e537a031df751e

C:\Users\Admin\AppData\Local\Temp\akAe.exe

MD5 3783b0e6a8f16cbb035939314c8abfc8
SHA1 a49b22891c69e3da76cf9da92d9f2a322e0da32f
SHA256 b9fa6312f86a7bc78a4fd3c85ca50722414e6557403dc1189ebd213939d6373b
SHA512 03d311b6b24f78efca65a25ccdacdc9ce4c7a6b16c3cb5395dde136de2eef0cdbfe8f1454d6dddfb2d802915583da9e809e72351e3b3dff13edf8a2df34ae680

C:\Users\Admin\AppData\Local\Temp\ZYgE.exe

MD5 63a90761e1627502cebc60e67cd770b6
SHA1 56aceac2c6b6c49fc208be373ae4684b5ea9f646
SHA256 75771ccab5b569ead8d46734b9ed66fc85bb0b5c26178ef5678ca90ee2e234f9
SHA512 791885eadb7cad94291bb1213bf4ba7df46c27cf2e2e939e3e251dfce00c853f8bd5fc154bb836c1a2cc6f3a3a9a8501d17427ca17e35f576695f8a21dafed1c

C:\Users\Admin\AppData\Local\Temp\EUIY.exe

MD5 e8fd9888c9faf690ad14efc1f4635289
SHA1 db841acd2d164e240f10e7cbb9e34d570b2cdd1b
SHA256 a64ec6ff9bbcd4cc48970c1c628db8da41bd47fe1af10ef01d08aef23ad6417a
SHA512 6674d4ab4d7ee511796285aac83861d770deacf60708dc7ccefc39f499dd6af503aa7cad80776f53462ab376cc43819dc142078c2b4cace2388b425dfadf57ce

C:\Users\Admin\AppData\Local\Temp\hwUy.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\ZcYc.exe

MD5 9112e389af34e1a2c7036abed2f153b5
SHA1 52a7bc502f9961407d08b541ba37103254d4b205
SHA256 5252259f5d2382a48f1c3cb47543d43752c77904d5621dd9bc89eefb8882204f
SHA512 65c32adc02b6de944940886c471c502b64982dc757a07212dd5744d3da19ad94026a5251a6b3e9931eddd3d7b4f2f532126fd5cacd5d2a8392346fe25b986045

C:\Users\Admin\AppData\Local\Temp\jsgg.exe

MD5 782e9c84716c5b3a7fe0633e64b0759f
SHA1 978e863e61764cbfa4acea4216a8d32e6248bae0
SHA256 b9f68b6d676d60d8be101ed0fc15529f1173f40ef87ff085e68904e3a64ef724
SHA512 936daa5b91c107080862e01aabf6519e6a0c61f4fdb68eb4d3ba23b4e32465332c6a04fcd3f7f76d7976e711c2654ddaa41b5fc2d26dc2fbbfbcecd41c6809c4

C:\Users\Admin\AppData\Local\Temp\NEsE.exe

MD5 457bd54205c9873ef9fdf9fcaa1e5594
SHA1 e0b06fac9b151e5a606b40aafadeb8f0007624b0
SHA256 0031c6945ab5cdaad8c1bdf4dba832e1dbe5731d35eb5f7ad140fca198fda7fe
SHA512 1f621e8cc541ebb9e1d3bc2621666c4588d75c1fc443ab06e99f045c982158e3a6ccd0105433a0a6e3b0e0e5c2b1f3ef6dcc6dc62ccec23e278bf228e7083f4b

C:\Users\Admin\AppData\Local\Temp\vcoa.exe

MD5 71eb3caa28e868ab78e6373eda527ee1
SHA1 6ec5cc4ee3cf8cfbf90cbe69637d4cce441eda24
SHA256 dfb5fe8c732972b960a42688ba4dcf202cc15f27fcc65a6e395d024f642c21b9
SHA512 7117014b5066aeec7797ebb00aaa76109b9ff81f1b60f29aac7c58c13740558b87fca4542bb31e005672c0ebb503536affbc7f4f1f53153a2a24dbdce77de4f8

C:\Users\Admin\AppData\Local\Temp\eAYW.exe

MD5 4373a6efe4e3ceee67b894730aa8d640
SHA1 69fb8614dab88cebdcb8117a77b1d461b9ea2906
SHA256 c78c7995f9f1526b283262f9847c357e1c13d99340746a8185da81a4fd37428d
SHA512 8cbfee00d17a10244fc9434ddd22b6fedc30514b75c6d94a3722bb8370dcf624b713ed2018bc7bddb34bc2c1aa2b0fd29803aedeac103758a848ac196ad85c73

C:\Users\Admin\AppData\Local\Temp\ooQO.exe

MD5 dbb78b1fa844ba478dc96add9f9bbb46
SHA1 10f93afacbe30a179beab69aac239bd64d7465cc
SHA256 ab3f5b432217cf9b89ae9f4e345126c5303edcef8df110277c9c2482b5ddbfdc
SHA512 3fc63f39cd2c0bd0b73374059276f9e0f0141df2c4b45dd7983766327566120218246ddede513ea1926d4dfe8818a817ad0172bd9487bbe12361f772a6499d76

C:\Users\Admin\AppData\Local\Temp\IoUe.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\dQMA.exe

MD5 579a866f7d3e503694d385c2f361443c
SHA1 2475c1e910ec8554833a11049057d24c68baf536
SHA256 150edb794220d71c1155e46d050fb77ac043f262949c0af8f2743bbce10c84f1
SHA512 1cc81264efdf774ce2038c1a1b7a6677e898745980e36a81a098739421c6a4e222d97eba04974d63f97771830c8ba062c6e371cbd02c8c7404806627a91f22be

C:\Users\Admin\AppData\Local\Temp\PYgQ.exe

MD5 22cb0d11c6f9062441c89ced56b4b933
SHA1 981effbe285ff11165a89cfb87181ff39df5d96d
SHA256 a08d8fc7b1dd1c260c2f3647d892789c576f650947276e961e168cf8faa7bded
SHA512 476d8c5462da62a43ec1fb7add9412ca917138aa012e9494660d7aa42a8c23c7bc0885d50f7b5f54aad536c8340db01033880ea4cdecf0beebfbc3e86ffa28e6

C:\Users\Admin\AppData\Local\Temp\FUIY.exe

MD5 ba8d4c418b89aea1ee9cd0d9ef4f32f9
SHA1 8b58a2ba638392492714f53c9b755990b857c3ee
SHA256 ba9cfa58be1144c2f1a2f996a922aa1dc47edb670edfa6d3b3d90391e78cc72a
SHA512 6720b84247b33725fc919a99c8d422578de45234e5d01bed6980457bc959b9066cd0c87dc2d6d2951769908401af162e86c615fff03e1b67099007e0b9181683

C:\Users\Admin\AppData\Local\Temp\sYUy.exe

MD5 9c593f9b8662ca12d63e9a7fbb11ce14
SHA1 b0a8a5679631d8183e0810c3d8255ece1ddb0cfe
SHA256 1e90e385cbc5ffe1f181b3ad8704181e7237bf93e2606cd7f28736cc6e7124d6
SHA512 e995e7e00e3090ad9386da8e5ca0093cfb584f3a6dca6426be18bb81230197472242f4895a89ff2dc96af10ea62eff84e744a1e33d4eca13afc28d614a6eb0eb

C:\Users\Admin\AppData\Local\Temp\kQAY.exe

MD5 93af4ed1e72aacb3c3b07ac491dbecac
SHA1 a500f00ff9caa742a3dee9b92b577655d57a8389
SHA256 5e48a3cfbb7c959a5e41a65a7a0d6a7bd3b686f490a46ff161590daa212153fc
SHA512 b4e1fb933ff7601584763329d60586107b92e3a55beef5fd194afa452279f898084aeb3c4057c543ea4b480db88acf04d6b74d19dbba4bb7374e94521d96f78c

C:\Users\Admin\AppData\Local\Temp\WwsQ.exe

MD5 bb5f5f5733a9ee27b3202619ec360015
SHA1 9867bb8c7123c94e2b07f7cbcc2437df91df0d8d
SHA256 53270d24dd760c297364c67d3d64ff1885028a8cac9b129d1586ae77153cee83
SHA512 e8fb57d451660ad9ae89bd4dc0cfe68367f60b4097c17319b361ddbc2cfed0e9703f0765c7356e45465b46c7bbfae4475af167473e97bb90514335c57531aa39

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 796361392eb02c107d03514514d97194
SHA1 f345cb50877186f65192ab76a50f41ebe692b3f9
SHA256 fca73909bb81c5a27c52ff82426b2fd18b29f092c47f724323f1d3979979d592
SHA512 c0acdb7a00c37b6b9dbf4b21d7fb53494fda18e96f3edf16fab3f038c9d62452365358988297dee79d1e1ab1335d8d2fe2e0b66cf87440d5e40cc27bc47e5b04

C:\Users\Admin\AppData\Local\Temp\SooA.exe

MD5 57a530804749bc7c2262342f4ee3abf6
SHA1 2706ef6a33c58a9f6d1c31b04fad416fbddcfa9c
SHA256 02d661113718badb9a5fe4fe27eedb400498e0f3ca8a0f47fae59f26932d853b
SHA512 1c8bd7279fb550740deae1b3e415cbb427a0d8195d61cbafd3582095c2a530cdce00f055f2e8bcae46d8ac8737c3e01890137093d3b2d553eeda47184955a419

C:\Users\Admin\AppData\Local\Temp\lAsM.exe

MD5 3e46e13576449cc8c71e2d050ca7b175
SHA1 ecb3fa4add0c470f1a8505b034805c4933c020c7
SHA256 1760ac4a5f5d92203915c809270ce457769ec2b19f467d5a1ff1e72939209e63
SHA512 764b83c770b13239604f642eaaea72346fd3b10bac8bab73ef0b17ea742f7e410b76730a24d47b4614bef0c401c8a01e7098cb4df6944bfc83f653ee4367b481