Malware Analysis Report

2024-10-18 21:40

Sample ID 240612-n6lvvaxfjm
Target 2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock
SHA256 ae80b53fa28ce550437852929dfd8e9e5b2679d04532e92da64e1932d167369f
Tags
evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae80b53fa28ce550437852929dfd8e9e5b2679d04532e92da64e1932d167369f

Threat Level: Known bad

The file 2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (82) files with added filename extension

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:00

Reported

2024-06-12 12:03

Platform

win7-20240611-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\YEAYAUMc\EQgskEAc.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wIAwAoYE.exe = "C:\\ProgramData\\lmoYgoQE\\wIAwAoYE.exe" C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\EQgskEAc.exe = "C:\\Users\\Admin\\YEAYAUMc\\EQgskEAc.exe" C:\Users\Admin\YEAYAUMc\EQgskEAc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\EQgskEAc.exe = "C:\\Users\\Admin\\YEAYAUMc\\EQgskEAc.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wIAwAoYE.exe = "C:\\ProgramData\\lmoYgoQE\\wIAwAoYE.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A
N/A N/A C:\ProgramData\lmoYgoQE\wIAwAoYE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\YEAYAUMc\EQgskEAc.exe
PID 2436 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\YEAYAUMc\EQgskEAc.exe
PID 2436 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\YEAYAUMc\EQgskEAc.exe
PID 2436 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\YEAYAUMc\EQgskEAc.exe
PID 2436 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\lmoYgoQE\wIAwAoYE.exe
PID 2436 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\lmoYgoQE\wIAwAoYE.exe
PID 2436 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\lmoYgoQE\wIAwAoYE.exe
PID 2436 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\lmoYgoQE\wIAwAoYE.exe
PID 2436 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2728 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2728 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2728 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2436 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2824 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2772 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2772 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3016 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3016 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3016 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe"

C:\Users\Admin\YEAYAUMc\EQgskEAc.exe

"C:\Users\Admin\YEAYAUMc\EQgskEAc.exe"

C:\ProgramData\lmoYgoQE\wIAwAoYE.exe

"C:\ProgramData\lmoYgoQE\wIAwAoYE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQUsoswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UscYEwwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIcgoksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsckoMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jacQkEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUUwowkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkcAUcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUswIAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOcEoooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WYgMscko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccAkgwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIYEEgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsEYMMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqwAIIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BgAcEskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCQQAEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\niQIosUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kygoUAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWsoYYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACwkEwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ieokkEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xUkAEgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkcsQMMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOYowAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqQUQEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sosYEwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIAcgIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WCAYcsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoIcIkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYMkgAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGgMkIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcMggAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "859508736-5982004881479943546-1469842895-761510431484595491364280351-1058908268"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGgQIgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rQgYYMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKUMEssM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1922317095467219431-700775955996002977-1441943032-1739771917-36286800-1713991843"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ockIEwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-432165095413056322-1514624223-234220726-575361086-9418859521130216252-974404538"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYEksYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\twUQYgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgQoMccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lycQQcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMUoAcMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQEYwkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkEsUscM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ioIAYcoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyYQYUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tuccUsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOEQUkUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PQogQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcEIggos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcIsMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCksIosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGIcsAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wgwEkMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REgUkQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xeEksIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYwcsgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmMUAwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWgMwccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCwosccE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIIYwcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IAAQEEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YucIkcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oUsUEwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BcgoIIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 142.250.178.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2436-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\YEAYAUMc\EQgskEAc.exe

MD5 ea3d1bf54fda696e2c4e579305fad955
SHA1 f79e8ce0c1b78614f7148e7c628219bcee4db3bb
SHA256 11bd54757b5cc6bb345f23f872b244301674074bc724a47fdd1d9d2d8b9e01ed
SHA512 3815bea39ce41b963cbda5cc73527b4712b36cbefef6099463a589cec32714673116987c932b66cfe31ccb291544a6e108bf4732627b3c22e8df72f0dc7b4a93

memory/2436-5-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

memory/2436-13-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

\ProgramData\lmoYgoQE\wIAwAoYE.exe

MD5 fe10555c35fe4fa2d3286a2557770e2b
SHA1 2145d3091d54887ebcfd265037a301b0d61b39dd
SHA256 ff1fade5c8bd12da0d5a079ffe544c76f5fc81ed2550d1cd590c09bee9e097a6
SHA512 523db9de21d3bd990fb11baabca9fb62da15a1f636df6a184846dde90f6ef9e2d88a90d1b53d64d71c142b90db5fd7cc239c95a28593bdc301cc2d5b28e0c1ae

memory/2436-28-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

memory/2436-27-0x0000000001BE0000-0x0000000001BFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HaAAcgks.bat

MD5 f5ebb872190a142eadcecbd3fb290472
SHA1 1d68f9b94d99fa512b9b88860a4b627ba5b7a063
SHA256 819c23dffb8e169247c21362eb359a6e2430bbde0d7d7b2dd250a5ddd292a179
SHA512 08e676fb4c3d6874f11fb34a7a4e544b0f615339e1734b0117269eca41cbdcad17252c8eaf66380a87c317e4732d643bb414176e63aeacbbba364476b3558767

memory/1708-31-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2728-32-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/2772-33-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQUsoswg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2436-42-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\MyIkcsAA.bat

MD5 304e499ba0b98d468a9ff676c61152a3
SHA1 8edf83e991d5cdb27e077babda8a28f12b57b436
SHA256 d7ac14cf7a70d44de3c77a19555b22cc3e37e0d2f6f74e0dc903aef6a98ec997
SHA512 3870bdddd655812d696a2cbb52f331a77cd27963dec251362d3acb70c13c39619381fa50d0d61b3e07017c6491afeabc699930b75c04dc1472844579b3b9bfcc

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

MD5 3ec5c3e607f34cc9d912e6025ef19268
SHA1 f0311c3dff7cfaebc9ee927477b2c8b97465e6f1
SHA256 7e51a0181f0a07085aefb09c3131cb9d98b9cef7b33f471345ba5917c5619f71
SHA512 9ad55ea85ca9fe3eebdd14f09147016c58bffb31c99421cfac13e93b6ddf8b28991298ac417fac663075f934884c6fd982ac28c3df85d327c97a11d45a42cffe

memory/2992-56-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/3004-57-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2992-55-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2772-66-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GCMcEwYI.bat

MD5 da4c57edf5a7174c85f6618e9a0fbe18
SHA1 9dcae6827341e12832378b0af0aaa9a7faaac7a6
SHA256 626a35d9868f69620b24cca80266c82baf049af47da62602258bc32d37aa87f3
SHA512 193b31905929198337683dd6aec1c28d5dfa8c0a7e35ee40f091f80a214af9f6a393ae0af64dc513b3c8c26dc54874ff4190fdbb6f10d2ebad68f4576fb9f6b3

memory/1068-79-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3004-88-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oKkokwwo.bat

MD5 28cdc5b09157939c6cb91e6e3757b6d2
SHA1 bb33a66f600784b2e86c640dfa9d5e665f76f176
SHA256 8790c8154339835158885300ca64420e90eec5c490081c5c3ef9db1eac4fc1fe
SHA512 ad29e1025b65a6abc0be9bcba26a548488f9531c32baaf14673a04e87036d250a7495710e746c472dbfdae593b3246d5d2687acbf5fc74ee0a9400d0c2135d6d

memory/1280-102-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2144-103-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1280-101-0x0000000000170000-0x0000000000190000-memory.dmp

memory/1068-112-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FscgMQIA.bat

MD5 e1a1f446482290eae1e002133f9dde13
SHA1 b727f4ac1811759eb8c07469b7f2366bdab323a5
SHA256 cf08752852639e3bf6968fb31eb5d719897109d7c051cad984e64ca2f8496298
SHA512 a421ab63d6831e5b89222d6857d7d9ae28d26bce94b371fe2b699a7f4138a11fff46b9f20de9be212a207ad933adcb21f8ad1ddfb1467f37e2bb263a7ff44d98

memory/2404-125-0x0000000000160000-0x0000000000180000-memory.dmp

memory/1464-126-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2144-135-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lMwAUIcA.bat

MD5 f7572eeb097dc7b3cbdc613957e89ea4
SHA1 0ece7b6709e8dfd80357ad58a622c369502e4ce4
SHA256 d2302892a2e9a3504f80c5d52d81b0bfe097fccb29c4782b1bf8811f121eb0ed
SHA512 335d6fb4bfd372ebf4954e5dc8316ddc0b6f324ba31e27ea82155443dd4f72d3fec0003864e7f033a2b2564fb21fe92390447c242f06318629b5975e8be6d85e

memory/1976-148-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2300-149-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1464-158-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\twQsAUUg.bat

MD5 d124690744211b48ece6c35264beac0a
SHA1 9b1e75c4b8a384ac0da1c4d9b2ad201645fd46bd
SHA256 a77845d76431e49b6e1fd475e6c05599039e7b44ab0ca46420b938119317c399
SHA512 bb7f7d4cf5a7bb4054a08dc8f3fbca7c92c38a67e1612dd2f8eafc121f76e51a3f9d6d55b14487063c136bac0512573b4beb566071e79b1e8b4b151b42d163dd

memory/2644-172-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2664-171-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2300-181-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hksYgogs.bat

MD5 1343c786d6829d8178b6d87141f21366
SHA1 64aecd64fcfd1174dd029b0c11363c9b45a8e4fa
SHA256 c47b0625386b890707d76189653c9ca3aafc80ef3a5f6b729f4b5dcfd6366592
SHA512 c2fb655fc05d2102cf885ecd7750c8942a636769f75a967077d74660f611efb41cb053821a6a3fc9c70164c6aef121d3a96ac7dc37e716117ef4b65a5c5cd6a7

memory/2560-194-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2644-203-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VwEwIwEs.bat

MD5 ddf0c2c85948c4ef0be32643d97952bc
SHA1 85971945c5906a91095abb1cf06b3af8e312e679
SHA256 73965e30163df38c730465656c4767b183bf781713f031fc1ef99f5af47687ca
SHA512 c777f4ff81deb31d7e364f1d10985d2145ccaf1f34bf1613d7fc8f68afb4ff2fea982fb0bda9e251dab1aba877d99034ca01db7be038775f0e495b1b4049fc1c

memory/2348-216-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1724-217-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2560-226-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sukAkcso.bat

MD5 9ebc600d365d85441efcd2a7b868809c
SHA1 8fa302ca5fed84440e78be93835b208c30f3e7aa
SHA256 5539f4e1cec295c3f705ee456a1beb833f8cddb9e8c9a960e70ac3c3bf03f8e2
SHA512 cc528fa8f71119c2f9baabd8783ca6f99ea59d2f14fc371794896768e29654666603326cfcd9619261097a5612b08dbcb05bc72376bc889f0f1b1942492798a2

memory/2072-241-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2456-240-0x0000000000260000-0x0000000000280000-memory.dmp

memory/2456-239-0x0000000000260000-0x0000000000280000-memory.dmp

memory/1724-250-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oCEUQUUQ.bat

MD5 5ed95d021d03aca45b8bbf05df886cdc
SHA1 fe05b00801e5e7454517a80ccb2f7165928447e5
SHA256 634672e68b974bb1e21b58bcc66b23c3662dc399673dac104779a0d00a73a6f6
SHA512 3f31e1b1554a3aeb94eeda70e01feae3aa23ec48a6b08d4dca7aff21a6ff041afab23c23faaa698c746f4a7b6886db6daf99ab0ac92b192145f6b3411062581b

memory/2416-265-0x0000000000400000-0x0000000000420000-memory.dmp

memory/932-264-0x0000000000130000-0x0000000000150000-memory.dmp

memory/932-263-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2072-274-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UKsEYgEs.bat

MD5 eb0f0013a2645df54c0e7cddbc4327a3
SHA1 dd4387bc46150a23d709713506ce5587aaf09945
SHA256 25ba538ec2fc0f458965ffc952db1ab628138d6c401710e4ffb4025eaab87d19
SHA512 7d3653866417b02784160017797039ab3c1eccaedff139feafa9d00819871c00a11ddab2b2edade18f34a1078c6412e52e9f8ebb908c624f1a2fa233da6881ab

memory/2044-288-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2044-287-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2416-297-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WqgAwckU.bat

MD5 8317217127825d66ac6e054a97afd2a9
SHA1 157b24829862683a292703aaf47a5f714728a300
SHA256 7583704544827a4ee78ae3c990d25fb4ef58c0b08dce09940fa03cbbbec27bb5
SHA512 44586fd9ad438518eef7c2b0564d553d76a23a773f4fae3422b4a3a06692d3f4b25669174d83a58215a9f37045c23d42002bc6b65438285ae8bb49d749992525

memory/2724-310-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2640-311-0x0000000000400000-0x0000000000420000-memory.dmp

memory/756-320-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lEEkAMIY.bat

MD5 42ca4eef576dfd908668d6f4d844169c
SHA1 2d3c2f80d5cea92e39c8d04397d2b61ee0d9a1cc
SHA256 bd6d855d23c37ded3bdb9492d9af4e901cca1a3f6da739852d7f951975e95cb5
SHA512 321de6c7872498e197d53fb680cc696c707880140c69ef08f7fa75635549cee6602f949018c45c91f2fa3d068aef0c752b9cc93140f374e4cd924b4e64ee1773

memory/2460-335-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2608-334-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2608-333-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2640-344-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zGcAsgkE.bat

MD5 84453adff77ab769e7e7f30674eb6790
SHA1 b281527b7f8bb844029bc7d79074361dca5cdbb9
SHA256 2063304cfba020b2db42e3a1cbf7285ab61454d743ffedac322e3d7bf8c67549
SHA512 3338362e720f96e49037d6eaf4655987864cb4bd031fbe107bfc081ad05838fa6789fa3ce1c60ea67130bfcda560bf85c7de4c72dc5097428c19dc24a6e68e0a

memory/2888-358-0x00000000001E0000-0x0000000000200000-memory.dmp

memory/2888-357-0x00000000001E0000-0x0000000000200000-memory.dmp

memory/2460-367-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TYQQkwcY.bat

MD5 78976b20628a42c31ae35cb2de25be41
SHA1 bb8902fe50a27e46b00b38f5ed4808b81c061cfe
SHA256 2fd24daaefa4cc42f95ea9edf2d33627823c7115da53830ac3b742dcb6f33bff
SHA512 5bb2a70846c8263987e9e7885a08d19881340dfdf78efd0037b0498004180dde2c3a7ef84b77bf7e4cacdb138e70b7f077099a6cf04c8f56e8d5512cebf7b953

memory/2452-381-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1964-382-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2452-380-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2828-391-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jUYgkgcw.bat

MD5 3c744343a5121f49e8da959f8ac935f0
SHA1 9f906dba69fe907cbbb613e0145904860d83a1a8
SHA256 4c0478e48e8e1960ce31deafb2675b9eb2742c9affae90d5d5401d0de74546f5
SHA512 16d5e0639eef0e8d04c12f10ab5a05ad1e1370969625a55f5d3daf1803d0de69941631c0bb3346bd5ef0b524d31c9e3098914da42f03a9ee80b89ef57ee30b72

memory/1804-404-0x0000000000400000-0x0000000000420000-memory.dmp

memory/900-405-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1964-414-0x0000000000400000-0x0000000000420000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\IqQIAkIk.bat

MD5 d96c084b686a770865341e6006042ff5
SHA1 9033d5c9cf7745617c0154754682e7f66add6cd2
SHA256 0d986d92e734f60ce2ff45481ad699b4666c26f3f8c53e5ff4b9aa274d77212d
SHA512 312ebb5693b08a4ba01986b45a320aecca8c62257ec8cbfadaae2abf1e1574250d8319576f838d377ba7a262192ee985085d2d978163792914d1b8e2bad6c975

memory/1160-428-0x0000000000100000-0x0000000000120000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

memory/2948-432-0x0000000000400000-0x0000000000420000-memory.dmp

memory/900-441-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYwe.exe

MD5 5521e719849b3cebb8326723e2f57739
SHA1 4ff9fb40bac3517513f526d57f1f6effd7b6a674
SHA256 00b6d1f3bf504705d32320e1eb2c9958cab7b4d2f85ce3fa1de89fda456e6df7
SHA512 19489c364609a6f07ff2a2efe818331bcc38d488722bde9cf61d0ae6f8cb9f971e5ff57b1de5f7e0445a028f51a429cff5c0646aad791a2b1a3e982086c363cf

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\CssAQwoM.bat

MD5 58192e632afb31d60ef588c0be2effa5
SHA1 b02eeb4e7c9bccc56589f7699487eb9a75cbd947
SHA256 9c0628d061ed8ab5f7b01d49c41549b47f9aeb0cfe3df2b84d592899015b6494
SHA512 70174412471be47847bbf0807d1f982c3e62eecbee2402dc56b255d3929cf15a1c9ff7e01afacbf248d139ad537da5f690b5eb8ec6598f6008e19430ff75d07e

memory/2820-470-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2468-469-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2468-468-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2948-479-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CwkS.exe

MD5 3d75c7937488000eb23e9b5cf06b6b52
SHA1 12adcc624c71f515838b3e2ab0058fc1ea9c1499
SHA256 1295647a438010c87d6a2b471a8c615b210b26e610bb4af6b6ce3e59298d429d
SHA512 58890d1fb119b7e310760b0667b05c68fcae541f9a698f6a84f7153a9e89fd0937ff32f71b2807420d1578a4300822cf273849aac12708b76f0d28319189ba71

C:\Users\Admin\AppData\Local\Temp\cqIoEQkE.bat

MD5 9eff2a0b3a19273e47b0bcf31f5d114d
SHA1 a4ff9f032b96889dd662abd11a9d5e061092566d
SHA256 4bf9b8cba00d0618b8158dbf165a13c1e4bc83c793a40d3f4a5de62be03cbcb3
SHA512 30d7603b086f82ae8a5fdf72f0399ff9add267bc6c88d842540a787ef1a2b825cae6e00eca9fe7e94277a2b0406cd103edd113244bf866be0f3b10045e7fbf90

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 0ed812570f3b30b067b9ca313f13f831
SHA1 5f986e1c1c27dc30f270036fb97d8d565d9db6ef
SHA256 27ff956ea92cb2457a391f3693e96c042d9e6927fc1c0338f9acafd237dc186e
SHA512 89878524e1b39a2766c9847596cc306481030889a1d8688bcac7bd1be70ed81d9dc5c8a88b999f630641d5e44e0df8afd30ff45292715b336bb07235d82a8c42

memory/2836-515-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1416-516-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AkUo.exe

MD5 804c614beda5f5e04c47a472f0203f19
SHA1 8a281a76d1e11da41b341ffd26266a35f166af45
SHA256 c4c4b371c86312c275e08853947e8b175d7e3d940f43068bab4f21e28d7dfc89
SHA512 650c393941fd26d114aadaa0c79bc46d1e59ec2fa612c601cc043932e8a9d24b9b2da5bc5e7e677c5d2e0a5ea2cada14c0ac8f5be2f038e3f0612cb9f0a93d83

C:\Users\Admin\AppData\Local\Temp\uEkS.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

memory/2820-526-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uIUE.exe

MD5 d22c93dc55243318b350be85f1a99355
SHA1 bb0268ef4727f3d3fbcf8b65f5babaa99bafdfaf
SHA256 b0c7cc9eb1f845289a347c6b425927e26ec229a259622dc87ca91cb8c6e10762
SHA512 9ce09266ed7738e9216f02aa684edba804c08184aae180ed98a1cbaeb6fed2e8033af25afc1aae74760f8a41029173ad2160ca96203361f7c2222866cf6bf1ce

C:\Users\Admin\AppData\Local\Temp\GUAu.exe

MD5 d201a1c4ef1f6798bedb151840be338f
SHA1 6510aa9ebe23a4ec7c9b19e2c4b97f7f6bd4a708
SHA256 2d10c86f27382413e109b18165f7333876e01c06a5df65dd9ade866685db36c3
SHA512 1d2401c021bdf825d57b1645658a6033b73b9f8099152685f1376d6283450715110e90ce7f6e41d2763e00d45cd37f174676433f2fb9c278c24acf6b3fe6ff11

C:\Users\Admin\AppData\Local\Temp\Aswi.exe

MD5 5aa6b5fddc3517a69ee16496dc5fc33a
SHA1 34478f62f0d92a7233f3187bd3947bc6467e921c
SHA256 f1c43e506616832852c944ea99f81a0b87bd92840dfb76e89851c42b42ed0112
SHA512 d615786b19614c67b387d553bc850961c6d557c14cc617e5f597ede582966ee3fefdf42735036e2b1131406700d641bf99904c27857b5e5c627612f2edd95041

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

MD5 d0d376354e6eb2381436eb25bea1d0fa
SHA1 cf1754f414ee0ad343e367f763528672edb3fc58
SHA256 370c4ede186cac7f4861fb02b9ba1b51e381466ca0101203baad9cac27aa86a2
SHA512 7f365c93da72d21f92dfd981513d75bcd2af24626ffd7c9f272acaefd5e43a40b8967e5cbd77cb85b1a4d7a5ed8d7b4a40b0ab5bdf64eb241ad94eaefa9f5b7c

C:\Users\Admin\AppData\Local\Temp\WoMG.exe

MD5 f567f42e2fffa4aab71d2c5caf453343
SHA1 a304f2f5b0b120b95f4e1304cef682be83e9fb2d
SHA256 92df6f9777ee253f2c5a220dade0b5c453be3f2e95d664f27a1b671b6f0525a9
SHA512 a29a207aaefcb8ee4e880318a6209209ee0263b2ce91ed1a2a796ad7a8a3bd38b70d84c543156c53ea7524cb78768c15e5c9a5d21f6f48019752a013afda09ac

C:\Users\Admin\AppData\Local\Temp\mUoIMkgc.bat

MD5 f70725d70916bf05cf7da2ab39b6158b
SHA1 0ced87b207af4ec4d2e927c49bde0e68d2fbc65e
SHA256 fc82ec8152f42a276d72443c2ed16df5738bcf403c4ea69c87957952775cb396
SHA512 46a2557c777557b83b160d1607fbb7a0e2b126f20a59f07267c282ddf09d56bab57afbecadb25c1a9b378070ad5e64420abe17b4bab9570db14b6efc4ae281f3

C:\Users\Admin\AppData\Local\Temp\cMYE.exe

MD5 03b9dda013968ce8297bf237d36ad80f
SHA1 429374ff0b340c6b04ed9370fd7d718df2d827b3
SHA256 5eb4d30a3402036b4e5cc3f43b2af9a1f314f7a07fa4694c2a0b55bed97033e2
SHA512 3a1119d61b1c07e833c2a553b64ee52093fbbe9364dff3a9d3097e0c0124dfe7af57e4bcde48e0c97e1f76c9ada8c2cd071a5c46adb0c7ca82e70b634911a163

memory/2268-627-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2036-628-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2268-626-0x0000000000170000-0x0000000000190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MwYw.exe

MD5 8309fff9f901dd00874d75c2f325024b
SHA1 60daf09d8f0c51528224ed3226a1681a9083effe
SHA256 2323323a17c00d28417b8cf4ab12bb2dabe3d4cedcfda9416d5ec0ac8443f8d2
SHA512 64171e653a48e1f2b6833e56710e3a259b6bbd34bbf2ca2208de776065b220fe2db02a5d46426c6fb49517d763582a797bcedd2987616ea1e2131baf8364b0b6

memory/1416-650-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ucws.exe

MD5 9059c4fc5745d1c02274b3f244f94d83
SHA1 69aec48cd702efd4b0c9b7303361c7baf6fbd6a8
SHA256 86a6e4b1fdb8a0e3c92fcf338fc5f17214e72b159ca54f4a6636bf978a04f31b
SHA512 39f29b20ad3eceb91f6e0f20810ed5f37188a46ec13fbfd3f906c0a886f7cf7b052f4ac1d6b7afae0975be105eefbf25cf7f6ff033a4de0c12ec0a8e97f85161

C:\Users\Admin\AppData\Local\Temp\AsoS.exe

MD5 70e90f923918ca3f836e0a6b5fc4fa5c
SHA1 d898ee4ff8c631a073fedeab5119322541fa076f
SHA256 4a62a450f65dabda3cf890af3d22b4dfb63bb9eeda9a9021d7217e8c704159ce
SHA512 278491c21c2a83e1ea2f3d1275a6a9a7ae30e48725ef152faef05bf6bc5c264b49033c0e4eb7363db00f4f6a841e867d0b34ba9fa6aef2319d408979e05ad134

C:\Users\Admin\AppData\Local\Temp\yAok.exe

MD5 bd3547d8361fecfe738730b37eafbe1a
SHA1 7f6f5c14495b9af8ffd52b92a70d6ee2c73dc343
SHA256 d4130a7b30c4424df726c53565dd4d5845efa0820afe91d10a70a70de9f49e5a
SHA512 738630ee7a43d2ed8c657b7d5e646bf0546d602697233f0c478efe61217d2ddb18c9fc71f606b11001f98ff50e9decdfb7c1db386ef9b2de9cf47bf9dec07ee6

C:\Users\Admin\AppData\Local\Temp\YMwE.exe

MD5 24ea68d5740376cd29f2884eb2a0011a
SHA1 a83b3f17c9bbb1f505a19028ee6ea5e538dcd58a
SHA256 8f54607048df8706feca47c9e203add8311f2e86d7a74f6256efdcf01af8dc90
SHA512 5714e79278892c3d4c0b880e0daf0bbbfc5b776e25a8fe2bbed371f8be1aee038fa7fb3d978773dc96bd4cc036f87b4dd99c9197485db6144afa9bc927ff168d

C:\Users\Admin\AppData\Local\Temp\vGgAIcEo.bat

MD5 215a375f7a51ff6174d1b9754c9382f4
SHA1 5e08beee00011679c4af5a37024194c4c24f26da
SHA256 5ef772aac04a5856b743986ce43f49c5b8a8606bbf3589b9843f9a285971d9be
SHA512 9e0efc507dbb599f9d0cc2ffa12f06a1b45faa2ab0bbf77152a04733ad2379f7429aecbfd16aad1dece31b2ae1b9206b3901dfb93e578ead34aae0d8ef88e396

C:\Users\Admin\AppData\Local\Temp\qkUI.exe

MD5 975eba5f7d5fd98ea61f36764fdde43d
SHA1 24ff290ba6b403c69d01b2fb789fbbcbe7771dcc
SHA256 72d8b544a0b34bc93b05987cc7b83692ce9d2206fc4d9c0ec2eb80f8176a5497
SHA512 468ede3c37d6bca0560d3eb406599e75452eba9238caf665a5f17bf0af87166b84fe2c96d4478b8f35dfcd1322529a1fd7a87e87142fc485e731bdb29b2c3c3b

memory/2748-739-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-738-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2648-737-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2036-748-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQQW.exe

MD5 bc289c6b5dc026e66a7f943f140605ab
SHA1 591f588ad5bea4f56e928e7e7d0a6c733165770a
SHA256 210bfd0892d4efe6788d926f68d314d88a7663f13b5af8fc925842492a98c23c
SHA512 0379e40d268572517d483ab56f11eaed1fde424a4f0639098c10079166b57bdf4aa232a0154b958a78a6b929fb9506ec1d2dfd2bc5787ef0d071e8bfd1a86fc9

C:\Users\Admin\AppData\Local\Temp\uYAO.exe

MD5 42eebeea3032422eb3744bdcf1aaff21
SHA1 7c1b71b40eb90e5e656a8699e8871731f1e24c19
SHA256 7e5618e88bf797c2e2febc408eb6ddab583b1348e187609dabf1e9e40f52f1e3
SHA512 9756fb314e922f840d7a8fb68ef62ae8475c1b81225a9dd5b69bd1c607a66192868ffa3ca2adc258915b01b2a9e8d9ec913cef147008bb949d5d3f5eac3ec1ae

C:\Users\Admin\AppData\Local\Temp\sgMM.exe

MD5 a12b1118f9f007bbb74c2bd0872188c2
SHA1 63111b21484ff0d3ac2f1273dcd90a3a83c8f98b
SHA256 75d6f60620862dcf46595406ca60b8d0d86234c6324a2f3c3832af66ac6446a9
SHA512 98ea670c9d1ac6e329c484e507e74e87571bd4258b8ba966cec2c760ffd7605383ebe47bc6310ef5eae00b293b7c20c34b442e191f3731f93e56f5635e76397f

C:\Users\Admin\AppData\Local\Temp\CwMe.exe

MD5 7566cf9e96c5da1fe34135bc2ffb2152
SHA1 3e48613fa96e12e39877b4f7957ce3b237545ce2
SHA256 b16a2eaab3a272dd3a4c7fda3b543c0beda0b055b4a677f94043e461f0a6330f
SHA512 db8a2f10c891020aaed746420a317b49c86bf98f37265b0970e3ece3e9a18c9ee730c8700ea42e114797d85affd06081f1780541b20f27ae9f33e8989cadacec

C:\Users\Admin\AppData\Local\Temp\teggQoUc.bat

MD5 1713bba4a025b836130aec98b640a962
SHA1 049240574283b4e9cd416121299267b5d1184ae2
SHA256 8bf8702445a81dcb794fc801196be60987b7da820b77ff49481527af8cb4fcb6
SHA512 8f30effe5f1f81360859f124d7e5424d2c5a7537660ea712df6f71327ff65f5884b586e1a3893a5c197291177eeb42094c522e26e00b53900f7c96515f624532

C:\Users\Admin\AppData\Local\Temp\gwsi.exe

MD5 d89d9f10bdbecee505279ce3bd95ab51
SHA1 48d234246147fa845cc54eadf6ca8d8baf23c303
SHA256 4061afb1dc90fbb8287cc90f0e884c1abb3d295ffa571f42b248c6f34ef18d83
SHA512 db09d45cdde4df3e5735760945dc23ad96db479698705ed6c11430163aec0b8912c2e7049b088e99838d545a90174d45835bab650e8dfbb62efc2967cf735330

C:\Users\Admin\AppData\Local\Temp\qAAQ.exe

MD5 bbae1ea6640c86734cad5a3e2b3ee68f
SHA1 8738195b4fd20ef45bd373eedaa4c990cfed77d4
SHA256 94b7b35b1017cfe56d01ecaa22fd0683e6c543342d5b1e9ea84eaae76fad6107
SHA512 e0f407ce17edc281c2c15a87b7d60c3d4e47762e183abd4fe6d8a9e978804b37be4071b933565d6f3e7e5b0a375bbd2e0bbcf243c5b7e2eaa7d588d6f72debba

memory/2980-838-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1452-837-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/1452-836-0x00000000000F0000-0x0000000000110000-memory.dmp

memory/2748-860-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CccQ.exe

MD5 d24f5b2a3795bc3208e2812fb3add735
SHA1 501f09ddd452989300f87bd1a3c3cc733e8a9c94
SHA256 fe899c6199b5313a2c2b3018458f8bb0e6d22999422c7bd08141c9f16988722d
SHA512 328a9065d485d251660d8b5690f9bd27b9ee304be25d3adc8e8e2d15ebcc2367d089dc1e33dd4b36a592d0a22557a3f766186654db0dbe7d688cb783b27eea1f

C:\Users\Admin\AppData\Local\Temp\Accu.exe

MD5 ceaade30202e9674d52965c0f37e2e20
SHA1 7da85425e2210ac9eeb7cb649fb39f3930199f9e
SHA256 715fcf21ff34cf10eb5d6985319065bbe69dc70d69b7b7eeaf999214b731efd2
SHA512 a310c2e9d59720f1211fa1d3b517841b7f8fb6f293541f1acb89c331f41be0def06652a66ef6624a248a331ac42f31f1e862525b337f5b33e0bac258bd1ec72b

C:\Users\Admin\AppData\Local\Temp\kIEm.exe

MD5 decdd8b4d37d293be574a825a4df22ad
SHA1 f351d2b29644f4de2eb823ec2dfb7fe1c779b5a1
SHA256 33ace3bc3fb7055717d283f30c962805aa62d8e47fd38e14ac81d9aacde30b98
SHA512 9c80e3ddaae8f971c63e8d58a3e104b8f7c0cb5b65a6bba57f72912fad765112b9f51f3eef6a95b70bee901a6ef9f5daf23ea8fdae90e6f75e7f4617ad8fb9c0

C:\Users\Admin\AppData\Local\Temp\sUYQ.exe

MD5 6cf2f6af919305e3b8be629b430fda65
SHA1 0f12f007a871a55880b94b3cd1c92ffdd6eac062
SHA256 944b337b66010fda81f3bd7db2098079d0400969b9ce2a8d4f56cf38883e6b82
SHA512 1687c7d51e0f3cbbd27359645d0a7c51c33cb9c40806146c7e3115efc990c1a14ffecc0d9ec89d893a4d73faf6ee3583594cc75b77605273426bdc5e06bf9a4f

C:\Users\Admin\AppData\Local\Temp\sAAC.exe

MD5 e95310ac6d77484d238f69c2bfd61ee6
SHA1 b74ea7db244328cabc18d174bc53cbfad7c10634
SHA256 b1b5868349f5a04a10c3dd0985ef99d16b8bda5cc773bad63c540a39d9eb54f4
SHA512 9a488d9af7b22928a2a596b48f5f5f5ee867a78e3cebb8fa3e51932a9261b06e59f0fd809c1a31ef0e4fda8b2851a7420be6dd276f8489521ee36e71bbb5d5d8

C:\Users\Admin\AppData\Local\Temp\Askc.exe

MD5 e133f74845be7144aed1b5f49a48aeb4
SHA1 ba61d550275d843d50be418ba8488bc548153da0
SHA256 71e58a1f5e3cfa52ff7a65a75315abb8fa6bb5438666b54bd8a76aa0b8e4e5f3
SHA512 d4ca7ed85c7f311e682ba0fe06da2ece041cda6031e2d2e8d75ee7c31a30c4f835f915d9b19942aee5433152ac0d8283aca1da0b859da3444d74b4def5020050

C:\Users\Admin\AppData\Local\Temp\xUsUIQwc.bat

MD5 dd35d6bbd4051c32735da72c4e72c346
SHA1 532622ab365169b02fc65a9c8e15832b1794a38e
SHA256 f42e19b1d47f1126c722f33af5078ace939b2fe4ccd83123b366b3981eebc5eb
SHA512 cc9520f395fae0c18b7df0120fdd0d69f79dbafa56f3be14d01e8aa3146012b19da9d6d41c7a21e3ebeededcac6c00ce26ec64e75837dc812aca74d51cdfac9f

C:\Users\Admin\AppData\Local\Temp\MoIo.exe

MD5 00172265b5f50268483e57f9f0c4bfef
SHA1 0bd6ed4e69492e39a0ce13b1c90c55a2f50c26c7
SHA256 af2c757de544170cab5b0d1b9943b86de45fe180786f2b640e4c0a54617373f4
SHA512 2d396fabbdcacf4cce0b106df487f3c1900fcc4557c4578b0480ac3e542251b7f94b3723d1516b16d0ad99a40c9acd2ceeea3f3bbfa763d355def691e280ea23

C:\Users\Admin\AppData\Local\Temp\oYgS.exe

MD5 ca36df2b313edf9669d0819e696985d7
SHA1 a24faccd640e8168d4fd46f1ed4a7ecdfb2b5de1
SHA256 dd5cace7a28cade4192709304d1386a4876b69daf588035d713682bf555e7a95
SHA512 cd31bd65018a7edc106148bf93c2b1ab1854df4a651d15b02e194f558ab34f0c42020a3dd718079cda5d2e358478f77940cfd15e216b6a82341412d88814a1e3

memory/1176-964-0x0000000000400000-0x0000000000420000-memory.dmp

memory/532-962-0x0000000000160000-0x0000000000180000-memory.dmp

memory/532-961-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2980-972-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wUYw.exe

MD5 66011f64f5bb66033c6a0efb5e5edbe4
SHA1 d053faf680e607bbe72128ae640767e7fda870b5
SHA256 2e655fece1d10dfa16f5b9bb83e2fe55f27a9ce75594272ea91a91361ac1f382
SHA512 74fd620a3a270703fa142b71e1a454dbec27ea603b9f4b1d7f8a9098733d6d36b1bd77577a2d4d519a380aa605641d43257be2acdd3230af5ab63bd3e815bd4b

C:\Users\Admin\AppData\Local\Temp\CUUQ.exe

MD5 016ddf182e3757559e1133b8fd892771
SHA1 79c24cd3333467ea79161031d57068222508ddb9
SHA256 b7a2d0a1c83273f9806ea25ac7143c8e5c12f003fe594b4ebd56a002859b0cab
SHA512 f75f9094ad10abee6cb2723d8de06ec3dc4213460ddfabdbd83f22e15cc386b769fa4b88406c85c709cf8437f5479c35d7397e176bc3be3cfb8d96bd858bbbea

C:\Users\Admin\AppData\Local\Temp\aAcq.exe

MD5 7d0accddbe24a3aac5d4da0e34ffc6dd
SHA1 f3576afab7226f9728479e3382840ee9a4a45e73
SHA256 c6ce7b8682b830142cbc456ea4dd99d00833d0e888fa42976a014fc576a8edae
SHA512 fd24a493dc569a3f585a31ca961604404e3bcbcebf8e95966a3a0032b9fd684ea3d6adac9dceb4e29429d5229207ddfbfbab1bffd14fe399a8ac9ac0c2231ea8

C:\Users\Admin\AppData\Local\Temp\OkMm.exe

MD5 693d0e4642f428224e69ba0c81aec481
SHA1 3a1208d5024736cd6ad4e7d8f3621de8c54021e5
SHA256 a613b2039578cef39b86a43d3acb77c4a8c0bd0123ac879059fd91d3ff61d8c6
SHA512 e2c143a1dec7ed0ec2e8a1f41aea878a170d69ea2b7352cee8f4557aef3a044cd478bc50b3d2cbb2ea4b8a0212915f421c68218f5de82b6836a1a1a839ccefc6

C:\Users\Admin\AppData\Local\Temp\jeIAUEQc.bat

MD5 11711f1d672f9e84e78bf62c6a188f86
SHA1 1899d0408512dd672ebaff73425aaefee1ca2161
SHA256 cc604c08a0431f39890a2135918281efdf6b1027a5dec84647a859888b10155f
SHA512 02203049e7544f9fd4f6ea1b18375f79eb12913e3d58eeb2824905184d500cc29112cec6f5d67efc22de508c15de1c370d392d05dd32690e76736f457d764ca9

C:\Users\Admin\AppData\Local\Temp\iQwy.exe

MD5 010d1e2578b105ab0ad4f4acde71919b
SHA1 5d836aafad0ed9285afb71713755eb103b653a84
SHA256 d4ae5621ae78c55a3ce729b0fde55044fcca4fcdb41a31b60f01de5b403ce0f2
SHA512 c6486f27fbb9a33e719e718b1e8fea1c87b6e54066c02539e12b294061f2631e8bf9740c198f737db1c4de8eb2ed1017f1f4f9a02069ae4247ef59aa59b91bb6

memory/3024-1072-0x00000000002E0000-0x0000000000300000-memory.dmp

memory/1176-1082-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1324-1074-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-1073-0x00000000002E0000-0x0000000000300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OcMU.exe

MD5 7ebecc0e415e9abd4c845b368faf4397
SHA1 5fac32fd5d56edea3c689dce740b26115687d5f2
SHA256 b40d546390840cfabae5d76e90e9a99f57fa031e4c9656e6394a370b34e37023
SHA512 df7c9687e058612c375bda4a65e589be0b2b5c21534b15b711712a67fcaa66fd31b35e33831279f6c148f5c267b398d1013622e50499ab6b48507dfc82e6d304

C:\Users\Admin\AppData\Local\Temp\yUMy.exe

MD5 59f987cb0c2ceeb813980d8ea585b701
SHA1 9b3e55da178987e4d1ce98f082c5b212cf7ecc15
SHA256 3cd3a6341a0d0afe5a3d4256e70ee81014974832b7d8b08097498186a49db4ee
SHA512 efbaad03ae1f79d05ce04a6f13e9e541094f2980abfc3ba04d66f22586cae44dcb2f433e0a88eb651f5498964d9f002f969cecf4ad5786b23913e9b83fce8aad

C:\Users\Admin\AppData\Local\Temp\mAoY.exe

MD5 dd2d877180e0faffe3e6476169c97c8e
SHA1 10388436ad19466e0f459cb2cc00d2464cdcca71
SHA256 9f88e78bb31277a2c085811eda222ae0511e0d761b5239a2a6af1d7637d56d98
SHA512 4f04ebb92e60b1b50bbe5755f2d6b76ba0e69645d846eb975b9f37bb9aa7f73f60b3a8e7f1e84ab8d8db0d299ad0c38b4d6f97187ab8a33a57afdf30a0b99f69

C:\Users\Admin\AppData\Local\Temp\cMYq.exe

MD5 3a2368b9bba434c498d3f865865506cf
SHA1 2c90af85c99ca7b0ed0e98ee0cf484867aa5ae41
SHA256 c44339110e989bd3b102f638c39cc8a8b6ccdbb5d1d39cdc104bb151cb9b7c8a
SHA512 1a86a7e5c2095842a73757b557acec9156f4150f3c28e2c52893a170636d7335ef960a18d117dfdcb0da62e36109f0f44c5220ece97b7ecc33db774f248b2aab

C:\Users\Admin\AppData\Local\Temp\Ligwkgcc.bat

MD5 f71c678a520155cd9485f7a8d5dbfe63
SHA1 b6a5d6ed09f7121fb55bcf3a2a56ad7bd977b8e7
SHA256 aa27428b7536fc3da6fbc73badd72c7f797486c34f465134290defe626c449a8
SHA512 c493f8702be1fcf088ba7d7dadeca052cb770740f2d9230c6be7215f94faf9ce3698c05d9277c96a637ec1e0e95a037e484beb59cc5573e0cb2b5b11ed95cae1

C:\Users\Admin\AppData\Local\Temp\WUoI.exe

MD5 f4f56930afc6c99db392f1e9c2160ce3
SHA1 d904603d737becbbab9628f080a1d1745e307832
SHA256 4f03fa7d05f80b811748dadb07c3a04eb9e119d6f739ec0221226cdab817a862
SHA512 55169f482ed42a011e4068bc285c76dedc16c0f6f7f51ae0f30844c15d5ebc327be861e59d8771e1e45ee691cbd191964627a11b4bc1a8d7f40fbd023c121a9b

memory/2312-1159-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wMYU.exe

MD5 fdb02df6b10bbb4c5ff460401717f9f6
SHA1 4c199bf2411e1d0f045f903e3ba3f9c368a874f1
SHA256 c7246cf484070653bafed67dbeff6e6abda5614275f5f4d7d6abec774223e350
SHA512 33cce185361bb0af113e0b788ea1baf2c8683a6fd82adb211ba3c87fe7b4fc4fd63f1b9e8031b72cd5ae394b21b3aed1e291cd425eeb8668f1a792539edb8ee3

memory/1324-1169-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-1158-0x0000000000160000-0x0000000000180000-memory.dmp

memory/1656-1157-0x0000000000160000-0x0000000000180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cAUU.exe

MD5 8fb802e5957264f22b570471690da6db
SHA1 f9a8f136e298282a9d60a10703ba75947917d331
SHA256 558e31b43d4aaedb21348109693e8c21568b813411da1873efb4a3911d1aed3b
SHA512 3cebbc625a57a638a7462d71ffb86cb7845e4727b0917a5aee813201672134e66c756f025f42bf14caa02c040fda30dd5ab8cc4015401fc8176a3d16ab219e78

C:\Users\Admin\AppData\Local\Temp\AIgs.exe

MD5 ffbf22a9b0ea5f11ef137c4ff7a18967
SHA1 043c4f797c8cf320e01dc64d6d9f71d7fe4376f5
SHA256 64d8fe302c403834e7f3471d80c34be42c5c9b717924a023d38a416d6d250dd0
SHA512 affd1b0bf9ada7497455bd49f791f07a04190de9757c1d490d363a441ef2a8fd88c24bd02512975c0293187453f0a2573e796432bfea792d1d7c7d0d6f00bbc2

C:\Users\Admin\AppData\Local\Temp\eoYM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 559b90b6eab9d13027a6ed6ef4f053d5
SHA1 e5952139e081d095b7697251c3a0c71957f003fb
SHA256 f35bf66b927b23cc097a7afec17c7f134d9c7496ed984fb848e70d235a09c61f
SHA512 b7d91ef45622639abe6a88181e177b8438b494ec75782a7fcdb3900e5422631a198436c2c029f1d3f7a2c7217fc48ef6bf8f12fc343f1585557599efdb9be03a

C:\Users\Admin\AppData\Local\Temp\QIwEUYkg.bat

MD5 cbb2b1a9a32a05f840bcd8d323e8b85f
SHA1 01547bf3be078b60ec8655807de2d511a4505dcc
SHA256 e8d8542f3c10a322bba24a38cc854422e3730f8a22263b077bad07540ec58b44
SHA512 44c2c8d8a9078515e3384cc0fffc5138bc712166e6ae1ff566dbe205267e191a60d2c96b808859555233013ce18cf0679e159d465b5c387b6e47d6404b91f2e4

C:\Users\Admin\AppData\Local\Temp\CkYi.exe

MD5 49ec69dfdab03c06736d641c673fb4e7
SHA1 6c2922f8e93d90b28be146fb0d459a9b5d882b68
SHA256 e31cbc61be4b08d3ccce9ce591f799c1785fe4d4cb36ddc07da9c5c7ea229be5
SHA512 2afb36602f39ecca773e353e07a97f92701542ded33f736dc3db8c69473b107650e2409e3466edbef5441dcd1b944f6b4cebec64b8083246d97d5a0a0e9a0159

memory/840-1243-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sski.exe

MD5 9c03697dd1af831286235a8e0b2d83f7
SHA1 3e885b440f36b5b44eb6772e262e0b667f08ca21
SHA256 48dc71529a97eb73bf3c06ace83cdf0974e23015de7c717c7df0ae986f62d327
SHA512 75a500628e4548b6fdd6d641d006a494cb9f737d6acd512247666ee27103c10676ce1a643056b8fb03181b49678a92de6ed19f29b49bcdf5b54ea44a7b5e986f

C:\Users\Admin\AppData\Local\Temp\GcIm.exe

MD5 e1eeb50298d4d4478c03e1ca8908f27f
SHA1 c1da049c1659562a86aa9e4fa9c4e1649e9be320
SHA256 afa43dc6b8ce8bc0fe3f502e494bf2f3b296613b7e8c8d70f35c5918bc60bbd6
SHA512 6bcec3acde121b0272d3a54609fe3dcfc44bd4ee0b87fc0eefd3094c7d7cdc741302be54a9a75f73f1d7fcf6d7df964a047b58ea4242b6eb2c1eba3bf50c0b9b

C:\Users\Admin\AppData\Local\Temp\cuwoocAs.bat

MD5 f747526e46ced22121fd19b767338eba
SHA1 32d05619e8f0278f12e93bf28b7d8ba448f4a04d
SHA256 1385e761cd31845f5b89a14b16c36f04dfbe60dfcfa493b6f729ccc1cc419204
SHA512 129ed427a6117cffecb00f5d767c91fe4b6fe2ea0849b38c5ba59d049ed2c6928da48b2a06f5dcb6ea4d8fe74d6ecb45d7cc72442d984cae09b690d69a9ad0fb

C:\Users\Admin\AppData\Local\Temp\QsAa.exe

MD5 133e8b333be9b289e69516ca8fb51093
SHA1 745ad3c2c94ec3e8b4241f5ec6ef2ab9c20d9d5e
SHA256 8e0731ff7317fab78623156fbe633090ee60910102249bb1097916f870eeb004
SHA512 7cb9fad0843ca8ff5553d6c18ab8d14890b2624b812fd0c2100ee230b3f2b2dd1a0ad195f8670a5d6326130d39df8b1a237834fb83232be989c61ef4051c1ac8

C:\Users\Admin\AppData\Local\Temp\qgky.exe

MD5 15edc06a128e0a2693b597c35230b5bf
SHA1 d4273854a6cb0580afa6330f3abe007f1eb461b2
SHA256 52012dfb7f0ccaf0d760244b6ffe6e33c7629f9d4adf3282eb6dc5f05cdd7a36
SHA512 6f6c0910145dd2dce45cb33443b27dcb63052062fefd3297e19f051c58042c5621d36f1e83c4d856b90743902d7bd6f993bc05ffd00a1bbe4c8b557500834242

C:\Users\Admin\AppData\Local\Temp\yAMy.exe

MD5 0dfcb09260f959d68f29a938fe374580
SHA1 d10940a137e7747a992ae472ce7765c976aef5f2
SHA256 2e6085d9149551ecf0d7545207e202b96d23e515194da95527d4803be23758df
SHA512 fa9d87cdd49546170b9ba3d4d0fa5f2bf3a0f4622f4c50f8e8e6f940d7da1f0822e403c27e90e510addee1e5b88929c4b2fd44d73a10a4d3982fa0ca0773dd50

C:\Users\Admin\AppData\Local\Temp\SkAy.exe

MD5 3c8703d6b5f216cddac47adb0228d853
SHA1 4fdd9c9392b9b05a06fb482d6245ebbd97d22de3
SHA256 efdef5a64e469af3b6ab3b6bc680ac33e57fcd15bd89317d364a1664ab79da45
SHA512 62c4e269292cd904aab062a9e14c05eba5e17dbacd598bf24dcf972acba99c96f0ba82b77494b9fa0f44fe556747eef2d531e5efc551d06e20352da6182d85b3

C:\Users\Admin\AppData\Local\Temp\QYMs.exe

MD5 fe2c57940259693a6bc370f3388228b0
SHA1 32b0a877dde80dc91dce2575d0ec10ea77228c0e
SHA256 d4f8a38978f6572565a4f46c4e7f295fdf92011eb4b87ac1f27aaae7993acb58
SHA512 0f1cc4219f98dbf97136638e80c0eccaf61a1caf0c506eb159ec2034f4851a59063cc131b45c5613a177c6c6f962e750ca2837e215f043541bf51272864d29a7

C:\Users\Admin\AppData\Local\Temp\UoYK.exe

MD5 547aa7f8b0916ea68207dd2bc53b6134
SHA1 aedc2db17eb507b5ad4b98dbf982f5efb703b3e0
SHA256 1fc8271aa254012c4f202d0131e25ce4c030d4955e9481d09374b6603b46d151
SHA512 096542044770d0236b22e5352be5ff79f188fb8355eeb8ebaf39d584e7819ff231897dc21e902e9688e4f9b5be7497007a84b0fb6a0a57f39b879cdc28eb27ee

C:\Users\Admin\AppData\Local\Temp\MIUoAkkM.bat

MD5 9861a3ae082e3b56ccf9facb48a89860
SHA1 0b3a363fd1415e9610483277718b0efaf67869c5
SHA256 6453a9a4c539a18a45a9905a036cdef6ea229af7c3b54ca66893eecbba1fbad2
SHA512 63e193c813071cb612b23464fe3be30c0b024032d872e4e252c3aaa8e3fb2b75d90d30d0403efcf84ce067ede877f179b6481abfd38ec0e115950781af36dcd5

C:\Users\Admin\AppData\Local\Temp\UEQa.exe

MD5 4dd36e4c39154e649106c92f76ab2c9b
SHA1 cff4eb32b1b27160680d89a107d7d6392028195a
SHA256 78f65ca235ab5c774867268b412a2e70de89d6024b97a9da4400cd742e256a5d
SHA512 eeab5feea12344c7f8c94958bf0d7075702fe2063dd9ff1224f5d8d97ec37020ab8f5924aab4b59b22bf2412e0316af31889e18a0874cf294c0334f8b26abe78

C:\Users\Admin\AppData\Local\Temp\McUe.exe

MD5 011e699d383697e99e403b2f1ba81d0e
SHA1 022130e7fafaf82364eafc7d836165841d1147e0
SHA256 66658440b3711b8649ada3d87b24cd854b3009a41de007299c0261ea2c6103dd
SHA512 112aecc11164506a270b6cda9bb788832baba48326044cdde3c8977cf49e27eb84341a738d70a8b1270de2e686d4fa0996acef1d656d0a7e374cef26385e182c

C:\Users\Admin\AppData\Local\Temp\OQkW.exe

MD5 0c328632eaca77d8f057b3dd007d9284
SHA1 97720b1647907a1a92b3ce65949528fd55b17793
SHA256 0f54eff35282c8bd8c51316b4d91567fb42610df7f52e354aa71fe7b1b33f228
SHA512 d089049df91a6191c8fd798b6f687d72161af871896bbd11a4f48861fba704efaeea3430a24760810beeffe9339fae9e7611f8a93e427ff015c9bf694634bbf1

C:\Users\Admin\AppData\Local\Temp\pOkQcAUE.bat

MD5 1bfa772ba632d972943067ab578bf631
SHA1 2adb43888a9058e53275000c7ce43ee72359fc0d
SHA256 68fa873234c67d29a04af8921ade8403fb1801bdc760d485fa035581e4a7d5b4
SHA512 e0da8aa188ebec6e9240e626032cb168dc48b66eba97519552b20ca606f67b2afb611f5c6f891f831a2b343ac1a1798e9d2fbb3d406e5f183c4b8517d6aa7d3e

C:\Users\Admin\AppData\Local\Temp\UwYY.exe

MD5 8bb58fb4e610f8f00539abc688065f5c
SHA1 04bd93c891bae31c1738be982d96def8f23ecea2
SHA256 a3192426939b6603b5003d5b222fd3e93d15ce536097d5eda74c0e458be428cc
SHA512 e65fc7b650cc9d784ea067b6eac5e86e5449300058ea55f4239a9dcf9179762c9ba941b7cfd769b3a45599e793da46c328a66314f9efd092fe70a6db44930390

C:\Users\Admin\AppData\Local\Temp\IsUe.exe

MD5 3f8ac01eaec17e854b911b85444c2f3b
SHA1 2c97e99e9199ec71e3fa1a403a355394ba20d91b
SHA256 9757fab30d3c893b752a992b8f2678d8799a2884f34a4f30813d7e6d11a98dca
SHA512 c18ecec08c2dcd9e261c2836af8321a42066e014c0c2b0fc5fd028804dd25e87cb9956f41f2e0b2b568ec6460aff43db5f0881af31393c6a20276420256dcc31

C:\Users\Admin\AppData\Local\Temp\EgMC.exe

MD5 d00fb0c20f47288e610e5ad5b6d603bf
SHA1 7bf9b433fe97950686b217400bbbbf04c2dd6833
SHA256 dcf6483d17b4ad154b0a49de596eace3c13b6df294182ac91cca0fe3faae595d
SHA512 5550af2a88dd9403e1d5b32fd8ddd2a70a86dceb8539101c9a362c6746e8db5b0196a0f2684921e585bee86ff4e72717b64f71f99bb019727e4d459d75a223c6

C:\Users\Admin\AppData\Local\Temp\bgIQQsks.bat

MD5 c0aef8c970ac419f4fcfeae6ec16f6e6
SHA1 762cc9e8057cd5137eabf0e3a7e60f3919f3f72b
SHA256 a9ff7239ba5bc401f8a0331c691318b772f0c25ddce3ab7ca4d457ced54b34d2
SHA512 11fabf61298d9e7b6dd2f104e1c5157b2215d6d0e48f080b2dbc5a177f07af690ea415cadcc87d8bad8968af73f45776ea9b909a45caa2777521fbecf4c2433c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 af414157e5575c84add43429b94227a1
SHA1 66042406c146f664d7c5dc6ae6f1e2fb63daac31
SHA256 b93698eb522ada318a9ead4c2253bc9abf5c9529ce531701901ba3e17f43c81c
SHA512 7d8fdf9ec1a9cb4672916fb0da73d84f36666749ca43c71be89b56bd2884f3c8740dabcc43869ccb5d9af8947715e8210931ce10843b8ad462b5a91bf0d09fee

C:\Users\Admin\AppData\Local\Temp\iUwQ.exe

MD5 1750da043e8b84554866b1d02adfc4e2
SHA1 d161cfbb3a1739d3c1edfba5c5a99ee5312dacb6
SHA256 4733ec114a4223a31ccff05498fa15423d8d52981bbd16f6348924d650950552
SHA512 be18c99eaa9f12c6d66d05ccd55c239e4474afa87980813e911a9048e9d5977fd04fa728451b2036c32e0bcac7b0e689eda66daf8d31c73d95b4ffbcf6076fdf

C:\Users\Admin\AppData\Local\Temp\Egsi.exe

MD5 53e3942dc629f9c0fcbfe4004ba831ef
SHA1 85843ba3e197a0b3a530fa77499dd35f45c993a6
SHA256 cf4d2e1c19d187c691208ae62beee1124be77a40677f8bde6988981ee782cc57
SHA512 74c9d1f63e6f6663563862b37355ddc8f121b86b23c29f619ca84925eb28609df6b5914e70cad5f7c4dfda1f4d2e010fc78256b0187c5a48aef2775ef94f9878

C:\Users\Admin\AppData\Local\Temp\NKwIcEwU.bat

MD5 f22cb59ab9fb776578839add424ead9f
SHA1 a6150e522991218d0eca768043cc8a1cc03bf083
SHA256 5423da790670d41f8520d9ca92101b9e929d13038ce8f929907168ad0236ec51
SHA512 3cd0c27a831279d592d2293f76c6c5ebd1e994e8703d3a92828fb7f18bde620bd830b25011bf1c63ed3895d0f5111439c7ba727a36f561e82d341245d884dce8

C:\Users\Admin\AppData\Local\Temp\WcQM.exe

MD5 b6b116e87a2cb02b82e661298de6d97c
SHA1 5142f4202f1e816352b9f398d18782cc4b7fb9de
SHA256 8afe22e4dbb40425841d5497d47ec526891d2ab9b48e14697c3e9bc906914e63
SHA512 6aa6934ec3d5fa9104a491dcb0a9f7b627f1b1c162fe1f9595dfc59c98a0fd95e219f165654414e085b5450d2b85506f83dab83122ff8b6feb5cb3a378b0aaf3

C:\Users\Admin\AppData\Local\Temp\kYso.exe

MD5 d0c1b5b4025089232a9bcfdd73c2b91e
SHA1 d95bfad6e0492548d3b7ed01697fe7840d8d010c
SHA256 12ff55b304675609b962a240cc401e8bfdd82aedd91abd3258dd70189a1f475f
SHA512 18fb7b06786a08dbf0cc59da81800c22111c4de9ad346667a545d8c59aa3f6a62bdec3176966702c01ec0ef2b2b0edc832c1d47a6f69421a5326020873438e26

C:\Users\Admin\AppData\Local\Temp\feYUEUYs.bat

MD5 59a1965506cedd7ba6b477cbc484adde
SHA1 2540b584e8fe67808d709a512e3445f2483c2115
SHA256 55c9d870643e3541034263387151d9e107db7b072989f86cab4abc264d9577e7
SHA512 50bfb34cc070ba23c7a5d9f0e0cf094a7c7b26e8cea41384d96d825ba2e10ae75f9c2b22cb0d37f02e4daf3687319d73d6fd89b15fb905d933684fcb2a706cb7

C:\Users\Admin\AppData\Local\Temp\Scci.exe

MD5 8aa57a63394febc837119c9c27cf91ef
SHA1 d07937e36f675bc4e669c7e338ab137afbfe7856
SHA256 c527c895b62f5e3f9a907b25b5929c2bd44918ca1c3b8d6734a40c9cf80de25e
SHA512 eadbcf1250802ff825bf802cf3747efd3e15839c451e19dbc7c04dabd1e1cd616d6408c7c78baf164839017340c9b6a6acdbfb0b62b683baaa7f14d8335f695e

C:\Users\Admin\AppData\Local\Temp\wgYQ.exe

MD5 4edc0381ec49ce6ab078d7d25f4c2bfb
SHA1 f11c4d65888e206c60dc99e3dfd42d9734fd2fc8
SHA256 71f9032d95cb229333c393a73185cbd32457d0cd895ddaacd6af398b217e76e4
SHA512 7988a7c684b9d5fa253aa270d92a151bca26e951d2ca01dfd3de8866acdbedb5583455ef1532dab33dce82e7a88cb1e561a0c702c71d29b05929b7effb3ef53d

C:\Users\Admin\AppData\Local\Temp\EUwi.exe

MD5 9c58e0db181779189e853ec8341e5f04
SHA1 faa3f726d7734d9e23203699914757dce4559659
SHA256 5882aca6d4f2c752fcb11953c2c1027d3836a0245287227d58bf3e6cb3743eab
SHA512 fe791ee3761c10fffa857864267e7b98130194d9ee14a8dc377a61f249d2006163541e13a4678395d4b4190e2e3975458234593b2fcbdd5ada43732b2b58ce48

C:\Users\Admin\AppData\Local\Temp\lAAcoAgQ.bat

MD5 df6f3cb2e30dfe7a6253d6a0614e26f0
SHA1 9cbdee0b928b0a1eebc6d658c20a517fce6476a5
SHA256 61b893adb68abeed628f7a33402c8a5b696e090b686d8d4e2bb4fae701e1fd50
SHA512 2e96d7516beff160b3745ada4d8346c2272ac9d7183bc5a12c80f9219f11d8d93b3949f56448f1c7d08a49f2b304fecf93befebc61db1b227022081c97e41f76

C:\Users\Admin\AppData\Local\Temp\SIwG.exe

MD5 3ed986926082cc54bf6eaf0cfc65952d
SHA1 e2859b8824603cf839db3b6ddac5f7fe152e828c
SHA256 4419ffa7f6565ba8fb69720b1c36fc02ab38f87f870513df096596b82aed3837
SHA512 f877b64470f197d71d254811934a7ed1c41be9bb4fe5cf3992372b60305527709e274dfda055f9b10fec1ac57f267d2b9956579551c122cb2b238bced6f7a5b2

C:\Users\Admin\AppData\Local\Temp\gcsg.exe

MD5 72b3350c04d69fe3196dbd75d70fa5ef
SHA1 efcd6f066f6d0b65311b0295ecc983a65cfed1f0
SHA256 6fc50458f7d0a2649224e614332cb5d481e9e424abef29e1dd8317c1ed1fb1a6
SHA512 f6503fa020a288833b7ddfe309f62aea622d5501d7db374cd10052ae688de36b59ddd19524d8f99fd00b79c8b4844e9b3c555c30d22a34e79a2c5d4057c20d1e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7e5708c7cec0aa5be1d51e98f9b7e976
SHA1 665a213de3e3358954bbe76c2e9fadb36bb4acd3
SHA256 d6c4b0a92d2ee23c46328aef638fa0088d695319c88d7f3ed0f2d6cc19d7cf7e
SHA512 7d2ce7e65bb42937bbd1184edfaec71a3425195efbe2b3c8923b2e8d947a870aa80ec2bad168a52e890dc60f2dfe06a06714b0a2617a3aca7ad3432b57273889

C:\Users\Admin\AppData\Local\Temp\YgYq.exe

MD5 12c9916d1014cca6e86abd2018060431
SHA1 980505ae4838332b71437a5a7cda544832b0ea86
SHA256 6e4cf0702018ac16be39bf7d2e36a8c0a39ff600582cb70849d089f640705410
SHA512 703f1931866025902d36ba3f6a16c913347724b3cb3d808b6c66a023e8cebeb04bac4c4ada2d4637deedab145c582683845d07642b4261e5e47fe2696fe83cbe

C:\Users\Admin\AppData\Local\Temp\agQgEAAs.bat

MD5 4ceca420d6743e4407d37f9a4f560776
SHA1 6a2750d9ba8158d27d1ced2e83b8461161743d26
SHA256 5a37c66a4fdb2444b447a9c68d0c33a7216837f7a0f81b934c6925bc078d87a5
SHA512 044ea3be7795b7603a9d1dfde1bf841879c925a69149148e41935dd254bf4a48212f68a0e77680dac2dd4da1ce15dba150cf0ce2b4a06b23a1f3b70e9fa0e50d

C:\Users\Admin\AppData\Local\Temp\AUUC.exe

MD5 e3f8f1382093038fc094058d5397b9d4
SHA1 e87bab5060bf45c1ed6eaf970f70a2985b88efb2
SHA256 d6b92dbcf16d3fd659423fcfa190f4225f2b9f2f6e6fa61111bc619c9f801f37
SHA512 8f5dadf57eed470cf0805f3ba3553e734bf15a9827fb653942675446f38beac6c6d44a235e6426dc5be430c9c9c17eb661e882e94fd118981a10cc63038daad6

C:\Users\Admin\AppData\Local\Temp\ckAg.exe

MD5 0f9fa30eb80c4aede962257f5064a1cf
SHA1 856413006cd89caeff9300692daa87c806d7f538
SHA256 5a97d1d4e160368674a109c59296759a99b5f9248aff7542850d9c0731f18daf
SHA512 49db04366a07d6d2e8c406b16ddef58b783218f446d8b14d564c2fb87cb64d44ec597be4974483c131e2c1816e4f9ccb7816bfa33244861367e9b5d7b034055e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 3241e378773875a3a5edb5471b7d0869
SHA1 89e17d44d1d7b608caf9125ef463882c5a02c87e
SHA256 131743399f051946dcf819d85805897089bab3e605bfe7898917d5ac0df89177
SHA512 aeaefa6924f4452c5cff88e7687fff6e183d05920f34c9d95bac8f45410c37cda7d05d1083423ac7fdd552057960bcae1302cf7872f2564a5d8927bd5bb0d4e1

C:\Users\Admin\AppData\Local\Temp\akEa.exe

MD5 fc73db6c9efe792565ed63d4a51244c0
SHA1 0fc1f4b4934bde9d7a39ee44f1193fe7f7ddcc9f
SHA256 e348ee2957f7554927c07cd1576b1329813b3ee1a2894c6f9d22f2b1794cbb6d
SHA512 30b6620c02e28bf2a8fc0647c2419a72f7f4094e96f69da9e4a40bd8fa897ce9e643bd0547b4de514f24dcda547bfab0ff79da12928b2a892095874ec6c694c2

C:\Users\Admin\AppData\Local\Temp\YEIU.exe

MD5 a55b057f28a4578dfd7a5e922a88fcc8
SHA1 f6f3fece6bc18f11bf2826a3d5d40dd6ee52f36d
SHA256 2c8c82f81d507e082841dd4e5c9f0f661e7ce4262600ca9b9b297c556d981008
SHA512 420f51e24d44b5a3d8d614fdc24a8153cac1319acf61b6ae2af08431250264fa1e93b2426d4a5fe29d7395f1cbfd47ebab3794ed400657fe8ca07f77f788f7b9

C:\Users\Admin\AppData\Local\Temp\cukkMMMI.bat

MD5 1915b339bc7f40bfdbe9392f77e0346f
SHA1 2e08c8e32d9aca9d04ea2e7e72bd0f8f6f17753c
SHA256 97b23aa06f0711d0aeb76d9177dad3bd7e870d8c403dd14ae3205229591dc544
SHA512 efee255738c82420406372da1363a570e9f613c9c11cf8041193c51838e03777fa91f5a0071dccdd5898e103162999f7ef233b2e0a2d9cf527eecf9d1fb31058

C:\Users\Admin\AppData\Local\Temp\CIQA.exe

MD5 1810c51e140c7a7a11b68e2d6e9ec3ef
SHA1 9c136e1d381b1c890dd641e9538b79b4a613994a
SHA256 489982b163a1acdf49b137023bad5df6788cb36ed2247a54ae8d75fc0779f7e2
SHA512 e7ebcf0aedcf2bb0177bf53579a846631741d5dfb85f59cc68b30d0597b1f269ae0a952be4d59c3217dcd82c045f21c50a307c6a1a22c1ec484110ca9f2484da

C:\Users\Admin\AppData\Local\Temp\AMwO.exe

MD5 44cb99563a3cf7b4e165c7ef416aa819
SHA1 6596ef164d93ffa02bbb9b467b08843d4d54b07d
SHA256 3b5f2466b6e13f8783e196028d376ec1dbad4552e998c97065a5fdf0af318ea0
SHA512 8746a6ab29c1ccf7e7dec6fd7fdbf90c733efa180b0635b53ce8e7245df6016c3c80ad238defb05c8025e9b3dcae72609da5bcc1555e315e3d366fe1fd344a2a

C:\Users\Admin\AppData\Local\Temp\WMck.exe

MD5 9e0eb5098ab3d05ecf514a7c2ca78f4a
SHA1 485db829f9a337aba82d120f2b1e1fd2a881b13d
SHA256 a0e0e7e3ad2901f26acb6c4822e16836a9220192890c971653f469643851b929
SHA512 6f88b648278a924b3dd1b56e0762b6345a24b8fd9ccc5d4bea556d49eb7d5109c33f25f6d1949fc67768c8e23b8975ecf0f28d4b58efee225b812e4450a78c25

C:\Users\Admin\AppData\Local\Temp\MMcccsIM.bat

MD5 a5ff95a72b0fb89183b2279479f40934
SHA1 99655056ab2f21b1851cc47d28c9246200a1b9b5
SHA256 f87edf5445e20e9ee20cfae00db950422be49451c387def9e71650f69eb72073
SHA512 fa39a1373d6b20e6b16172f04b433acebffa2a8c332d39984d1c2481d4dbc834c3b2430b53d9e3d9b0716814f708bd60e484141adcfdb903eeebd75450b01620

C:\Users\Admin\AppData\Local\Temp\WEUo.exe

MD5 c86bc161fb3a5cc901a4b40096b691ef
SHA1 bd8182eb39de9d5b29e9d97c8c24ba1a1fcf12e4
SHA256 4646db8d8a26ecbf3a1c0cec9332b0911cba2101f4254fc1fde5aace00feea9d
SHA512 5a46135cb70536f1e466dad97e0d102240b653e6b8466d3ce42fee172d3d156227a0ef43929a37010becee26768169029a05e73a9b734705d5474a416dad13c7

C:\Users\Admin\AppData\Local\Temp\SggO.exe

MD5 b10a043c64fc6ae9eeddf69061ea56b6
SHA1 48c988641750d7ce00e4a773b7ee21772c8f59ca
SHA256 3ff2319e89c37e2047092c5ef47916630748f20b2f2101144b93f1cc8b9682d4
SHA512 0478414d218f48440493cc9599bd2cb79b62b1dc7cd2a74ccb753c654f3d720a6db925682c1946532b9d15e8bd61e5bd90e525be01fe5b1b2f7637a10b454afd

C:\Users\Admin\AppData\Local\Temp\QwUi.exe

MD5 1916f847a2aa0fbb9400ce8a4cad165d
SHA1 88baddaf9fdc965c1bfb75562bb6024ea5f60d22
SHA256 5b6e3a7abdf3ee39068a0d25ab93700946c4b5be23d2d2a5b210b958ef31c6f3
SHA512 b12acf78bc1cb36d85008693a57913cdc0149d9793562116d73a2a509b3d0c95bf9b5cf79f582864c394ecd6ec88c1025a80b9c6f77e790db1b3135434d68f24

C:\Users\Admin\AppData\Local\Temp\mewwYMos.bat

MD5 1a0b295dac98a490a7435dc157997c70
SHA1 9787366b9695cba8f9728fbb2b32f31136288663
SHA256 78aa0161df7222a36564ffd9161a0f89d15349b6aa758997d00e9f8542f41087
SHA512 3622f64f633e9cebf317aeb8185446dddd0de163c47fb23385abb06a22940cfd3172f24bb599e5991e868bb0096e3c7a3be47336557af3d02ecdabea5f030d1f

C:\Users\Admin\AppData\Local\Temp\yIAi.exe

MD5 758c6aff782adb826b129be1c11dab18
SHA1 7973c081700f2fd21d85d1aa477e308954aafe17
SHA256 2918232e49a06e5c4deed1ebb77fe2cf07c83259de1f61151c8ba76f6e236b8b
SHA512 e4aa049fae6aa2e37248efb14e9134dbc165b7049de821ed0cb690b7873f30c22893b970ea370a1e4e3ee450de449ae2af6cc074df3bac43c41fa97ebb496af2

C:\Users\Admin\AppData\Local\Temp\oMAG.exe

MD5 0f8f6643d43fa1cf7e6cc9f0d312ad3a
SHA1 0fd40c09b7b5df9efc188973947756d1fd2bbd12
SHA256 ea426abbaf50aeb3acff08c63d61aa4d4c70f0e6afc8cfec00d21f3b5b8803e5
SHA512 ed0e3343ee8a677c9d096ea3f25cae47e14c848e79d6992a41e0ee1641db2c012fe318840f9fe6a7aa597e32155f04a97012598ce8c00d31843f07bc7974ce36

C:\Users\Admin\AppData\Local\Temp\ggEK.exe

MD5 74c7703e1369c124ad1acd3a5f5a1da1
SHA1 b5961ea8d355922a4313b4202137f8e739a726b9
SHA256 0d6f6e6d047290b4d0890fc9a0276e2d554487a6f1f5f8f33ac2357f008f4359
SHA512 8a7b70d08f2da00103b9c7b6d816a775a80c93f9f2ad3cc9de376e3d0d200cb1aa0f0120df55c1760b7592eb3fc522b1811ce8a0c88e109ad3000f8621b61df4

C:\Users\Admin\AppData\Local\Temp\oEck.exe

MD5 6c4a2e4531d7be89d3b0cabec5d7e574
SHA1 1b10dd48b472056d01665ac71f451f61ca0ed7bd
SHA256 835f3a77f9352c26a7f677659d37a7c535b1cdf42ec5f3865013d9787455eee8
SHA512 3424fb44a6fa04debd98b7c10d323824b68110a0b8a0d76a7e377f7bd934344c91a6697439b44cdb34f6bc77f6e499aeca0512d6c390c351f2956f8e1683902c

C:\Users\Admin\AppData\Local\Temp\DCgQIIAY.bat

MD5 0f82a9b0ece22b896e0cdd98a6bae3e1
SHA1 1f74d410ad78257e1752dbb84654332bc0835ca1
SHA256 b5ed85cb28dc00d06105878d71398b9973d97a3c4ce8f5f90fb3729ba86cf1df
SHA512 1eeca78ec61481d4e4f99cbe359af2b030bf4170d668e2f81a76097333ece663e655989a171a9478e83ba57366b96cf5b5696b5b14a96e5fd32cf72b4c9d9891

C:\Users\Admin\AppData\Local\Temp\Ecwq.exe

MD5 dd3defd23635b401f508462e4f5e686d
SHA1 8087902499e33a9e8c54fb74efddc4c2e52c1c30
SHA256 d2e3ff83009387d0b124f47f5ba3af2a80131a23731ed054f306bce9aab2bcc8
SHA512 1ef0d3debd2ce7eff32d41caefeafe6e9b355f52de0db39cd20419d1182b9cdbb9daf0466397a98d36d3515edc1a23ac59b2380dc62e84ebb0056db279baba91

C:\Users\Admin\AppData\Local\Temp\UQgO.exe

MD5 db9dc5b04674f1532c9e1cba0531ce38
SHA1 df0cfbf97c6adec5eeb00a6d6d9e98024ba8ba4c
SHA256 79704d99f56842d5338f34632eec96419a52f53841ac0e59009567d2c04b3169
SHA512 baba96e82464afc2aa72131a62a75f7f708bc698aafe7aace3a98a90a0e8496fe4f97b4b049e0fa43afa733a5d2af673d0203ee7d1680602ab64d9995374f9e9

C:\Users\Admin\AppData\Local\Temp\UYcE.exe

MD5 62f1ae9c8eb7aa6f0fec418858f31791
SHA1 1a11e3c90189b5daef3c7dfbb5e4e80074733d27
SHA256 aa4d9cf4de1be302287ff64bbf5e1b1d85863a52819a2172ba014ee3b2efe7c3
SHA512 e6f329ac24ec01695958456c9c16f9fca9efb3c0e9ac862383db9aca05f742d9349b1b8d8082d1fa242730f97e73101ab13f741e037e3bea185d260b439643d7

C:\Users\Admin\AppData\Local\Temp\uIAs.exe

MD5 f6966119d6d198535335db00e8cc68bc
SHA1 e7e6521a33f291ddb87477f37950a8c139c79691
SHA256 968e0d2bb35f1a2e3e1b46e0ddb400425e9ce820d8cfcdf67a5b478c192027f0
SHA512 521993f1efa939449d06a7b5245e514b381071038078c6e1285cbb35442446d0ff54f2a0e1bd2e9e020bd93345b0f920ad7f10d90c4c1c978734e247c1da4d86

C:\Users\Admin\AppData\Local\Temp\niYMEAgM.bat

MD5 fa4b639861c55607238a70cd75e453ee
SHA1 d625edc3fd7fdc1f9502b75d37004642f87b104a
SHA256 b5cba2118105d05579e083c19bf5c6c56bef71d226454098dae4ce644a130a6a
SHA512 f457ddbdb78902472d317cf6a7fd46a728e08ca6555c64bb70af4e8242571af1ee8521da37435d329f8bb249417ed0c7d407fa32045e709e345ec56147e6dfe6

C:\Users\Admin\AppData\Local\Temp\yosu.exe

MD5 3a5acac057b2d72ac63d1f4ba5000c73
SHA1 1c763847439c144d4ea469f468b9206ca4eabd51
SHA256 acdf9f3567a440c3981ded0324526cbe5e5212c6958e14f162bde88fe5623b16
SHA512 45549734bb449489546dcbcebef082163f416d815abc312eb60dcfaf569132326eeeec4a69be7ee57ef033b68d9044820cdd008ecf5c2b87e7795f5a3e0e9252

C:\Users\Admin\AppData\Local\Temp\AIAu.exe

MD5 12bb1367d4f4a07cae2f129a5728b898
SHA1 02158861f09596e6ca39fe164e9ef3dc7cad33f1
SHA256 c7cf5f736fb0afe729e3dcea7c47be7ff82639085728cbf1ff6d67128eba07bb
SHA512 5feec3d889bb7c98a997d33822143c60a102df8165c63228e2466ac6440145273d8f5b2192dfc55140256e1219fc30b58a373cdfa86500cad2dcd4e22e82fc61

C:\Users\Admin\AppData\Local\Temp\PYQwIUwY.bat

MD5 c8b45f850d3e436b60dfa43fe33f85ec
SHA1 79a2ec610321374285a1834da7695c1a0612084b
SHA256 1ecd903f31aaf60706446c0b0f3bd43ab0237d96c6e4b7b0d20af9e6f6a584e7
SHA512 baaf51422b87194bb8473c53a8d0875778cb2b058f8eb8172274459aafebd4f945139e6be61db09cd5e700350ad3f543f295884c652b5ce9feacd03262aa4793

C:\Users\Admin\AppData\Local\Temp\aEIW.exe

MD5 2891d034334239945d9e6227353e9f94
SHA1 62dd6d331dab5cb7db4f99c58b67d14a65d29301
SHA256 2e190f34654f0bd936fd93a590d2db16fa3b6eacc75d6a0f54210cfe9fb8168e
SHA512 cba2fb747efcf01bcaec3c7f5434f6629d0a0ef12f100eb95ea6f41283676bd59f85eab97f047742a0f2a8ca8c0544e8e0ec4926fbad06dc1fa6570aa3082dab

C:\Users\Admin\AppData\Local\Temp\GcEk.exe

MD5 e9e58b22239a7991e802aa79cfd5272b
SHA1 563bdbba10434f9d1931918493ee0135ab8d297f
SHA256 a415a2b430319697d8e3f1609d53a1c376a797b0c2ad26e679e0c2eb4274d323
SHA512 a9d670df3dc9c14908f149c8086b409be34a6ff44edfd9cd9c842e2fa81d91b9126fae4215a0f3d618e4472aa3d8f354a3f5dec827816dc1b86b55e33111c5c8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 0a045571c4a4e849a36892191dacc2be
SHA1 8c610fdf0ac7c8f401a2239d270b9edfccdd063c
SHA256 fd6469c922439f315e2b959e8a65b0c1104e6130ffe4d46b4bcdc99b63e899a2
SHA512 7c82ad58b2234376af8e589732ba4eef37ea98f04420e5f457d692f6c638cea2b769159c74324c7bb6a9829dffe344c4247ba16b676dd63e66f71859d77e3dcf

C:\Users\Admin\AppData\Local\Temp\qAoMAAUA.bat

MD5 2f37e1892cb707355d88e3fb3625d3e7
SHA1 39069418f6cd24909e3eddbd8ba9c1f4a21ca16e
SHA256 70d71f6af46a30d569acbefbb5acaec491280c1ffe29f9c81d4970de2e53180e
SHA512 86e8405593b27e765c5b700fc4231aaad04ae4df743875a8e38ff326da93f30239e38e35956d4717099d10b7b06aa7b8bf79f20c9c20a8e3434eb0805b32fcde

C:\Users\Admin\AppData\Local\Temp\uYQI.exe

MD5 21c717517850b6f69805e2faec9ff099
SHA1 c54e81432b3e9f9a7947e51990f02c94974950d1
SHA256 8b1888f228b591b610ebfaabbdbdd528ca6ab5d310dd282626bab80dfe9b9abb
SHA512 0be3be6f544e01bee1966196e807b944b035ea3cbc2ab35815dadabed9ad6cac31dbb27aa8ba054d4aaa1a8b1f8fc2b8a0352ba117b0fea910096a2233e4c780

C:\Users\Admin\AppData\Local\Temp\kcwAgoUs.bat

MD5 f58ab1178367fdf54f1e65662ad4ac70
SHA1 17482482e46f422011930a90a8fda96c01a6d707
SHA256 97b5d6736e8d6d2f564a628afe0b2ed297d58b8c84cd2d5cca62afdd96162c98
SHA512 2ec2201b9e7fd4df0b8f3df7ae930f37d900e766542034bc7d7c52693d3245104e6b8588f2a073bbac8d25e8f475fdae440fa170ba25bf11b9b339dbea04da69

C:\Users\Admin\AppData\Local\Temp\yIIy.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 36bcf838f3239d8dacb3d314a450b2f5
SHA1 2338c57c8a977b701b7d374d526380e7b479139a
SHA256 5f2ec097376944556ac08a46e152b0af37353fdbb02b9c0a6aa7566cea91ba2f
SHA512 f2c863a8e2da6cff1aa4f78d9898c3cfd36f3f0a4d623e834e95c60e757313517dae0f913a6cbe8fc4553e3dc7c899eb8c359e94a954faa0a5cf11f4b984b61c

C:\Users\Admin\AppData\Local\Temp\CosU.exe

MD5 d5391380d628ec3f7f6b167ec719dd22
SHA1 31d27b75f5d28c71d0e07edddda4be2e0d83c213
SHA256 5e930ed6d33e94554068299845b577f2d4b28892e2a6f273cd5826a0913c1284
SHA512 fe66276683188345822eeaa013a2728258272fe4ff8da98eda82e1b4ffded1e7dbf551e955e5b29d993e2223b41568a54db35c583929c61425ccb5d0b6bf1942

C:\Users\Admin\AppData\Local\Temp\AOowEIcc.bat

MD5 6aa5304fecc5cb5c7125c3fa1cfe48d3
SHA1 4c876eba1f2b49e5ad516ec61a9f1a7142534564
SHA256 d4cc6c6ced2df375830ea022a6320710ebac0c5838266abe5040513b767442c2
SHA512 18eacf6d3d1bd57af069ce816c5ba18bdffbe6c25c1935a8da4ba7c7772012675c0316e12bbed15f75acb777f8715cfd48b39c019d59db0fef02f29e803052ca

C:\Users\Admin\AppData\Local\Temp\SIgc.exe

MD5 54d87d5f97b9c5b89d4803ab4e19ed54
SHA1 f6d28c487365e80b9fd77fcdc8a55001fd7edae4
SHA256 c25961b23e9e5c6a4d39927d675d31a354af8290df10dcb9bda9ec2928d1bde1
SHA512 1e10a727eb656db1974eba018324f9f559af565eac9101d32427351b621dd9ee28793a20ecce3813c8845f0da5b73ca18bd1fcb6c8f3d7e4711e117e3dec4296

C:\Users\Admin\AppData\Local\Temp\CsIcoYwo.bat

MD5 6abf6b4c1c9e6c4f2be08cd2fb25fe44
SHA1 f565f50c2d3d0dc2e9401bb3c22a2b066271a8f2
SHA256 a125a116d60927d772d166a13649654f4c45ffe2e1024ea8410096a09591500f
SHA512 7dbc427c5537ccc2257e8be13193e5a01cb796eeb5bef7f9755b0972d72792bf142e96a652c12972ecbfc177800f72fd7dfde53307e873d3cbe5a19c28145d71

C:\Users\Admin\AppData\Local\Temp\cUgq.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\kskW.exe

MD5 4dd946760423893e2aa99cc4d331b43a
SHA1 2ca955e0ba82f9ac9782d975d75685ecacb22901
SHA256 fc996224167e04d46ce0e11f2c6c1cb766b5680ec72aee8b1cca35efc46fe769
SHA512 c9de551defb19c5aee26b3e06eb009212d82a04453a1583e7cafb692cece5f78f0ecc7c97c920048a4af66142b7979d00e4900137c0fb85d337f01eca6a444cb

C:\Users\Admin\AppData\Local\Temp\WwAE.exe

MD5 65abbfc4e0bacb73f0650ff98ccd5d5d
SHA1 04a2f3e79b4f96b2b3d5cc145f94f99bec76a626
SHA256 d6af027eb50250a2da830794bcab32157dc10507bb0afbce06a0a552cdff0786
SHA512 191eaa56f9715f368101fd586b70477290603feeae4584810be0f9b936176dc04bcd043734b1af09f337999156251fc55240a35cff85760e5a4500e0ce0ac3f3

C:\Users\Admin\AppData\Local\Temp\qAwO.exe

MD5 7d01b45e143ab81afa5964e0b13d9f86
SHA1 c7ce164aa52707801c38ae1bcf0700c03306f8d1
SHA256 7b15c8fc81fe40807f09e3d2b0eccb6e54021d11aebcf5769416e5fbedb31425
SHA512 9d2230e9c7ffef0a295744aef0d404341051314abae3078ca2e5d77b7028299fab9215192dba0b05768d0d79c318c1440a6a15e4071100871fd7821a9572d997

C:\Users\Admin\AppData\Local\Temp\IwoQ.exe

MD5 29f53a821bd94b4ef31c188be08b9547
SHA1 ef0199186ae016606d960d2165356f0321a4a610
SHA256 bb0acad786cf99f8664fbf7c93b0932f0809fdecb20468e6a0b4d5c6d560abad
SHA512 c8cc39e24e0440d1a643abee3555e8e98bc2bb2238dc2c2e04d1204e74c41156922358b453076a264ee490c6def0e531a341fbdb88db339499199e2bf3e20df9

C:\Users\Admin\AppData\Local\Temp\eIIY.exe

MD5 5c94dbdac459bbd9e5fead3058627c6d
SHA1 dc1c6de51d5458e3d2d0ffe97fd2fb25e21d5673
SHA256 1e81833dae78591a261dbfd125b41b14bfe9c95fbe0723fd25af0e73c8744915
SHA512 a69f20945b98ae66cd9c5f4c640af06eae66f41eaa9ebc53017f91023770a4f231c21a6e35100f117601f04bd4b5a25d0d5d4532101532686c6b8617f2f9b53f

C:\Users\Admin\AppData\Local\Temp\MEQW.exe

MD5 add8a3f94d5edcb0d0f2dbc244276b9a
SHA1 d9dab196934e72963a334b600c14dfd0e73134f1
SHA256 30690035c4c8d43d70a31e5ce2e3e31d51ee2129967bcc8f666405fac2508ca4
SHA512 65c0e02c5892e93fbdde4ecb662864c3e7fd6256d982fef63abd117cd1e16be7eeccdf116f320b594a9f2b463df4a34748153cc4b99ad3838e57d2b92e1cb15d

C:\Users\Admin\AppData\Local\Temp\aIsq.exe

MD5 9ef71a3a693f6d505d245fdcd0a992d1
SHA1 0062707e3e2fc546c461d630e525db49feb6ed79
SHA256 d1c8f3f434c89ce1bba116f93dbb19516d564fc947bec6934aa430868e654c11
SHA512 06e6925c9475474812703b1acf4d307bbc4d849f97069588aee6d4196ed562f6a8bf736b797010ee5f50d20da2fd35f0689e9566d7552377626c79481cdd6337

C:\Users\Admin\AppData\Local\Temp\RewgQksg.bat

MD5 8a1667c10b8dfd5fcd9da08da91f9779
SHA1 8cfba5ec893feac996cd3fd423a7d6c132988435
SHA256 5d8fc02283fea6d6f0e16d9401b9a3e25563f7ce6fa7166ebc1b1c40ddb40f3c
SHA512 e11018e5a85c66e0aeb9a5398fc74a74cfafe630834791b8e6ac1f44df81299959a661aea6537d587372bef7abaefd142e7649660064490164bc2c09bc67a6f6

C:\Users\Admin\AppData\Local\Temp\aEIa.exe

MD5 05110b6ef433807903141fa4388c61cc
SHA1 80220b126bd1f747b8921763292bce3c8d02f52e
SHA256 5e1f94649ac7ad1257f22175fd4cb153c7e343325bedd441723a6ace777878e2
SHA512 a9254780b76ac5bec099475024d25a9dc66691ca1dd6aeefc245ca83894ca32576ba9b309bb036ba6f3d1158fbd352677b9832e2ea9c3def78cd715a8ca21194

C:\Users\Admin\AppData\Local\Temp\JYUUsYMQ.bat

MD5 aaed6e6f9c8cd7fa037f440771563d62
SHA1 f100b94e23912f70aebebbc66bc5ff31023fe397
SHA256 adc6f2ffe29d06afc380d69cd1e72ad67248dd8225f2ec0da2eb7eaefd096b1b
SHA512 c5eeb84194ba62d5ca51438a1ce5130c7ec40d7fd9a43916a03fd4ebf4bbfb3e54061d3f171585ae8c949766e9bb4c6a75dc8210514bb34b9c141d98e111cb96

C:\Users\Admin\AppData\Local\Temp\pYQIgkMc.bat

MD5 124046bac17c47bda9f6fc98aa3e8463
SHA1 160c5400c6f9af829c665267980225a81d8f248c
SHA256 ebe8b2900067057ecb14b2c841ea0c2fdc1cb2d195d965029d4d87a6d85c8266
SHA512 7296841216546abbfae8301ccddcedb1a847fc4ca7b5ef36ef8287747c734e19fff03ad95777e2c886c75425cbb606b31d3ae6645b01fd98b4a096ef916ce7e0

C:\Users\Admin\AppData\Local\Temp\zQMYwsco.bat

MD5 693d794e0dc486163a0413417447ce34
SHA1 02e9463501b88397114f0458668795d0c3b117d7
SHA256 976ac44eca77b88577c7e6eb3d1b8401b233547b555168dbab1c69b7eca6d4e6
SHA512 01d2ca0ee0ad06bc6de6f9b84f4371fdaecb9564042067f5e323b3667f3691e0eeca7ed71a845b5b4fc17c71eb45ee279fb5a2115399ec06e9644efa73cf3b62

C:\Users\Admin\AppData\Local\Temp\yUIkYUwo.bat

MD5 9ce2b54de372210dbdf49d9cd6dd9c31
SHA1 36537fc724f54747c6b920f52bb48df7e54970c1
SHA256 2be388b3946ff19f61c9447aa92f27c9ca1dbe1e7c1e0f6db28ab055d5e7da52
SHA512 8c571fc05f4b6c7bce25f9d63a9d1d85ad8cef554c61de7a3043e1fe8629cf4aa9dd2e84bccb5508c638bb1554b1b0dab2fe9b4d73c810a5b683953003ab696c

C:\Users\Admin\AppData\Local\Temp\GoskwoYM.bat

MD5 8316a429a20743628e15f286d150aa94
SHA1 d920953f1ddc78405c2fd4db838154a3493738e0
SHA256 13f8b42032a69695ac3992b69ec0b95945eed32b8ab607bf5054f0a0ed580abe
SHA512 565860d4b8471ca9325949160bd8e362daf0398cc9cb89251c4a3f5d516e97cb102cf6f26dce79c25e63f487c8b7ecc04c440772ce7f52a44880f346044e4135

C:\Users\Admin\AppData\Local\Temp\oCEwwcco.bat

MD5 a51e3df5449f60d26ecaa5ea833f630e
SHA1 e755f6fbf6309072f8bc7aac0b38c693485f9b3c
SHA256 a0a8925e729a7e869c806f3b6d0aa725da2e77ebc9df160848529dfbf440da21
SHA512 022ff6b0da65a513ed8286b4c8cd587a87a3d8fb71cf5a268d704d694be79fb89b7574aceaa26760702e9209a6059409638df87615bd3792eb073a92fcf75bf8

C:\Users\Admin\AppData\Local\Temp\gQAYsMMk.bat

MD5 1286ebf8d672e17c2da8239fe2f6d8db
SHA1 d292cec80f8ea593e9f33dc3dbd6cd00209cdbac
SHA256 624752b404ddb3c3203346eccd795b1427141c874008f862a2848c85fb82373c
SHA512 2d5f610f79a2b9c524bb2651b9e3d7fdd14d42f7ca120f940a864d7651bb53b35f4619930f3ad819b5129ec0091535941609a006d53ebf69af93af7b0d0a1780

C:\Users\Admin\AppData\Local\Temp\qgcgAQAk.bat

MD5 3e6fbe0d97c5c35dcc18bdd7a24c3cf8
SHA1 58ef9fbe92f16722fcabd7add9ca6fd6a3bd7862
SHA256 d67add566927bc56cb188b970a1185e1d6d4d78c0c5e5a100ad9edb91f269747
SHA512 a64bd3e41a5953074cae497ead3bbb7af83d262e23583504fcf9b9b7cb52bfd43fecf24fe948cf34ba6c187b5ea820a59594d754a51b03b06799ae709f023eaa

C:\Users\Admin\AppData\Local\Temp\xiIIUEAc.bat

MD5 5359315551bb29e004e464ab871098ec
SHA1 5d9a3af3b5b3b839fba71b54a7cb9b7576d32213
SHA256 0b5fcf81da1c8f70c3cbb5a8a88968e22974a361aa83e5581fb4b01bcabe9473
SHA512 1fd28f579a3c09d67d9a1e8305b81080cd64e7a47fe0d1b3e9c6525d6ff0f51ea05de17bb398fcfd6a46743d4749fd901388f61d04fac77b2687731ea01059cc

C:\Users\Admin\AppData\Local\Temp\lyAcQAUI.bat

MD5 22d2f0ba8227d2d7e739aefbe1e5bfd4
SHA1 3c2eb960ac77d9561beabbe19668beca04da8893
SHA256 88f4bda04cc0f466742850dde1a53cf2a0f92d07c4b76ba73223f247ecf2d818
SHA512 1246ff179a38ebea1ddde225c51995cea946503ed9a835cea720d579b84f2d5706590d367666676683559026da6be809382e5e83fefc2012cb241916fa44d334

C:\Users\Admin\AppData\Local\Temp\BeQAskIM.bat

MD5 456d08254490f017a855b1d41ac1678a
SHA1 ab0933ce76d0a63ed445ffc1bbacb26e1c405be6
SHA256 a0663d0bb39413ed413dbc048ced3ad80909342ced08d18d41b1e8145589861d
SHA512 ba1481ad95bebf8f0f0c4fbce472abe38dfd0dd5d692d16192111596ef9f08327acf6aa81397c35fae937838816ff958cc1bc628f1cecccf22e5a41cb05e9f52

C:\Users\Admin\AppData\Local\Temp\HiAYgowo.bat

MD5 ed4dfb446cc23e32f3248dccc6338ac2
SHA1 603973c28ce6f5db91a08a0b23bc4de802dd55a7
SHA256 f1b016b40a11907a089a0878bd829ca3386d14c47bceef006754868652be4294
SHA512 2ee930a03b4fb96540a536d681b78be0e8f35f81683b5bc9cde5796933227f80aa5cfd8143565bdf805f911cbf7eabeecdb84be9c0bbf49827c825913fa1dd22

C:\Users\Admin\AppData\Local\Temp\ZSsIcokM.bat

MD5 f0261aa98dee8bb27e9f1e57221cd915
SHA1 c359319db666925d8d8c559012929f7c225fd732
SHA256 daeb5f8e67421bdd376960adba4dbb71bffddf14816629bb6e4834233040051b
SHA512 442e71f7287cb2055c0eb7cdc0cd9fc8fcac13921ed9b5ae81b219bd31e345f58f409d2de8d66ac5f12e91ea2f50425ab7d51406f06da24f337aa9df3cbc8ea5

C:\Users\Admin\AppData\Local\Temp\UQgIowoo.bat

MD5 4e4a6fdbe0c75f4d3fdd3e1a2b051aa0
SHA1 0e6d033cf22eb2b8c03b673e8ba851ae6d71af7f
SHA256 59467c32a65c1f23e1dd51403b9a0bb4d2cc42df605c4981c1bb0645ead92700
SHA512 9a0280adbb5b17e5d66d3e394a6b8fe6cf15cd2d45362b49833382cd82d15a2e9a582d88b75e80099f1a6ced8d97ae62f5fda698115b41031eb51207a87587c8

C:\Users\Admin\AppData\Local\Temp\uMYgUMQE.bat

MD5 9755e02ecc9e8c5b86d799387cfe23e0
SHA1 441a6032383745967ec295baf89db90dc9cd4e7d
SHA256 2f8d99c9e86d86fe6a8cc1c3979093a76954d0f8ff74feca3bbbb765a586b2b0
SHA512 2bd34440838f88b68b68d2987e3c9b53345ff265a47d9ccc9fd64bd6cd115815eea18d65c28bd196022ba5d8f78c1be67874257f2cf1c25144e8e1589de96192

C:\Users\Admin\AppData\Local\Temp\WMEMcoss.bat

MD5 9192a5843185b75fb3b76b55a1d50714
SHA1 fefb5845f09b4714335d8c84e4be0594a515da00
SHA256 4399eddbc6463a9c618104b4fcdd60ad842487d187e0b52acb3e1945d331d875
SHA512 cc3c52b088357174c01d531b1b4eab291690878a82d234b6040e97e09a8ae625ed90aefdfb9d11a507da0e3952261e6cabcdac834085192d8c6a06343d71e05d

C:\Users\Admin\AppData\Local\Temp\owkAoUwE.bat

MD5 3987792ac5cdf2fb455121af5f2a5b18
SHA1 880b4002fdad91ac258dddb16e19fad74d68e430
SHA256 411825fb41ac17465b939cff3416c3480fd3efd86405e87f3b6839993383655f
SHA512 bab8e40bfc57dedfc7309e3d92a53f29395a4178659d8dfe65c641e0cd0611d858b5e01b95e660159a4c6f0518b3ee90454461f427c41bce61504c60ff9bf314

C:\Users\Admin\AppData\Local\Temp\zgoEowMU.bat

MD5 9e41915ffb0e3e5c02caa59cc969218c
SHA1 b5881879db487a4aadfdaad3bae854a5095250af
SHA256 331eaf890dc7e25179560a891024d5df7f6cdeeba953605c05100ae94632794f
SHA512 e2b7ae6cd8a6519c6b31e197df0a56655f6404db2b199b1f2f1fc025e9794f3f4c82cd57d2e9000967897e44d53df1750007abb79cae216126b2ba7350dd8566

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:00

Reported

2024-06-12 12:03

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\ProgramData\ckoAAgwU\OSUAAQYk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Icggcsko.exe = "C:\\Users\\Admin\\pUcMAIMs\\Icggcsko.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OSUAAQYk.exe = "C:\\ProgramData\\ckoAAgwU\\OSUAAQYk.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Icggcsko.exe = "C:\\Users\\Admin\\pUcMAIMs\\Icggcsko.exe" C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OSUAAQYk.exe = "C:\\ProgramData\\ckoAAgwU\\OSUAAQYk.exe" C:\ProgramData\ckoAAgwU\OSUAAQYk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A
N/A N/A C:\Users\Admin\pUcMAIMs\Icggcsko.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\pUcMAIMs\Icggcsko.exe
PID 4880 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\pUcMAIMs\Icggcsko.exe
PID 4880 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Users\Admin\pUcMAIMs\Icggcsko.exe
PID 4880 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\ckoAAgwU\OSUAAQYk.exe
PID 4880 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\ckoAAgwU\OSUAAQYk.exe
PID 4880 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\ProgramData\ckoAAgwU\OSUAAQYk.exe
PID 4880 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4880 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 3520 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 3520 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 4956 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4956 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4956 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2108 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2108 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 4260 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4260 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4612 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4612 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2488 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 1388 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 1388 wrote to memory of 4072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe
PID 2488 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe"

C:\Users\Admin\pUcMAIMs\Icggcsko.exe

"C:\Users\Admin\pUcMAIMs\Icggcsko.exe"

C:\ProgramData\ckoAAgwU\OSUAAQYk.exe

"C:\ProgramData\ckoAAgwU\OSUAAQYk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgAoIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmgMUkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guUEMkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIwsYgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOAEwQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vykccoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYsUkQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGEIswMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyYgUcMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IucwIYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omokUAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAsggEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCcUgoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOkcQMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYkwQgYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCEsIEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAcQwEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acsUkssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmsgEQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWgIYMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWgsokcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEUkMwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcEgQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmwMMwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIccYIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISYowoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsEMsgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcYsoowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nicoYgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqYgssEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWUUAoYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wikwogoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsgUUEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\basQAIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIEEAgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeUoQwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImoQYksY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooYwoQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akwMwkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwkMcswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmIAIkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgUAgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkYUwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYgAsUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaEMUEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\begMoYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqcAwYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEQQQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYEQIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkYAAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cycMQswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkAMMEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwYkkkUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmkgMIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmQggQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuwMUwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MosQcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUsoEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqMkIEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEgoYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWkoIosM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKcEcEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMsQMwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcgoIcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckokogMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juMwMcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGAUsIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqQkkkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGgkEQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akQQIkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsgMMgYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoUkgQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsgcMoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyEowoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCwEEcIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSMoAsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQkgsIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYosAQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKwwogYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIAEAkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKMwoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SssckIsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSsAAgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoQgUwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmYgcsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEgQQAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqMcokMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmUMYwgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMcEcMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSMUoUko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAkgQwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oekUQcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMsAYcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQwwMggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOskUMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/4880-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\pUcMAIMs\Icggcsko.exe

MD5 6587d3f78238b996ddd6a1f4c3c670d8
SHA1 9be2f6ba0176b86292af82864fa12bcbe4585309
SHA256 86bb707d8d3f88fdd11c7f5851af21152ec23f160d96674f7c55a45f3c6e6826
SHA512 9a4fdce8a8bf0d5e447ddbc3c6440e9c9f0687c1c864d330a2a58ef8950ea3cccf5a4a3824f3113e3e3ad6bb8cbea91037c8ff5387685354a6db4237b21054ee

C:\ProgramData\ckoAAgwU\OSUAAQYk.exe

MD5 00e9cf63d1aefe3ba4920bd50affcd07
SHA1 9e336ec79ddfaff8ac1b410bef20b84c658510ef
SHA256 128d19bf619b7faa9e6ece208bc333756c7aae7101f63574ebc526fe161935b6
SHA512 13f487bfb427d9eaaad76c6cbef1feda8581e12a4259b35938761670df8393b0d401d5fd105c2f05f49fba6830e6b45fd8ee8210c5d233015766ef0b58eaab1f

memory/2844-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2372-8-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4880-19-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4260-20-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EOgAoIIA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-06-12_9c6ec48eb16153706191b02cf4097fb8_virlock

MD5 3ec5c3e607f34cc9d912e6025ef19268
SHA1 f0311c3dff7cfaebc9ee927477b2c8b97465e6f1
SHA256 7e51a0181f0a07085aefb09c3131cb9d98b9cef7b33f471345ba5917c5619f71
SHA512 9ad55ea85ca9fe3eebdd14f09147016c58bffb31c99421cfac13e93b6ddf8b28991298ac417fac663075f934884c6fd982ac28c3df85d327c97a11d45a42cffe

memory/2488-28-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4260-32-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4072-40-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2488-44-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5040-52-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4072-56-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3196-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5040-68-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4300-76-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3196-80-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3888-88-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4300-92-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4476-100-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3888-104-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4072-112-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4476-116-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5108-124-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4072-128-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3704-136-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5108-140-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1308-149-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3704-152-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1184-161-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1308-164-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1184-175-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4612-186-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3968-187-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3968-198-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4420-209-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3704-210-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3704-221-0x0000000000400000-0x0000000000420000-memory.dmp

memory/388-232-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5092-233-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4968-242-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5092-245-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1196-256-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4968-257-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1196-265-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1580-273-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-274-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3616-280-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-283-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3616-291-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3432-292-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3432-300-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3856-302-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3856-309-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2092-317-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4016-319-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4016-326-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5104-327-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5104-335-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4040-336-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4040-344-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3060-346-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3060-353-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1020-354-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1020-362-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1432-370-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3324-376-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1544-379-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3324-388-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1768-387-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1768-396-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2296-397-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2296-405-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4556-413-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2924-414-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2924-422-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4440-430-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1324-431-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1324-439-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4804-441-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4804-448-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3440-456-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-458-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-465-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1544-466-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1544-474-0x0000000000400000-0x0000000000420000-memory.dmp

memory/864-475-0x0000000000400000-0x0000000000420000-memory.dmp

memory/864-483-0x0000000000400000-0x0000000000420000-memory.dmp

memory/884-484-0x0000000000400000-0x0000000000420000-memory.dmp

memory/884-492-0x0000000000400000-0x0000000000420000-memory.dmp

memory/876-494-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\skoy.exe

MD5 c74d82745cde98a0cf065ea4997adf09
SHA1 cd1a9bee08766907bc10abfb8e4657b45e459911
SHA256 65fa8125d719ade19814714a409eefbe47dbb6afbed4b7f12fe52b9304026dbb
SHA512 64ad064e78f58b0b9219e1220aed0a2831a3553c81f58d8f03a4d7a8255914714923769517bd6ae575d6498a9e2c93d187b60d629005ed5206a0596f0ae8ccfb

memory/876-516-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gwEq.exe

MD5 6988ea112ad28edce900036cb35b26d0
SHA1 11d626ff21792fddda2587cfb7c7bf6cf5c70ab1
SHA256 56366f263366318999f45d5414de9b3d95f965398079ce507d704aa7a50b73f4
SHA512 e8effa9d563edd6df8035520bc768703ce31442f489159394cdb392a9f48898d9e112873025280e6b189fb0e18aed206b04039e2c762c29afb91a92e1a30e4de

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 7ebded6dee83fc81bfc38b64a5d4e402
SHA1 918874d020c2bc6f4783feb5926de736625a3fae
SHA256 f05692d4d3df7f57560d7d8d1d4e182b0b62d578ca23a0d182ddc00096b4148e
SHA512 3d4bc1167260e1f5eb300ee1ae47915f681218ce803eee4d2ff712c3d8e70cb2087ed76a889797dcf69f50dd2691fbdf1433c7a1e32d1604740fc119ab30bb03

C:\Users\Admin\AppData\Local\Temp\CwkK.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\AwAA.exe

MD5 73002e8e68a14de115c409f5798d39fb
SHA1 4b1f12f6d6f7ac29bc1464705d1f58b9b8900355
SHA256 2565d8e652904e0c55c5291d4e1f9ad1a55c58c4d73216668cad6e70ccd60761
SHA512 fd53e686bbdd6e8b49bec3558c0a8c476e6c95124ff4124ba4f894853ecbb95e0bad23b00191f456f633ece054505c259fb271fb3215b46ab70f07afad9793bc

C:\Users\Admin\AppData\Local\Temp\YEYG.exe

MD5 6ad7bec21ac35a5711057e98a09eedcb
SHA1 05f1e5a481076080cd83521cf099114100068b2c
SHA256 688ce929d983e6681bf2513012226bb1b1bf7de5ba6e5250e3de51425b44807e
SHA512 c4169abf3aec59e022966945ec4ec76e116faf82588f7c7f7f48db3c4adaa8641bb040317ef6bc3c906aa2a621b750df22457ec485080e37a9502fa3e9cf9c42

memory/1232-580-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4708-581-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mUwM.exe

MD5 ef5ff0303664051b9672a41198ec2076
SHA1 ffc7e8cf02985682986febcd6cd45ec1a5c89f8d
SHA256 c0bf52cf062feb9030bb2a4fc2d4bebf672ff3572d53b698b8aad55c5c9b2f77
SHA512 2eb90c011974ed44edcbb0d3042936da8db37d3aefcd53c85f6e9a317da12e27cc24c28f45b7d847d1e3952ababfeb1a461651cce39b498fcbd8066c26d66412

C:\Users\Admin\AppData\Local\Temp\igog.exe

MD5 ad43dfd4346cbaae3678e8448175a558
SHA1 9b13da012ab058f0a7ac0523a2781a97dd6ed469
SHA256 cb69fe634112279db5645146e399130887424379412483c49c4c5afeefc00311
SHA512 dc1becd7d9087855f6dd1a5b52b57870c5e49da7ca7bfe8ba7f4fb579fb60c0ef064547261d007ffeca6bc4b63b16c014fb7d26fd5354010c3720e9b363c7987

C:\Users\Admin\AppData\Local\Temp\kIkk.exe

MD5 4fa30d8bdf882408763c191b8f4e64b3
SHA1 4f7d0e15711d7bf6c7267b60ced13313bb99981a
SHA256 cc33106f277baf43e14849ee2fa77d260822dcd068ba59be99d61ecec3f15a95
SHA512 144a7ae98a386d0f86acc31597adfea6f38dc9ff2ce3d4864ce830833a1df9e0b3ab21e7ad93791bc672b8adc581a98de2ce50527368f35f74ae7922785f4931

C:\Users\Admin\AppData\Local\Temp\WIoU.exe

MD5 0cbb96bc1441cce4edb681d8596a43e5
SHA1 2160d67a92c53430fb3fdbc3bdb18ab616dcb3bf
SHA256 77fb2d4176c9710d70354429d6b64e006597ae48aaee680cee1bb7b0ef27c422
SHA512 477e3cd98d10f96d716eab2ac78b80e1b5341234438d214ff5555ac910f7388c778930cd76ec3a55bd3e60844cfeb0d887cac793a354805c83227a3aaaff9429

C:\Users\Admin\AppData\Local\Temp\QcoU.exe

MD5 1dd071af533dd57c1fcfce1d7a250245
SHA1 afebe94dd4c03cc9d5974903b631e461c2a73449
SHA256 11f6b056f9c3698d090e282e2cb4b487570763244d8d8c8a5b6171ba00dd1225
SHA512 c31e8c8477fa53d9a37a45c53826a30cf667b35291555d2ffd4c78ea585ee6b94ac86cd0b864139da42ca0467d6688791501cc326b50154e1a84ff3d3c8a94ac

C:\Users\Admin\AppData\Local\Temp\cUwa.exe

MD5 52c51a27ad417f426bb1fd3b698e1f4b
SHA1 cc38331f74d6e57ae485bffd9a4189d98b7c6432
SHA256 aa4b23f08f5d7205d83e6d66cfe613330ff41587a5fc8e6d6d7001314394c268
SHA512 fe64185711af8e5bd6754672c97ea319f7e3cd703e50a598b40836c1b9581dc8cc6b63cee3962b9c72f0a952d901a9a9be97c96a67cf153fbfee90af7ec1e536

memory/4708-673-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qAIw.exe

MD5 2a7acb7694df9af824076dce89012a79
SHA1 f4c517d27235446db5f3af5631914c534f16988c
SHA256 bc0835334911eeda092bf934e315a3c0398c0071485c2ec130fea73241ee5f8c
SHA512 f9fc539c1d33c7e915b6c09f3c5be34ed8369c7007a7ab8c440de0eeccb0ea1a91060978961867f99ebcfab2c0e33b49d23837c0b5c26334fcf60569826c9621

C:\Users\Admin\AppData\Local\Temp\UIgs.exe

MD5 0be896feffc2a80ffb50bb0b3ef8400e
SHA1 a39b91adbcec9b90c1c28859d3058927646deade
SHA256 4dd6bcf859fa21d94cd4f570a2c8dfc3d9c9beb4747596763e72e630482ac305
SHA512 7b51e25f1d17f7164bec66bceedd1f8940aef18f2b59800b42ba1913353ad3b55907b2ba876a3cb6db7cff5191026f6c27b2d085be356cf70085c3b87249a5c7

C:\Users\Admin\AppData\Local\Temp\uUEi.exe

MD5 4f37ce928005d1dcea3aa0f70a3454de
SHA1 25e3afaf519f6498526a148bef344f435bbf6798
SHA256 b4547c9fe8062c51a26aaefd90a7623f589d5f4d9a90f6bc83b3b97cf032e20f
SHA512 e86e68b2eb68c68ae6e98cbfa594606765880afedc836d0b9a93ddd536ed1a358611f2921d59c2266f56d28579261ffdc690362a9d89ef1a65051b23726fc743

memory/3508-723-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4376-725-0x0000000000400000-0x0000000000420000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 db2cc9c009f88631c9dffbb7a4db8489
SHA1 ad8807e87017d3de1ce94749cbd8e1b239c15750
SHA256 4ba20d4f1256501ed3f2e61484157e68c5569f5cc0b4ff5e47f3fdbb0323199b
SHA512 9873cf39b3d161c19ca71bb8b6e5b6891e58b5ad937bd1c4b96bd597b647ce559abbeddc59e958f248c8dffeef41c65dc0242bb0753f888b7637bc0cbce0a7dc

C:\Users\Admin\AppData\Local\Temp\esgC.exe

MD5 913544c1af4f67447f2e74d3a1730ea1
SHA1 228cdb2e6a08a31434033564cbcab05afb6e8d11
SHA256 cd97d9aed6907cdd33546ce70bf791a617a1fd7c80344ff134120376dc7cde68
SHA512 8cf1fc9f5de3891e26670958f00d3572a25ef82419dec3505d12e57ca0308984a2d93385c4f6aa63457e22c5d89ac3b30880abac7b8f22b56a98964847499c20

C:\Users\Admin\AppData\Local\Temp\aoQw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\oAIm.exe

MD5 692605baba3b6b02daa15671f30c6596
SHA1 326dbea5025f4675cbb55f2a24d216d9f99b2870
SHA256 9958e066dcf1609697eaf0f7465db49ca5c7df39a3dd08ae6fe646063451c237
SHA512 a9b5ef2a30b8b7edee4ff4fdd5d815b59b93d8342f12292dc81f44b9fe34d2f0eb3657020540092fb804dda86d9b548a89e1d0e16959c256f891450ebd8051b4

memory/3508-788-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\woMa.exe

MD5 4d968872419df173460d50555de8c3b4
SHA1 e5976b32deeb1ae93187a2e06aa2d26902ebe156
SHA256 2a0dd08149b0f93335941b5814843397cde4824600885a80af6d90c1508b11d5
SHA512 a4e31589356c5632a4396827436faaafd6237a398997ad3e7af2ddfdd7e70e3ebd162ce29d4c0e3c40d4d48525e6bd9aa3f3fcb3cea4cdc5d7db51a1a5a5fdb3

C:\Users\Admin\AppData\Local\Temp\ywYI.exe

MD5 f9f4e00ef661d4f6bab0459b522d3716
SHA1 9320c95a2674783dd1fcc4ad72f3324b26892a4a
SHA256 cc393206828fb113a6bfcf5f8ba8f95f6f0720440d54db2360eb53995133433c
SHA512 a007a1dd83c542b2b5e2d819e4a0af61a774e7b871dea61b741d0a9297d6b508ae66f40484a881f57ebd046fc6d43eb3fb13211bb4a42df0f3b0fcccf64b523b

C:\Users\Admin\AppData\Local\Temp\IYoi.exe

MD5 ea8957c51da130d2785f40dce228141d
SHA1 cefbb7eca7b9bfa2bf22ee73dcc58fc197f7a7db
SHA256 9b2154dc0ea318d8b35172eb6204db857bf0da266d4efd4a5b19003cd6867468
SHA512 e8e28dc19ccd5f36c2e0964a2c36623e83244e51b571ec5ec8d691aba34cdf0bebde35f67681fbcbbff992844a0dd7b858dcb7218470db6f30d8a98080439719

C:\Users\Admin\AppData\Local\Temp\IQkI.exe

MD5 203d03edad236c3c8180ebc74bf9e12c
SHA1 f9406d7c51f789b323bfb4ab43ab2b3589dfa12e
SHA256 ae68638e838a46e421e6814190fdd9e5fa80f5d52d4cda4c3ddfed081ff7942a
SHA512 4c5d3b0dad6aa4334c9d58ed6316f3af552b6b2a45477f13aa018870c46fa5875c0775311d19f6f59934132d5ffaf125a59e6e93486f9a2d9c151e38457b6099

C:\Users\Admin\AppData\Local\Temp\YUEY.exe

MD5 3a02c8670771fd3ba586c377d79dbfff
SHA1 92dc980bc7e2d43e7ada89db5915d851b98e41e3
SHA256 335b6f7c267d50734b06ee2890eb3640ad93d0e756c87abb2941b112e6bbe07b
SHA512 79fd398fbd9fbf5d44c2d2b23b7342620166e8d88fb4f72cea90127480c66ae331731daba358aa3d5292582920f122b32c3c8da850a67d361f8bdfbfdd2823b7

C:\Users\Admin\AppData\Local\Temp\wUoO.exe

MD5 0deaf7d8bbac83cb37bce03293efbd9c
SHA1 68cde6980b44c6346e60367e2d0d26b37ccb1b05
SHA256 10e1f0b9f659c452e4456592de2c11555abf3f7c7476a78d98fa4950128dd15d
SHA512 f3287b1806b950cc022b9299042cc839283cdcda65f2d49da0ddce7c2df8fc89222f963475f7159ec503c097902bd6ac0e46a190f7541e26ffb141ca09e5bb0b

C:\Users\Admin\AppData\Local\Temp\YYck.exe

MD5 34a55ced10fc294d7d2b9a92be71363c
SHA1 e4a62257ee06d9fc3a787fb1085d362cc436442e
SHA256 af89c17d6089331f2603b838bbd458b0a02a6bee4f2bb005a197e87868df201f
SHA512 9c968694833f74608e74c467b8fc018d0ff06c1b0b44ff3eb36de86a2963bfeb85ef2c087a6f5cb2881b57a3d106511e99329a42e19a7ab65f14c876c6114a75

C:\Users\Admin\AppData\Local\Temp\gQYy.exe

MD5 ee7fd2992248aa52d5422eec021f0af9
SHA1 1bd7a4b4c8f87de33e79ef65191b6bf0bef64cd1
SHA256 c3f35fa764fdf3547d4f61b0b57442b7e6739e1eb5c5dad8264e6f451797b016
SHA512 3f0ef136b22b4bf6b7c11041ccfab9b1492f79f7a612471cccf61185c470f6d9d6db26d2428e3341b321123f82c4cd31eab1c197fa27365f3374b8ab2d3dca87

C:\Users\Admin\AppData\Local\Temp\wYsU.exe

MD5 69ea555ec610f3d895c5bf216b3a3a24
SHA1 009b811e154d2f52e87af3172cfbf22e8d49bffc
SHA256 6a5c3d3fce83d0069b99c636c1c2c3b2ae6c82de2456ee662e839cf2aed38d69
SHA512 6425f270acd5ea91cc80562689c2ce6f7baa85835c806833cc10b6c49a32a31f62aee11799a995a9de3df09a38af5cc8184d9653ef8cc0a12fbfd3701873a9af

C:\Users\Admin\AppData\Local\Temp\CMwc.exe

MD5 482c9e06eb689e3a3844bdf1b2b18f78
SHA1 a64bf76efd92b0523995995ba514228e8bab0490
SHA256 f3d426e532206ae48bb72de8ed3417543875b6d20ded1becdf83f9a26a80ef24
SHA512 dbffe04fcf7357e472ca13e002263ca644d8e9bb61aecf102d52a0ae22cd220acb8c718d90da68413534da2f9eded91ea1f49c0ac51fd79ab29b483b90d4a539

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 a300b6862768e163c15c08936fb3bb4f
SHA1 76bedeed54ed6f88ccd2bc5b32dac5e12355c43b
SHA256 21944492385160e4603fc2f73e022ccf9a66ca861dfccfb81ffe61e419b920c3
SHA512 97935836f07245e657b86f710338e24cd8d5b6965b395771543d383889cbf72697e0638f8a42d7e73903c3809786d57c7578195a0752f4d1bd209e70490f5fd3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 e8bbeb8b16d18f4653fe09083e9bd85f
SHA1 e5979cce13a52d7588a121b97b88fd7179d22a10
SHA256 05674a1231b34e0a1fce7bbd1b1b5491d2a2702075d4ea0cb027e0c477d6340e
SHA512 6853ad2583d34ed5b472615266acacb65af9182a7fcd3aca521152d12c7e75d1c64ad0fe237fb9125a07892a1efc45049668664d40b7b9ae874b5effb717ed86

C:\Users\Admin\AppData\Local\Temp\sEUO.exe

MD5 8d52e6f97fe31cfc3dc0bb1b235c793f
SHA1 3ec3947f69e01c1ad2a8fce8020b8b1fc3424bc0
SHA256 f1f889d3e86a9c9d7bc54863993adde2129f29a243f770ac841cf26b600226f7
SHA512 3652f64ee6ad3aedbfc083db02241be726f8e8002db0460317c8a98f216cd6ccf946d33c9369cbe9f2c3988976a2629ae233d677fc04c6c9643c21d589e76317

C:\Users\Admin\AppData\Local\Temp\GkcO.exe

MD5 0cabb83e56aa2477f27481bedb70bf55
SHA1 6da56d661a31e98d3e837dd8986d81f1aba33ebd
SHA256 7fa15e9df766c57fd28dee1a6cdf0f16d324a58325cde1b45cbc38d8948e742f
SHA512 5ae0295c8752a777e7c9e2fb1f1c933a05eaa86bd0e600a737ead776f55281854184b098be41d27df6729f4f408f39c803edc4b0fb7e159b58d592ba0b8e107c

C:\Users\Admin\AppData\Local\Temp\UIIu.exe

MD5 f0ab270f5ac6f1c854e7a9cd24702cb5
SHA1 99ba6fa17afd58ce6df1646f517331de7672c6b7
SHA256 15184de23802a9f8bfddbebbd13b6fe158e66f8c99fdf02e56a1033e1aa8b2f4
SHA512 c6c797729da732291141df04a75dfdd48339ca265417b9a6fe9ae4470516a58807d8354d4c0e1b3d2aa2972eb802cfcd2cfaf61797b9c132b2de082a8c857671

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 1fbe1c6e81f84a1e7bb27f9e7c45c36f
SHA1 e9e0c71602bee1b2a9be478f137af9143657876d
SHA256 d7c78b8b5600ebe0365f2702a8d0013388f2490e0406342548d398a091278bd2
SHA512 f6171096c3d269beb7a7f7d7c87bbcc124082f3136b6ce4d38e2281604496d2c7df421bf611c4729cde2ff3909634d92ddbc8176a2b57fa184a0edb4b832bb0c

C:\Users\Admin\AppData\Local\Temp\qQsG.exe

MD5 5909f9550e51d4dcdb5b2666b29783a5
SHA1 1b7bd5a65c3cedb13a68cf700de999d3310208f6
SHA256 03671375d546171d60aac0742b2e6790ad480301b34a0bb7a2586e7d6aa91ff5
SHA512 6d50efdabac9ef747841d8af0f0c56687a7877b9705e3720bf4c728903b18d2ed4f5bb2036ddf97f935eeb4513109d69fbfdd3b9e41f12a6ebaed29d977349cd

C:\Users\Admin\AppData\Local\Temp\SIAI.exe

MD5 405d9a395e074cabebeeb01e66a05007
SHA1 3a64297d13d8ea05c37a3e4a46b8d4c80c817a05
SHA256 089cde2361a6c6e78104ed10f1701fafbf2d0265257270960b4f963ea9a30610
SHA512 1511b5d17f2defd99a81ec822576aecf90d081d008e6dfe9d433f9cbb7014eacc310ba57f8cb5978af104b4981b3f6760c2a4d131474537ec12f2b959f50d59d

C:\Users\Admin\AppData\Local\Temp\asYY.exe

MD5 ad3d91d95ff5430a04486043d6aa4789
SHA1 1758cf69a8a8b73f748764440f452780d5d2486e
SHA256 8811afef30d167cd85a29f30ffd0ba15c23f19973126923a9a1f028eed9fe3f1
SHA512 6d1f414da47c231c68c08d2f6c6d11ad517310bfebf5c42bcdc8892218b841651a4d4731ff35b054cdf894e6793cd7ccb6072391d93a63ff103cb0f764765556

C:\Users\Admin\AppData\Local\Temp\yckc.exe

MD5 6c186362bd4908339253d4cfeb6cd23f
SHA1 c124dbfe1aa4e6958de5a220918bb4db5034af94
SHA256 894ad84236897c356786aab28a2f91516db67fb444432ef556e9a7bb108ed9a9
SHA512 6f719503ec5f8bccbd74b65fdeb80bcffea1f58a41e115523c4482e022acbe55dbe833fe1b82bd227e1110a7cc5a5868fb9d19b01299746eaa2f0ddf69a6e785

C:\Users\Admin\AppData\Local\Temp\yYMs.exe

MD5 8694cf4deefcbe2f66ecc596d337c849
SHA1 6a7d4ba77f3afe2e69c2ea61b031f2281a736676
SHA256 410f80426f7e24e4b40f25e42df145faa77e22979b0f16a4bd539a3964335a50
SHA512 0356c439fce9906f9b45fa91b99c82f68c02289a4bd8da9b3955b56316ca07f1bd04f3c7ad6f94a70436cba08428ee3cbdc5a24bd6c92f5bb1296abe2625ee8d

C:\Users\Admin\AppData\Local\Temp\McoY.exe

MD5 877b51ebaf00cd22e804d7669ef66894
SHA1 f2627490401a9a4780e61b03b630343136d4a3b8
SHA256 be4556da6b0c343f4696b77cf1b81be2c4825b9baaca15856bd16d757b9243ba
SHA512 698c8f455ed99c4b7f66a3c9bd08874282ce5240e23b32a0ff511b9bfc9cd5c6ee142ee152116cdaad6b3edcef87cf7f3366b123840abe6a59855b44ba52417e

C:\Users\Admin\AppData\Local\Temp\qAIW.exe

MD5 c1b738f0124c0bcc1892b2b05b3e2570
SHA1 10bd94856ad052d791f93a054bbd4c433a4dc12b
SHA256 6becf877527c251746e3ffe2a2441d978f6e30e5d0b4fec79c2d7178332bcf33
SHA512 b9dc255d8818b79fd87c1f3021c64aa6a3caa2850cc1fe2d5fa40f016b26e60d9e6d4028bc2fee1acea1122ba50388ff92f96a570e2d1a996117db407b078481

C:\Users\Admin\AppData\Local\Temp\kIMO.exe

MD5 ae036cae2307e7c3b815dba8735996b2
SHA1 a21e116fc3f6878d7fef91fa3564cfe40813da7d
SHA256 92455d6b39651da3153c70dcbdd8233e64ac95f91708ab622f09dc68789ecb57
SHA512 545f5b2eea6814ad4f5ec0454eca1df0f27bcafdf75fc7d789fef224896f415a7a64f3277a6ca409336a715c3fab2f6b3b130301cfcbe07b1d7e03952f99ff63

C:\Users\Admin\AppData\Local\Temp\Mkgw.exe

MD5 ca1638116877c12bd4d8e5811a9e027b
SHA1 9d893134c9f6f38e7278e3db496a4f7a88a9bfc6
SHA256 7718af1761344b65ce6914ad28bc99a9fcd390b67accdb0a19e6a9e6123f8f53
SHA512 5899b032d7550b28a0dfc21231af93236b43a3a421f0ebccba5020ad60f8c34aa80e03464ebf0bd9913040550b4e14602a77a86e941f6a76ccd4930464c480f1

C:\Users\Admin\AppData\Local\Temp\SYoA.exe

MD5 93849ccd65e84d619b8b2f710fc3fd8d
SHA1 b48e570fb6aad4c902e0b8f0beab85ebeedcd7a5
SHA256 178435fbff1dccec4158e9039a793221344cb8bba9bfbe0428de87a68adb6b07
SHA512 097d92d917a8e6bf61c70a58e93aa2dd714e465742656a4e79d10ae7db52e9947be2e6b0704d52aac8ce5e11a1f31659f5c16bf8e4b9f0f4165a503d193f5289

C:\Users\Admin\AppData\Local\Temp\gQQy.exe

MD5 8d0db356bc338bca13705012a4917b41
SHA1 763442ccb4651999af447084f383d2967fbbab21
SHA256 696211246f460c2458bce97c3896218b5bfb1f2ad241059a6e5f5972b98a00a5
SHA512 fc98ba6794d2394dcfbb44b5ae6a189a134d77c42e001c8944332e5d8fb106ef9521fe9ba9a51c8dde215d3a69622ac62a45dc6286d20e0c2dd054f96de6a0c1

C:\Users\Admin\AppData\Local\Temp\mYAE.exe

MD5 866495ce5461ecff855ad917c34bb666
SHA1 18bc4eb6fe3fbb4ec5fb91cae1660e89ee374ea2
SHA256 dfd2e33c8838e5b7d8f4cc38d04b4f62c26d0a09069c6eeb2595d7bd6a10ea2a
SHA512 3a4104cea735ac10eacdcf77479caab818402ef224ac92acf36819e12da4cda0507ade9ba7a354da8a2d07175153c96859cb92c74868e3dd5b420f7de91ef424

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

MD5 cb63170ec0bbb01287b274c8e6a887d7
SHA1 84b4929636badaedc1251637d1f4e83f6276f1f4
SHA256 c33d1195055664734f7204c9739417bb0102c6edb327eef4ca0a57ea811ead3b
SHA512 8b0c53daf524ad80a0b3740b470794822fb4b91b902710f2f23a4bc80674ee9ab991fc34d1e039d76e21e9444bb61791c08a6973d1f556e93b20fd4dbd14cb92

C:\Users\Admin\AppData\Local\Temp\kQAK.exe

MD5 654c59dd3f7f45f8e7563e750582ff91
SHA1 90596cf877bfedb609fa513bc6f5ca47321bd229
SHA256 359947cd43d611011f6e999e13184203ca18ced78b94fa0373bf70aa0646b619
SHA512 0ee237625adf165220caef48d2edfa150e2661b6aba7887eaddfd8733edeb6c1fd92021c068e637716b5844c150cd74fcb600929a0f7800df2272501c895997f

C:\Users\Admin\AppData\Local\Temp\GQws.exe

MD5 9df68a6a44bfd2393b6c789572023263
SHA1 7ba06e98886b6f5a749ff03816e8e93c36e214a0
SHA256 e22a66c3723e5e9e13dd1bdc3441bdf476340b778c9e3391680893816d24b5a8
SHA512 0aec27a38316307315f0f48e07aa0388e446b2de28abce414a90145a7410eb3aaff51ee9ba5ed415fa1888bbb65abbed26a546a5baf7bca12beb5252b1619f72

C:\Users\Admin\AppData\Local\Temp\qIEw.exe

MD5 953c978beee935c30ba67317ea95068e
SHA1 ebaed1c6ef62b0d9651548ea10b00950ce500683
SHA256 03c1e0c24d05bd50d08f9b7ee6705f0e287673d66d2ee3c60e881abfea414fdc
SHA512 c21c4c15dfdaf80a33a92f97c120af6fb4360d0690ada30ebe90b99c828eb7e021cdeb660fd48b0543fba4c8dd7c679a936a70ae52990c7c947d3fd39dd5ede6

C:\Users\Admin\AppData\Local\Temp\KogE.exe

MD5 dfdeeea9a479df0cdd34183bf49c5400
SHA1 6e833f7638960f86e24333c0a45ee50b569840c0
SHA256 1439d66a664ee90743064702c2b1043901c3e9be81442c951f374a58eecb3091
SHA512 1e5ebf8e2a2d9dc507ad47ff1ce429dd2d5bf19b574d062e39cec945804cc84a8cc48a4b25f9baf01617c504326ca1a0fb6dd8260bd06d2480809bb8043dfbd0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

MD5 0a5fec02f8c5c67d9fa0b02ebe19d285
SHA1 e94dd1562ffd122a4189d3436a185498d4573212
SHA256 aafa1935a65f47a34f7307209796cb661bd8b9f50569dd5934b20dd2ef74b570
SHA512 119166bae7d196d901571bcae70c1dd317a60fa6d7397182a26232c26ea67e5a59d83a39345aafeb02d3aa073922acd228284998732cf6d20219848c4ec32d0e

C:\Users\Admin\AppData\Local\Temp\kYEI.exe

MD5 1beb0d7445ab5b20d93e5c09192252e4
SHA1 af3f9941003964d0906d3fa561b03cbcc6a6320e
SHA256 82c86c2d2739a77ec5087df05c65b834e0bb2d505e700ce4fffd9624238d974c
SHA512 5dec2fac56c3135e06b595ed333c1f8a242570c5b95515023bd9df566ba9ba53d5a1b9b3310af4a5a27fee9c5d4bdd012ab022aab2c6557320eb0ff5d66f5fd7

C:\Users\Admin\AppData\Local\Temp\EUsk.exe

MD5 223d5f31f460e470954d2b84b96bf391
SHA1 e1e59502c88b6d2359754bc6bbdbb286464b9e20
SHA256 453e9e0b0ef05517d4484bfec90873b9c4f8e19899628be975627494b4d7e515
SHA512 a8e77d12e5d63142738070f7ba6cd5c1e6845467a96d0afbcd9a2f984fc05f058e3c32a9c65ceacd27b7b645ef456fcdb973fdf913e2471ecaac46c28a94657f

C:\Users\Admin\AppData\Local\Temp\iwoq.exe

MD5 84311f2f8a634cff02f6bd966b510882
SHA1 b2979d224eda9808713b5ad7e9fcff953e4e6cb0
SHA256 d9460401dce887288d6bd02f7ba8822edf57e018fc50e54a61f9ea3dc197a313
SHA512 0aed8626747660a3f3cc667768e2d4a2844441ec820a7e0d36f0f6e9f7c03806cf0d60522e5bbae8b74962f04e91473a779a4d36b7c33f3980ad707abc78b523

C:\Users\Admin\AppData\Local\Temp\yEcK.exe

MD5 5be03cd9e5ad4d16c00da3753c263237
SHA1 6f785b93c24d2d2890cba63341e706e8c9b44543
SHA256 bba46851c6d72928531296727357ce035b1c2ab7bef8c0b3fd803591be43b636
SHA512 4204876f2ee301c18de38aece12b6a87ec7d0df86eb589c51818d7147d86a8794058808994d39670a93c20fb5c165fa5c3df1f29746ea0bf64d8152f6fc53b71

C:\Users\Admin\AppData\Local\Temp\yQwU.exe

MD5 cdf839b633ac6ff7dfe8916fbe0cd730
SHA1 d6843e6034f8e0cef797229373978995cf17d64e
SHA256 9be131be26cfdbc585f136e0a6ea10f07acfe4d96abe1d899b04c199213f33ec
SHA512 08243b5ef9312b5a45ebf62489e8117473b9706bbf5d33abafd5c13f28a714c8bcc761096ec4469d986be616af6f61fb06ee7de3db3791506b637c01bc9f7f6a

C:\Users\Admin\AppData\Local\Temp\gIoM.exe

MD5 a53589d85bcc4830752187fe77255897
SHA1 fe9c24eb71a6a60377da147233ed21ad72ee2b4f
SHA256 4f24ef484b6c6339d38dcf6b802c4aa95e1db045a0a8ce6713eb3fae16bf191e
SHA512 743b6cd7e3b2ff99eddb12862721357b6d968652f8ce68fe0777a430b869027582296642836eeea79f254f7189aea5761aa5699b2455a2db2fb2c064e9b7cec9

C:\Users\Admin\AppData\Local\Temp\mocE.exe

MD5 801763a700f992298d5d08c20f1618ca
SHA1 2ea5ca7a38db4267baae77676fd8fe96303858ad
SHA256 576ae07ffdc85ddeddd6ef17e8c1496e43d99807bc3ec64d9b0844437949b875
SHA512 67d6916702507682d3d052dd9109fd76c6807b220596d8f8bf065cad903c38d160951411423c62fc1d7dbd8172170e7f2a0931ce54ed28c32ca2f8e22af602bb

C:\Users\Admin\AppData\Local\Temp\KIcs.exe

MD5 dd4e3d18f6f84db51142d8cc1e1a83ca
SHA1 469f02ca27222344ef0105318ad501412a8e8d27
SHA256 49e81127da7b18c77e71903c6e2e7b567f182989199980886f6eeb67bd96678c
SHA512 18bbdd31bc6a410a9ebc628fe34cc9cff8503b4bc3a9a9259acd03b9558f9afaca77201e184dcfca428cc369e7651548be257ffa680b379faa7c0912c13147f2

C:\Users\Admin\AppData\Local\Temp\csQw.exe

MD5 aead16176fa311a7049df26445791b39
SHA1 20b2cf168ab3c2acf60e0a4ee860137746c18264
SHA256 fb5e8ef8f6c6f39444b276d0750d876b94eaa7ac186b0e99ed886b671019891e
SHA512 737749edc83d052deb8000942ba49c2acc37544ef118632c59b7fadb6e2cf0c2bdcc4517e342b18e204f69fb67493039bc49e209fb6c53f8ba594e5afd9825bf

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

MD5 f457d30f63cb03e0941120bb1d09674f
SHA1 0b641d202f69a805baa5d749d0b98abb183f72e5
SHA256 cc3da10cca3fe5d7d336be11844dce93ac5305bb6d622c864e13150c31eb2baf
SHA512 eb0527d88888645880291f34c0011c1af9e8e832daf5d78148e75aa774c553880195d544ae59ab865a9af8cf73a949e2f49f9ad905cc7c87d897b54bc3aebd79

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

MD5 1e5c68331625baaf183b7b4bc1922eb3
SHA1 e4cfe5c34c93a135c9472bd6bcdd4bd63cea8aa1
SHA256 b9562c107e17f8cef50a1906b0bbcc7f71693136a9e0a9867fd0cd120c67e8f4
SHA512 1e14bb7573eea27b5d7c9164faf26479f6f6b09ec0724d78678e2e73a92b8374a9d78103dbd2804eaa900557df465722d185d4bb8d618d2dd247af0a149e22bd

C:\Users\Admin\AppData\Local\Temp\eokC.exe

MD5 b363270cf669f6b41ff237b3614752ec
SHA1 8c26b460085f2a7be403920f187752c6be2f50a2
SHA256 8331fff756acf483e368c04b6dabdfee6d8ccbd4cc31d943c19a60c09acd30b0
SHA512 7239ccb355ad1fcb7e8d6357a5068fc1190415b73667099171d769a6469028d775c8ab17c5b9c28aebc6f74facf0860e5b8c20cd48537859e66588ac63d2bc25

C:\Users\Admin\AppData\Local\Temp\CIwC.exe

MD5 dee70c34a1de30f7cd36678bb0ffce08
SHA1 4d4a860646230182363b7a5102d620b70f70b334
SHA256 c0d7d94c6ad014abfaea797da2d45f4007a228c01525984c3b7df06c27f3f9cc
SHA512 017c46c523165894cb44c00b0a92efaf83d2eb02d55d82c2e4e541361244a8be5aede03e4565fff2d0b4750f7c40253b43b6a5d2aa3c62bc0fec67ddea7e8394

C:\Users\Admin\AppData\Local\Temp\yAAK.exe

MD5 4aca465bfe9f521ba40e373969a0fd15
SHA1 1589344420e1d3b7b1c624eceb9ae156d4b53461
SHA256 9c749d0ba8bcb23ba640585b23cc0396921488c9cc0470a75589999d5d978e47
SHA512 e07dab6e61eb1245dcc96ccd11dad30daa9ad00333300e15a4450452aab507d4ba0840d4158c1816fdb54ee164af2b12e98c4af94f2f0a915e2ee7d8e147b839

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.exe

MD5 8975ccef480f3579eec4a05125587285
SHA1 a6a3f4c6b3ef90553dbc1cf55e0f309310b5dd1b
SHA256 51c072e234a0d0700b13869d66ac82d7e4d4da6055c6477bfe6c473817438d21
SHA512 34032d4ca287de076217783e9d6220d3ae6f78f3ef7a20574f101a8f91b879cd6950bf05c7820e138411205bc33cddb0ac5cd41c6fad36d4010edd55fe048be0

C:\Users\Admin\AppData\Local\Temp\OwYQ.exe

MD5 1d360b896f1c399c7a1f58318b23cde6
SHA1 a255fc20c8534668076e49bdb0c6e8f9b5af1694
SHA256 d4a7a52063c0fbaaeb4a8af3dc2988213e3cef6f3b900693aa67a9c3e4780fd0
SHA512 462abade23cffde16a4e3b6b9bf8c92b5abf3c917b1947b44af70a8e68c0986441773e35a3e1d55df614942dd7151fb935ace5a1aad3591a08457b90113b91b1

C:\Users\Admin\AppData\Local\Temp\aowk.exe

MD5 85c73f58f173d8dfa2004d2d4427f4eb
SHA1 e78ade482e94558b175eb99b900f45f9f8472c7e
SHA256 ee146849cb93db2ebac9048b631f6473750c7c5ea808fcdc7b442a90fe3fec7a
SHA512 285e8d84dafa078f4a350675ad3110cda73db313a2f5c5317b6222688e4e1f8333b52d4bae8ee86c50ca923304acf88efb1ed9d762147e115f3925e4be49388a

C:\Users\Admin\AppData\Local\Temp\cEYq.exe

MD5 fc3c039cd4dc2b0f3730246a88d144d5
SHA1 3bd13fdec4b6c50d7d69b3bec8e48ee81d60c290
SHA256 2b56e2512f8d2659f09a46da4cab1a13205926fb930272ff075f138804e04038
SHA512 0f82c2d3a21837787c2cdf0cfeb6944e30098bd302fd688e725772e9f4233f9b3401b2da581d0e8acb0c1eb0c49891c2c000f76e7ac174ce61798f62f048e5c9

C:\Users\Admin\AppData\Local\Temp\EcIo.exe

MD5 ce49999b6d87b8210da0d35349fa3be5
SHA1 47acb495cc8e7c95679437099116ff31ca519634
SHA256 a8e1a4478d4d391e55f83ca02e2cfae838f57cf4d34e1c0714435bda73461efc
SHA512 a767144ff8c1994d82d146653bffb8944ba4abf3532af598a9e60979b6483b5c0148df089c9cd3f75009a4db2d7396b0aa03370299a164149cc1381492e49113

C:\Users\Admin\AppData\Local\Temp\GUcW.exe

MD5 a9c7cfb784668b328c0f881f10690dde
SHA1 b089eb1100a09862fbe4a69bd68dc2b01216c5c0
SHA256 7bb8897a1541d33bed64bf9bff81c126a66650812190ff7050304734ce1b064d
SHA512 c4f7b930dfd1ba4326be5cd4b157a59bc0f12e3034d6741a8a1eae9ae6a33a2ae98cb09505043b9e5f8bc1ca75edf3f7386e980df3bab45118fd749b85ac085d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

MD5 ebc7572bc7ee4f2cffb75444f2605523
SHA1 bf565a250fac8450473d6ab86824a7b76037a15a
SHA256 6382157280f9dbaff8ea9f9c6647d8c1aae73f0c0c5d2a72623bd986342555bc
SHA512 246ead31c008089ac91ec3afb0257e1962211025912d378e160177370a44b80600906526b972c83b29cd08709e1e5f12f5af2e832c41becec1f173367fce60e1

C:\Users\Admin\AppData\Local\Temp\csAM.exe

MD5 e559883f29461e806dd37b80524a486f
SHA1 848a8b9a96e1d4e8e6f810302a1d179837e906bf
SHA256 f9287196add73772a40c2c801959b94d93d82e3fef614d544e2a3120c34dab5e
SHA512 a8f1692e1b4a97f038b0b52fe5d0f3ceadea809fec3b73fab9969433bb141771ff2865a395037ff16aacd6005d0adc4652c269bf3b5ce4dab89aa29c40171671

C:\Users\Admin\AppData\Local\Temp\WMgo.exe

MD5 b46c49c32aae99cc0a8ae3619298b198
SHA1 3ce222a80c1297612f0ca72209b2705283c40264
SHA256 20df29ff69bb2f5b431dda0dea9496abb487883de91c3ddb42dbb6725e6bfcd4
SHA512 fdaa3ab3d0923ca9827a810623aff2cbcb966f9400702c18600e61f5bb323e03eb0388c23993cc3ce0e2100a2b12d0f91dab3ce189b508b0ce8f522483eabeb4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 386ab52268282489ecb73177bcfd43fe
SHA1 040be325dfa1fcef76a021fb491ef364a4829270
SHA256 150982eca85fa373460b1302a3b9cef217ae52c9f432427a45bcaf02c92a755d
SHA512 608a244735fe41b9dbe5c7a42b1e92f8340b7a1dfd501a034888a5baee306f06ba53a8b99ea05dd4697cbab3b2f8f2a39100e92a166637b483278ecb5a57f1ce

C:\Users\Admin\AppData\Local\Temp\cUIO.exe

MD5 d16856cdd68da719dd29e638e4d047e1
SHA1 6f329bc6721cfa490dc9e7f1ba212562d294fcf6
SHA256 c87d509428b362349c2f8863c8cca621386c19f260d2fd7ffb6f15c50bc2aea2
SHA512 e7f1ee3c97dead2b3119243cd354ee044cfe9a8b107ec7c6e8776dd2511ad897bd28d90dd3a89394f0928b5a30dfbe4cd6ce7f472e9550f956bc172a07799bd7

C:\Users\Admin\AppData\Local\Temp\gAgy.exe

MD5 edd75d736f99bfadbcfb5ea8315887e5
SHA1 57d1e68402d80380df6ce9ec4d41b4828ab27c62
SHA256 a38de6517e116d9411f518d5b7bca38f1abdd66da3254c54ecfb74193def359b
SHA512 227635ecf993285495d7e74d77b090a0397ed15733acc58337bfeb2d9769a7b654643be40d708af8c68dffc578e76d6f62caa9c4ab392d35efe441b7b25957fc

C:\Users\Admin\AppData\Local\Temp\uwoi.exe

MD5 e32a9916435090fcb3a49d56c0c8ef7a
SHA1 4c61246f769234639be5d90bd0d5637007f5f64c
SHA256 a0bdbe29ba3a430dcba14fd14a204c0f49119315cff1fcc15912d98cb918a4bc
SHA512 b0d28836fafe57b064e13a182153cf8e15d5b3913a01277f3525afd5250000412fa064309a01ff1fb6a590fae049aa5495aae70c4890b534179b2f29bdbf6030

C:\Users\Admin\AppData\Local\Temp\IsIw.exe

MD5 d38c3e41d9aeb98b1f095d4d7569436a
SHA1 09390345e10f08445edda62857959676a12d4478
SHA256 58a919035500a05ff305764cb6557033ead005614dda42dde79e794a4b3da24c
SHA512 8665f155d3b6de8b8862729b7939058f61eb1dfd348374d189f398450367abaaa00f73e324089c05ff4004aa6a2d9599c285c8674d14c03a091875ee7ec10682

C:\Users\Admin\AppData\Local\Temp\ekoa.exe

MD5 b4b5b2053ce85bbb0ecfeb65e16fa77b
SHA1 13d4ee7d94b2c35154ddb66dac47aa2fefee9215
SHA256 d5427d879a3b1b033c7c0499d5bb2594b4e3585ba8c3de0b83a03405272f639c
SHA512 9682e4585ee57db8c50ffb3be4a0330ee9171a6e7059221f0aa1123486ccaf161d4a8556a6baad7f43370acd75d9373e1d6176454670b52c9692495c2a16292c

C:\Users\Admin\AppData\Local\Temp\gYgW.exe

MD5 c4aa9b37df1283a329229894298c7783
SHA1 09efc3da663843c292534354b40af4d2f4682f00
SHA256 794e5c99ef903126edd2720500f3f0c1f324ba8f31fe0ae6e019dbf34f8b968b
SHA512 8fdf6bffa4cfd32303defb6dfbffe95ecedcfa71f8f57ad36bbe8f43325a8f27994daf1bec6eaf7c1c402fc2338563ad8db6be54464c0f51e8a87b58356f7ddb

C:\Users\Admin\AppData\Local\Temp\OgYQ.exe

MD5 fff9e3b07a381083b02f52f8be5355e1
SHA1 cf8e5375e01c4a2182d2d9e2501d3b800790fd1d
SHA256 80e2b4b3e86bc51c5200f56cb3d12b51c8246610cbdc3175f768e7d7b7a47385
SHA512 877a65d1bec2f118b701f1ad8145c373f491915b709e05e7a2c7f441e9fab792227c49d6bd0375f00e9f0c4bba7359d6b9dccb5150004f575a8f177fb05f4a32

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

MD5 77e50549c768ced972c3eb5c6f6f9a1b
SHA1 baf4022d97c10d3133c97f1be0edfe54fe10e74c
SHA256 bc57defcbc2a408c25a87ebcfc6c1f91a143b3b84a3bdb9fddd9f6c7b79cf7ce
SHA512 7aacab67100c441e29c1643574018b2467e2256a5d5bdb6cbe4aed9ff101955a1c36a56c73cb5efa93d626872c4c2700c566a57c0ea7a09f56d630434cd7fd8c

C:\Users\Admin\AppData\Local\Temp\EAAm.exe

MD5 1099b25d1d418da8d655f2e455aab7ea
SHA1 6712529813e7a9580ca915ac9723897b8e1836b6
SHA256 715cb8f920a0a5b247232c2c449a5904d696c95860279e46c7e15389f716db62
SHA512 977b572b6555ee5828b113c7b268d392eb5b051973a038f6255a1e093139fd35047fc3d95c2d75ca0265bebe841c29abb933f994803f0d95830af040a0aaab0e

C:\Users\Admin\AppData\Local\Temp\IUIM.exe

MD5 43916eb776df346d7e06c59e89c424e3
SHA1 3aac50ba1ab85564b3f3237b9cfd780d5f1424c1
SHA256 0e53ac3ce106ed7f20e04778221aebde6a3c0a51190d2d13c84e7d450abe753a
SHA512 6e7eca237aeff419e9f328925e8e084c7d15b676bae13bd42ccdbeab96b53701747d29b17ae7d2ee1db9f94ffd86cc348d4a4b27b190d51d3fea03f778da5d48

C:\Users\Admin\AppData\Local\Temp\sYcG.exe

MD5 b72f040f25399f415bc05a4fc35e201e
SHA1 bd436d18a7b47ab4b974d1d969fe6ffd905384a8
SHA256 e08144e0be7eb28ca0951e7ab0b51df2e2eea4cfc510faf9eee9b169ec3128d6
SHA512 18e2b830d111cdf5b990a02ad2e1d0de7c3ed6fb945e5ff6f1807de0d340c21770303c1aee069c72e41b30bfef4194d92c603252f23217b60de11a82e2ecc99c

C:\Users\Admin\AppData\Roaming\UnprotectConvertTo.ppt.exe

MD5 0cb3772866ec3a32818f5aa454844f98
SHA1 12d6ec4d6cee3cb750d11ef9589d4b0bc9d74726
SHA256 74486e09fcc786416a776ac29da0498914c9d1b9e6bf8865c397f6734a185c91
SHA512 acd1d93cfc5e2387585dbc629e14bd6abc9d1763fac2e147370d8ef45d660e11f44cc1af4716215dae607f8fa2eed6b23213e10d4414ec8109b1d78cc2426ad6

C:\Users\Admin\AppData\Local\Temp\QoMO.exe

MD5 d2556a0719bf37fa4029cbd146fce695
SHA1 924be97367a4e1cae03c8ba280819ff9ced4e67d
SHA256 a148c125769ccd239a86be52b4697afa6e812a57aefc0cfcb258da1acfc4850f
SHA512 d2d3396f1f8bfa65f97a8874911ff38160669c1bd88468bb3191f8ba5b40e311af0f5be6c913a80344299eb0338c0310046952215ceedf43f4254eefe0e78e6c

C:\Users\Admin\AppData\Local\Temp\qMAc.exe

MD5 38e4c063316e9367f75e762405a14d01
SHA1 1ce5e3f30510cedef6f47467f2a73658c69fd375
SHA256 31c23889f6dd0dbcbc98967bbb26df544c63a18542785ab15ddde963d7a8db1b
SHA512 f09a8a2b5126817c9a9c796495f4938d432fc95cf4a4e6a48bf88ef71e793b9568630818656a9930163bf35c870e8cdeef7ac677ba5551a52e53585b79e99622

C:\Users\Admin\AppData\Local\Temp\AcAA.exe

MD5 8134a625712376eab6d675555e861df9
SHA1 ae7e3f9515b112059102a796d554bcdb147a45f8
SHA256 d1889e5cb7f0a07471dd726e08629c61fd55807f294b1efab4be130959c2d604
SHA512 d529f47147bbedf186049a7892f491418705f1ee09cf133401da94d1cfbc0f2dd6f74ab9de6bc39faaa012392ac56dcd5a896e1c539151ee749bf07964245676

C:\Users\Admin\AppData\Local\Temp\mgkS.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\CQgg.exe

MD5 d3e386053b51b718a073390b560802d9
SHA1 9c7f72d92ab4564a775aadc94dda9b5c7bddf9fb
SHA256 0a27b69c78170ce752d6c4ecb704f6bfc6e02196ab4b0373ea2442bb1bb841be
SHA512 cab6187df90c5ee81969c9018f0843ec6243c614163874b15e57c8d39dff68ad34bc01236ef96fe60b241258e2b39ddd3c4ac2b6001a3ae3df80bf66253380c2

C:\Users\Admin\AppData\Local\Temp\Qgkm.exe

MD5 db0f7e48a7d13583dfd0a8787a3247db
SHA1 d8cb9a7d9400c4a3a8915eb524c3a92a2e6016e1
SHA256 58b664f641de40e5bcd932e6c317fad4738f138fdb83a078e80982c0c109e350
SHA512 4dd48b7d12ce6d37118d0f638bb8923e646714e28c49410149be7e299d57c9c9b05e5b21ceda496e2af2c29444ab1cb95e1822151e9b91b919b5bb5f628044a2

C:\Users\Admin\Downloads\RepairSuspend.doc.exe

MD5 b681da55409ed4c5949e5377e849fc66
SHA1 654a70a5919997394ed4524e366e50dccef53af7
SHA256 51e6c7b04e280f2e3b07ed8b86d69ff8b4d563a7e6d71731c3684592a44ec9c5
SHA512 ecaa2c3495baffaa546c422e26973a7627648bccb1e95c6e598578826b4c8852aed1e12f1d8ecc8138f1cc2b1cabec89f02ac7992832838a181e1f9d2d44418b

C:\Users\Admin\Downloads\SubmitConvertTo.mpg.exe

MD5 4b2eee6d19cf1d40af336f1491c61cca
SHA1 f792bf4620c3b80ea73631126ec496d5aaeffcd3
SHA256 1d838c0bace7e0a362aa37a6de5f94a4a8abcf033b9c0a17bfa8fbf94a85f4be
SHA512 35debfad5f2f148623403f9a8af3ee0dd66847660bc475cf2dd70683cbab849c47cf32940c9e319506e946311c9f9df02d6715b6a0bf9c7ede2b111d7087df6e

C:\Users\Admin\AppData\Local\Temp\qwcW.exe

MD5 96cfa77c411b12ec162adffc435ab6a5
SHA1 c919dbf958273020742215c35712f6e81528e78b
SHA256 63ec52805818a7519da327241cf3afb2c9514ad0fc1d4e7ffdee47a929f41fd2
SHA512 cc3b9607a5eca6aae693d34d67b41d97e682796bca9bd8b459386753199e31c02d5dff235a309968e055733b0c5bdbf16b63a708d01933916e367885d2ce075f

C:\Users\Admin\AppData\Local\Temp\Skga.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\SsEg.exe

MD5 76e9d64b63cb4890f3138efbe11d0d11
SHA1 497bf6702f676041adbc3cac870bedbb896c8635
SHA256 08ba6db6c12345464c6a3122ef22420112589a62e77b1f37781c7b0835aaf9ed
SHA512 e0cab36d226a7ed1d2335fc564309ef38b8f17f29bc414d1ed7b8cdb636411a045a0f334046187eac3d078f5ff90c5a63496d12cc45dfa598c3432ce4a6f9ff2

C:\Users\Admin\AppData\Local\Temp\KgIc.exe

MD5 d441db612ca62a273d170aed434e3934
SHA1 689db552d210c3ccbf583b48101ad4cdc151b072
SHA256 f75ca91082f8a35301d7b3286045215e950a27b7e736369dae9de3a7ae7506b9
SHA512 c1e4ac67281931a579cf21a874451be4a024f69ec40518ff9bcf69ccfb6a1cb753956a725bc539bd4c909765e98dcdedbf065b2e8ea25abc66c21d365a166831

C:\Users\Admin\AppData\Local\Temp\mIgM.exe

MD5 abf4f3a2255d7d56120f40266581aa56
SHA1 672b8a265a7e21d96623c7b60d305b2526a46a78
SHA256 5ec3cb2f4c87458d6c97ff195a345f8fa8f8e7fd77ca11e3ba28c8eaff106be8
SHA512 5c717d6fa7f3edd3163b80c137a389942263b36c78dbfeff1dbaf6ea7377b95fdb262c63d1a2b0e271a6462c5283ded51564eead9a52ae21a3b244a6d67d71b8

C:\Users\Admin\AppData\Local\Temp\mIMg.exe

MD5 e9510273a53e70f262bf3974c73b8784
SHA1 cc6ef519afeac54fcad9ca24b6070acb520493cd
SHA256 3d7cf5b15b3765ce97d74511d611d68d47e6c8d446c648181a03a43c5d2463f7
SHA512 904cca494a9eb0ec227b1152e4e94c4390fb7b3b4e32baa09197a3d03c395049fbf783f0056066d01a8482360699feb21cf3ab5710c68a0d92a621177edfd5b1

C:\Users\Admin\AppData\Local\Temp\skcW.exe

MD5 35a369c98d512958d6e765cc411cdeab
SHA1 6aa86d50ae59fead57a6ab3eb198f9808e3e8fee
SHA256 8b99d5d1740fad2a7603b201c864eef99b075efe0bd2c342085d0876e48ca855
SHA512 a9c819530bd8fdddab48920b26a0b645fe9ea4e9ecd6ae3c84f476736c00955856b7e075fd98fbe0fce474a2f170f2f3111bbcf52bc87122ccbd9f48710f7c16

C:\Users\Admin\AppData\Local\Temp\wQES.exe

MD5 3043be250492ac8206106c873e2e7b0e
SHA1 be5ddb0e2769a16f7a5b7fd8c8e8dfd4690a0cc1
SHA256 a9ee20e6834646c00975343611ec16e6f2629b14d174032c7735718587e76107
SHA512 eb4f687d04f197397e8df0923e0a7fc6eebc32dab1c425f6571f45f87f53964d009c86646dd09c2b16bb36a3bca98c147e20f1f1ceda58d8cd03c39f4976a95e

C:\Users\Admin\AppData\Local\Temp\csYe.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\qIMO.exe

MD5 70c5fce0e35080e51c42e07e116c22d3
SHA1 d252d0840f67a385bc54a4a87f5cd2220bc09965
SHA256 92e642683bebe8793f1ec3722293837329d79d8d87ea2b6709b8d769c22a8a83
SHA512 bb4296ba32d87390a5577bc649f989580a6f1492b2512a84752854820821e062f2ab61b1cf9837e00326e049eee0fa2d954db557c92e90433407a79f6084bd05

C:\Users\Admin\AppData\Local\Temp\AUYK.exe

MD5 621e95ccf95de241ab0161b6ddefc923
SHA1 92a8890b1e9cf91f0534b3567962ad2f185e5ad0
SHA256 e1f50f409a0d5198e71c061c41c374608ab64d3225da7401b83c38ae22c1109f
SHA512 64c279f767aa9862d7faa3da274364d18f83f79e8753b9e09f4f3ace9dceab1a45eeee0f6783019b38d3db207362eb08df3c23577a1b307c1de003cfee0904b1

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 ad505bb5ec1606317f2faba08a1ca519
SHA1 086eb6006236d85531ada6256475a7ca54e817fc
SHA256 891923108877a9c1e6312e20eccfea7998e346cc9f8f857a197218f4249866f7
SHA512 d9841081aea390c4a6793ed405fc24843338da7e1d8fe6feb8e5faa80360c352866f19e35b91f301704b21cffc2f065f3f6bf7ed101a7b4693a68278f777015d

C:\Users\Admin\AppData\Local\Temp\MAMM.exe

MD5 ebde16ac567bf2ec45593c71d19e8a69
SHA1 9f3b05c9673dc58189fb4e482b39fcd45bd13c20
SHA256 5f83ebf4bde274e6bca9fe2e5374708f08ac662978cbf6f71e9193dc210373da
SHA512 4ffc69ec468555c69c0b6c8127067eb9d9c8b866f4469419f2ca8ae663b7936dcecb449e22add280c7a2cd46b01fe071b3ea40d6855da41626edd07f7be5a6ba

C:\Users\Admin\AppData\Local\Temp\eQcK.exe

MD5 40bddfe69fce7faf9234ea1e5e3d260c
SHA1 c757ca4f4cf3ea343bc55fcb57717d6890b235ce
SHA256 7ceb67c0c2d80a6d4f5db631a6b9733b5bf591f5502d9b27a06447e278af195f
SHA512 b0e3e209f772f71e910e57828158e1caf142ee6568fda38bf08174d89aef74f0ee4dbe925173c79604801d39e6bacd40ae1fbd46f5dbe2e067258ff026766374

C:\Users\Admin\AppData\Local\Temp\gwMs.exe

MD5 dcf64ef259c6a26e8275ac40f2a18a4d
SHA1 6faee1e2906f6c6bda2538a53221c24f5cf36c35
SHA256 6d3841d5dea85a37a8fdeb15e48371e9f8b61ed244ef37fdf272552f18711c47
SHA512 b358ca463b76c2077eb1004d11751904d5af7545e5ed18aba52ba00e1b5a299397b746fa6353d774faebf49933ca3ce234762869702e3537ba480c89fee7e1b2

C:\Users\Admin\AppData\Local\Temp\swYy.exe

MD5 29e184a31629de7e519a5b9614b311ee
SHA1 1a9f74f076d444cb1653f7312d41a6b4226dfdf9
SHA256 04ef35cfc859cb6283d8cb6faceae5890c32c42cfeee87bf37add3633433cc8c
SHA512 7326e6e9ca37bde7de15133fb7feca772a051165e2876d32809f5031b019705ac6071f2a11ee01c2cb9861ba8f45d18bdd541549dc5b255fa60f16b82f99078a