Malware Analysis Report

2025-03-15 08:14

Sample ID 241016-g7sw8axard
Target 2024-10-16_8407fc3b6183cec64939631e05806d11_virlock
SHA256 19c60c87f1c3e44b76b8e4230a970f8376727f992834368a3cd152d109e90c20
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19c60c87f1c3e44b76b8e4230a970f8376727f992834368a3cd152d109e90c20

Threat Level: Known bad

The file 2024-10-16_8407fc3b6183cec64939631e05806d11_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (67) files with added filename extension

Renames multiple (56) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:27

Reported

2024-10-16 06:29

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (56) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\ProgramData\FQsYYMAU\qyMQwUko.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qyMQwUko.exe = "C:\\ProgramData\\FQsYYMAU\\qyMQwUko.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaEoogQU.exe = "C:\\Users\\Admin\\nMooIkMI\\TaEoogQU.exe" C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qyMQwUko.exe = "C:\\ProgramData\\FQsYYMAU\\qyMQwUko.exe" C:\ProgramData\FQsYYMAU\qyMQwUko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TaEoogQU.exe = "C:\\Users\\Admin\\nMooIkMI\\TaEoogQU.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A
N/A N/A C:\Users\Admin\nMooIkMI\TaEoogQU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\nMooIkMI\TaEoogQU.exe
PID 2052 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\nMooIkMI\TaEoogQU.exe
PID 2052 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\nMooIkMI\TaEoogQU.exe
PID 2052 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\nMooIkMI\TaEoogQU.exe
PID 2052 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\FQsYYMAU\qyMQwUko.exe
PID 2052 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\FQsYYMAU\qyMQwUko.exe
PID 2052 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\FQsYYMAU\qyMQwUko.exe
PID 2052 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\FQsYYMAU\qyMQwUko.exe
PID 2052 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2920 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2920 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2920 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2052 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2528 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2616 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 696 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 696 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 696 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 696 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2616 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2840 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2840 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2840 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe"

C:\Users\Admin\nMooIkMI\TaEoogQU.exe

"C:\Users\Admin\nMooIkMI\TaEoogQU.exe"

C:\ProgramData\FQsYYMAU\qyMQwUko.exe

"C:\ProgramData\FQsYYMAU\qyMQwUko.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCoQUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmEAEkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAYEkEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkkgcQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkoUcAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AQkIUEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoooIgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gaYcssUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQssEwwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAgwYMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKEsIIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEQIIEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FikQIgUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMUgEIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQQkYooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsoIUEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eMYUgYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NisEkAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEEYsIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQEcgscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuYUMoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YuocUsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIkUIMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UAAAwMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gywcscQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmUYEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOAAQgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqkAAoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZmsEMAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiMUsIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaoEEcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcgwQwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SosQwsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKEsQEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIckEokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUEAEgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NiUAQsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYkkcwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgwIQYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQQwIsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RCwcQcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEUUwQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGAoYAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wcEYwccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsUMMsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYEUoMME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAQYwcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWcccQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwogYwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UasYIwoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqsEscoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Maccckwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMgcssEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgYUQYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAEkkQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fygIwAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWAoEoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMAEEIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQYsIswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocUMQYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoIAQEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQggcgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgIQAQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fGgMgsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JIEMosUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWMsMsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cgAsogoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UcIAIUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uiUsMkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeswQYIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mgUcQgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqkAMEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BoAQkQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jywkwccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAcgQYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PusYswYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eIQcEQUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGAUwMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUUUUoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSQwQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMcQoocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMIcwUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgwkMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSQsMEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIYUAcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\weckMMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sEYYAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKEkMoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qWYUcIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGUcQMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQcAIcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqwkAkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jagEIUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYooMYsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AOEYMkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGIMIUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AegIssAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViIwkkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwsAAwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEAIEAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaUksgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIYkUUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIkEIkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaMcwIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIsUkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYoQcAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgsUAwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyYwMoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQkQkEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sGokEEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uUwAAYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwgQwoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyIQMkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSkoMMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REUkocgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWQEcwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUEEogwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSwsscoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\akAMMUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yqAwYoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKcswssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vuEcMoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeggocQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYQMgwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIMcUgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2052-0-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\nMooIkMI\TaEoogQU.exe

MD5 7dc843a1cb8a31140d170b99fe69b550
SHA1 77bc6332f18b16536bddc72e539ec8aabf6531f2
SHA256 034dd285c895759e622355352bdefcbf75fce2ed90750f29803cb222f1149043
SHA512 3cacaad70b19117b21ddad7c841190d72cb83edb987e1d6a42554fddd5eff0c90938bfe1eb2b0eed74383d266ad888923c62e4b0572d791506617f0ac782105a

memory/2052-5-0x0000000000560000-0x0000000000590000-memory.dmp

memory/2236-13-0x0000000000400000-0x0000000000430000-memory.dmp

\ProgramData\FQsYYMAU\qyMQwUko.exe

MD5 400df440a683f48cb698a13453725e0a
SHA1 f1488b6b4dcdfe0a93f1e769d382e96f0de7dee8
SHA256 0d47dcfbb622d4a273a1b3916ff942db384963535c3712ea9f9361bd309f262a
SHA512 c8c34fcef6f2df48f0fc4a6ed44e6600a6add4f13f91e06906b7f28ef3f254d1c511d7c0004bdd62612835b125eb129963d1efa95632ca892b1121d0550ef319

memory/2052-21-0x0000000000560000-0x0000000000594000-memory.dmp

memory/2052-16-0x0000000000560000-0x0000000000594000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IyYoMsgc.bat

MD5 cd4386863db23bdb963db76315457a20
SHA1 046b83e079a4906387453237b5251827d60082d6
SHA256 7a8a06b24fe1195c4ed6991de5af12c2b1814297706a26cca762f44bad21826d
SHA512 af849f09921b30f39d221a9cfbcac0c8ae8a546065ac071f1fd5fd8ae414b095ea94590e31d44092a64cf70d003ee2846b2d3be6c6ccab6b945686948c1f4ad2

memory/2616-31-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fCoQUYcc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2052-40-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

MD5 bfa92771c90c7199a8b84d21ca45750a
SHA1 8c0c9053bddcb7f95423392ba7d8de7960fd99fb
SHA256 61282907692cc4761493fbca1f89d7eaf3de7ec5f00b57d7c03cef01fc3e707b
SHA512 cdebc94fd6e0fc7a10ba67a06479330cf9a31ab5cfe21f1211775013c3a49fd23b15b6ff792f24d49d30032442c1eb582b8a43412deda8518fbd02deca5d6e86

C:\Users\Admin\AppData\Local\Temp\PuMMIwIM.bat

MD5 a13063f6e749911a695c3c956a69f5ad
SHA1 f59d1f1730139edbcffd35775be94a8342dd9c85
SHA256 4194e43c7a029ee9f29ef489a6dbdb1891f3722252fd94d4ec37642a3f0d76d6
SHA512 93e72db53ac629e3d833177bacf7148cbf7713200ffe980ec91af0ee3efbf64e13b37a7c124a2db879301813c1b62343e2feba841bb27a1ebb0a7430ccf076c2

memory/696-55-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2616-64-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vcUckAso.bat

MD5 33cb6d858e76c7ae1249c19f7efc4f69
SHA1 eb061f9b44b826df0c3ced05a3b1e9d91d35c4cc
SHA256 221d030378e4875d00fdca9ff85f242ced6841106a3c898fc8be3f445515b72e
SHA512 d851287127e6a3ca55018e876fa633139889d46c4456b9bdedc1aa786f113d17b72e3e273adb4801b7967512d62eaf94988295832d08408a8fc1c42ce6524f06

memory/2000-78-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2344-77-0x00000000001F0000-0x0000000000224000-memory.dmp

memory/440-87-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PEAkcEkU.bat

MD5 eb0708c6d925e8ef0cdfad1db45d47e7
SHA1 12a1587528e1fbef084def3a87b2a4f390678c29
SHA256 14771a7053cd6b9916d2cd07292d7b14a3da5fdb03da54b9c7e32c2a42075978
SHA512 175a7f092d14d8788e2e6013d32bd990c648d0728f74d8904ae63d5af11a3ea53809e28a9909a208f091903a778be61568d0af2354fada7f6675819aead6dc06

memory/2116-100-0x0000000000160000-0x0000000000194000-memory.dmp

memory/2000-109-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WoYMMsoE.bat

MD5 5995240dc1bb09d96721455ebf809f81
SHA1 315d8a170489f0ed325fe7a34872a70d12e61f54
SHA256 65e35fe9565e5c51fc9c865f2d5a65522b04acadf1424b881b8213b8ac42397d
SHA512 f60707e9e8dd0fe08a7c78ec1775693ce75bedb6f7a726c4b3eff56be4b029fa37121afad445fc90874b48063b6b67bcf9fa8e915858c5ee56bdd0ecbf162355

memory/1816-122-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2124-132-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ciUcskYA.bat

MD5 428c67680ef6c09dab1ba988b4d77bad
SHA1 2c31c16a7bcc2c5eba633c2a72e2e261fce0563b
SHA256 5e1481f350037bf3659949632641381f98001bfd456b926b6bf98c561bcd9678
SHA512 48558d67472b9dd87c94dbbc5ed249870c32b3eae45e4a67c783f3c6d80a797a79e96dec010d378fe461c0713e3c05880de32fd4b5924f37b34a3ec252ce16a1

memory/2260-147-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2464-146-0x00000000001B0000-0x00000000001E4000-memory.dmp

memory/1816-156-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\esgAMYAE.bat

MD5 2132a1efaf880167c93ec0b7d55ee352
SHA1 14a882bd0c005040e24fac8fbdd3f7d86ea4b3e4
SHA256 3eb5d0ebe84eecb79385a8e957920634d4932378e68ad7a08f1d4bc645c4d97f
SHA512 aa032d98860f9c10aba478cb34c385dd200dfcf1426b415ffabc713d2ee0849b84aa85996cb7f80808077525e87a289447f3a5c3bf92270827f3693c2e2e8a37

memory/2672-170-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2104-169-0x0000000002280000-0x00000000022B4000-memory.dmp

memory/2260-179-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EkswMssM.bat

MD5 f2e483cff17656053d27e912950f561b
SHA1 ea33d19d37d01412dfda85468b24e4ebd041cdfc
SHA256 cbb45bd89844b40503157a4f3a660b4d66ce3bb9ed4a94c14a2b25ca1258369d
SHA512 906a09e85b7ee56e292fda0f9eff3266cae519ca5fe3f93d21435616c90e02856bafd3de3ea5ab6cfaa88f13eb9e64d253531ba8cfef28a091362ae0b512d922

memory/2832-192-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2816-193-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2672-202-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sCUogoQc.bat

MD5 f4505fe67bbf6109a95912be4011c891
SHA1 2a2b6bbe501179ebff38299b5bfa183bc1b262d5
SHA256 7bf7e14e527b3e98f16c4d1ca4ec19e977ebb3f1813f713be193697c3452c47e
SHA512 ddef01d4727d28417d7f61cfba17e85ccd7fff4ce2db1b9d703f0feb09ff6985c92940d933e3da335d8c82f41da10891818811f3778dffaa4fdefdf6cd876e8b

memory/520-217-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1820-216-0x0000000000420000-0x0000000000454000-memory.dmp

memory/1820-215-0x0000000000420000-0x0000000000454000-memory.dmp

memory/2816-226-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xYIIcUME.bat

MD5 9eba0fb0c3864703d0f8ace2a998b0e2
SHA1 6fbf3d0c55d4abdde5ac1b911d909ba6d92ac073
SHA256 623207f762e6e1e26b61cdb32489ca86b660233c005d105b66d66216e782e2e0
SHA512 fc0217b551259fa3fe77f25c0a0580633ce77728752ca393de80f86006807296b90eabb96f4a8714679e7f48cee11e780279b9bd6e532210a517686c9dd96b56

memory/1860-240-0x0000000000400000-0x0000000000434000-memory.dmp

memory/520-249-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMcIgIEA.bat

MD5 27cded5ae72962c65fa728032ae45c03
SHA1 fffa9d60655729e2351b57f806ed09873117e4d9
SHA256 893b3f9b91ba524be8b5cac522c0b747e365e5d2499a68d866457df56f16f4b5
SHA512 0466ad3d88e99d0c02096b9bceb1fb10bb74f699a052db3fe3d634ffc0bd3f2ae19e8138b94b4dfe2eeb154321770fdb7484c8498bc7f12061e5c5ef372a90f2

memory/1776-264-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1552-263-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1860-273-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BmYAQocc.bat

MD5 30c6ed05a529704f2ddebb5857ac2247
SHA1 9c394ce112008f739118321413d70f443be71d57
SHA256 e0cc7f3550c2ed2f687ef6c86e24a87ab148b4b1cf3fc7b8699e6f183f03e901
SHA512 e941221d86be20389581dbb11e78fca55868307d4412e5540f981ba6296d2b97873f16b48d461ae9345ef88bf694f3dcc8938526139eeb6c9e7a8204dd703eb3

memory/1720-286-0x0000000000120000-0x0000000000154000-memory.dmp

memory/900-287-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1776-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1228-299-0x0000000077430000-0x000000007752A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JiwIQMQk.bat

MD5 8e5abd46acf2dc2773f4db8122da53f4
SHA1 dc18398c5b4ba7404196a7bcb9850a565e753d1d
SHA256 9e8bc50bdc81cbaf16ebdcdb04c82a8f0a042f3fb15e5d2620ce7e92d0022a58
SHA512 264a3261ed3c837a16aee0fcd9535071a3ca1d6958d7285db5027ecda86610acbd671e9bfaedccf866eb013a7f3f709ba287f9b2b9a1368322a63ad2612d4857

memory/900-319-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iYAkYwcA.bat

MD5 fcbdac84b891f9f761811e12205f423b
SHA1 fe2580d9f5dffec879f707d63eaf64295308e510
SHA256 307bae07b178e8d60c7631434e543b24ac158d4bc70fb3bb6a0825f18d738103
SHA512 339ee459f8cb28b2e1b4e8de4c789bc6dd7087c673986e56d8f7efaf6ee6de4b8da91c675207c9fcc6db8955c8e1f7f2690e0adac5362cb3c9bbccd4fe971607

memory/2848-333-0x0000000000400000-0x0000000000434000-memory.dmp

memory/876-332-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2792-343-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UEQggEwU.bat

MD5 0e2fb98a0feb972a027ad44039769e94
SHA1 45b766b5a4ad0633e276e5565a78bfb3c845acfd
SHA256 08b159e834918fbcfee0ae7afc7dbf43f7b06d24e41edac6f4e6d77956f2bc1e
SHA512 939cf025ce1ba7cf752de0264239f9dad45aac7e9eaea15498063603436750c142e834d3429cd89df40d727f5837a099b90a9960332dfb1096dd3b9b4f359dbb

memory/2764-357-0x0000000000160000-0x0000000000194000-memory.dmp

memory/2848-366-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kSUIEQYc.bat

MD5 3bf29512c5fac989bc5dc9894af3e8b0
SHA1 92485b5eb85911e6feae1d6c6d4441a773ab80e6
SHA256 b992b815912a4d0a9ac9b2230c38ee8403c21b114564cef4359013000783881f
SHA512 3457a6af559dffc06b07d1ed098f5e880a43fc18a15270faa67d6aa30bf143fa76902704397e3a5b0a042682a15c608de46eca9cf2c81b53a7d189afb7727ab8

memory/2924-379-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2096-388-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iUEMMYgY.bat

MD5 8ffcae5f04b2c7755090fd7025c4c872
SHA1 1dc3db5f8ffc000092579e08077dbc553004293f
SHA256 1e885ebc99887f54ced587b57d21d3614462612e2296ea6a90c84e9bb94773f3
SHA512 7a71f9018ea2241bd0b28139896c1ccb24c10fcdcf20b417b95f55f1de99dd394289bbfe51ce758f913f6e29f8e2f3500c4b06972c2e300854f116a457f8080f

memory/2072-403-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2348-402-0x0000000000120000-0x0000000000154000-memory.dmp

memory/2348-401-0x0000000000120000-0x0000000000154000-memory.dmp

memory/1356-412-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rkQwEwgI.bat

MD5 567b81db53137896b641ec117df97588
SHA1 079b55afcd2bc8c013808aecd9ee7769c3d62cde
SHA256 0a9b8c65e7786191239954a36eb1b61c73daa1d7dbbf600bc1bc9ee09766d9e8
SHA512 062b91d1dc2afd59e190fae0292bcaf28a301bd0c96555fb4180895be72781b8cbfd58b4048e269f1de2ade8b7b505d7e1b09f7e6f5fa6fa4afefe384c22cd22

memory/3044-425-0x0000000000130000-0x0000000000164000-memory.dmp

memory/2584-426-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2072-436-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zUUkwYEI.bat

MD5 fd6ab515d11bf2a659a352dc96a4ad54
SHA1 8072a3d6f8bce82a3e0c62b5cc8e47e50c650315
SHA256 ed772f7a9e2c82465dce7e8fd2dd2834d85aa2fe5c2950aa9923a658bbb81a58
SHA512 f790299cd7d792850a9dc59e8a31e40497ac3a53e4ff1ec28c4b7ca5321de627fc679f7c7d511de22ae04ec7861251fce7fc9e4a8cb16864b6cfcf1d5eb63c48

memory/2616-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/900-450-0x0000000000190000-0x00000000001C4000-memory.dmp

memory/2584-460-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lUowgUIo.bat

MD5 9116c6dda967d5c2c3013ee0c115278d
SHA1 1ce53157ff06a46eb0c848efdfcadc9ba0dccf01
SHA256 de8e49f900d79ec4ace450ac8dc6f7e2641c211de2639a189d7e9ea71feb9dad
SHA512 b395becb59a3f8a8c04b96c0fa1eb0b5b44476e576c653f3519507d6ab70f998b8a4e0a591891ab5549de4a9d1f6c8c1caef8c2cf8dbd9711de0d90863a98a1c

memory/2616-481-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lWwcUoMo.bat

MD5 9f476898b237bdd8e6069387ff49a6bc
SHA1 645e83b2dae157e2758304d705e7c231d118179a
SHA256 b5c6ed4b784879e1f25847ce74072d48a5be1ebe77c8582af65d7f10be9a2684
SHA512 280619c48d3c6d5f44ed62ad64172c7cae0d13470802c1662cc72672aee7913430e5c09b41727b153414bea0b8e21769f6bba8550662dbd39d6924005e97a10e

memory/1304-492-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1244-501-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZcYEUoAY.bat

MD5 06e3f29474b81ddba830817f80bc83e3
SHA1 cea5292fc3a2aabcb8251f120f69fff751b5965b
SHA256 74d2e4e7c6c13331c9ba52b19c55ce6dd64d957dec3729628c027c6d93a6a25e
SHA512 66ff4f5f0025d9153aee6883cbff4912a90ba12716cebbf667f7c493666aa2a6206da83345ef6047a30f8d179e68cb7d7663677fa05b72e138a9e5e3ddcee9c0

memory/2124-511-0x0000000000230000-0x0000000000264000-memory.dmp

memory/1304-520-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iAUQIkso.bat

MD5 1173ee366fd987ef33d91342daf54a14
SHA1 9c277b6198461be9f18012aca10895a00ee8a774
SHA256 92f54f8be969b32e4d86f19ed7488e18f3c8b6b09b1eb019603e2fc7b43dce01
SHA512 378f34c7854004bf0ab0b1f077dc437e59f2c95b80b0d8f9e2cae7ce4108e2daec014a430e79ef04a7730bec44dfb02212684f93c5c9da58c25fab9492de0d97

memory/2924-534-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1516-533-0x00000000022D0000-0x0000000002304000-memory.dmp

memory/1516-532-0x00000000022D0000-0x0000000002304000-memory.dmp

memory/2468-543-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MsIYIUsM.bat

MD5 716825d10d4f7690ad8837afef174352
SHA1 c56a5c122b201298e094791f9808a7b6cd4fbf7b
SHA256 52b6beb0880109af2c29a142c7d49412a3537db17ee5829417a904c6100672cb
SHA512 1a036a02605b0b121cafe2427c388edfab263a81fc4575d5ad7cdac3c2536630c999457b614bd629a1559d4258dbea353a4cd405edb19fc65b44fcc6ab139ae8

memory/2060-553-0x0000000000200000-0x0000000000234000-memory.dmp

memory/612-554-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2924-563-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IoMwQoMM.bat

MD5 aa200e99b5ce334b7370f3b168534072
SHA1 c9ef731a0ed02d4aa37b1e075dd3e7f544ec76ea
SHA256 53426d2b52f6350f7e10a5312a85b00444712f31eb85e428f8dcb917dbbfac07
SHA512 81cc3eb69e874ce82fd3704cb195c52a7db7ba433c8ab8f109c008651b3aef49e29d79b4dfeafe50d4b7765f9209aa731b6546ad1ea92d2dd7cef10693490729

memory/2952-573-0x0000000000420000-0x0000000000454000-memory.dmp

memory/2564-574-0x0000000000400000-0x0000000000434000-memory.dmp

memory/612-583-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IGQYQcgU.bat

MD5 2c7a37a8d86afc3f2902acba21c54e76
SHA1 cc2d610a6a52eb6f4627e28ab36831fc9c3a5e59
SHA256 58a9a4d0c238dfb5bcaf2538bbb787e336db9b11148a0b912e49770683b87934
SHA512 f3b6ba5799a73af64d877b4709ddc8844b9f9d02b6544091c8a7aa3035b434c4d5d76df8e853504268b10a07705c2ee77fab410d48470d16b63a6cff6be1d76a

memory/2564-601-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BMMgUwEA.bat

MD5 f75c005bb4aa61a486605d245ef2ad16
SHA1 667f7c95c39a13a91efad113a80c5a68a1de1a0d
SHA256 a428bb91981cfa68173df9d1a30e86b52e6ed1707d6f2642a0099dcc39014bbd
SHA512 6146aa587594528688b01c2e71debdcc996ac1729a7ff9bdee0156d0027f7256d5125e449b2c29333d2d86c0bd3b445af27c73ac2c1aac5c935ade4bed947fd0

memory/2732-612-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1948-613-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2828-622-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fAIckQAw.bat

MD5 fc8d044a40d60ce05a216f3f04079a05
SHA1 285f648fe431917d3e5003b7fd648edfdff21a26
SHA256 87ea776e5e6c6f3297bae7095b0e12684114040904a7afb688f5462612e7c934
SHA512 51d7f572c7d88d6413426bb8d96661d7f28806b021e37d985ba68edd3ef53898702cbd918e253b3e01d9e47b5a9eee62ef2bd62a5ea93a53f6529958f5e370ae

memory/1020-634-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2928-633-0x0000000000120000-0x0000000000154000-memory.dmp

memory/1948-643-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pYQgYwEE.bat

MD5 6b483f61499e5bada6d788925e3e2191
SHA1 516340dd4f339251381fe7e5d28a546ab6ac8a53
SHA256 80f0c6070a6c503282bb50f764ee68bacf3330a2d9abe815b700eab827ea52b0
SHA512 776ab4fbd4e579f7e0aee685d8bb591b277ae2eb8845fbe35b502ecc9b2c35c106697c994c59adca0617e124e71a5c3dd31518a67a3ae49ab52bffabd49864c2

memory/1020-661-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vkAQUwco.bat

MD5 2cbfe8fbecc5b11a19a856e128140312
SHA1 495bf6e2499aac2f3bf6089f7c6ab56728b8d56b
SHA256 f8e78cf571c79a9219c7aced74a8efc01ffc7fe178d6710702ae0d61d32b56f8
SHA512 a11346bd3623898ff62f955cec276b854f00cc6bee405046f2960e7041b6632375ffc06c1eb787491319fa6c4c9cffa542aefc37af16eaa71660ff3428bbf136

memory/1508-672-0x0000000000410000-0x0000000000444000-memory.dmp

memory/1508-671-0x0000000000410000-0x0000000000444000-memory.dmp

memory/1624-673-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1556-682-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HyQkcMww.bat

MD5 7f7cb75ab45978c55372655b6540541f
SHA1 26350cefcdba2ecc05324d0d54e70849002059bf
SHA256 1f94ab05fb3585726305c371bdb15c219d3a482ebcbf0cddd70cc68ef2978a68
SHA512 c8fe255217347cd3afb9509fb3e474505d1a1ddb4c81fe1c669bf1e3615768f7cf6caa7622adc4eaf45680ff5854bdfec22733f48c40900fed9522334602a244

memory/2992-695-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2596-694-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/2596-693-0x0000000000180000-0x00000000001B4000-memory.dmp

memory/2236-692-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1624-704-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GKcUEgkE.bat

MD5 d8b216fae50e715ea37ce8295261d626
SHA1 583f03e4ac5c1f1184ad5ff0565ee6cac151fafe
SHA256 6254f283156fb87953a48e5f8dde1669029929ffc76067ac3303a216c11e5a80
SHA512 e898ea5e2817c70c96c854c98ad1a6d49c3a8fa9bbb0cf79fcbf935599fd177cad166e6209cf0c8d12e1f32f2e544d5feb01d2eee8dc3ebdfa7a4a50a77ac5ab

memory/2188-715-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQAW.exe

MD5 55aa26295de01afb09782541350e43c3
SHA1 a1883d96165f2e2b1301f22e995d05e74b88df01
SHA256 12527c713582b2f097f2276748dfcc79ee2335bd6336d858d073d58c19d005df
SHA512 0397947950448634e9c8c3692b3bf26bae926d65bcd10f47b720e90be907493e6a3661271d1dfd35e2ccb2945216ede6151976599c0c7b12df416232c987c737

memory/2992-729-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YgAIgIsA.bat

MD5 c3908b8a73c8726a530edbd01bcb9c32
SHA1 635ac5c5e120a45be540797d3ff08c1c219e0ea5
SHA256 280111dacc83706c638610dae9464a1f899c644052501c94e472980784f23710
SHA512 26ccaa95d0d7a90b1dd35c7e5ad5d7c0afaf489e178ccf21259ff7f275a1c116f589521f6e5b3178c7a938f69c91144432e4118e392b01a940012d49e6754f75

memory/1244-749-0x0000000000260000-0x0000000000294000-memory.dmp

memory/1512-750-0x0000000000400000-0x0000000000434000-memory.dmp

memory/440-759-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CmQEsccM.bat

MD5 fd7094fc0bfe91034e14f11060a75713
SHA1 2e7cc26f7fa7d39aa6c4f422b7dd64a678aa9ad3
SHA256 50b32a7050c3709077d7ea2b107dad59b371d2eb5ada620541eb8594baedfb50
SHA512 6b41d9f145127fe4280a3901421685c26f2efb713d3c6a6e59bdae950c282d56e6b393e395ab1830cfcff1acfc24a01707253cad66c27077eb09c046c6016b41

memory/2848-771-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1360-770-0x0000000000190000-0x00000000001C4000-memory.dmp

memory/1360-769-0x0000000000190000-0x00000000001C4000-memory.dmp

memory/1512-780-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AUYUMUgY.bat

MD5 4b6b868eb27be1a9fd55d3e6fe96c3d5
SHA1 4278519df74f3c6921848ba73d8b4db92e620be9
SHA256 3d90c7de618e63daf8d22c436b791e91a51555496dca76255dc07fb60f772faa
SHA512 8cfa93a0b1b54c057593ebfccad3005c3038253559e2738e969c8d9578c823874be6e4244832f6840d774ce854360c7749610533e0bc0b830227a0ddbe0b9a21

C:\Users\Admin\AppData\Local\Temp\wqEssYUc.bat

MD5 dffb817800d345d6640a92b9e84df3d6
SHA1 856118f44d84a5d411c73327408fb6cde5a3e2ec
SHA256 5dc9e3f6f640770438182f45225ded76c3caa6b06ce8e8a134ed0a161b163994
SHA512 4f243f8a1ee8a89604fbf0ec14535e0c0f381057d23c569188bf771485da9cfeb681decdbb583dfa42a5afacb0bfc2f00af5ca933964e2e7c80e9f37e8ede3d0

C:\Users\Admin\AppData\Local\Temp\FMIwcIYs.bat

MD5 f17cebbd3dde3f0d6c1131b2bb381962
SHA1 46d633b3e45cfa417d4c4b014336b6abb44fe7a8
SHA256 2beb77ac9527d233091da64172b96ffcba145bf556c6eee6791025d071171ee7
SHA512 6278e3f2515976c73e99e0d7dd7a2d7b11b3c8959964a631ba1e705e2dcb55f02a01d33600b0f07cc07e6e039a0282bcbb522eac16a4e56c730e7556b4d09b94

C:\Users\Admin\AppData\Local\Temp\BQwEIUQY.bat

MD5 b2ef3c9822712a8a7cb741bc9f17e1e6
SHA1 14695ce5a69aae6cc6f69c126da16359bbe74bc3
SHA256 d2a8d125be993fe0909c7474c8c3f4b5c2f2c4f026d961b502e8d2cd99bb4cf5
SHA512 d2456155a0096d49776f8f62f47f528e9c9f51462a114cdd05d9d7129071364caac035312099fe16b83d69c03eb03eed8d510c1b60b765c095f0f849fd04cd5c

C:\Users\Admin\AppData\Local\Temp\dAwQQMcA.bat

MD5 e124b267ee578f25fc43e7c87538c486
SHA1 4fc9ce7aff5a5c589df6b95b4cc2d4ef90af7d3d
SHA256 0094e711b6c466380a82065479213c6d9c71816a9375fad2c17803b032f1ae48
SHA512 bd4dd723e90fca0d36625a6565941a8ef494925d3e482658d102d07565d9299bf8899eda654da0152f0d7ffc9251eb337c5cf13832d578f73517d68719743ae1

C:\Users\Admin\AppData\Local\Temp\xoUUsgMc.bat

MD5 7380ad9e8c1f6066162ba6f426addff1
SHA1 253cfd08aa4bb4d760419bbfea17fe863d070a7c
SHA256 254a808e3130ff335bf4b546fe5d6d08a3b0fc426970badf1fb9691e5417e1c7
SHA512 e6c519dc89c9ae917f423621425824617c7038fd2e9d1eddee33dba7a8c0609c9d8d24ab433a12c779449ac66ad773b692926d362e2ecb4403af955f8a40cb2c

C:\Users\Admin\AppData\Local\Temp\PiMYUMcE.bat

MD5 4b4464791a6a680d023f01468782ebfa
SHA1 920fd7882f2eff271afac0fafaafbed5fe7126ab
SHA256 183080aad8e9eb003354f5cc964264cd487e8de0d38b8a54cd66e030f86af406
SHA512 cc2c929bf77a8e9a7a1c089de9a04373235c4f1e00af302c94635f3a64c887743da7aa51a1bccab1969bd9bce635f690aa525cedecdc54a6b49e59394d299e94

C:\Users\Admin\AppData\Local\Temp\uAkwUYgw.bat

MD5 9ddf36d2dd22bdacb24c2481e35c5c84
SHA1 821b666a7589782663a2f5e3fa557434798ef2e0
SHA256 ea3d3f94b97df9128845555e4450141b37511e7038842b7f151e55f785ed342e
SHA512 832c7a89bbad6d1343913a7eaa31d6a40fb761f55947e4b4b88e5e21fd60fbc1af3ef390c78203503d087ee97c2827cdb9490f025fc47f34ec1aa819f593e973

C:\Users\Admin\AppData\Local\Temp\wMAscwkM.bat

MD5 c8814f77d9e5bf1d449f7833f6475433
SHA1 f78043b63b7be58e068359bcc5ca5a3d0d759109
SHA256 a1d353fa71a54f7509845cfd3062d3d0680d387ba060c12349fe90b52e881357
SHA512 c3fc9ed5000ced66d11b88d413594d652e66d027b7e2d697b0f9e19158f557a324c7d52b41d800b44009579ab1091d69f336184d42deee4e76b1508a905a9745

C:\Users\Admin\AppData\Local\Temp\cgQcoYsI.bat

MD5 ae62242ef71d080c7a89c5cc94699c15
SHA1 9c74d0070deb843a95c46b0c9e3d31e2ad5b3a0f
SHA256 d818903f623418244d31d9883a6c13ba7d791c106e84faa6c3e2777aa5e9ee15
SHA512 0c8ea98c5e04f2bc93ed4f88d2731f0b44e91e522b05627404eb81e5808e5ae3540d559202229c2bea24d7f3351dc78b181901b82c3b7edd316c111bd568f0ad

C:\Users\Admin\AppData\Local\Temp\IMEMQcgE.bat

MD5 031611fbdbd89a1be1955617cc0033c5
SHA1 c146ce0c1c0566f5857bae133b63bda1420e91ae
SHA256 d0dbde32d678cb3423228067e778b1db4d4e7902e1b474a96520c74c641b1bdb
SHA512 93890525db073f0d5cf7a4fc899abb9c6e8095fa0b2299c33eefe543b33c363e7a7e8cc5e867ef9d7798ab144bfbf603d84dd34fe59d1fb63fd20905f027ad57

C:\Users\Admin\AppData\Local\Temp\zSYIcAkA.bat

MD5 5a6e8ad11fd7c605ed8168c02076bef9
SHA1 a28e271193e3ff09ec58003fb5eee9aff9fced4b
SHA256 3b18047392953ce49ac801e7822a51f6d199c8fc455bd1ec09d030aa80842b22
SHA512 8878ebb4c67705e031e5aa5b2d3668ee5d370da0e2f85633883946afd61d0441d259e4908d9a7c92ebd78bf24747b9821a897ec58f058fe9fa60e5dc7d426982

C:\Users\Admin\AppData\Local\Temp\hCUwowcM.bat

MD5 87bfa94c82048611b618dfcc865f09a9
SHA1 d8240aaa34331e9f79228cf3c5edbaab6e2e14d4
SHA256 fb1ec4fa5464fa54cdd4434e1ad3fdb1c3f051e180fbf5e822c7ad0ff9bb5812
SHA512 e20432f30e9c9cf08e3ff5c34dc91dad28d96e58ce493a15b0192a02a130439ec85c928f8306351bf72e8144aea39b064da4dfe016287d8bd57deb15ef256fab

C:\Users\Admin\AppData\Local\Temp\zaskkEwc.bat

MD5 2d65e9412a36c571dfa31d0cce0c0b88
SHA1 3daca4cc0f38b5f8b47c42a86c2eb38359fbbc6e
SHA256 efab749755d9f30410b94d71be86aef878acd816b29a01d63704c6d850c14a05
SHA512 489494aba7e3d81531135a8a2decaeed459be0f44b5d4f8374279723ab65fe95a65c86e9c1ddc9db1d63cb7d703606dfc9899c124e01d3b357bfaceb92b0514c

C:\Users\Admin\AppData\Local\Temp\PgEUEEsU.bat

MD5 bd3718b19cc758a85c3270912fd1533f
SHA1 0dfd2d6e7dbfc75b66153701d8b9e02854668103
SHA256 105a2145fa588f3a0e5e576e1c389ed4c1d653a40ff9ebacc0702f1b6cc12b1d
SHA512 e6c94c74f2d77429374f23d954176d1803ab0e909c180bcc3d6e6d7854301e7c3cdb6c11780925b23bae5e04064d9c611d83c9e4be76849e7aed53c8f11b5f25

C:\Users\Admin\AppData\Local\Temp\BGsMsEYo.bat

MD5 2fbb965dc272270154c7e97ee8ab9dc1
SHA1 3715a9d74d287b767609fcc8cb770dc74095e178
SHA256 9947851a841407033014d0162e6da9b49efaf6f29fbd9989b252b9a40446ff65
SHA512 62abb16285b7288a21b4b02a1a5e0c92cdf65c8498d8178d659b17167488f14441bee5fca663f8d4c3a7970aa8618df97a8bfcf25a91eface2ec06eea345f258

memory/1228-1106-0x0000000077430000-0x000000007752A000-memory.dmp

memory/1228-1105-0x0000000077310000-0x000000007742F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wAYAsMss.bat

MD5 13a64973c165d29a4d0cbf1376e4a5e8
SHA1 9052de8caf618f382c1b4a25e08740e68afd5f74
SHA256 229272ecf2b0bad0a9f3640147e04b15b8dfbf879faa832663ed7eb3a805c7a9
SHA512 f7c4e5e50424cf283af8969ae671606d4efb0554d36b498dc50ffcb860a705010ad5eb272588ec1f2716688b1cee7c472dfdabcb151195d26e8c912400e4928e

C:\Users\Admin\AppData\Local\Temp\ESogcEgY.bat

MD5 8ffd6a06cc49750f84e26484be0a1984
SHA1 54cf31c2414f8fa61898103731676f8824aab4eb
SHA256 b9bc09bb67de34d59517ea95d8b23b5bd4b076d26b420f8e310a5224a37962ef
SHA512 9fb9975cb2c65f07f30cf2c5c9e03622e133bde490707dc405ddb4dbf4afb0934007cbfe7ac0c4c30dedd5801d5c80bc8953d60502fafeb7937352db42341347

C:\Users\Admin\AppData\Local\Temp\ecgcYMgI.bat

MD5 31ef85f27ddf17fe43619ea737e7e70a
SHA1 338884ec40b454d9fed4c6a92352a29cd34ad611
SHA256 c83e54e536bb186732d08dcd29e80ca0de6a994f47c7327048f45bc205c8e31a
SHA512 346af79bb14dd2bb1c2c5287baf3272e1865edd704fd2b07ec103c1e80e031c1fd60f816fdaceaa72742d056363b249c84316290c9b9436dbf36cf2d5016f99a

C:\Users\Admin\AppData\Local\Temp\MGkogAAw.bat

MD5 cf002b5970d7f32025894cb4d0a6aa54
SHA1 0b34a605c63ede6bfdfde623efc82144732d8965
SHA256 3c94e01787ccf48fa40b07849cc6177fba752f329dc9bff157976e1b7f38a46a
SHA512 01773513f46d722b29f48bcea28ac5e5eb08afc5beb274f5f7822badbb2afeb067db4606cb4c559811deb0f6090b11a3a31fb3bb8e2521ec48e5919d23810dab

C:\Users\Admin\AppData\Local\Temp\EQAk.exe

MD5 86c5f6c8c5103c7665adab561fe7fd85
SHA1 e68848df3966fa4843594cf3239e33c94b811d8a
SHA256 78ea82091a2ac70c75fc989fe2cb5adc43350a01525300d4bf60427b5eb883f3
SHA512 fa3f13a5b8eaf72442d424768d6c8b1b5ac94e99b1696539765081f418c4061f4a7c2772eef634d94aac476284c600aa3f20ad39aa61db6b04a7b68291637595

C:\Users\Admin\AppData\Local\Temp\lGUEMIUE.bat

MD5 5d3c7198a0deda15aa85c0f97227bd1c
SHA1 1c9238cd047c29e71e78063d2a20f31caee54e3e
SHA256 0c1fba73639d80ddcd31c7cc4e556cdb942d6c97d66b57cd6506d2c75a9c04fb
SHA512 61555a762772448f6f79d7bbbf5f4679fc092ff74f7c0bf3ea95dcf9a865d8a7646abb44e44f5650f22e7416e7880ed66f814fac964473f59378c10cb08fcffa

C:\Users\Admin\AppData\Local\Temp\YckA.exe

MD5 d54639fee208cd1eac052e907f2f5014
SHA1 36e510fd69ccd3b4c3e4b0cf7bf98059df485eef
SHA256 7817a7b3bd4e07b68efe2fd492c38a0783b7235cf8b6789f750f866831aa8db4
SHA512 e58ba237ae358af0e3f16d588b79913bcdd582643494c896ec37a9dd4d2aea674d06174fa6221567da3ec3893776a35075d5cd991fb56b0ee932f3a79535ab2f

C:\Users\Admin\AppData\Local\Temp\OkYE.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\KsAS.exe

MD5 1c0d5a40ae50e4c808e8bc09f8e2cbd1
SHA1 e1996b6d8ea533b25c205cc272e8a6162135ae46
SHA256 531b1760d0eeb3495b99fbe1e3a445cf5ea190665e498d86e499dc3d74bad2a8
SHA512 01544e392760882a2802cd94285457056628ce5e6ed657125522bbf992c45b28fd08f62cb8a08474c10cabe9e839b1fdf6c4051518c43cd2436cd858db0aed3f

C:\Users\Admin\AppData\Local\Temp\CsIE.exe

MD5 12e3a35cef1a8a05fac0d1bd432b1797
SHA1 5060b903ec32f6d61416131b28d8dcd927636644
SHA256 5d768a1a36558b52d2ecef0c74e461e376478810753e12c84a97956d9106e040
SHA512 671b737944c5e86ea1df85411656179b34840fd19168d94e29acb0b8fd138fcadd443600155b35020b8a8334ebe072ebce46fd9fc3e89470032485bb0ee2a8a4

C:\Users\Admin\AppData\Local\Temp\WUca.exe

MD5 5b7ca1321e3981de4cfba96463a049d9
SHA1 248f980655c540af39021ba59ba1e8ea5cccc7d2
SHA256 01405f927aed55d543607172bd2258862b6acd5f1401410051eee8dfed06d72b
SHA512 bce1d23792e18fbc31d62d46f6312c1598e37f04db3a9b21c5e826887c72b695dc0ba82bd40b3abeec4c4e2aa3ec41f1761184d078df5e3ddaf1857ab49ef289

C:\Users\Admin\AppData\Local\Temp\KQMK.exe

MD5 7bbbc535310a3a834637c7b42a9cd7de
SHA1 a31c78a5bf09f89c7049fc45ffe8738ee685d55d
SHA256 bf975f165710999881740d655b293dad2c89988f793c477063db7a6494c368a6
SHA512 8017831d014badfe64146eb89085d1bd003f074295149e078d2d46bc011803e2099718c4fc19fe6f91320385d68ce957807fc1784af7b7a761810445486c0fec

C:\Users\Admin\AppData\Local\Temp\jeMEwUkg.bat

MD5 8cef587d555b3570db61a5ec584ac3d0
SHA1 db774e064c2a4bb16f466aba298987b57fa87608
SHA256 e6b00787d1b2f7ccaffee2920a0aefa6f2295241c0fa002939c73e6b197166ba
SHA512 3dcedd10b279e9b294ffe38076bdd247191351f16ba2bc9b5ea1392bb4b573471fc5f76895f2a09732f50d478891df31cc94eaf26cbc13a6cacce699067ed682

C:\Users\Admin\AppData\Local\Temp\wkMo.exe

MD5 e08f72e04f961a984d3d8278d34de98d
SHA1 18c8ad62447a7f5952ace5a658834fb72703b15e
SHA256 27213d5c9e882ea1e6ef2a7ae306670bf953dcfc08b9d39fd60fbfbd3463c637
SHA512 c17e29cd7d8aa4ae5ae7e883ad94905c901fab6730c5b904d148e4c7c7dea2df9769652f9b47e0cae332762fb7cc40b8f001ce3490bc5bfc5cbde30fd0247635

C:\Users\Admin\AppData\Local\Temp\QYIC.exe

MD5 2bb44c1d45f39f5e17771dd65cecf861
SHA1 22a156b247a6d35f9d79f1d27988da1325d59d5b
SHA256 d170b4efe8105b925ea6541d86aa2182aa75cdc7921534147c7c64dcfe587c33
SHA512 c2257b8aa908e02fdf0bdf35863d772fac0505c84a4d6c33bb0ec227c944bc40ba88eddc1f56027d458fbbad19c7143571cb6d75d5701e7aa602159d38ccc164

C:\Users\Admin\AppData\Local\Temp\kYkK.exe

MD5 72804bc9187af58e82b2d8d2cb28b40c
SHA1 611364cae5f979ede746e3f5bd9a443056efd4ff
SHA256 4f1e75044a3b7aefd9230cdf4e5cf41fb37ac1a69e13306def083f2e664956ee
SHA512 abbd83d97a4227751b1e005db8691fa5739beb2214088d18cc840b6a28615538c977bd1ba85cc165daead189e395a6164f8ef2266fc01318b61d99549555adf7

C:\Users\Admin\AppData\Local\Temp\yIcY.exe

MD5 f158fe52910854a5fbbe855747230d6a
SHA1 793331934336c57d833461e50ec028619b4e51e2
SHA256 01a5a8ae654b7759f6f67a0b2c8eda39d64a8976094bbac7a255bb85c0b71d91
SHA512 c696624bfd3d36463dbd9f6364c9eb5d5e3ddf0a60569f3b7640c9a192540a75dcc15c652526b70e8065d53d769dbae08fe8a48e0648fc45ece6e3275e074e3c

C:\Users\Admin\AppData\Local\Temp\ccwk.exe

MD5 d91314f9788a5233d935b6dab5db924f
SHA1 1f14a2b77596cb9677ca2f6484577a029e024087
SHA256 32d6f9293c79382f42a92826c6cd1cf3f003a047421a0d3d7ebd4e39e0557751
SHA512 14aaecade9056ee39017b13806d750947b8c5c34557bc7e1e58212d6bd5385882e177078f8b3120e5f6b4f03a118a4d817ca975989500b9b4a8f1e1804cf828b

C:\Users\Admin\AppData\Local\Temp\QMIA.exe

MD5 2abe08bf7579a55fe3a0ba40a0e27fd8
SHA1 4832f904b4e89090030299e89be18aecaaebe4d9
SHA256 b13845f4cb591de1bc6eb800df00e93d9d5645824647904c0317be40e376fd82
SHA512 29bf644edb519b58bbf95152d18316e60606c1ad2cdc314908e42de92acc0cb3aa5dda0d42036de77d65b06ab6ba44eb5d673ae3f969e59688f7a262b3f8970e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 a01d5d1aa17963db9f0ef3e97513a643
SHA1 813ed617638eff24421fb9d0bd40a1122516b45f
SHA256 4281c9661b36b86c82a39e62eb2ed3a663cb9ff575ef7fe48a397898cfebb982
SHA512 7358ad8918d85dd8161cf1fec379cdc4b9f3c83e6741dd5125ade674a424f273c183f5986323926fe59e1de65729c9ea2b7921ae3fbdee92adae0be03e92d71e

C:\Users\Admin\AppData\Local\Temp\DgYkoQgM.bat

MD5 3088bd84880870b3f55144694ab78feb
SHA1 574a06cdd80b356354a54698378f84756737a470
SHA256 a1407859c6b9ef49c7e18a3594ff6969fc9b82773807859ca152fdf2e8d4ffad
SHA512 1eeea96929302bb8b770a378259ab7c37a7d1f158abe276cbaa2c2509d2aa1a0dd4ef2096c48d322a582636b802ca31ee79d0f255c27192310ad3152bba69b06

C:\Users\Admin\AppData\Local\Temp\aYkc.exe

MD5 b398f58585f8f36d902b0b6206522e81
SHA1 d30002790e82328aeabc369f3220c4fbb89913b9
SHA256 7fca76afaf0f1163c1075a76fe4de78acbe61a571e78e0d31e6927e5246ff9a2
SHA512 c62f7b1b6c5362fb089d55f89b20633b8c54139614335170ad5d0ddc25d805dad48f159fb462d5595bd0c0bdf127ea34f7f19f8d23e74642ea9b72ede8e6d091

C:\Users\Admin\AppData\Local\Temp\gAAC.exe

MD5 6a8ca5019864734afc3afd45b0a780d0
SHA1 ef7019d1d59b53a61bcbbd743a9d09a53c779959
SHA256 21cacae536998c9d1957f82bc0339ce4da3030ce0d71a96dc701d41ddd7c2209
SHA512 db35b2fa5b3eeb1e42ce0e21079b5a1e7a18ec8c8411deef1b15c49f2917e381eb96e81fcdf35a3a77a05a12b3be1f436e6747ab460c506e1e8ee72bca24e2e8

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

MD5 130920af100fea28aedee660ef7c807e
SHA1 221491d9003707e3f7c1f5b48e09471449c9d07b
SHA256 8172ea08de818ffcaf880e724ad41ab707aa32953faa363f3bb0f60932732f34
SHA512 bc5cf08f7d90f21995949015df452f0c80c6c59984972f77265f75ad428318a05505cfd9689f64748374fb7c176cc105239ea7697b4382a476270ba8bbb5fdfe

C:\Users\Admin\AppData\Local\Temp\UcgU.exe

MD5 c09ca03d63c67d20d17e16c1d8e8ebe3
SHA1 26408a9912df6510322dd4add26fade10b9c01e8
SHA256 f1f557d2d7db75ab5846afa6cf3e66ea1989df03626aac8760406475c64a75e6
SHA512 4e399bd3bb875252165970720dcabd0b8e16c46570b1a41a07d6b646af1c865966142634246a9806e3bf34738fdb04c3c97ecdb7d4032a2b562a0c273d52cc95

C:\Users\Admin\AppData\Local\Temp\ZOQEQYYc.bat

MD5 18d89449bb43af9c93940be2e3c4bd15
SHA1 fe1d696f87da223285d47e3853808ea8de17c005
SHA256 2c954f908b1905e16069d21359d06afc837886c1d7495a821859f366de197eaf
SHA512 fe851a299758167935a85d963f6ce67c61684f8b76f37c2dd87bfba531c3feca346f7072bdde03d050bc8fb91855046736b0d39ae22de01e000b24ea8de59736

C:\Users\Admin\AppData\Local\Temp\IkQS.exe

MD5 ec45226d4f0537d92bd650463e8656ca
SHA1 370acfef08c4903495ac3d19d1ff58ad4dbeb461
SHA256 2900991abd05d06f248acc37560dec6840e4f8c455268a0fe1e62e89682ba895
SHA512 473e23de5c2a79d3be3190ae77a7f6f2c561b507316c5e88e7b51b3e820438602fc6e695cba0ef04f768a2c9ad1048f61568ebe497a6e4c69abd976a1a61037c

C:\Users\Admin\AppData\Local\Temp\wwkU.exe

MD5 d2d1b47b24fa10bf7c379f577e4063f0
SHA1 f372723bee058f8b11e05989fd76a0652bc85670
SHA256 2bd6d1cd4339c5dab34d000ce012ae7533a8cb28ef41ff9171c0fbb5a28a727f
SHA512 c0822a42879a06790c6307d873941ad9e32832773233594abdd70e58e665dabf6eafa6229508f2f7e11441a7a4659b3fd047d51e59c0632b42d71e94a79482ef

C:\Users\Admin\AppData\Local\Temp\yUcc.exe

MD5 3604a5805ece969d1ec04c8697b8bc78
SHA1 de20cd3c77361b3b8b215ccfcec019b681d431b5
SHA256 ad8b84f826f78c9c04524e8014996a29e9560114bceb669e9f611ab2b244c2a7
SHA512 72e4c0d880f038a81f4f111136b5bb8bee2e1cef231663d2d0efef332e18c55edd42bb081ecfc40e562a24d8c795958acf3e05c1c387b8a9935ee16729eeaa3a

C:\Users\Admin\AppData\Local\Temp\esEQ.exe

MD5 4d8434a999bdd169eebbd7bba7656863
SHA1 8ebde0dec5b10069c39386ddd197f0c4b2baa700
SHA256 d84a4836556c3917ae87fe6110d5e992c58717eb97d5ea7c66425d6f6df7b339
SHA512 7522618eaad6de361a35c27bcbd695ba5aa680f0708189bdc713143c96c1f76ada64c7b24169e343ba195b6e1b83bb72ea945c2f5377af0696cb96b6adf5324b

C:\Users\Admin\AppData\Local\Temp\qgwm.exe

MD5 8c264a2d328bb940f4fcc599ec85cd3a
SHA1 466b822a0f119e2a24fed831adb8afc9cb8eda33
SHA256 17bbee5f31e874df8c36e3aa8b1df4d421a748b315fe08dd15d9822bba440075
SHA512 bc7024cb5b795df3831d45a0e37ac127e9a04bfff9f1e438c41d9817227e0d93f8baee85a596f117c84afca002bae2e663b77c0993226a3b2eabff053c03d284

C:\Users\Admin\AppData\Local\Temp\CsIQ.exe

MD5 d3932c261bedaea5dcef99fd4bfecdea
SHA1 b8122c982d525653c36cf7726efc6b2225878beb
SHA256 b42a0933b141bd00605bbccfc71c88f49231bbdf641a5da49f8acdc09be572f6
SHA512 215610dce9f7e3d9513dd6876193802f8e8999a02276a01be3980064ca7d07c96ac8689dd9a93c99321f5f6c33b51369b3aae900c183910f2362c5ce53b4f6e7

C:\Users\Admin\AppData\Local\Temp\aKUoUwYQ.bat

MD5 ecda530d1436628eb7a300e8478c8ff3
SHA1 103695555ba101edc498c04544e795f2d6e66f95
SHA256 0f02e3738636425e33484fbb8c3bb07781179e6f6e381dbac1751a18f0ebbf56
SHA512 53587fa1d71075450526d04ce939965894031d7aa331f32640514164c488d098472f6bda65e8fccf719ea5834b20002c672258f571ac3727caeb17605fe51c41

C:\Users\Admin\AppData\Local\Temp\qMUu.exe

MD5 b65571c2c22f0cef6b31dc2b180b6dfd
SHA1 e54029e2687f9001166774d66c8fffd0fa9ca9ac
SHA256 5ee750962be3739654930f364874a4f19061f082bce019ac8df51db4c3e0168c
SHA512 56ff3dc244e22a0eca853a0e2d165047f3ad3b6e8d273c81df3802e0b29044a54436e57e3ab7794511797ef5e17ab2a0d57ab8fb403e542a1da1414687138311

C:\Users\Admin\AppData\Local\Temp\skUW.exe

MD5 5f064186aeef984a2c203a51a3fb5d18
SHA1 4f7318682f7bf191f858ca785abad7516b53b802
SHA256 68cfa631e9f9d1941e1a0e48f8c8a93fcc3398b3727467d001c567058634cf79
SHA512 d927fe93ab4e98fdcee815006f516cddbb3a9728ec145a8e0247b3091b5610811cbe7cac81f014649e7b1ae4cdbcf5c3bf626b136420d1b8cc30fef85e79da29

C:\Users\Admin\AppData\Local\Temp\GMwk.exe

MD5 9e9b7ff3572e6814cca39ff98d5ae730
SHA1 af03f43eed5d5414949c7da0ef74a1637ac15576
SHA256 cbaaea58f882782fb6cf3c15e6db9bc2660524c629e65bdc90846d3e5bddfd30
SHA512 b1aa37a5abae549aba621fd163bb49cadad9fafc9da752a9643ddbb3f3bce8eecff4f1dca136f666ca49eb641241645ab0871202dfa89e33647b05b0c016a294

C:\Users\Admin\AppData\Local\Temp\SQIq.exe

MD5 1c2f1df65475cc9fdae29b72f6878a69
SHA1 65a642c8b59eb4f8c7019108988ff5e6290da84b
SHA256 233d795b220e5e99dfe4f127b775842774887bae2a8de707a1c3f91889fba69f
SHA512 587e45889d3058dedd27b3c33310405aa3619c9a9d09ba5522a47105d11c3d275d556727c92d717c4ed87e565b9f1daedfa0ac97209d3096b7f9cf9cf288adce

C:\Users\Admin\AppData\Local\Temp\cwsw.exe

MD5 46da7dc884f9dea62c0331fd85f1d230
SHA1 7b722f75fb2b9e8020790445396e6afd5801582e
SHA256 ad9e264193b88e1962f2656662c525200227b006d3ef303605433c41557a0828
SHA512 3b659bfac8e74687217ae3f5498e4269d606e1590311da33b925b9d958ecddb35576f1a0b95ad951c6a293f5e789577fb0ab3fb3d4c2a32ea8382b3488d1d819

C:\Users\Admin\AppData\Local\Temp\iUEM.exe

MD5 d4d62646172ea8d5367dfc8eaec35284
SHA1 66387506eb3393c89cc6bab9f80bf5f51f164876
SHA256 6b3c47efd89b1aff276ba78fabf058e7d24d321a6948f20bf7982c51e282dd02
SHA512 4ce26a085461a0a08155907c643f1b77c7c041ea067255681757ced0e1787bf1e92a47504ed125197a42b467cf5e9d0490288629ff157d290dfd71817d336218

C:\Users\Admin\AppData\Local\Temp\ywQq.exe

MD5 07ca156fceb16f6d1dd427c1dbab42f3
SHA1 8201434874d911649919e282397ded7c0675145c
SHA256 9e56f45fd5ce3e31dba6fc15f49f3e1d9ca7f71a6b4fe31ea752cbb86fd0a459
SHA512 4ea33b6313e752116b9b54f400a3b50fec886cb60615e3cbf950ee11f980c72a5e38cf09e0aefd78ef0575c95e6b922fb80747095908e5e48f92568d391c1463

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 8e3db8a532bc1eb589c191ccacfa70c9
SHA1 040e89ce21502371443556cfc772ab9d6c8403cb
SHA256 25f02f558acf5e886e1d48554f68f22c91e2ae086f0f2a4cd5d5a148e6522aaa
SHA512 7225ee66e2561e9c6015f0cd457abf587bf1b04a7e59660c2b6c8e832ec3b8fb44f3a3eef3932caa31b9d6f8b220e7f19447ee154a82453074b13c5617312388

C:\Users\Admin\AppData\Local\Temp\KGIkYUgk.bat

MD5 1b8cf02dabee3fa16cfa07284710b44f
SHA1 085c8533d0d3d52586e1d4dd5fa6ead68a6b04c8
SHA256 2ab4820e2509e5de1f44bd7a967bf723ac95dc6115063a8a71f5714b92c36fcb
SHA512 cf49c7069a2a3bb84c1c2ed1cd195c581053f9cc4588623d4d3e085f29426009a0b9f145827f95c4fba513d57214edbf8977f1e22b4ee5aa3d0952c49eab3991

C:\Users\Admin\AppData\Local\Temp\sUYK.exe

MD5 6f7edb2ba6a315f06aeee92e350606ab
SHA1 09544eba81e036fb8545334b4599ce75de235068
SHA256 571eb69798fa1933ab5c646e1ae6470ee09ab56d71735e15af537ff8fb3dfebe
SHA512 720601bd6e8e2a706c377e505d93af36d2d105cde90db1442a5c08755e46526392cee4c3ea7c5e72fec6e8a264c0f6174967bde4d5cbce0d235087b93a5bc2ff

C:\Users\Admin\AppData\Local\Temp\qEAm.exe

MD5 16a83eaf4cbc33d364a81a88dab4a572
SHA1 24d253d6c57b9b6b8ccf4323c879e2aea6ecaa93
SHA256 2650d4b48ca3f5e99aba607c27c45c915bf7c91b63b6121b03fba0a08177b449
SHA512 7ed08faab461a8c04f07ef84596a7577f7bd59656bc5c2e6d06296afd4a535e6b614cc397318291b45ae2422d6e29bf50e63406b40b0902862b21dfe661f90bb

C:\Users\Admin\AppData\Local\Temp\OskS.exe

MD5 d6c299aa00f85d319789ba236ab09df8
SHA1 da2867be08bc324fa2985fc2082da9db673ea762
SHA256 e30d101a19230070d1154f9fa3f6ea09bfeca46f5d4bba96600b3decb06650fb
SHA512 148feb4595b13d1da1c14eab97110cf6b962e47fbd01aea1303fa77cbb472d06896d3a2cd2caf6243f1a4434b3668cd1a4ab672ab037435fe8d6993c2385f86f

C:\Users\Admin\AppData\Local\Temp\kAIu.exe

MD5 fed9417deaa41d230307a5958c05e700
SHA1 02ec7b7deaa3002fd500de24637634072927ee24
SHA256 8e4483e02c1dde0035f9ac8ae051c5a46317e9a7a11d4b83f6785f7ac9ed6475
SHA512 1ce666864e0adeb9e1e4509f39a9775c84b7d419b614ff55abf926e740fcba1b166ac52b19d004083fbe4470b021fde2f0ab7a969f6658a8a94ca26705e734a4

C:\Users\Admin\AppData\Local\Temp\Ikgg.exe

MD5 d7f1790af21e8b8dc3b81e623be19eae
SHA1 ac5d580de2f537fdca5c5495c637e5993517ddd9
SHA256 5a19d5d495bedc95964817efcf4171ef9f5229cd7434bf1bd1d57dcb0a247db5
SHA512 c2aaee6dc3e60476daebd568a71988d8fa32f4cacaff5db0e31937862a8c6bad27b5f2ee93e33e32fa35343c8c2aa618c9eb7432ba25bf0e7ac9b6fdf156fe8c

C:\Users\Admin\AppData\Local\Temp\ygMIEkYk.bat

MD5 890a999b2da56f0f4241e578d9e2cc33
SHA1 33aba649df38315e517334e4e5e5b5329e783cbb
SHA256 9962699245e51d9afedd45248dde0f216e1542f742fb97bfc557a9ba391b8d0a
SHA512 23e07046b6888e5c881cd99a3d75e46985d1d5befc90ee261672cd3527e2907c7a5e0d04f81e592cb93da3f44a8120ce4b6af4ee41e2451425b0c3afec060313

C:\Users\Admin\AppData\Local\Temp\GsgY.exe

MD5 a39a0d8d02032901ee32e6fc7f7cb935
SHA1 c823e547800b83f60ff7f3d7007a43c5a2483323
SHA256 0045487fd48621864b6e30319772e892e4ebf4d73880513d5756b09b09a1b75f
SHA512 138f31ea9818e801bec1cd110b669af727dfb86530e1567af4f3eb9db8d8b272e4bef9dca44e4283febb789c70df84294b0465bfcdb2148b732d65509c2dc3ab

C:\Users\Admin\AppData\Local\Temp\qQoC.exe

MD5 8e61c70874c5e97802af6faa4b3b3445
SHA1 ad28445d6ca6ad0dd8f35e4182a636f01291fc8c
SHA256 222477daf852db4dfb790e9ea4937bfcccbbe6a752b5a7107c7ed20dcdf55d80
SHA512 9d821a37c31e14df70f26922adf83448a200dfffabbc39aae3348703d697ae75f3695d5c5512b497c2ea3a7d26699e6f30e89b621d796161a0e28e5ff50a20da

C:\Users\Admin\AppData\Local\Temp\kcgY.exe

MD5 76d744357076a416b0452264d4298d01
SHA1 9acf9e9dc4eb747fbbd096f90cb4b30344b9d06d
SHA256 f34a97eafab7009d02d5f3ba72e1fd8b17d25fed9fba0606bafe682989c993e5
SHA512 c064a41a6b4b04effc995b320f5126772a82ad361ece2a28d842cec14a2bcb18eab0d918c229b1403ee39338f97097ba8ce00f057abb3d16367624a1d57dd7a2

C:\Users\Admin\AppData\Local\Temp\iokY.exe

MD5 3331973e78ef9fab44b6a018586672e6
SHA1 11a0f4fb9b72a037a3d2552a0dd2462032f5a8a2
SHA256 6a6c369255313097736481a895440bd1557fe5d63b0cab20892a74654fa1f735
SHA512 77f425e6ba1ab145c70b31b4fd1e80204dc50c8d82821ce8e0430fad32739790a54646eddfcd368e15264982695d38235d5beb7ea7cb2b8e1e0012484370cef2

C:\Users\Admin\AppData\Local\Temp\qcQq.exe

MD5 4e96fef11ed836d387ce06e2b02b4d0b
SHA1 f9132445b95fb020840d4ec5c7ecce018f2e263c
SHA256 5d47e92f316526e438bcc1c0cde5e47471489e4d83cb0defbfb2480b59ab8fb2
SHA512 2a495ad3c1c03a41a2fc5537ff58433b5cd007cc076fbcabe019b3a968eb9de9bbbe151a880146cb0c27300e03c2bb7f92c0cc09102f2a3819e66622ee770759

C:\Users\Admin\AppData\Local\Temp\UkYk.exe

MD5 170ed9a4928ec439f6868969df5fbae6
SHA1 4864137e5e0b977a6fe0d134fa9f2d314e3f55dd
SHA256 8ab1a01c69f4aeb6a76d05d4b69de2e1fdf3697de48f9dbae7b7e54cd68e9206
SHA512 c5d5840a1081446bac1aefcd646a80b8b10b13469865864754604e7ae1bc7814fa15a1008edc9069dc9e79ff27eaeb46709e5da944f3335d3209b2306d0bd115

C:\Users\Admin\AppData\Local\Temp\wigAMgkw.bat

MD5 d4111691cf0ccc946c8d9b2c3f3571bd
SHA1 3c8509bc14ad0b8c21b17a7d109258e1e22f320e
SHA256 39b56f333d7d3cdde305367ebf4a02e5f5b74acf0dba7a616c10eb9bfebe5c56
SHA512 16e1a425875e6a81527339f3b76e2c9ca33f657b855a447aa0492dc2082fdfec054e5a7af3dc661bf0c46698afaeed0025689669accab6c084801ce0ddebf5ac

C:\Users\Admin\AppData\Local\Temp\YcUE.exe

MD5 269b0a1759d04019a8e1b109b022c72f
SHA1 f01343d40990d4017370fae47fcf1f40856198e0
SHA256 9819d2b0c58e1c2620d08db83446efcf2944ce1428570e63d6d15fafaa456e69
SHA512 1f3e5cc072429f06ca3302c0c6612390c288d85d511e329a911485f74bfadec2a22ce5ab5f0d08c8bf8f5d56b09606d8e8a2666ad455c9cdc5aea27588060e41

C:\Users\Admin\AppData\Local\Temp\uAsC.exe

MD5 c453b6301374a74f10d7b1e506f166be
SHA1 1b046ce71597c54578aafc9e3536b340e40c0710
SHA256 d0e14d08da381f9f642fb4b88ddc678c5b296ae8520f71e0111805d34463d955
SHA512 551b1a8a05b11a8e0f618ef03cc83c3fbd594f5e48654dec4cae1fbef2878b05b25d4e6518a7a328fb6bdebe29df09a06ee35aae7a75cd7f1926a3409964bb5d

C:\Users\Admin\AppData\Local\Temp\aQkw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\mMwS.exe

MD5 8882d4ae892c121fd262116d0f1bfc0a
SHA1 16d94cb623a2a091395656816581c4c668925cc4
SHA256 a07ea8019238d77f3b7b357cfa3e3bbc979bbf262b5f94ba306f7c8ac664fcdf
SHA512 f84509ee68851b2bbde50a8162840f457581723841ed28fabab45613ba1488b8516e8aa212d3c950314601ec22ad58dc4545d3334486e5b97822b74d4581f6c0

C:\Users\Admin\AppData\Local\Temp\AQYu.exe

MD5 21e61b29032bd0dfe03c18954c5470b9
SHA1 d4918af47b217b57cf6a97a449d0318a8a039c46
SHA256 4f42e8a5d5ece4cd11ff17bc8c7ed6728ef7ce542eb037f80dde4a807123af15
SHA512 c578ffd1d672fc4308ffb9b72fd1a29f8ef5393ab6235295c200c8d269dc237634e4801bb0c25fe5073423bd340a7867e4917cc17f0f8d8fd10a2ad302ae2ec9

C:\Users\Admin\AppData\Local\Temp\iUUG.exe

MD5 9d31c8cbf2ab8dbf4ef8466733ce8a8b
SHA1 b32b501546afe7fdae91688918a1a4f8209469f5
SHA256 4735c0d12150e7b9f82b9b8a8e5604c9d488859f29fdc41245f4ee5e73bba92f
SHA512 ba915b22c87e089044185a9babb86e5a593c35c4cf17a82e1c2ff19950fba30bebb1da631e203eb853616173b9d31660958745886c05a205fa6eb940f0dca2f1

C:\Users\Admin\AppData\Local\Temp\JskMIcAk.bat

MD5 69bc27b584b353144c742478b5f1ff7e
SHA1 f37557c15b0f971a0032828f700ad9ab1e0163d8
SHA256 aa278e076a9b7a37f3be2354ddd0914ef73b91531bb078234c4e4e2943c1855c
SHA512 abb2e65d82d4af3c54f1ab718263569dbe9ae07423cf98f126a7df5221b904288887077711be69ecbc71f17e0c525a42e93877d9dc45af38b84e4b504a2dbdbf

C:\Users\Admin\AppData\Local\Temp\fMMoQsEg.bat

MD5 c6a38a8be1ae39ef270f8087623b0b6e
SHA1 46eeaea548071a31f18fe4bb780b8a55f26275ce
SHA256 14d41ddef4677f6aa8b5d51b36ca658d2ad5b95a9fb012b3c784082fe0653b04
SHA512 b781ae9ba84c6bb22f57bd5f6ee767f0ddbc2d12dc056f1bd7bcf61b90ab93ede56a956475e7aad527e8945a8649f4463c57d90fc01c19642a4f18e976abaf9e

C:\Users\Admin\AppData\Local\Temp\fIEwcsgU.bat

MD5 1b5b550b287cdb2756eb41becb6deab9
SHA1 2f82c24e0b4f97888c6c2aaa35c1d06bd3edddcb
SHA256 76e1d9deeab9f26dcb31cd6d623c640c03d8fb3c217b4900f5424acae3e244fd
SHA512 e50eb90f884cf8e27c5d1afb92c2c7c7da851ed95a853340568fdb2a8f84b82d4555ad032a4629d62fa4eed5b73af0b60c860dd43a61a61595ec354742dbd278

C:\Users\Admin\AppData\Local\Temp\fsMcsAMg.bat

MD5 1dc5e2409fd87ed8147f5240223cfc3b
SHA1 2e0cb4ffaf38737f0432db962d07159598e4d8bf
SHA256 d9982f22e0632114890d5f12c0e4504cb6847f4b22a7620d7263d470b88b188e
SHA512 c86393d9b08ead93ba99118caf2eead4611f4acc338179b58c04100cc857305e6f99f4857eaedb4ea246f81dae52dda1bd82baf01b32f08257a0ec001e36a1e4

C:\Users\Admin\AppData\Local\Temp\buwEkwME.bat

MD5 969e746a91c281016491f5569646a4f4
SHA1 29c013cc0956c60e021220ccf15c5605cced1c9e
SHA256 f4c671472c46ddded8d239c8d8890dbd7c14d6bba87401593282a49b3cf160d6
SHA512 cc9be7276f26b357a25c59fda93b018cb26300f49961b3143a36e1b70bcf58c171261c57c822de5026deba2ece3948289e6ddd6da37cd2e3c83111faf644a263

C:\Users\Admin\AppData\Local\Temp\IqMYoIwg.bat

MD5 5c91d434c2f57555123e797f89e0ddca
SHA1 387ca16104884accedf0ddadb21f2dea11f83a42
SHA256 d1c26184387e8c084ed888254ce7491425c2d09aeed1773cda05a2c9b7fc896f
SHA512 bc0a251ec8d5320569b8453839cd46b076a2610b13bad653dc9c5460e365f1ea8b6f19d8f59792ff9f88415e34e007eceaa3c13d37af17c29495e9f5b5ef8ffc

C:\Users\Admin\AppData\Local\Temp\WKwcAQUg.bat

MD5 93a5a5a19536217826daf1171de1cac2
SHA1 3cbc8ddc217e1117769ca6950d1eda3cfb97c1dd
SHA256 0003f3340d4383ef5813e11824b1b428849d421d8c283471c55bc59c83525783
SHA512 eb5ac97c90fc206465bc586fd83eee06aa7e73223be06a38f04fac67ccbc4d23976ccbf14728ff38f41b549e19992176b9ac5c6c759b5b9c989bcf2f7afa53e2

C:\Users\Admin\AppData\Local\Temp\QsAAMYsE.bat

MD5 ca9271f233fb7975ecd4422ba57227d0
SHA1 6798575732b783a602718bccb99ecd4d99771184
SHA256 27d3e22a9d4ebad52ad469394eeec28b3aefe9ffa6f3305367900ef12901c772
SHA512 8a97407a0225ada0056d18821f0f11f785c50ccc8206a1ef4a51aad1e331ba065f723aab136425975e277b23c37ec1cce5da53fddb29a2a9b587d06cf2454b99

C:\Users\Admin\AppData\Local\Temp\IugsAwEE.bat

MD5 fcbdf7e1dc478eb1f15f0e7f2677062e
SHA1 d44cf4409980c5bfd18c56aa6c5877db6c6106bc
SHA256 cb5a1f1748da09f30dcad7bc938bd71dc86ea501159068febf791a7233bc685f
SHA512 dca577ba1b8cfb8b4846d9de4be65ffa4fae42f80827711cb7ba3ba04bcdebb3585ddb49e6797ff720538044a660138c1d4e54934e6cee62c69920e25a8dfb4c

C:\Users\Admin\AppData\Local\Temp\tQYUMwIM.bat

MD5 14b585a4210544c833e0f4a5234ee9ef
SHA1 ee458692a5c342c6ad193f177543626b9236194f
SHA256 c691adabf84eb560acff4c0df445fd2ca47e10d613122539b60075a968af47a5
SHA512 ef3f63806ab53b3bf86657e68fe980f0f7e929334347f6daf24995eece730e8317c78cb6a88e7e84f03227c2e9275670a7556f584331490e3980b80dbd1acffb

C:\Users\Admin\AppData\Local\Temp\uMgK.exe

MD5 8ebe10a57adc8d32f3940fb971ae6ae9
SHA1 1eedfad4ac9c3e67888209072bfab32c9beefee9
SHA256 8704c955e6fef90d9e659f979a2076dbc7e486a14beb346306a26fded2484655
SHA512 02498a7cdc0c5afd0ea3a531a634bf81cdc5c6252d59befd645211906deb26a835cc5d0b9b4cfe77112e251409899b18a29497c43d34654543a8c869a23476dd

C:\Users\Admin\AppData\Local\Temp\SMoC.exe

MD5 bac5b05193adceb24f8566e108af90c5
SHA1 7ec9848c792a0dec16d076e898a5ec10393e850f
SHA256 0e1a373c4d9eabc34a37b175051461b6e5e136c3a1eba8d9de5f31df49d4373e
SHA512 db5e4a1d8380967e6f89a442f749e57820725883ddfebf4fbb98cc0d792e102c22bbce4d1c0f8af8137f1c58eedb3aa684cc895a7ffa6069b937a77dd2632481

C:\Users\Admin\AppData\Local\Temp\tkIAsgoM.bat

MD5 de52cd01a8ae691df923f6581dfb3b97
SHA1 63556d7628937fc6d319ccf1864bce5b8b0e5345
SHA256 f20e68c59eae91b5e0a1f3d22418303c7290b58b458f2b27f267cb5f4b799c83
SHA512 0c00e729f063d9e702d57129e33ca6112120b1db399cb737d18b9b261797eebe908ac02e25cc9e7e583ff7706d5f559c41942d93a1e59a0d27635be6332ddd49

C:\Users\Admin\AppData\Local\Temp\iAQW.exe

MD5 d299e7de6e90353f719dce05ffda0bb4
SHA1 3b3cbe1dbae98e72126f0ad266d9ca2338620428
SHA256 37235f94b329f9306e1630450b9eaf8f0eb7547186614e795ca109a10c36e692
SHA512 91b65c3970e52a3b0f78d882a09b48766c2d21ab92f9ec6e8393a94f92fb7b5109821c15def48329c487789361ee11334531b9b3023dd2bf23df742552782d03

C:\Users\Admin\AppData\Local\Temp\KgMe.exe

MD5 f9abb040594d3aaaac91a8790d562263
SHA1 79cbc5fa91ecc8380b4ec0fdc34801d7ede9eb17
SHA256 99751a0b655375e1721abd5982c12962284d45693d0f0a426c26ef26a9867b2f
SHA512 1b95c85c0fcd9b77b7784d63ef46ab929ed11c4e7b3826bf3fc94ffa874371748dc3bad8b39da9ca056d27992f610d818479897da81a3195bc59bb14491beeb3

C:\Users\Admin\AppData\Local\Temp\SUwU.exe

MD5 fb11a83af17760083359fd96855da899
SHA1 7835aa8f309307ceaa41059e75b5bf01e8ba30fe
SHA256 d61a0cd774834b43ee1d305682a90e167740eab2fd4677fdd2da27087700fbab
SHA512 05f5a92bf5b0de7efa488c98a9ba930f4ff4b65dbf7d31c24fb0a20ce28e53f490b72a7b696ae0244be26e509b4ca45f80ca116739df22e2b1389e37a915a12e

C:\Users\Admin\AppData\Local\Temp\iYAm.exe

MD5 35f9a93b292a854365bd974405f206c8
SHA1 a0929e7084db8d5b656482ad64180d234133b544
SHA256 7c2cde3c8964d1cf5815f7ce46f2344b736d06f76c553e98975f35ea7964e0fe
SHA512 1526616b19f83c5411e2f1b77ec29c7f3ae7fa080086eba1f6f9ad517c244cb3bc91d585aada3f39f65b70bd45562d47ae6ffa34c52367a3a96e95f0b7452ac1

C:\Users\Admin\AppData\Local\Temp\yEgE.exe

MD5 a508c1fb83ae1f538ced95a89494cec9
SHA1 3b3b5830af04c1c5d4183e15ad8147ae5b0ccc2c
SHA256 f4007125b1e12b62788271f53588a16ca601f6e4fb7bfdf7b56c5c4c8753bdc5
SHA512 f1f274657b526ad6d92b388d1dfe5d17e8ade3d45dd2dae2f2294fde922c9e8f52531f01c085594d5f46b41bd2e38cc79e1f27d96361b0648ffdea7bf9c32b75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 27f36514344f9847a9e643f3b7d45592
SHA1 8c3d1f5d4271f189c1f2625800a8a3f0a4f9b278
SHA256 5d6ae6b37777628f6f65db555c4027e349fe4d48a0d5c6b8f5c6a84105c7cbca
SHA512 50b0ac44695a61a40f0bb0347f1a08755f3148bbc8b4235fd0e3bef002fe371df327047a7bacb2a14445426245f8b205f241c8302e56b365ff4fdc3a1ed06d3f

C:\Users\Admin\AppData\Local\Temp\aYcA.exe

MD5 4199eeb649503c562728c401ce1ea432
SHA1 6e53eb07272ac188afbc83272eac510eaea761c3
SHA256 07ea570155d6b3475c51a7f57810ffe540b7c88431774964142a650a7fa70fb0
SHA512 1327fea8b3f0c6808b43182eb51b7e55bea90d51f80ee329dc4266af244f24c391d6c5d0cc3b556128d8e047a928b761d635482b775885cd6a32e7ed200ada0a

C:\Users\Admin\AppData\Local\Temp\XGsUAcAk.bat

MD5 61dd221fafa019ff8d9f60fea8326a11
SHA1 5aa7dc838d8c12a0aca55dc05394005a3a936c16
SHA256 fffda3fdd70e399b83f03c056bf722606d43ed0a74ef2da767d19c5fee7bd942
SHA512 8447229b0c5425d598d0a886738c86f7e38ece656b8abf0783dfdc6a5d6dda61657edc4572ef15bb34c88b03b2c0f8eafe708b41056d8a9d5e32a0eb68c764a3

C:\Users\Admin\AppData\Local\Temp\qMwG.exe

MD5 6e92faed451af976bbcc3d8df16e319d
SHA1 85673e57c1f35116e7c1967d938001af61702b43
SHA256 9d92b80c9bd962f9b033b83b1b017b69e76ef3b0226bc87f219498ec2deccbaa
SHA512 d7806001fa42f4b212ea5259ca70c80340f51188a112a692574455ae08b7deb89a6e8acffcad3eabe2912156482b542b21c57999661164240329ae708479da54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

MD5 d70e8e847c82db122be0952fb5b736e7
SHA1 9ce11e53cddbb58cd68a7d4a36bc8d032750dcf5
SHA256 737696cf07870ff6339593d40741943571ddcbfe19e8128a70a9c0a0e3c32009
SHA512 002a1d2f19fc5334f030fd9498399c707f5de31e2011027c76477078a45a7e87dd3d1f3687d11dd9d683a00e554fe81a86a335450822de015330a76b030d7fe3

C:\Users\Admin\AppData\Local\Temp\ggEy.exe

MD5 3825f767f2f37949e348fe06969ee104
SHA1 933371d3f0e816e0ca1211c9375743c55a063485
SHA256 3952fbc8a0c7afa40e3ae2593a36ee3e4497b44d716502bfd9cf6aaf844637df
SHA512 1f5feab3e23bce686ed82fd7ebaa0aa00b7b20f98467e31e33bc31d302a01da81a7dcc520e1606e96745a2ff931922d23a3d370b6f688474b26dda62c4e80b80

C:\Users\Admin\AppData\Local\Temp\cEoE.exe

MD5 cb6f7d0a995819b782b2220989136cee
SHA1 8a9919e770632f0bf6d134368cdcafe9dd51bb38
SHA256 2fbf49338c33080662e4318242f5fea506a8859c03906d6466b80bee77e59297
SHA512 f9e96ca9107b3e23470cf43d0faea614d59b160446d4be109af98d3ba693f696348f98ea1b7813674ca463b6c672387eccaba62003283df89d89eca22435a303

C:\Users\Admin\AppData\Local\Temp\EswO.exe

MD5 c826d13eb1d283379954f2254707ef4f
SHA1 3d9b584a7858ed5e30837de236413d72ffafacff
SHA256 7d94b6b6388eb9ed53e63d20cc35f556e1866020a390519eba8fe13e15f59844
SHA512 30b6e7391369500b28dd3566585e0a4cf1fa6aa26e8d21d8035b54ab9dded1aa097ed1905de748aa731c676fc3d3b0c6499526a62154764d308dfea89486246b

C:\Users\Admin\AppData\Local\Temp\TEEgAYgE.bat

MD5 ccdf3fb9ed72358454195f6b8404d5f0
SHA1 e2e63dda42c902755124c875a2463a94ef808802
SHA256 65a81d44805cadd01d861515e590951159a4ea4d70211e1b631a01073a258ee2
SHA512 f8c1a962e22688ef9de71f0d5d10bf89a4eda59db019cdb17e150924c44f3c3af44483499ace1d068d9e2b222f6604b6d60d3e40c49f2e09074996173f41b9ce

C:\Users\Admin\AppData\Local\Temp\yYwI.exe

MD5 418d951310df12c2fa4ff44f639d05d5
SHA1 ef0e133c7ba3def181a56bce170c863af153f700
SHA256 79208c95d0dd61e2c7e8a15ec1610b5649e5aefbcc3406436006f8c052db5896
SHA512 7bdfd208473e5426f2e54bbe2f967306fc9edf12b813f9166e54a5c33cd71dfb03801ec5f591ed9b09807f95f4f9f6f5602719e7e9ea0d69626c402799fd20a5

C:\Users\Admin\AppData\Local\Temp\rEgsoUsA.bat

MD5 b7f5b7a0237d758e92873d68cda416bf
SHA1 420a96c1c52fcdf99cc4d374db49bd47432ccf50
SHA256 32178b862598acd1b37d416ee47e046b5099e8ea7134426a6ffcdeea8f090056
SHA512 b93bb34e1579ce37a7756934ea19752cdf45aa1938349231fe03adba4d4fd26a81bf203e9d57a6777bbc913df6d458366f650d7c1312de28373193835dc8bf09

C:\Users\Admin\AppData\Local\Temp\AMoo.exe

MD5 559f9d574258c4d86e1cc6d40ab9d389
SHA1 88657216499b58d56fbbdba58d8c844792ce218c
SHA256 7233376c6fb3ce8bbed5f180181d3cabb504e1b2a75723ff2600cda7fb4aa3fb
SHA512 0f96635dffab105a99f46b79f73ea07f32cc729c19b499abd5593543448f714e00c0f44cb68d2abefceef6d78687eecded711f52417738a7194a4efa00237c8b

C:\Users\Admin\AppData\Local\Temp\oMgC.exe

MD5 79e3c55a8b227ae3b9355f88815dd5e6
SHA1 36542397330f78786b3f00c6d46e8cf43e4333cf
SHA256 911dbcf50ed130a8e9664e428cc2f15a29d9d7bfcc0a003136e1fdb782bcc622
SHA512 f6d348b201e86d65677b1a920db6f1cc6e391bc52273cabb7cf68bf3ba440c6d125a777680d6e0862e1f00b50cd5da6c533be44e19e052075e4a2a6f4f7652f7

C:\Users\Admin\AppData\Local\Temp\kAYa.exe

MD5 c22b0057626822f9a8dcf04d34251ad0
SHA1 b6111977a3029e2fe6c9ce6ff2cc90e24dc6ac7f
SHA256 67802ba264250b5b68c53f6bc675e5235d1741d184b3cb3948b0acc23c9ac41d
SHA512 c398aa7f140ce1b43c8535d4f98e132d58521fb535c097853541350186bc6483dc862aa7409ecf34a699c7815b72948f4047d1eb217a9147a916bc4192e493ce

C:\Users\Admin\AppData\Local\Temp\KMMO.exe

MD5 c364d2d3e07666fa4dedce0a508d2ed7
SHA1 3443421a42fa8e6772cd9cdc69aa591ab0845bc6
SHA256 647e81d51459e0a2a8b594e4b8106898943909f893a1b8c26c0a45e7df527901
SHA512 087b13e40491d23fdfe0b584efc78f28c0de7d8b21f361cdc1f8c821b0911c69c074f07de057d348c215efb1bac896b9888e1d71ec1a5cc8a7117200cdec1942

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 146ccb94774d8f9eeee5374918102c12
SHA1 fcff78c4009907d1700d86d70be6737052165190
SHA256 33cc0f0b58de1e00d51fb6df0c5479bf52383519db28e47e7cd342d1cbdd1589
SHA512 73fa3f04855e60d3c6ad1a91b45e9e84c33bcba1879c2b716976b72de55a37ba76e5caa3567d7bd2f8d61962724650e37ad62b181d546ebe9a6d29e68ae4cafe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 9acc6940c959173611d98d6f62ac50b7
SHA1 8b51e4e8927ba63b34b2e97ea2a192ca6d6ea5db
SHA256 a3e309b6f2104bec960e0a6ba80d6c877d998248d173345389493bb0b3a8aee5
SHA512 d07a1e8dac84a26ad0d30e03e45eced27a609441ed318d64c53c9e71c36d5e2ba115fc88e2aac2961606cb1fccb2a1694e675aa2ab80ba41b18890d3be6f275a

C:\Users\Admin\AppData\Local\Temp\oKMQcMkU.bat

MD5 80816e7265c7c795728f63e7a98b694e
SHA1 1c98902ead5a5eaa040534bbb7c6467c39695920
SHA256 8560a7bc2572b987bda97797389cd69061f6d5e3f90a4998448bd495d2dfceb6
SHA512 eeb27af3e2b16ebb2b9a7b17f6a2b81d8003878fc590fb1958293f858bb3d2437f176d3a5193e1cc3e043d5a5bbf22412ac238f6a9cff2251e7072566a051847

C:\Users\Admin\AppData\Local\Temp\OskK.exe

MD5 ac73e448c01965945b397f2b878e14db
SHA1 9167e50758e0899b6a9a30c667b8001ff52fc935
SHA256 653a84d377152a0078aef9603963950047505dbf590057a3f34f08e9a2c276ee
SHA512 a0fa03b9efccc0471dadb43eaf291802eed5ecb2b427cee2e02685d0793d09f29fe914e4153db4678bf7208ed7ed3c8c8909a74ef1bd878a322915b7d7d7ce5c

C:\Users\Admin\AppData\Local\Temp\wsUa.exe

MD5 5a90b563a30f7914265da40cd15d71c0
SHA1 7dd2a88942b3dfd13a6e91933b3a6ad432afdc10
SHA256 ecdee5e22a1b03787c462ee5b6a8636cb440f3a3db518b1ef3cd460948a7f99c
SHA512 26a89dac645b39bd556d5525d01ca11096435e79844919d075cc70e50b46cd0e8f8a18e9e16d097099d8b75556a78ff4c51ddeea3133965b299ce7f10706f472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 9c3c0cb038e3b31f07b1fd250a2a53d9
SHA1 cdc62fcbb2b98614c5dfb0766d2abd9032d5bea2
SHA256 4fc9e2776bdc142b0c0e4a7b8adac0f0c531efe829eadfce25027b7d9f24182d
SHA512 b47cb0767d3de51154dbf796c68fff3cf7fd6e349420e0c7cb131b90f15565c5f582f9db54cb0d63244bc625f529595d62469e36bbf02096ca94eef70de505af

C:\Users\Admin\AppData\Local\Temp\egoG.exe

MD5 9fc94dd68572043603539326c09ac41e
SHA1 aa6434a809f6de70e41885a2bfcfc4f0e4ea9bf8
SHA256 0a4768ab1402d76227723445150308c9af921fd72eea6546c99a2722107b2d99
SHA512 0df3feb6eaa474c5c64af2b716d2947963fc327f04f05175497a3f499f343873120b6ffd339ffcf656eac5af89ec9597820e64e8185376c871d9a323a272689e

C:\Users\Admin\AppData\Local\Temp\kAoUMkEw.bat

MD5 fac68bc9c503935b701143f05de3076a
SHA1 567df78f7d595d3dd1c97a570d8d7f7581e0f12a
SHA256 0d20616e4026cc322e2cf381f23d7bfba97978846e1bf025b6c47826e0366efa
SHA512 b93e928c0df98de04b2d823cdc934b843c9553eea3342e6a9a3e998fe44dd2240c1cd5bfd1f617b5f66a063b871858505aa6aa1cf3fc05cd611703b0b9822a89

C:\Users\Admin\AppData\Local\Temp\YcAa.exe

MD5 e291b8051220cfd604e431921d6dd129
SHA1 c248881ca3e2a9a67e5cb0111740956a7673296a
SHA256 e73f4bf39db90d6603d6104691b840602093582e0a4e7e7264a8f774f4185d00
SHA512 adbc15cbb1272072490e7b772d148f15bc5d0d8e887658c543e226d6e934d7deea9af91aaa0e0f5919e5b9e7e05a58c81834152c7dcd7f86624340d2e182b82a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

MD5 9a14b755b51f8590a04c23f3e548ba75
SHA1 1d01b42bfd1760b5c0556e148a5af61a325a264b
SHA256 ea3cc59c9521d2d770d46f38f97fa6487e175fb664dd04f8ef43b0f9e9823646
SHA512 38fe4119d128677017cb40e4d4a194f78b50dc7679b70857c4a7714d63a1c0046f692a7aab4a38827df688a96dfea7207e1bfd7bc044d4ddfc4eaa318878545f

C:\Users\Admin\AppData\Local\Temp\ckEQokUI.bat

MD5 9a97134200498eb03831968df314e676
SHA1 e45699b34ccb43741472d4e95c8e6a677df32afa
SHA256 ca3fa201d86a9625449b8d05a3de05eac66386de458061e633b69899e305b53e
SHA512 5eae79a0471d5c538d47169b9d2f9ebd2bec6aa63feec410bde89ca213d0646e14af9a9cc568317e7aa73d464a4ba2a50299bfa885c4d9467947388f988dcef8

C:\Users\Admin\AppData\Local\Temp\YUEc.exe

MD5 827e502b46f475428bcb38f89fde20f5
SHA1 d3cc151bfdab6974f9f8b401449b4c207ea779db
SHA256 af9002c22fe4f78836fdb7598004f17c6abfdb0d24cc276f53af42935d54f2d7
SHA512 ee1cfdbdc47510a9288e3188bb3078dc7886d2584e5859418824139d94ff20c46a109c02d799a6998719dbe7a07dc31d8c905efc7407d0d4df7749e2d0722e61

C:\Users\Admin\AppData\Local\Temp\iaAgkosM.bat

MD5 f201549204cef8f266de613f8dc16cfe
SHA1 57f94f7f6231382963c0b45a7982b1291602981a
SHA256 c142373754838b9391bb3d9732f01887d250b0113ca54cd1a993a224e89ea740
SHA512 e74e9d626693879130ada7e232b10404db8a8a609b058fd82d8bfe19d8f4e464e9778607ec22ee229bf6fb5b36b46ca8bad1dd2eb082a144ccff33265e91785b

C:\Users\Admin\AppData\Local\Temp\KEUa.exe

MD5 e501c423349e972d2cc8c839c769959f
SHA1 cc234c5143a241306951e20c87f5a1911579d4de
SHA256 44d1549642631d47e69d0acddfaffa263ed25028da336d11847d1af4117779c1
SHA512 5d0c54802b589c42fb2170ad4f28b19c865cff6190dd4a5261a026237c18a9b79ce5cdc7c218c5a6f90aa486b8428f9a1453336ad23e77bed265a77b4c6e7666

C:\Users\Admin\AppData\Local\Temp\QkcC.exe

MD5 f5e70d7b50e7d6e0db14ec57b7108a08
SHA1 eb4436b61a274bff76c16a958a00266246d823cb
SHA256 4e0e28644d48a50617a79375f179910d19fe0575b09a26b7a26a02fa03f30118
SHA512 da4ba823a6abf22e3e4654b2c1b02536c0831edc41c30d6f97f731492c034e53c1899eeaf12eaafa9c95f7060f26ba470247274dd6419e6624da988c9dac2999

C:\Users\Admin\AppData\Local\Temp\CUQA.exe

MD5 ef766c336c86e456d925af7bec96bbf3
SHA1 0dabd8412befebf7d41e2436972c234d90ccef94
SHA256 b5f6ed573c2d250ac30826916467ebd6975a8e2cd632cd4ce3aff7f771f2b23b
SHA512 b540d9ed0fbdee742935dc95d0462be38f95b51138cfe0d705042a2ed2fc041a9fa7d2a8a1b94a6ca683afe91854cd8600b27d48bd7e7d4d117ebb4719bbaf86

C:\Users\Admin\Documents\CopyRepair.doc.exe

MD5 baeb78776c6a67c65dcdfd1b31733c00
SHA1 598c31d253c42f99607b5e855294dcb5c3f0e121
SHA256 2c88587ce1412b6aab60cb01d1bfc9de4d925b34451c59f0ca898470b8897944
SHA512 ef55bb2029a8d4f4f88c520a429dd726aa53c961c87f97355a3519ce591799aea81e1a5901fd3b6b62194ef78a1913aa73a010da6da94636a20dbdecc6389461

C:\Users\Admin\AppData\Local\Temp\KUwW.exe

MD5 681c55ade9ba4717204d83a13723ee8a
SHA1 1b4ee593e2b7f5268ebb671e39d23e6dabd00b62
SHA256 3095ca74d89c19ed76c09fd328e8907a122b12c57cdff89008ff8cfa4e49c22f
SHA512 4d8208018cfbb93e53fdbd74ee5e83742d4214e30b97a3330705204d8b1ed84ff3ee7723d3d177760e3b90c4b9abc0f1cae45224f96a257bb0c33cba8f0138e5

C:\Users\Admin\AppData\Local\Temp\WccQ.exe

MD5 0303aa7ab122b65f03c6cc03037ec3e0
SHA1 a3287069affca764c62d79e959ae4fd441e438d5
SHA256 3ab25a18521a1b80adb5e9a2b8eafe8cfe9e00cd9a834d0bc683dc36338d0945
SHA512 434bd5b9290bdb3cb4966920f5ffe27da384c61d58cd8d123ce62b8a3743b3dcacd4cfa798cddf108471592ecd5586f91c07b487bc5e563c3f043d0267f25df7

C:\Users\Admin\AppData\Local\Temp\vCowYUow.bat

MD5 b1c18a0b6a1bf266d8faf3abeee3efb6
SHA1 04ceb33f2ab7ec3bc9e6369681fa8ac2f604ca98
SHA256 62707e070f376edea41ea2eed30c6ad5a6ff4df69799cf0070fdb63b0e1636b6
SHA512 eb14e8367e6cc48f79e829c73fa4cf42cdf75a136db851b8c8b60d607d3816b3a5f05469701d8dcd3fd240997a7e29d9b28820b9bf7749a649e34edae3508af2

C:\Users\Admin\AppData\Local\Temp\YscS.exe

MD5 e1f91051c78c295cba922e2703ab535f
SHA1 825b99eb443563f390f62fc24ebc4e88ff0b6262
SHA256 51c0b0e23ceedb9c8fab3a54e51d7d363f4534a363dea4cf7767061d5f0da794
SHA512 27211aacae465afd357bfb38954c31f6a170f90200d7e06b6dda69d66e8e4742cad1375ded826a8cd03d01009797e3a2f3370ec5d2b6801c2a1347f61a48f38e

C:\Users\Admin\AppData\Local\Temp\mwAm.exe

MD5 ddc06bc13ae846c04b02063647d9b655
SHA1 3780eb3fc83b807ed5f909805c377691a56ca5df
SHA256 41b78a49b472398ae817c1a30df51118ff466731a5b15a1a9cb8b76cd2bc8757
SHA512 0d6d4d984813d0267e5d4e7a4f418e1c70a90d83c59965ad7c8c5eabafdd6bdcdb27985f528fd27991ca51c5b88891103cef00ca2779d8ed58f345b9125f6497

C:\Users\Admin\AppData\Local\Temp\CYcE.exe

MD5 f33ff2a5069af3ef30285c5cf9d1bad4
SHA1 f862d8e34459046432109285d7a90c46ce980a84
SHA256 d374ddc616c25d94c0356a69d3bacd68f3adae6470d3e30c89d1e8512485af2f
SHA512 28a98a078bb5e5c0d662e6463383f6857d6b6c3d354c31c849bf1ac0259ce03c94b33f1ad8a020fa2f114dbd047082cabdb040faaf3c7ea0f79717f9418249aa

C:\Users\Admin\Downloads\SwitchExport.jpg.exe

MD5 26995b62fc5c701f2030bd377c88f5e0
SHA1 1e72a3d7a169c8b80f79b1538133153d74eff788
SHA256 88ffd2d5618ebcde097841f34b990428459625099596779c5939116ff62a053d
SHA512 bfb78255659d90d654eadd7eac0f71f99d8221f0b33d174660b6ca5b69beed1ee7e9be1396278401dd0d07e31ea0cb0ace21daffe5f9be5a18329e508f871585

C:\Users\Admin\AppData\Local\Temp\TOQkQYcs.bat

MD5 a8f99a9c3df5b04990a89966d65bb854
SHA1 27c440f69b9cc200cf3e4c88222995905e0b4183
SHA256 a45e7bb3d43579f9d6f503500aba097ec6fc4ee0ef7425cb844ec089d955937a
SHA512 2aa73174d35a3c74d999913732927fcbe8b1c8190842a1bb0137d9086a95a493152ed17737f54581387a50bc88c738331e0658f520471f62833ef61ac40773bb

C:\Users\Admin\AppData\Local\Temp\qcww.exe

MD5 0a6daca5c854332c86d5cda2776843bf
SHA1 ef202dd60f29028af4484c1fc72889cbf53a2a95
SHA256 551eba694f8eff4729c7c7ac23265f67948ca8034fd3368c9104aaebc5c30841
SHA512 2b87d8061d0e8c337c1112d21acfa8af61654957a68a080482fd741f3aca27b32ab4643f1cd584aecadfff6018e918edd300f695b5fb1114b75477b9a89e49f5

C:\Users\Admin\AppData\Local\Temp\yEAq.exe

MD5 5230981a756bfc1d5ede4c9e751d0d3a
SHA1 ef7683fd27cd51cb80dac923b61d40d09a08d3a8
SHA256 7d84ff1d40519052878d2bbd4b592fab7750b9f7403ce18036b5a704d82cd896
SHA512 90d71a4fbf6ec54ff62c7ed20d2107dbfb9a7ff219a8ed067450407bb38b9b2978671bb9696407fd5c0c4bbb150f292448352982c7bbdd18448c60b3a88c96a7

C:\Users\Admin\AppData\Local\Temp\sgQu.exe

MD5 083429c279b14f0effa01657a41ec83f
SHA1 646809248145c079c495536225cb2bbf3d04144e
SHA256 cb919d2e1860faf7d8631351ed579c091d19e85f91ac21f47bb290c5b8eae348
SHA512 fbcbfd1f3c24672a3bac0d02bdb535ce54b9f7a6535df1dfe1e1dc40f67c9fcfe6c8d8d3b1efa49a5491bf3b445167a872dff689c3995741434a2aa51090d577

C:\Users\Admin\AppData\Local\Temp\nWQQUgkc.bat

MD5 a137b8fa10cf231a6fdf0fe61f2f3698
SHA1 dbe5122b96b9a79738a616b0148e70cf8579cbf4
SHA256 f087cd04e51acb8384206a0f197ebcc2f828c75ca8b83cad02617d7d8277ea98
SHA512 5030eb940bc97458c11a6c8b40c530e1b5878422721ebbfb2b882620919d180ee5d54d6905b5a939659688578d834336e7451b36d16cd1d138ab6d0504a7b317

C:\Users\Admin\AppData\Local\Temp\OwAA.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\owQC.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\yokE.exe

MD5 af71fcae6bd8ccc791b781a15b8e2edb
SHA1 ca249a8679f535ea33e0fe22f42fd1133de05050
SHA256 32c86807db0367c98915bb6ea8fe31dc2d19f241fbf6861ec326237066704806
SHA512 9ac73f48f4bd5d4fbd3a7feeaee261766ddeab9efdccaaef8fe7617e799ad78826453e239c35e4c00933b475739c848d732d9f77608671e53ad884a2b1226b81

C:\Users\Admin\Pictures\UndoRestore.jpg.exe

MD5 53b7a14b806ddfa864821a789c6df927
SHA1 384a443f6605b6c2c99d377f7587eef0032021d0
SHA256 3189a7ec04151256183c7638eac9d497b33282837a7c7952401ccedaee22c325
SHA512 a1c8bedd6b6bdf3974bf3bb7ffed373d0198d035e84d1f5201a2d02a391df3cca52231a57887aa1b19fc39bcf02e81157b12fcc609b6160b265f5427b5227094

C:\Users\Admin\AppData\Local\Temp\ukcG.exe

MD5 92a7831707763efb4b1026ef28bd5453
SHA1 b902915d3e286433e018a116353701648795e14f
SHA256 4928a4ea3f91071bb80e557c5b138cd31d86282b5b5a8fdfba7d4f52b8771664
SHA512 cf64d0312c9a938d176f5ca42fd8a1af5747cc781f6eddfe19356596e3079da1ba909bfb6ad82bfe6a82a781ba0c24d51db5395e7e26f0df74b3ac3309e04254

C:\Users\Admin\AppData\Local\Temp\vWMUAMAo.bat

MD5 4b7cb8a152e3be84a00a9e0eb1624107
SHA1 541f2c1bff274728ca4d69541b551a8640cbddf5
SHA256 335794930f3088063ba1b5e1fb966cfd86fcb54bcc576312055c52e1aa44cec7
SHA512 606dbaacbe682478ad2112a8269bca2f58bef5797a1d7f72cf8bd28da9475d0f109c32805388f5b517e4d5fad574492df43d996eecfd993ab6c7c86c14775ad7

C:\Users\Admin\AppData\Local\Temp\IUkU.exe

MD5 4d73bbcafc993aa5f45e5f8d526aa404
SHA1 ffb02752ea1e98873de952d6f2199ec39284741f
SHA256 4b07defafe31608887b8872c655fecdad7368fadc3229a79d84cdd3ee85a2df5
SHA512 f7eaa25a72017993b9d95fb5d86e4b84eca503db5d1b512ef955ba7c082a66973b7334e11fb677b0fb47270453a3019af2a176c68bbe80eff3be1f60bfe3cacb

C:\Users\Admin\AppData\Local\Temp\wAAS.exe

MD5 c46c64d2d3d92137ac8a8e97a8bf53da
SHA1 d1f530ba9eebe8c7e579358d3b10610bd76b1a66
SHA256 8952cdfb1cf5e07eeac14a3e76b23a55020b0bd2712b5638f63b7d54500ef2d9
SHA512 159c295732b0107b064cf2dde43a330ca9760f5077075ac3366060dc27f94dbf35d5de71276f5f5c20431dea79ee5aae385051d6b280806f0ef57ccfdcd1c09b

C:\Users\Admin\AppData\Local\Temp\ficIskUg.bat

MD5 56347f4a76751ce3a4d57fa181e5cb7c
SHA1 5f1d9612112ea004edde66c767efb92eccb961b5
SHA256 261b878a66239ff9efc83f2994aed7ec767eda1fecbe3d42f54bedc7c7abdc57
SHA512 3302861bef29c0261c19ddc9cf976a3643b2259eca0a5f3457f35cf386a08b0d9ac18ca480d01d1e475f190b53cbcb0dfab1c9dab064e2c1254c216f2777b6fc

C:\Users\Admin\AppData\Local\Temp\SIAq.exe

MD5 02b690b0a4578dd64105ee4a9db88bdc
SHA1 0c59c072e5b67e33e6222bfb86ad53e2a5e19d01
SHA256 bbefa360fb59d4401ae2d5c777ed5d07e10508d9340a15c68b2f00ab5bd97ca1
SHA512 1ad146f33d3ebadd1f848d1b36dac3928457a4d1e72c7bdd6aa75503f8a94a6d0d35965860b51bf02da50982fde314e1707b4d00bb32c642a2d9fc044a9f50d9

C:\Users\Admin\AppData\Local\Temp\sEkq.exe

MD5 33c54728bbf34feddc2d2c4e50a86ae5
SHA1 57c889d4a290dc4d5847437603a33e3667284e0f
SHA256 e0bba9be5db360e3372830f02f81658a3e55792a2dad0189c275b4f8950b60a3
SHA512 45dda95569dd0e03e726f32ec8d4f246437ee8a1cd0002e922374991282e152fd162f7c963e2375647067d9ed6ce77363f9e19ba75b8f35529707a298438886d

C:\Users\Admin\AppData\Local\Temp\QucgkMwo.bat

MD5 7fc910fe8aa521864950c932c5ce41c3
SHA1 27d3745187d02071b4b45a8eaca540175d57d494
SHA256 aa29b37ba942e04695a60d072c1f898845686425e7f6eaa6c3794e3d47003afa
SHA512 02658ec3199575406c9fd4fe5c42b17c2ce93a97e70b0b36f4ed8a9b7d576ddd2ad10725c0d7beef63a1c5927d2243ae07ae8bdb444c20ad31d3890a08c84ec4

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 6e3cd99fce5a4dadae338192fa73e745
SHA1 49d87b5dc2a65998daf9e8d8fb8ae12bb791ea48
SHA256 1cbf6c4426bb4e9647a5bfa9cfe5e4d0e6eb22b804a079c67d52c5566fa29ab9
SHA512 4e0df90ae9c74cf686d19607551392491348d41c3317181b4054a7ee622ad3882e832e172e1c85d3739fb778592fe1a8516d9bf0c26b8c7d7a24b0ea492426e9

C:\Users\Admin\AppData\Local\Temp\cggo.exe

MD5 f741c7d4fd63c612739890c16c50dcb4
SHA1 baaeab9f6d4991a18e8af127554f21ea0f485d0f
SHA256 32dbf93110e384c5716c8a76d199928f941d4bf754f78a32c2c8b0046b271d8a
SHA512 3c65b2c8b212c7fdee00f4dc7208d55511398407ed3dae4628e9b5193a6f6fb4e28a4a414221b052eef0d262c6d764b51221d4b163a8a3884037bb2a8b3eddff

C:\Users\Admin\AppData\Local\Temp\KQIc.exe

MD5 c67bbfa62b2350f8ce46e07ca600a2c3
SHA1 e6350e73e03b8580fb660617984bf6d9cfab2880
SHA256 dde07492aaed833b9309970895050ce7bd4036e2e86a63d43d2b5068a2339ac5
SHA512 000fc2bf5539e0c0776652c7446b0b36ba36d52c2ffef082cfe0dec55cafa47b1d769b33f50812d8fdf2cab0c4c10f5ca51a6ced7985e73a2baed85ae686dd71

C:\Users\Admin\AppData\Local\Temp\gKwgogIU.bat

MD5 71705f941050651315db1c1a08f6623e
SHA1 7a21606ef33af08b6d7ec831814d3347e6da2a0a
SHA256 41df51dcc052a561a8810c0ffd19d6b0913b6d3ba5ab4cecb90906859a8da758
SHA512 e219fb53cc4205b095502094d9af5f65b2b0b59a5069b28faa74624343075970e5f90217ac3ae513c93a680513235f06e3c49a830e013f2535c46c226c41cf5f

C:\Users\Admin\AppData\Local\Temp\oAUA.exe

MD5 9142b959e353d278c3e21dfe935429c7
SHA1 e2f20b69663717540c3c76d45c146b84cd96315b
SHA256 e548fd021e9eed71e908760460f164c18973924bbe85d1f4acf9c78998849152
SHA512 b7917d961ad664785a9c145b911cc1474bb734076b67e19e91e7f191d6b5368ba3977cf2d3aa76e28ec1f53572f3950315afa85b08cb627a34148e55a13cde7d

C:\Users\Admin\AppData\Local\Temp\kMgu.exe

MD5 f2257e9931637397618b035735096d98
SHA1 cd2cff01b894523fd69e9806346e10bdcf2e8018
SHA256 88207e4d5240488d28add2cda137bbec81544b4613741e9824ae1ff37b73eed0
SHA512 b8098e4eb728551f0661f986e34b6f908440090e7cc23e01713d3a1543337bcb35478684e428cdb027c9ddc786b29d736346c0cf1f138141c3b14b755b0f01f7

C:\Users\Admin\AppData\Local\Temp\ecMM.exe

MD5 a95b18ff949217b65523c9215bc9d903
SHA1 35268a8a9ede05954e5ab1faf06a60f273380c79
SHA256 73e99c688a96ee9a0e1defd1cf9188cca3fcb1dd8dbecb53de15f68d71ee8a28
SHA512 00061e6035e7c8d12db1013eb6c2644b266f69f9321e8963c492a291bf9c1545962e05b989040fd96ccf9e59698716a3286beca80d67bc08b8d22275d4e26417

C:\Users\Admin\AppData\Local\Temp\gwIQcwAc.bat

MD5 dc3223e4002e62fec930242bb68244cd
SHA1 377c82b8b144095c75db807daff5bf429e4b90ed
SHA256 48127a2ba41acc94c8788275decec77ae9df7bc6f9d6f614d1afe6ab5abd01e1
SHA512 70eb51900ab3768878bfb8ec5f9e397c5a08ed4e4dc32687d71a59f6a6ff3afaaeab0f10b0bf4705bbb326279dd48c1f8511106a65938bdc16e6cd4f5f76bc73

C:\Users\Admin\AppData\Local\Temp\KsMu.exe

MD5 65e23acb959bfd83c9bde4fcf80e13f4
SHA1 e95c431dd49100a5b89d3acc001ec44c999f281a
SHA256 6ac99a6c59f8900dc9a8eede4ae8217db905abe71ac046527e88ed74da73b4d4
SHA512 82b43907745b66b9603b7b5dcfcc2f084e6438599eeca9d9bee8f77c4f595877c88d930c76d35e460f878979cb805811d4d20cc5cd70b8d60297fab21fdfd358

C:\Users\Admin\AppData\Local\Temp\GEYg.exe

MD5 9c5678721cf41bcfa14d78687c036f3e
SHA1 f7b2a38fcab55146ce5e652a4e14e94f85db8d1d
SHA256 8f4040b3b4013fee80bfd1b272e93ada683b22bec01251c554293c3c6509cb86
SHA512 7c7639a553632c263d8fffb59b2b7a69d7bb845276112b16e23cb8ce702ef8fddc60eab203ae636bdfe47b025bc8c2991ff0b479c4187303a0ac0ad2521184eb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 d9c07bfaf3a5843172041e172d1da6cd
SHA1 2d7ab0d71966581f171dd2e565f45ad3044f3c58
SHA256 1fa499e1fb4b595136396d85538793e4d14cadcd5bf8dbed848891f792fc4a20
SHA512 bba79a058bef75ca9616204db26c2fb91e6e9d6083214b985a060e1fd97e6402c5b9f0b1d39f0d2b4ebbef17e1e23af19d14810a28abc123d083809b95714d25

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 5cfc84022f1cd3770b8c53c2e48bdd6b
SHA1 79a9406ae3ec83f978438a6a860c4b598eeec49e
SHA256 4056e1897171b795485ce3218a76fb339edbedf7a3d1f2f8d292f702642cd1ab
SHA512 0e80d87e59b55c61b4425afb05126eead5c01f1f5aa1e533e89ffbef31b3e0f9101769fdb2430ba97ee62e0b5ffb953967cbe12df747056c96a1f0bcbeb1728a

C:\Users\Admin\AppData\Local\Temp\augosAcs.bat

MD5 6bd74c746372a878d838e2fe51cbc094
SHA1 d72879f81cb4caf848964fae5d286d27c27333be
SHA256 75ea04596afb846a4cd2f0417995bdb76e0175d3d809df724a58bb0e2e7e1ca6
SHA512 c7e548e4ebcf672dbad2e5eceb10a3982ad1053e9400468938a994d1b9eac6023215db40f5c16c590d8b3bc8823aaa7494e5d5cfc7aaa1b49681d1328a48ec2d

C:\Users\Admin\AppData\Local\Temp\ioYc.exe

MD5 2fe1a000dd58f6617528c7708c98b846
SHA1 02a95c1e624677fd6c1c83bac420f618169ebe4d
SHA256 6500c93a13d6b3d3f975424765503c2523e155752bf0da2652bc1d9c618fa63b
SHA512 8125300fd0fa853ea9f140ee83286deea7d903893ddfcec82763c591311f6404a683988b1820628344965e8d3242a935ba3207de1d51184c0ca0746c2522d715

C:\Users\Admin\AppData\Local\Temp\cMMw.exe

MD5 944b33f7b2a799cbbf358679dc28c406
SHA1 cf231d14db9810aa32eb83138abcdc1405c3119c
SHA256 581ecc25556325e3e4519f496339b877a3b1f691b553f1fbd1e731441578df6f
SHA512 2d963d19e392de28ecec01afd0b63bc7c6acc06a6995dd3930fa4ef5f32c1c14c41b47f4ce4db9f4c18cabcf5007d0e13277ff5cc7407a0e878beacc0901ce30

C:\Users\Admin\AppData\Local\Temp\CMsg.exe

MD5 145e39679058479014d2b5c84ed7af11
SHA1 698af5d5b88315294146cbb390b3ffb4ce4562cf
SHA256 aa21fb678595e5ed14c05b44a6fc85ed6311d6640dc6c9dc9d6625a0372a21fa
SHA512 2d2aca26c1a408e0ea565832ece2db0c33861fc942a65ee72868767caddcbd2accd7546c28b7dc86d77d7a354cd4e76293868d2d43715857c3dc2d0e09cace25

C:\Users\Admin\AppData\Local\Temp\lqsksoQg.bat

MD5 a9f30d21398054d6eba54e062495fc8d
SHA1 f451e164d8285578e6a98f57fad56dbf524cdefa
SHA256 fa5b967ec8c9ee0b947a05b8ad8e6c2884f4f7f1e92dfb2f122ad242672625e6
SHA512 b98484406301aebf2e24c9507a4978878243e0e1eabb5af85aa07191f79cefd0e988f2019660d77f4dc2108c2b1abd2ba85485d8db0f136b6cb1a21668773486

C:\Users\Admin\AppData\Local\Temp\kEQq.exe

MD5 5af9a15d6828df2740a793099498824c
SHA1 7db7280843b39946bcbd8002cfdbd6855798797c
SHA256 bcc33e5f32fe582b698cd320aab2381cccdd0cf5691cbc56bde9bd0815f569fa
SHA512 53fe8a2a54a7b600d8a64d00ff9313393fbb1e36b934516bfb1300284822fd867bb11ef31138210342662796a38c5a8dabe37b810c9b3c5c403c924686b8081b

C:\Users\Admin\AppData\Local\Temp\SwcE.exe

MD5 d57048baa8452b21e74cad2cdcb17ab6
SHA1 467cb26432c083f1329afc85e8aa5ce2adf9756c
SHA256 c5d8da42d78414c44e1689954a32e5c6ff124d8c82103ca57ba6621a1789f471
SHA512 31b7a303fa75d845a99f3ceb0c9d06af20ed00f430b7e5c5050fd2209d46a0ed96f46901cff3346cb3ea7287a20ae8ec3f517651fba76a699bcdaabc9f61e173

C:\Users\Admin\AppData\Local\Temp\AQkO.exe

MD5 ea690bc8db6788f4a1dbd14040f297fa
SHA1 1e5224e9d4a3e617df2f5c61195b93fd04fbde93
SHA256 52324ad63f1cf89bd09d096648cedd67caf9d02748d0163f27028cbc848bc090
SHA512 bd74241eaf7b28cf6e60f9509de14ce523e7809ad172c7f3cde357c8e81ff1cd09520e0882207119e39fa0e691abc2569d7f88f83f0a6cfd3c1f1e58ea739ee8

C:\Users\Admin\AppData\Local\Temp\TEowQggQ.bat

MD5 49e7494a6f3705c0011bf36ab8946414
SHA1 dbbadbdec2f86461f8b433aa65f2f3e9da66b341
SHA256 5d3d32bcdc120aeda51748cc6dd8730ffc11f4f3ef7355d0dac63df601a453a4
SHA512 447fd0e1175cb703e1135f93428e14f6d15e1d23e6983a8189196aa86296b5cc820f3ca6dcd2907dea68255e9c3cdec385303f313a92a7a64cd64e79f1a01530

C:\Users\Admin\AppData\Local\Temp\ecws.exe

MD5 2a608123d1fdded7ca63633e95d126b5
SHA1 58aec2ad65e540d102fcc1dc1103e4f2adea1d84
SHA256 98c5ba6eccb9913969111ebd64f4d7eed1129f68c8a4aa49669ff26fc567db8a
SHA512 980747779384c4c00167a056a8ce18079f9f16e4288c633acf95dfe726f133a1cd60fb53f73072643a253a08c413368d57516965178d8c4936499eff05af8100

C:\Users\Admin\AppData\Local\Temp\yYAA.exe

MD5 5407ed04ce6e7b6f13ad45a711ca19a3
SHA1 88e30fbfba96c3c291e4736c8cc871b90fa4e23b
SHA256 f2e00b50e22c029f50cf50fb9ed0dd676ca84ef2fdfc5145167e62d49f1c302b
SHA512 ff09b6a1ca7e9ae5e7b6cc82e2e7f8ea38952456eed1d878ea9191c0959ebebabf753e12099532c9d44bf9e6cf2f948563b784dbe1568d48b13b6c9ee611408b

C:\Users\Admin\AppData\Local\Temp\OwIk.exe

MD5 6c0e35a807833a88689a692d50761d4f
SHA1 d0d043c2568faf201917d99124b88b36f40fae90
SHA256 006ac98e71bac44c07b87bbf405eda7736fb21320c4d7b721f4c500d96fed940
SHA512 9e1d60006a2caf1e05704eaeb4de9bdfd024b204e307f70fe826711e8b393776f9f6ca88e7f43f54a25ab4b5fd160d0c0df2ecf9b9f8bb6e06a80a1a886818f9

C:\Users\Admin\AppData\Local\Temp\WcYO.exe

MD5 807fe9fd8b481607453cee21b39c013c
SHA1 f99e663b92b282f4e82c6900dbf16b2044f17c72
SHA256 b3c3fec91a25edf6a266a4232d01320334fca7c31faefaf72f1a19739d453686
SHA512 bf28d1732c5f9b1759c691bedbd4bfc6f1312a4f81b25797697fd5a2ea3bbb78198827ccf9d54860d551f8bc40df865727a0b044119baa70d804de1e91218362

C:\Users\Admin\AppData\Local\Temp\JogUUkAg.bat

MD5 2e394a402b31d9140ce64237daa5b372
SHA1 26dbef27710471de7003f635d809ea77a61a2157
SHA256 e83e4663092a5d563fa9d36f3e7df76569c71334d430b90e88e450045f8f4165
SHA512 ef881ab2d1ae4d3c414fe5fef1182aaab021965c38843b8d69c5ad9fed658d4a62f5f9fc47bb055358f69d60b34fd3565f6ffb8e1e8c52e68f912ed7b8a02724

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

MD5 dfbed6f736f47b6ce7a43174491decb4
SHA1 abea00dde4fb4c69e8247c5c72592cfbb6ccc6ae
SHA256 7f79733a6063d29d4eb7fcd6f45b8b9f4c06e61f0bac9ed464606a596c1f27cc
SHA512 2f2800196f3434ab45616d0e20414aa5cb85a33db2ae9c6310181245e110f7d5b7db77d29c4739325385e0cb5e256aa5f5ac39228bd33fdf6b97059daf3a3117

C:\Users\Admin\AppData\Local\Temp\cosc.exe

MD5 75683dd928309ec22fc12f3df2413c1f
SHA1 7f20c32879f9468011fc9cf80ec7756c66defd54
SHA256 ef09a65b64cfa2f4c288419b43f461e80de826cea15773715d6e5b193a437c03
SHA512 ae81f6e759e0c06ad556b85914a5e0fb492861e5dc194565a5cf5103a861be127e7328619cb0e6abb7fbabb74a1ba1e9e1b110e57061268d007dd89394b95a8b

C:\Users\Admin\AppData\Local\Temp\dakgwsgc.bat

MD5 d70c326a7b03a508c3bed1f7f6a1f70c
SHA1 e0e09fc4f37fff733f0bf4218abb9984c535f44c
SHA256 9d0e998d8204de9f04e95170ad35e2681eb33e7438cab8dd19f27659a89b2837
SHA512 7fb4c70cd97c3621a582df94a2fb40329d8807cb5d21c0f0ac218854c35e93826fd5695fbeedca5a3dc2c89be533c5509d8f8fd23e1fc7fe2cc5275134acd61e

C:\Users\Admin\AppData\Local\Temp\KgMc.exe

MD5 a07afcc786f925476cb78d2d477eafe9
SHA1 9626e9de0fb9ded654037f93d4589bec1d52a8cf
SHA256 a9cbf5fd9ff5ec22f735e5f63067b2ce51d2258897c67ce136a1d3e7c42c1c4b
SHA512 69212de57be70365b2cfabf4d92b8b4fa9ab51138dc80fb61e3bfcd07c04ebe51f1c9569557529e7326ead6c09c427cc689b1600781152838467071a2d902b53

C:\Users\Admin\AppData\Local\Temp\yIcI.exe

MD5 cf2c44904bf9b0fcd06d5d1b919074ed
SHA1 64415238fa7775f1612cfaaaefc7ffb61fb7e769
SHA256 55af570380b877aae82fcb626b0e2144c087b354bcdbab917ecf90f92bc730c1
SHA512 3bb77790651de918ecb96ad7a1085fd9add8c6c4a74312fc55984b55bedc846ac772b282c959d620e39fbb62cb967a59487d7c9ad93cf3706e4fd21065dbe716

C:\Users\Admin\AppData\Local\Temp\wEoS.exe

MD5 41868bcb95494673ebeb8012c9b77f2e
SHA1 dd3eac8b05cb1d55637860ecbe8a7bdf5e71d827
SHA256 a6da2b015f6a846b563843fe2b7c2f5d421e80248ead697e36044bdfd72bf019
SHA512 03a13327d1db0006945804b622931c8c035adc2160f0482e61831aab4d025fd2855a6664ff95a52491b8613de5cce34a3c325fdc0a654be321c9ed15d0300f97

C:\Users\Admin\AppData\Local\Temp\KQYkocok.bat

MD5 8bba5baccfddbbe3a987341e85129df1
SHA1 701a6e4bc787e158b3b198fdfb63d732556b00d3
SHA256 27c363c74a298bd0f342fdbf2c7aa9a400d6ed081b5dee643bdd32321430bfdf
SHA512 9521726c6aade062ba1f9f6d70029dd11ec91abcc17d8d7a892ea67349b03ddc0935c07cf04f0935d2a6f8ec6cc1b56f70f9bd43023b9eb8ba7f020f6f7c5413

C:\Users\Admin\AppData\Local\Temp\sUUO.exe

MD5 0dbc3ff854d15e0ee81de9a860d96d19
SHA1 84f8cca59140e6a279003a94f148ceb0d3ae7c53
SHA256 cc42b5080901a944d6098705f7a111dd2f6118a53bc75f8e0d565a554640b17a
SHA512 4cda5a4666d01fe71108b8f0f6d5173882572091c497de8624c424e460e89d452ce655c196eeb9eaf7fdb2e75a3efcc6f189a25d7092b6645574b442162522b2

C:\Users\Admin\AppData\Local\Temp\UwoO.exe

MD5 71036104474e07b415ef226f56fee3f6
SHA1 f4e03c3590ace8d10dcea31e61d606c6e12c7a5e
SHA256 b16a82d150c40f55f68a4c61ad965dcc6c094791635e97dc235fb4540141bf51
SHA512 ada32e2628a988911d6a964aa0a891b1f6332b32a8a4a4c521a79483be87966625b0e4951d4377a03580f7f2a4d8cdf7ddb0734aa053e2e446024c202c1d88ba

C:\Users\Admin\AppData\Local\Temp\QUUq.exe

MD5 e1852f81176ea5fb616c6140ff16a3f5
SHA1 61250b897c7b3bd842a984272ed9a129d45a768b
SHA256 4efce094fb888cbf278275378a5482c2a1b1addbdd7487c2ff563536ead6e420
SHA512 bd0336e14091ee707208fa668ab730451256d8d913dc887ba94c868e66296471a6454db90ca840c4749b2d6ec6ff26aef8990332d5eae86d2a6f8b72fc819fcd

C:\Users\Admin\AppData\Local\Temp\cgQW.exe

MD5 000b3512f332d832966f8937b52e2afa
SHA1 c0d685efdaae2a2bfbe0cd419221c48044fa0812
SHA256 0f06a5692dfce6a21144d706907b488dd96b911fa139e7ab5a268bbe446b324e
SHA512 d9902f9553ca6e226b2508db93a30294fdf63920a8816a4fdd4f6d62ea26c0e4cc73a8f2ca1b703382f154d931cb03cd2e49eed037af6dc52fef70558d8a6788

C:\Users\Admin\AppData\Local\Temp\OOEAAcUE.bat

MD5 a4b4221b523b5169c9467dcc400b82eb
SHA1 66aa44732ec46c29bcd2d907a7af68b014371a62
SHA256 0011b8f81b9da18f2da7e07ceafba7efff594b7aa43833bcc9e440785f4275a6
SHA512 020296b009492a904af9ad7e487b0976230fc17bcd8deb9ebdada3690dcf7747f0423784ffd48370a745b4df4dc76b32c29615531916f188e38cab37d27f3b28

C:\Users\Admin\AppData\Local\Temp\cUwE.exe

MD5 ad8601c3b57556dee725c10bec1f9ad7
SHA1 90e1d351b6923acd91a0396f8edafef18bf9fb34
SHA256 af7a7679f5bf248a2f62f912cc56303327cd6ecfa0ea19c2b4532d76bbf1ea68
SHA512 f60045e85791cb34701fa323c7281d70a63827ff8593e203f0ad203df09dc408338da245a483356393227cc2f174ba14b469043ed90f1449868fa664b248f5e1

C:\Users\Admin\AppData\Local\Temp\yoso.exe

MD5 85c16e9fc80f0f01531ec38e9738c3db
SHA1 11dd62d5b778e3853987ceecc21c6780ca831323
SHA256 07333fb88d1c4d7091f7b668a83076362e8dfcc255fc0a94c721959195fd6028
SHA512 ef91672e52f44d69fb303752bf15e9d891c19b7aadba8af1c31ee3913a86f6adbf3a6fd6a0f185122bf224f1f1850dc06590159238aacf9b150ed485844740de

C:\Users\Admin\AppData\Local\Temp\CMoG.exe

MD5 2372ee799dabdc6344118a4679203c77
SHA1 35391b317d355a010140293333d683e10f4ba74a
SHA256 914782be1254cdeade100523ad10c20186c582934fe9ef1e3552105462479b5a
SHA512 2032b7cfeeb70d9ad24e025eb53a08b93e09f9ffcd84e57325c09d8c01f7aa2bb9cdac842b8bd8ec7bcc9eed1888941be1dae9290fc154ccb92226f2192b2e5b

C:\Users\Admin\AppData\Local\Temp\wIMEsEEM.bat

MD5 e386ac6533b16c705575acb22a436c2e
SHA1 f6f3792518b38e4ca5094a77707ae7f7aa1344e2
SHA256 f1de0424e92d786933c79b146186c40b179ffc88229ebad7358e7872f41151e3
SHA512 87b0f739c2cc4605b4c84936cc94a8d0282a09411f65976f478f31ee352285e1a73c0577b98a16f1c4274fd430afd94fab9c297d5296cda8aac972976a62211a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe

MD5 805ddf367d9ab39aaecfea765469a012
SHA1 84cb41141749669535a1cb64625f2002d215866d
SHA256 bc3abaa9730578a16c2e8f63ad6793427afea2ee9a1428c7c57709efd113a96d
SHA512 0302c9c6b21fa9746ca15531aa773ee224e8cb5db9f2501eec0afeea099cf7475ec3ee1224e99d0cb6be6de3e778619a88fc816c3787f7527dc7a4c8e72f1060

C:\Users\Admin\AppData\Local\Temp\qQcG.exe

MD5 7a5826660c1486635890cb91779d4434
SHA1 46cd73f02e54085de9d72cea5fb3c7ee9539c5e1
SHA256 8d6c34a6cfa59667e762f7195e197d5ca5870411e27177d2f8d8540d3d4a7d09
SHA512 034c17717c7bab0938a20edc0fe6f05ee4c6819073cbc4881377edab6f7e4310ced14a08b5c2fe7a8721609cbb4246b50ee34b6062332cde58d3e46eff2562b3

memory/1228-3893-0x0000000077310000-0x000000007742F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aacMcYgo.bat

MD5 cdbedb061c917e708d9478a84eec4ecb
SHA1 f1e97f41ec73ff712b099eb429becb1852f3a905
SHA256 36a0255f3ef364fbf50d3e25f01c075bfe24b0911747897b31a98212e111975e
SHA512 4904c387cdee4cb8b2bf23ecd22c531fe6a08c16e5cc8460d3f230eef1daef893a4e6cfc7afb87c3d6f7ede37c7296816d66f397b74507ab02948ea12348bbfb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 0af2dc0e1108e40c1baa6b26d7a1607c
SHA1 c82865b18fa0071ca68ee7fd8093b473ed70e7d1
SHA256 08a5f9070f3dc4cfa7667c7698f19a0ced255ce8a379f25a9a94702b5d1bff5e
SHA512 3ce8a9e8d2aa9589b25ba7267661dbbbdd3445a0a554b338d999a5db5479284c0535f283f16e6187387244dde431ab32242d1ca24f882dae03ed99fc380ca894

C:\Users\Admin\AppData\Local\Temp\KAkC.exe

MD5 dba1658b3f6a7c03cf1b756ac54c96d7
SHA1 e90b4769d393408870010a5e957ee3929ecd89d5
SHA256 6797f3b958cf9ee677f30aa2a4f97134a528ecbc1e26d75dc13f2ceab28c160f
SHA512 9b09e20265f64f239f86898f80729dc98c38ef7cf1b73b397eedeff83909f96273be1b858cf7ae3decbe9337d99cc88d337da6218df142d845e9d7d61cd027a9

C:\Users\Admin\AppData\Local\Temp\beQwwcUI.bat

MD5 4472428787ab7b3f5be37013b93843a7
SHA1 62eaee3e8c540e7adc047d6cd63e28ed7270c203
SHA256 34fce2ee97dbc39087b9b00912569c101150a3f23011ffe5300c50ab731ff1b8
SHA512 96b3197d866f3ee27629195c476624e20bd1dcdde36e68e91b4fd30378791af35f52b5fa89b2d72c5e637f460ce1ce2a0bb5c4f6230b1f82c455145c652f8e8b

C:\Users\Admin\AppData\Local\Temp\ckkA.exe

MD5 2ebb06ee3f56f92ad82d9352ace79184
SHA1 2d1306c5294a624c4118ee409ad978671eddf5f1
SHA256 d5c95a849903c02e393de4ae94bb321b7f28a30229b3f1572fe78f48f8a1bb73
SHA512 ca856cf2b6253674f41693a8994b87b3a9c85b01d0ade0f515e6a4e49d8874fa13fb542e8b4153c9892e3f453ce1b23e9e4110cddf0a5b213e46185cc1197a53

C:\Users\Admin\AppData\Local\Temp\YcMi.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\gUUs.exe

MD5 86cc671c1f6a4f75fc82607ab25457fc
SHA1 1b0dbb5f73c3fe0d718d543e5e3a915697227601
SHA256 21f5f40d6075f3555a2b5f52b0a2be6799562e6b7d447c44cc0f99af8233191b
SHA512 36c9a57d6a664811f3ed15d554d8fc74d252e73bb8ae1e2cf5361115b7eaf1051586a7f41d7666e62da312ef084a811a330a8e1ecf22688b3afc4ef4cfb84023

C:\Users\Admin\AppData\Local\Temp\fygkQUgY.bat

MD5 008b623b8a82f9d8efa29d2fd99e5042
SHA1 68c53f2d4d2fe6aacc2c785e6dd49ce66c05a710
SHA256 e9330cfba6b37bb2d4c0df805cc46b229cb6aa15e066a092716f2b43abbbb3e7
SHA512 30f293ac8f9709ffc2ed280595ab54bcd81130b57405d1d8960b669a825590ea2da53365bdc3f03832abe763a0fa27df0dfe38c7cf054cedbb9bda6ecfbf1aa5

C:\Users\Admin\AppData\Local\Temp\oocc.exe

MD5 da99853cc7168d111e300b8e3d7d1eb9
SHA1 023ddffa4da1dd30e352d7c10624d32d09c488df
SHA256 03698cb17a2f73392c7f80843eebd6f506e51e74b9697afbd661e46117533a9a
SHA512 f0699b6929014bf737c1f1f09d97b7e79986ab34856a2ecf0376b582a93e292be62f6da113a351637caa19888214a5d8f9adcc7cf810c75d5c0ededf4bba03f5

C:\Users\Admin\AppData\Local\Temp\CAgO.exe

MD5 2c45c03419127c6f055652a8979e0129
SHA1 a9e0bc328d4c7b80eb727df344a9e49ee1a1e7be
SHA256 22d86fc61047fda88ca55ac8f05eda4c18ff5e4f7fb9cc0e174ab5f249da1afa
SHA512 2312ef271c66f5e5bacdf30e610e288c8eebda3a50c40df81f076bd9a5cbc5c85be4168727a3ade97fe40010a61ae1e86603cf476d6f4982cbde48e548da1253

C:\Users\Admin\AppData\Local\Temp\mUUW.exe

MD5 c5a7be1ee417d0eb5098f737493cdb50
SHA1 209f46029873c1b69c0ce1712f043dcc80a58ec4
SHA256 5e27b885b3abda600cc13a23a76a35013c5ba198d8c054fa906ffb414f185f38
SHA512 e7b2fb79dc5cee312cd2bb912b1e3ee4d35ac3aaf6cbb032730595d20d72ffd0704e33025e8301e755a7a8dff387fd01359ceefbdbb8d3d25b83f2c1ea67d442

C:\Users\Admin\AppData\Local\Temp\SEsO.exe

MD5 434acf51dacc2596fc3ae9fdff288c23
SHA1 55ad9c1fd45b013e2605f31978327601a5718c87
SHA256 2d7c3056af2d858572f0b6dd1c13dcef4cddc1b5f3167c11cca2a582cc81d1fc
SHA512 43cf50593e43f598cdcf6cfd63092797fadb4e04d4881291cd1651b2908c5ba1a9ec804f87be0e833d7b7c91e9b914217d1e6cebcc2510ea076a7dc283ce087e

C:\Users\Admin\AppData\Local\Temp\hKUEAEEo.bat

MD5 5b4bce12d102bf9f2743f680c56995c2
SHA1 f76de002436a8021f88a9bcdc5c25a77eb747c79
SHA256 5865f35cd4a28e5683338676ae68a008be43eef7f61562f155ddc0b5802a3fa1
SHA512 18f323d2e85141de9c3cc358e5c75edbc4d382195d43b7d3898dd4caa85693e2787aa672d1928ef6b68c70b674ac7e07f01bdc087a2bd06a946d69b26c2079b9

C:\Users\Admin\AppData\Local\Temp\OoEs.exe

MD5 264e73ed3045036fbb87b2f5559d7ca4
SHA1 a2427749882d290f15cc523298effa05a29ce798
SHA256 41683e5a852c75a5a1b11bd2c5d3defe03496742a1f583c74d91e4862a184f6f
SHA512 965247f61d3ba888b97125fea5b9de500a2eee353f4133a43c06e98ead07e559dda402ee3098e236460af81ef503328649c10b86a57618da54e4461ca558500b

C:\Users\Admin\AppData\Local\Temp\OEEY.exe

MD5 dfa92bdaf043b56f28800456bcef5b23
SHA1 97b8c849c4663ecb48fa61d1723de724ea865e94
SHA256 e6123a58e6a7959760e62fd1d74a93e9cd3db3271e5f15825afe9398312452bb
SHA512 dbcae27222ecaf79683515cdc13091feebd35d8f0d006051ad121886562d3ba66017563305705938967a9d9172d40003803dccf8468eaf03af9ae4cae56093f0

C:\Users\Admin\AppData\Local\Temp\Qwsc.exe

MD5 8677db9aa8acd6b9dedbd96ac3358ec8
SHA1 ee626f1527be7df8f37f15f3c0f05dbb39ff43ff
SHA256 d568ad5fc9cb9ba325d7ead6962fe14bec08affdff4b9ea6357a30f790a47f87
SHA512 01780b1139e4fdf58f132d3446ada0cb23202f74d86fdc8dff783b47aa62cfd06efe312ab54e5cfc6c43751db233645605be01d18129eb5c6ae270a998bfdf4d

C:\Users\Admin\AppData\Local\Temp\IsIo.exe

MD5 d99d9ed041cf63fb6a3e2312e7373742
SHA1 a972b2dee340d36f5acb82272f53ea8c4739cf5f
SHA256 b50f00e59179529ed3ba8fd7b614f0dd32ef500eac287d11d5fe117833cb8edc
SHA512 6e587307bec024a24fea333879e973dfaee5415c71c3bb04c63169dceaa820eafbdf4d8068b9a6b0c7613d759a01fa9824aa03a2dd3e3adc8f7bb9b765e2be22

C:\Users\Admin\AppData\Local\Temp\uogK.exe

MD5 3c4e853108e6de056237a25611cf120a
SHA1 853f2ebd886c0c497e3a17b819441e44b1c7ef2f
SHA256 ec0cc50d7d3e52f64bbec887a1873a61245149b48d067de1191699eeccafdc58
SHA512 e429207cf629e7dfedaba068cb2a98e4f952b8c837959210200ba6d219072b8f27ec0b6b2d2cfd660e4e5f53122e600ca42661103878b794b3673b4f38ec7f57

C:\Users\Admin\AppData\Local\Temp\OosAAAEU.bat

MD5 b045cd3bca571127eec191ac8f4d248a
SHA1 ef5a843f8cf047f29d7cd5e2c313cc98fa7fefca
SHA256 fdbc073ef44d10e9f4f996c034b45f4c0417523fa8e47f7fa14317be3adc31cd
SHA512 edeb2ab68a7a78ef3063875282edbf02a2a74613dc00ef4281320f05682c3752a98f3926b20af609006b4d5f1af6a22c132296322f4e4dfa94f5336975a7159e

C:\Users\Admin\AppData\Local\Temp\OmQsIksE.bat

MD5 3ac71f55d243835f893a53c92ed94905
SHA1 a215a40ae4f07bc9d394970918edc83549c5dfcd
SHA256 d649fb00f95ccd3ea8525545518b4433c7b9e667dcedfcb79e5c572273306782
SHA512 7b9db17cbc5a3929c75c085d60bfae14aa69ce27471c2502db0f6de7d14eb2d05b9f60d86fca2b1dfd6754ea6133b627975c1a0f44db8d1ec9a123730598565b

C:\Users\Admin\AppData\Local\Temp\qSkkksIs.bat

MD5 9e5185ffa3b3935b8f02e17d2b304d4c
SHA1 1f203e578e86f9d216f96a202e5e8bc7d3c73e43
SHA256 c801911c4b8f8bf3139698fe93de9c9802afa0672b94482586d772b747767a4f
SHA512 a72484b6a534b0929bf53b5496e6f189968ae7b23ce4947b43251d6831390f9fb093d78b8f68cacdfa91e869d420b464252ec2ca3365d534524657e7db0bcb1f

C:\Users\Admin\AppData\Local\Temp\yOkYIEgU.bat

MD5 71aac03e727698789f5e7ca9d9d3bd87
SHA1 24947e4f0026baa2f5929399d7945caf1e029531
SHA256 e594091439216af348b652e9ddd5ce984431d2f1c51cd1481ded9e4748de3f64
SHA512 256746098823c0784ed83eced28c0b9330177a5ea6185a6cd07480bf5a9b55f8c7fb59e067539f5d20e00ff4d6435849e34d0d323379b543a81402fb668404cf

C:\Users\Admin\AppData\Local\Temp\BkcUscQs.bat

MD5 c7a76b60d9f52ab2f8825f0c3543ef08
SHA1 14d4ccbd15055f4b4627f4a45068d4f7b7ee0330
SHA256 9811cd212ae55cf3eb2bdb7f9300ed7d826db490a28c86e63d49af883367b529
SHA512 e15ef0e8baefa24911555d69006cdc61b8836fa8e80fe2091ac650399a54efdf0a2f6d592bf39046f7b3f35130d2cbc625dc927f55aecb67a31c50d17cdf8cb4

C:\Users\Admin\AppData\Local\Temp\zEkcYUUI.bat

MD5 e3681054f532a16578007740cc779759
SHA1 ee2dff5278ec01c57ff5f35a4aa915fde7a0e172
SHA256 8bc9fa1975b7470949a12ac1ad1418524939a0ab76ec8e2ce8dd71d804db0be9
SHA512 fdecb51ab46bc9846e11af1b8a65745ee301f4ba6f29f97612dddd6752b395a4472ff66c04bf2f283e5b48a7e6ae7174d671b0590fc0cb747b315721949e03f3

C:\Users\Admin\AppData\Local\Temp\dqMgUsQM.bat

MD5 72765b0b57ffb8f08627d8d6be9f4157
SHA1 bd24952447b16a4f9ce10025ca4c1c5de660c3f9
SHA256 1c66a7402199dd546af3fcd77d36e3a4b915667d2f2594ac395a4f71abc997e9
SHA512 eb353f1bb653af53cd482fa22b3be41953678088a792dbee736ecf47384a831209b60b9b699344213645c65a4129d31bf7bb5a12be44abc60210b6df007484e1

C:\Users\Admin\AppData\Local\Temp\LEQEwkUc.bat

MD5 4f98294e97f40ad6b95a6fd1a8953611
SHA1 d91c43461468afde2d36b046683b95c817047089
SHA256 b626748b6e1fbb10bac700fcf46de5b5d4a67800151c04dce63ee5537b0fdedf
SHA512 56aa3823c01a9fe5f919a04558c928bcc4c4a2f48f85d48ed7a7d4acc52d84e530756afb9195c19f25b2e52c5f328507cffae57b42abee12b5e37a25b0f22e58

C:\Users\Admin\AppData\Local\Temp\KcoIcIEI.bat

MD5 294a463eae261ab89956507f0313f819
SHA1 43229a47b27f6fb0af05321f82599962c5501d63
SHA256 428b8b83f5432b4f8ecedfabb516c184d227ddfb37f5ce38eb8c7c742381f27f
SHA512 ed4246f4f2ce0591ee17349239ad259eb349b4684268b05e108e88a88d3abb20cfd62010f6cc8fd1f9cb88272f7360d732c0bfc7b775dbe0593bcceefdf1c9df

C:\Users\Admin\AppData\Local\Temp\CuMwwQEk.bat

MD5 45c8b2cd4f63298655edabc41b8fe457
SHA1 7fcbd948a3800338b197991f33a816f728ef8a0a
SHA256 96a830833cec3293edadb2c0bd91752bfbee196865f867dabbc8b621afc76038
SHA512 098fdb2c880ce6cce1a5775405fee642eb6501b4f8b8fc2d9528c9c14071be54c9712f67b5408a71eab4e175150b5c653b6b92a1d5a37dbb1e82c713b94d7005

C:\Users\Admin\AppData\Local\Temp\MaUEAoAk.bat

MD5 0961b4565925a31ffd3e28e325ec339b
SHA1 5572fb097194afcf2600cbe83e1618ddec701734
SHA256 532ec904eee4dd8bf6584d5b8375e8e4957aaf2715da4b0238b611a2c8a962f0
SHA512 31826f2e7686a9cbdb95517222949227f32edd4b42dcd462ac24c51eb61c17ff2edbe574076bd5535508593dac63061144402a51636a2174ccd4359bfde29678

C:\Users\Admin\AppData\Local\Temp\swgUIQIU.bat

MD5 da9f0ac1aee8c6f0dc9a1999f53de481
SHA1 e1b55af0693e45642411f634432aef55d596b854
SHA256 db34d1d27ee59fb6bdf758cc8268033d85ced19a390d29d6dadc996b2574f70e
SHA512 b03a31e8987a06e85450b3fcfa3d931dfb8d6dc9ca59d1598097ce9d55753b0f4af01b0fb241ef3cea2c9764811035808346b88a6bae9e28e17333be547e9d07

C:\Users\Admin\AppData\Local\Temp\fqowoYUQ.bat

MD5 d0696c399af2e857203ddb6eb9c2bdd2
SHA1 94e308039c4827d83c9baaff11edaaa070bab932
SHA256 e96b6afd2ea35a5b49a0e84237ee3e829a328f5ba0b40c84313a36df9f589e12
SHA512 0a4f294bde04e7f06cc489f2010efb7185c01830d23c6fff919fc2135aca67e002860b988f3ccbff86d6cbeda7b48e25b992a8d6b13e0ec6b13da0a2b1c584f6

C:\Users\Admin\AppData\Local\Temp\VYwAUgUA.bat

MD5 c55de12134e46f9761a0fb3454cecb7e
SHA1 5a6db512117f2bea6bb7ba6ae203563577078c44
SHA256 7f002cae5b672a5f6408d793e6828f809224761c662d8323fe4b5accabc73de5
SHA512 2fe3696c610462d3501a79fa141dc6fded787760e89ed6541deb018353a5b2a78ebae417014a4d23082663d49e254346087eaa3b9be6dfb9d71d95d0f6607980

C:\Users\Admin\AppData\Local\Temp\NKAYswMU.bat

MD5 9a8d8c432ba1f935e52c1c3ea5b5b9dd
SHA1 418a7f8af9cd8f7852d529653e5b54f5329b86fd
SHA256 21aabf39cdcf3775c30a151be0960402c73ecbcb94a6868c386fb23699fd983c
SHA512 1a81af0c8ebc6e2a6736e871690dd1915ac435a49677f9b5c7222c4922e521025c76f11b050eb786d4b00909cb2f5c370e2192ded66cc89f7a11584beb17f79e

C:\Users\Admin\AppData\Local\Temp\TmocgcwQ.bat

MD5 104ab6b3de7c6cbefff019d3883fb8a9
SHA1 a5c503edadbcbc19eddf37c82dfa21d6ffcf24ef
SHA256 22fa3641a493111efeea28d60e582e2e8c4f62a0bf3ae22a35e646cc14968180
SHA512 8d6038e670e9b066490a038b9f3c579ab96293c6cbebb5aec07be7d1278540c9583edf730426e2a7dd95ebecb7e90cb887bbd7776e16abf60adcff7d28dbb02f

C:\Users\Admin\AppData\Local\Temp\GmAkwwMs.bat

MD5 3f82a965aaf6b585a081df8454769abd
SHA1 0ecfdd2d2589841b3f929364fa018c0db6861c22
SHA256 774755a9e68737c6eb3fb98b22f99fbc25f0d57339646dca600181c30eb2fedd
SHA512 d40327b1bd74e9b4313219127fe31864d33ce35b8131eb5c26dc1c6c61208c3e8ab4ee251c3ee841383e5132ff8f7d8e305a20354895852648d4469e665f3a21

C:\Users\Admin\AppData\Local\Temp\KokUIEgM.bat

MD5 3cc4d449bc27a89191d8904f0b2d8e6e
SHA1 c252361c3faba0832281029981a89e2c37061607
SHA256 18318f4953a88acb8fa99793c5ead5f0a1a8ef626cbbd4b7a1ab3e23f5772d30
SHA512 87e2bebeb740e5cff0a5de510a37dbe2d9ce3285f2cbd704559dfe671dc6eeee3287b047564268689a8dddb4969a21d62153e40e455e380a90aea8e2dc55d248

C:\Users\Admin\AppData\Local\Temp\iuwsoEcE.bat

MD5 d7d765c63225c5bfb7ce2f98864cd0e4
SHA1 93abfbb215ea08ad102b3d9ab4a0bdda193e911b
SHA256 f08c6145e64afa351101dad57dda9b6fa256178ff92b6305d9b7ed1367fb4d3d
SHA512 bd9ccaaf4be7a8ee41a4b8afa175b64999a3e2df2829b7e32f3b09acee3b8b00c8e17af4c099115bcfcf857dc1f80f40c5aa90749da7415628692580433a2a3e

C:\Users\Admin\AppData\Local\Temp\uWgEccgI.bat

MD5 a8b74ddb92d09539d121b858b3620dcb
SHA1 7fe01f2bd6e8a87bbd36839373d077842dbe2f61
SHA256 9290440af71108a1761f66da5a6e7c8ef935ea91187da5bdde19cde9f06dc790
SHA512 eba438a2d8cebf3ec73efbee53ab9a378f5779ea5c34bdf2d745b0b044d87aa90c50d614430628f5b7ac2deebff01857ea8db68ffbbeca3260d125a6c6995fd7

C:\Users\Admin\AppData\Local\Temp\hAcAMAsY.bat

MD5 bffaef85a389e8ca1333ec4e0dee61a2
SHA1 02c33e1710dce304f33bb98a72b5db56fa3aa9dc
SHA256 75e2298da989744d92c05bef376cad67df675e5668263aa743099b79da587afe
SHA512 3dd4864b01364cb80a7d669e92966d242a68b36778f29dd9701c0fb4543773646d63948cbcc93a2134a5fe957c11e39e41367df2f12a2e484a83aa34ee6ab821

C:\Users\Admin\AppData\Local\Temp\JIkAEcwI.bat

MD5 b7610ec2f93c2a19da1f960caa7d304f
SHA1 a740d8b311760905b4bb1dc4daf188c2beb1884e
SHA256 5ba9643f4adb2cd8e535aca00b05482829396c21d144bffb2ce2878005963045
SHA512 34e6c667e44a601582cf91a18b14b1fff760c1f16b8eacecd8e84f50304688161134c892d584bca3230bd53d6a0592609cad630b97767a4b9f75502ae0abf3a8

C:\Users\Admin\AppData\Local\Temp\VoMcoYkU.bat

MD5 d21447da431e4fef2f66b72cc2886d41
SHA1 21f8c59c7bd49615836e4c7f47a50e0168cd4016
SHA256 b3cf5f26e423e9bcd8b5437367e4e32fa058b1a3153bf8efe6fe1f5d748601e4
SHA512 cd47c971eb8b83a1918a54680fc3d98da4f63c253da7298af590c4a9cd7e875914c18ef676eaf9b9cc06676b9d3e7237e98ddfc15989921abaea1ff43ddd8904

C:\Users\Admin\AppData\Local\Temp\LwMEsIEs.bat

MD5 432121544fe9d6fa73d2e475ddbc2837
SHA1 f3376e556b7deba816eafc3be433ae3299891ea7
SHA256 43248c4367ad59ab664d27c813b9df3b914f1037d15725944b5be75057d64bf2
SHA512 ed68e4d3217d385426fea5af5128c57def9be36d50bc49adb84e7c5f05f6d4c37c2af2d762998e697f2853821df0a222bba4219ba40463f8cdc91c8134a6b0c4

C:\Users\Admin\AppData\Local\Temp\SGkQAMgg.bat

MD5 49c0035ce23c70c5187448b7678beff5
SHA1 ef3018d19d7c470d0ec400e20caae86154e54d44
SHA256 a9f4bbf429ce34e69e1ede703c0fa4729949f8896a62991059a986e004fa6a49
SHA512 fb42aa53de1d4f84ec1f81a9a6b84e6397011e12be2790304dc3642227157f1e50c5359ffc9a1d6dbf7013af6649abafdad69b11e340ec8d82bebe70c4922fd3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:27

Reported

2024-10-16 06:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (67) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe N/A
N/A N/A C:\ProgramData\zqwIwEgM\nMsEIwAI.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JuMoAAEQ.exe = "C:\\Users\\Admin\\TAIwgMQg\\JuMoAAEQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nMsEIwAI.exe = "C:\\ProgramData\\zqwIwEgM\\nMsEIwAI.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JuMoAAEQ.exe = "C:\\Users\\Admin\\TAIwgMQg\\JuMoAAEQ.exe" C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nMsEIwAI.exe = "C:\\ProgramData\\zqwIwEgM\\nMsEIwAI.exe" C:\ProgramData\zqwIwEgM\nMsEIwAI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe" N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe
PID 2364 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe
PID 2364 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe
PID 2364 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\zqwIwEgM\nMsEIwAI.exe
PID 2364 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\zqwIwEgM\nMsEIwAI.exe
PID 2364 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\ProgramData\zqwIwEgM\nMsEIwAI.exe
PID 2364 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2740 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2740 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 2364 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3108 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3108 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 1952 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 1952 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe
PID 964 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 964 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 100 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 100 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 100 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 656 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe"

C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe

"C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe"

C:\ProgramData\zqwIwEgM\nMsEIwAI.exe

"C:\ProgramData\zqwIwEgM\nMsEIwAI.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAgcUIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMAYEgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQcUAsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWoEsIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YccUEgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwsIYkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIYscwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsccUMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGogMcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUwoMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcQcokoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWQEYEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuMkQgoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWwEsgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsYgEYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWoUkoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeIYwIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmAcgcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOsoQEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaocYAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMYAIgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIkEAAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEQkoMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSocAgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMYMwEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqIAIUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgAsQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCowQooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscEwcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGEsoMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqAcgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOEosccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmMwMMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcoooUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOYMEIoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYgQsksM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe

"C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"

C:\ProgramData\XOYIggoU\lawQAkkM.exe

"C:\ProgramData\XOYIggoU\lawQAkkM.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4168 -ip 4168

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2576 -ip 2576

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwwwEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 228

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEwsMccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgAEskIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGUEkIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOogMMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmEYoAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaMQAkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQAEUggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deoosocs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkMoUMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAwQAsgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQAoIYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwwoYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewUsMQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csMsMIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqEQMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWUMwwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rawoYwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REoYwgoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyssYIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAIEYYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UusgAMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egoogQos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UckMIYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgAAUAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcIYgYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmcIQQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIAMsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WykUsMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOMAgwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGMkwcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMocMsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAMoccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUocEQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amcsQgEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmEUYwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoAQgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKcoUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROkIsokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEgQcwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAMQMsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auUcMAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQscooUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYkgAAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAkogwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYUEocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAoYggYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQEgwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygEcQMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcQUAUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGYckMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmcsogUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIQAwUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XewUUkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoAcQEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noYEwcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOUMkQMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKogMwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmUscIAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCowMQgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmQMUgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqYcoMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCIcoYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmYQEIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIgEgUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv S4TQiynNaU6CPbAkN+7B5Q.0.2

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWIAcYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYEkoscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncgsUEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeIcQcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkMwIkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEkUMwQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQwEgwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyMswoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKkcMAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgsIYwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuEMEEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSYYIcAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yksMQcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwUsgUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sacAsAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkQoUIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKwoQokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMUkAkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOwscEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nesscUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsUEIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQwAMEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouMgMokk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksskEcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWIsEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noMUoIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dscAEQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RccMMcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccEYEEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock"

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2364-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\TAIwgMQg\JuMoAAEQ.exe

MD5 1f9d913d630fa4b49eda73f93d480aa5
SHA1 60206f87e1e919c9c6d19d1a5f764f6c025a2780
SHA256 13c63b55fa7e685b967d648e9038fc61fb135b56e91fb38b1e8556a5ad655f6a
SHA512 4e0e09ec96355f70177815f9fde80e17dced23c103f5f435833ba8ff14f10b311c37decd9ee127cd408e84e0c0edf1c0190f971ebabb41c451dab4f5313b6a0f

memory/3888-5-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3420-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\ProgramData\zqwIwEgM\nMsEIwAI.exe

MD5 a994fe492986ead3e15f56c11037882e
SHA1 a74c6d937a1878546270e78a28b21daaa4a56145
SHA256 0df514dc795aec7bea08b95939dfc5d23321a8472d848cbf4ac45b097af242d0
SHA512 4553af182d17078cccc7a209c791eedd9efa41d0e4daa9ab8905f98c77d401695c3d6c7f122b8747a7a7d6b0da7619d2a2b78ff7f7919f9defea0cb0f282c317

memory/964-16-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2364-20-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nAgcUIUA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-16_8407fc3b6183cec64939631e05806d11_virlock

MD5 bfa92771c90c7199a8b84d21ca45750a
SHA1 8c0c9053bddcb7f95423392ba7d8de7960fd99fb
SHA256 61282907692cc4761493fbca1f89d7eaf3de7ec5f00b57d7c03cef01fc3e707b
SHA512 cdebc94fd6e0fc7a10ba67a06479330cf9a31ab5cfe21f1211775013c3a49fd23b15b6ff792f24d49d30032442c1eb582b8a43412deda8518fbd02deca5d6e86

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/964-33-0x0000000000400000-0x0000000000434000-memory.dmp

memory/656-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3392-47-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3392-56-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2596-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4396-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3968-91-0x0000000000400000-0x0000000000434000-memory.dmp

memory/648-92-0x0000000000400000-0x0000000000434000-memory.dmp

memory/648-105-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2052-116-0x0000000000400000-0x0000000000434000-memory.dmp

memory/780-127-0x0000000000400000-0x0000000000434000-memory.dmp

memory/244-138-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3996-148-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1116-152-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2052-160-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3996-164-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2052-175-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1996-176-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1996-189-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5088-200-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5112-211-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\zqwIwEgM\nMsEIwAI.inf

MD5 6a2e74d1656618ea1571a2aa3375b820
SHA1 3d12785204fb8003d6a93cd5922384b023bdb1aa
SHA256 5d86f78115d7b652a08d02b36d8f7df995ba5d946d1b224bd0f0688072a51e82
SHA512 7304e735f077ec7104199b439b4ea66010c953a48bfe60e909b3fd51c91e3b3ee1b1854e579b14e67ec68c8fe5645f7feaaa311ba84b60f29f77f41ac921e0fa

memory/2656-224-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2292-229-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2292-238-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3608-239-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3608-250-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1668-251-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1668-262-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4236-270-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1816-278-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3180-286-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4904-289-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4904-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2596-305-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3432-315-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2128-316-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2128-324-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5028-332-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4864-342-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4936-350-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5004-355-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4236-359-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5004-369-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1148-377-0x0000000000400000-0x0000000000434000-memory.dmp

memory/464-378-0x0000000000400000-0x0000000000434000-memory.dmp

memory/464-386-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3124-394-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2576-398-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4168-399-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1532-400-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3496-408-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4168-410-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2736-417-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2840-425-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4268-435-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5088-443-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2164-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4696-461-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1300-469-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4932-477-0x0000000000400000-0x0000000000434000-memory.dmp

memory/708-485-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2544-495-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5064-503-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4776-504-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4776-512-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2164-520-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4184-530-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1652-538-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4492-546-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4508-551-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2396-555-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4508-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2624-573-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5064-581-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3620-589-0x0000000000400000-0x0000000000434000-memory.dmp

memory/940-590-0x0000000000400000-0x0000000000434000-memory.dmp

memory/940-600-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4932-608-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2792-616-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4256-617-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4256-627-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2436-635-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2840-643-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5084-653-0x0000000000400000-0x0000000000434000-memory.dmp

memory/468-661-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3180-669-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4864-670-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4864-678-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CQwY.exe

MD5 64661a12790d7fcea762a5399cc781a6
SHA1 59ce64f13128b4a5026bb186a4790e790d7da7c5
SHA256 78255fa513e486743806dad28d3420b79feef2f92a90607bd2d415028ee0e032
SHA512 22da64e49fccdef16cb6384ba5e76905496d4a96c1c6186457202e6d40c00b73233c91f07b986ade72afb6a3891c28deed0583c17c4f20b82579516849830d2c

memory/668-703-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MwcU.exe

MD5 aa3926e99de8a3d5cf09286dcf1f8a00
SHA1 029faa836e331c2951258b1ff8e7712e922f5685
SHA256 15812d3a0b9f25e2cce332ac6d6ab96cf5f9b356d3069fe735c30b9b766afbcb
SHA512 2b90607381f37ebf54d9fbac4e0ef3983cc9538bdca5625e51858aeae9dc5a819b306c4aaaaee52fc7d05a060e74ae4c42f7a01e3f823e32943d03a44cc78935

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 56cc0087d29113b431374b9c0a68adfb
SHA1 ff6c6c4ea1e831000185d6e1a886763acc97adab
SHA256 bdccf2bd53111bfe3f703ea909f8d77943c0bdfa7016bb417d2e7c0fb77e28e7
SHA512 da371d3504a7216b2889171d147f27f131cb1b29b758f5bca06cebcd34792432a72852b8a12bcd343060a3881e05a7d45357bca09d227d602f8ab80fe776d2d3

C:\Users\Admin\AppData\Local\Temp\GIcg.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

memory/2396-753-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iwkc.exe

MD5 1f1107dc352839a16feb81be8f1c2d19
SHA1 84efab005ac15ea52c101930ddd00f764425fbfd
SHA256 58cc50a0e4c97f686cea0f53aa70cba0f947e832551da73f35c87a2f8876f4ac
SHA512 5a34317fe1cfef4b578c4d5d7343462f12133f974876163c796dc93a062c9e34feaf57bec5933d9f44842ebc644b0408be04ece6cda275bfa5a013f012fb4513

C:\Users\Admin\AppData\Local\Temp\CoMo.exe

MD5 1d5270eb9857a14b67f09cfe05c22516
SHA1 c401e9e98a59c2e92fa47405cda44ff9b19cb1f5
SHA256 7ceab88d21aaa0e39f78693f15035506ed66647fd354cf4fe6b206555fdc452c
SHA512 eedb8191c72f711829c6db7b1b475a00b6e37fa5250fa8e1f1f7ffab0ac932bd0604100fb033dd8d5e91a5ba16bd052332acb1e359376bdf20ef9872e58ae6a2

C:\Users\Admin\AppData\Local\Temp\KUwI.exe

MD5 2027253a30f0917f60fed4e12762c54a
SHA1 c9bcf67a8f073b96b817017957849122eac09fa4
SHA256 33b2d2d79b9abbaccc67078068122a03676fead98ed03e74a7e54728e108d6ff
SHA512 33c6c5a04718b92f3bdc46d75efb7822ac3db940dc16e6a776435996f81c1271525faa4e557357f0d44df9a8993197bcb626ba4c7b516677a43daf641e8481e5

C:\Users\Admin\AppData\Local\Temp\aQIk.exe

MD5 eecfd58fc8dc5f9a1ce457e07f108c7a
SHA1 e19e89ebf7cff3d856f2bdd51b2c7ac8f2f1a923
SHA256 1b865f30eb33e1cf2bf8b47e9d2182d5c50ce914e9ab3517373bd2759cb58da3
SHA512 704acd9b2f0c270926b400687a63be5f404c5d249e86ce79f5d413c8b21df60b3b5340c0b1469ad7c69b3610191d6cb05fa98240c94a3255f546b88706f3ba81

memory/3528-803-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYkk.exe

MD5 d0b5a69cb67f351cff0b74f9f20f2e89
SHA1 ea47c7a1f6d18b7988b6ef3f8271f05dd3b5b842
SHA256 5ad5385fe092913a8db29f3a4fa0215480d6d9bcb45c2cbebad5934d818b2552
SHA512 157e4c1e7c13704868aca10f94408748820d431b8e8d022ba360ab99a5a5ac7abbf6bb5072fd9a2b4dd10f17c89aa54864f399742e5265497d515972c25d3cbf

C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

MD5 21d78ac4aaf20b899c20b0e523256f84
SHA1 b2cec6a5d1ab0cb56acc0fd17d49f037dec385f7
SHA256 ba8d4781330630709d5d39db190b16858ff8a31e0523260303ecdb781615e88e
SHA512 6e01ac687e26304a739fc72982abbcfb777f7d73b50555fbc87f879ca8bc9e85040b8079d955c5920dd5170dd76458d88124be45f915e5a4fb10d769c0627fb2

C:\Users\Admin\AppData\Local\Temp\cEMQ.exe

MD5 55d5b0daaefd3d64093e2a6488f0357f
SHA1 397ae03a75faf722495280460fe9f7bf6b24ed85
SHA256 74b96be832787b6a2ac8a845a55183408726cdf8d8e9dd046219d68c1d693c76
SHA512 35b088814a2f004b6524dc7e2d576ef63d70dc2d9e62a092574362f9276a9cbcf4dd02dc3c1916c14c002c81c43b2126364e72295a94769c0540602f6a7c9d56

C:\Users\Admin\AppData\Local\Temp\Ukcm.exe

MD5 1463a26d2276832d3e0a030cd3adbb6e
SHA1 e714853c4593b3a3f1b6fffd4a42088a7832f55d
SHA256 6d69f86c2182e1fc260c2dfed1cbbd97174bda51ed0d37b1541dcb0674236bd3
SHA512 71791c35145e551d8c5b8a2acdc18ff120f1f79a2af402975ea329d50cbbd905ad76772da5047008500ff6ce79e8ac01563ab2bfff6de8c26a4e0f403076f87b

C:\Users\Admin\AppData\Local\Temp\WkAG.exe

MD5 2c720740b8b56199410207106582fffe
SHA1 d864cdbf2406ceb90fc0cc03392076b390aa2088
SHA256 b0546270d373c696cf62d9c4ccd06024c7fe21f5a25890100f1932c069eb55ac
SHA512 67f9c07966164b630ede74c00399edae9082714a6ed8891af9000a150737dfc4426706278fe50c001efb839d923991729fd09e1b94ebcd7bf090a4d8386348e0

C:\Users\Admin\AppData\Local\Temp\ckgc.exe

MD5 b8bd0ffb2ead8fdfa854e3c6d76b46ae
SHA1 a376f778159992916927c07130d46b3a1bad865c
SHA256 4ef1854db9f3b5a1096bc8d9254caae435147297ddc3153f320a3f978a4adfb4
SHA512 9540135911c11042f2d22ed9ebb81ddeaced381864bebf00103214527652786b8c2e6c6b3987ea51596658fd10ca0103f56478daf9450dd46cde5e9adc15a027

C:\Users\Admin\AppData\Local\Temp\mAIK.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\msws.exe

MD5 17df96c24bfdd417f33fbb870ddf4b81
SHA1 488938f270e16a038a48bf3221936e7d10bd91c7
SHA256 63138dcec9706f6a0eb41e3c0f63c9a4286a1ad95824754ecff9a109697cbdf6
SHA512 0d54d29bde67855ff57c01334c6c6d99f1167ff7ed1d0bc683b254fa1673ac4d18fbec69116f0e34ec17cb213f667ce2baa64f40934a605bbe2362d8013af2b7

C:\Users\Admin\AppData\Local\Temp\EEYc.exe

MD5 e4be165bb5708d241770b1351d975da2
SHA1 5cc30dd059f05d487d665eed2a083cf6913b625a
SHA256 263af1a10e3f894618b566d0f04dea2521705940381af5dd40f001de359e598f
SHA512 6c7cfbc322778242be8112fdb54a33d4285cfb01942c3959d6593cb3fd158dcd29707f882147bde7b4972a799d87ba81b0da870ac7588022583a1fdb48a89192

C:\Users\Admin\AppData\Local\Temp\Cgsi.exe

MD5 30edbc0617c9475c6b4c237a20c2e73f
SHA1 d4844e3e766f5b68cc70ce9dec57ac75be4847e9
SHA256 1220ad91605e035730018260f3a41497588a7aa933d735d17d67352c41f86bfe
SHA512 4f8bddfa1098f0a47412ded72f5452c3ef7e29d39f43107956ce70a34eb4944de38677a6644af4d64f841c38548172a34f0c7687367b8339df25ec6a8cb39760

C:\Users\Admin\AppData\Local\Temp\MsUW.exe

MD5 6477d87e9fd19e54f1429b121821115b
SHA1 27737bc6c3d23faea25b26bd865c6acbcbe4e95b
SHA256 a4bc4d533db57d7eb52082ff560d8081d77bfbeb0f64fed1f22bc0ae313c5cea
SHA512 bc1a6c2d0570d636fa82e1c818a0fa856aa397e5aca686ea5ccab28d90fddd839d4852187e2517ecea4418da0753968edf56805f8a557e804eca92c3b1f79fc1

C:\Users\Admin\AppData\Local\Temp\UsMe.exe

MD5 578f824146cf3fee91bf9fd77593c608
SHA1 d6764e6466df03f2f97a3af5ffcb196aa2b1f773
SHA256 de59e193e05bbb30de3a389c136798a0503a2e5ba59e6b933f93417fd28c124e
SHA512 dd0362410acc9e355a0ddccb4d448ba7f095fbb5d1c8739da7f60eb567c682c7145d927c0b0ea5e92772520cd6a7d0d39c1b94553b7f1da12e76dcea18c915c1

C:\Users\Admin\AppData\Local\Temp\GcgG.exe

MD5 18ae57e80eef46030e35c34211a45081
SHA1 e7085ecf34e3dfbdf36e3e15b2bbefc506b2e6a0
SHA256 321031ac94336efc66163af3811ff26b3119269c660831ecb8cf1041fcd2960f
SHA512 dc33dceeeb91eab386c74409366f77065af7fbe04931a76ab78d653696e63f8c1479653796eee332d0b51bd181579e6bc40110cd3e62d42d66564b1b8a20742f

C:\Users\Admin\AppData\Local\Temp\AYAm.exe

MD5 4298aefd06a919691f94ff4fc91a3b27
SHA1 c10ffb234441ed14bc51e2a2ca0cd4ce4b2a1554
SHA256 83d89170bc8ffbebf7768ffad1d67c64adf1026706dc12c6c61c5dc961efc6a8
SHA512 edd755146faebe35ca2782594ae5e62e278b47fcf9f46342a37cf96c9aa01dfa19b6da3348473c00ab5cdefc38441d73535d526277ae5fb5095a1a8ba75ebc47

C:\Users\Admin\AppData\Local\Temp\MYUS.exe

MD5 22644903c44e9ce2e6a9e3508f586d48
SHA1 9d52bed4ac4fa6d9fc4d39418714c820467ea23c
SHA256 64a9aec6dc9e0df91936310ceaba639676c9abf8b05fc1db97f7a3d43ed64de5
SHA512 001059a4102831474743ec36780fb3bde92abe65802f94ac5570b6f852fa4865c71f5c4d03f6bbce65198988ea23cc4d751292d1b15c2b22a5475b90dd265748

C:\Users\Admin\AppData\Local\Temp\YYIG.exe

MD5 a8965b3133ff0605eea569d0ed561701
SHA1 5811d63f0c52e06c7400706142f3a7fb4168a238
SHA256 0652c52dc974c2f0e815a4aad73feaaf32e2fad129f846415aae1696ec2fe74c
SHA512 79f71ee2f80d125390465333534b5fc1528f4f74b2f6b58d53e56999349debe01f07d2c2772dd011662377bc7f3e6a65259c965665666c5873b7f2acf6a40062

C:\Users\Admin\AppData\Local\Temp\ygYC.exe

MD5 c621c3fddd84e1eaf7107e9bb014ce9a
SHA1 e88b3d7102508408a1dff225ccdaf2364cbeedeb
SHA256 cfb58ecd8344242061d656054962c930ac579ee62574875d269c350796b6b8af
SHA512 4ec27e7cc51123c35e195200862cdda2a4e0c03c59c1ce43c9ad35890cdf2a2157afc6bcd7834a083c9de4f99100e4d8cc7436ccbdf7a9f2a22180466023d2a7

C:\Users\Admin\AppData\Local\Temp\sUoe.exe

MD5 60b4eebe1b7d4c499979a323bbc072dc
SHA1 b7f2ad4d13f8bc003d5819903ab909651e9620e4
SHA256 dd0eafb84464f53487dfd632a75fbbcb4a38f914fb1e9f1e56ede106089aa859
SHA512 81e48ccf6628cce72ec66017955283983c391c1aa469915a0edf387190a4faf454cac0bdfe5d0a407f49b3407a8e19ea541c2503f245b6d9de6d3d3d70ebc62d

C:\Users\Admin\AppData\Local\Temp\iYEk.exe

MD5 b69d7c0fc5b67082d4f52e1ef7f472c1
SHA1 51dd882a9907db8993f5a61a128d68ea47a5f7f2
SHA256 e88b630f19f840b94d1d994ffac1c9ed7ef3c84e2ae1ac50fa2fb3e3ea73bf16
SHA512 91fe2801c82296b10ccfb38c4b8d2339eedb220b41c3f7cded660e676390721150bb2bf62d0c16d9a444d880f09164b9bfb20c4f5d44218fa781be6ea7fa051d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

MD5 332b51aa425a4a08eda0f0e38e184a9b
SHA1 aff1a92a6998da72633072287287137d640afcb3
SHA256 8c8478102cf4adf7726fee7373239f57cb3e44d90db13f2fb36c619dbdeced53
SHA512 8351cc2a0d3847051142ac96580903b47cd161066b2c73e4bdb0a16a259f46a4bee6bac2e5fdee7a8059d3a8bf1fb280eb13e4b4b8588a0a287484fa244888a0

C:\Users\Admin\AppData\Local\Temp\WIwE.exe

MD5 320ee38adc269e47f7b7e3a98c1e97a1
SHA1 7dff94ea1ef227dd7a6b8ac915c3f386c63e3204
SHA256 6f52857e9c81d872bba5682ac0ef06835e94c25f802ad42b12a82d192d6073a7
SHA512 46f95e40be2de91367ef32cbe53ca68472a845d34d26e5a0bc01aa7ed33430287b47fff00af1ed2005a77e737c7cf2c9627eb68b112357b8a15024576d8f3678

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 7275bfb2ba7f882f5d7e376842797b0b
SHA1 c550c2e20b13ec0ec44d7c5c2e793035f35ab608
SHA256 26a2b3037a0907fd297ae5056f27c36a5858a57b0b87b9aa74b9b69d1f649476
SHA512 71c7d63adc47a8bc3421fcff15a771739f4058001ddc4ab0983c5b3adf09bf910b77bad8f92f268fca13b0d5a2a8da1dfaf2ef8f13cc8de99503ce2cfd8c044d

C:\Users\Admin\AppData\Local\Temp\aYos.exe

MD5 4932af6be987852d47de9b4dcb52e768
SHA1 46665169019845ba673a35c9281eeee39f0e7a0a
SHA256 132076bc6c924e65c678be806488cb330e01308039239dc288ce0ecc52d183a4
SHA512 6f4fda4fa4b82026df5e98c686f7b1c259c597fa5f5950887d40c037b7a53044cbbcca0d99af49c817a5f942b044ab08281dab8150717d1c7b235e1fd4bd9469

C:\Users\Admin\AppData\Local\Temp\KswO.exe

MD5 d4830288336c32f1048c071ab13ff95b
SHA1 50b8fc3370431c65eb030399ce97f093f5946cf8
SHA256 8c29cf616661229a75aa1bf670715971fd85f16cf313f44f88f9993910a26882
SHA512 3e281eefb7b51b03513d91de1045599b74abb33e23edd744573d5e1120e8b2ba0f650fe968f8bb5596501714fd518a83a22ea5029589e0ea02c38eb13066109b

C:\Users\Admin\AppData\Local\Temp\wkMk.exe

MD5 0622aba7f0a474483cc0f8b326b8a642
SHA1 b5fc88f97203ba3b0b71bd25b2ae815856bfc063
SHA256 95a69985e1c50f297dfe92d6e4ac66962c4406e3492bbe05442e2681d16a1a9f
SHA512 aa7d8904b9a223f71c01633107bca0f7fb87437d5ec9ed31da241b06aca56ed990cd28a2f2735cff824598c3c3ce8df68f7e4718efc91b104a158eae7b6e52cd

C:\Users\Admin\AppData\Local\Temp\yYog.exe

MD5 f0dfcb6383b62db3d9f646275206da36
SHA1 3db0d96e920f192c392b4ad30d29a0c59d08f472
SHA256 aca74fe84d20f766978a2a17ca49423cd332acf74f0f10aac01726f0b2bdde1c
SHA512 850d90d6e6a371ceb8bb11dfa4d3208669f763d70cd60d405a0e1adb0bc4964e2f5430bd21488377a16fd2d6943fe2e0e146581c9db6d53c9046c5cef702922f

C:\Users\Admin\AppData\Local\Temp\qsUM.exe

MD5 9fa4559a1eca0228649fb65bdd37f3d3
SHA1 e8c2cf1982ac1eadf4399a3a0af82893498d52f8
SHA256 b65e00777e50532cf175aaabd97c6f873d213aa4667847e93eed8f9f56e6ebeb
SHA512 867caf9dbafa5e65c24349dc39ecd7db916f8dee8ccd15f006dc69f290c4e3d79b6b1fb020fc51ee3c92e270834bae55cf70d369ca55a7d8cfb0a027eaa87ea5

C:\Users\Admin\AppData\Local\Temp\UMoW.exe

MD5 68bf47721bba2b8a61cde79576eb70a1
SHA1 a065bfa3748aa1916b22db3db6b54f1fa1f4e3cc
SHA256 0408073f821c6477a3591d4e8097fb1928b6c3942a3d3e9cb6c61a2319f22baa
SHA512 3e254f76305bfac89b1386aa6defa891c7af1f3fb986704c6dfed3ccc42aa69d5d436240086ebf0d32ee704bba7f7daf7270e93de337d4991ec990753698a70e

C:\Users\Admin\AppData\Local\Temp\kAQA.exe

MD5 ef649b2f814c0ddcd6afe618bc2cd796
SHA1 669d7222464dd3fbf36b08f0218ce97600d4fc42
SHA256 f8743aa63d504d679e0a128b19323b705bb6e2d56da7352c3f4e9e445830bdbb
SHA512 0c3ce1f5cb6b459581edb07afffd6b27fec16eccd1a09857745d710ac14a37db3bf91bbc3ad32ca2964a26967beaae6deec762249c020bdfff3b0bcdb60becfd

C:\Users\Admin\AppData\Local\Temp\ksoa.exe

MD5 80f9ac09f75c9b89d308c52aacddfbe9
SHA1 b328ab668ba20f87d19b71b47e1f700447ffe0f3
SHA256 ed037700d75b8b92c0fb8ad132ec3636dfb45f8d006e1738c8833695193f6f8b
SHA512 1ea577d161e5b1b9b846a012e51b08b948d86ce3cacf25da2686fd3738e4912b178f277cb885164e0d123372118e7ccbd48d3a9e7cf7661e2c9f07fd7b019067

C:\Users\Admin\AppData\Local\Temp\ysII.exe

MD5 3b5f5958e3e944900fa4068118f9c7cc
SHA1 a68600626676981f090c693844174e9afdd06df2
SHA256 2a7c05574668180c22fa9a5b6b9981b9a96e30b3b3a9dbcd328129837589da15
SHA512 680b4cc0c1d7fe573107b7305531e6e4a1d6c5ae9165d935bb86b01163255d958aa1bfbd5b15fde2a97403c0fb6f22510046e2dfd6103710ed90729de50fe80a

C:\Users\Admin\AppData\Local\Temp\ewoO.exe

MD5 fccd9b2ab40fc08b98cc1346ac7df6db
SHA1 c0c4fcbae8b6b8cf0df1e6b0dc8355388ef9cafc
SHA256 e7a67adc6abd4dc0617fc999727a483f17fdcdecf40c05ba90f00719b35eda31
SHA512 4ebfd7d5ba6ffab955ce157718e0cc1507b8098b104147bbc44d8dd048bce965eb9879b54f4e3e91d97d3632572d6eadeed1597c3f6555b91b40d98233e2b984

C:\Users\Admin\AppData\Local\Temp\MUQQ.exe

MD5 72149d2ff8dcc2d696d971acbc77f0e4
SHA1 a976c7d2315297a8c5c7ca32be4061010ed223af
SHA256 56f9bec72ee9642712782d2876eca9cd18ce76957674a568ffc2e8b35c1e05a7
SHA512 c1ba6cf5509ea4677199986b6ad94f64b378b2938c4fabfea5bfd55aa1d0c21b2f393f16e12b28019c9d6328332076981fef511aafa160705909c19d3b745039

C:\Users\Admin\AppData\Local\Temp\McYg.exe

MD5 bd7a2bd7aa4b55f9a64c5a1d948b3151
SHA1 218ae1d1ca8abc098d991d5054baa45d1fbef7d8
SHA256 1b82e8dae05c22ded9050be42a35c52f52128271d03b7056b970404ac7bcda4a
SHA512 0ca627e8dbd58037d2a431abb07d8107d72b7b4b313419fcf5dffd6754b5b8fc4abab8f6e84c6c4037d23bb8f7890200df9f86d5b32f0634031630e066f39842

C:\Users\Admin\AppData\Local\Temp\QIsU.exe

MD5 4b6d99611be7be35ad220679609f8958
SHA1 f74c7b8016fcd176c74cc181675d649fa81fbc06
SHA256 941ed6d414cb3bfc04fff6d93431b804d98b11b0c7d748227a1b3057a2cff1db
SHA512 2cdfdccc400dadcf0cc94a22db8b85f6dcb8058fbb5c672e9fe6af5c5624661cfae3e5f009ed5e6a3af026dd10eb3a5a9383f7deb59131a06f489de939d7e6e0

C:\Users\Admin\AppData\Local\Temp\wUAE.exe

MD5 d1bcbcd91cebfaa6b12c0123674488d7
SHA1 69106638b7c73d0e68e8377c83d07139ca6d6272
SHA256 a9b949abf206510dd750b36bfde3c1407bd27c429eed4d5cb10cca5b41eeada6
SHA512 8e4d630909e562c1f7a037405d247738da4bac2aa29c4bb3b99437bca27b553f0059919f67a84410e68283731d49696c1cf10bcb47a64d773aebbb129d56b130

C:\Users\Admin\AppData\Local\Temp\EgcQ.exe

MD5 79bda18618908d34ad8abc4c17fb280b
SHA1 827fbb70fc008ec08e32b27ea6279e5092f3baf0
SHA256 e45dd143ac808e451f624961d0fdeb253f1ad03d95a9938bf712b1235925cb88
SHA512 b6a19ffd2c8b9a7ef5fd4bd1ef6a2cac08a053c4ac1ad6d46331bb23e253a7ab2676989be0d1636b3f78dd1d2b9590e406111ffb8868dbad0828abdbad852a6b

C:\Users\Admin\AppData\Local\Temp\coog.exe

MD5 8af6f0c0d9265435f35d8740bca3a4aa
SHA1 3f4de5764f2e169be38c915970ad4eed19b4ad8d
SHA256 b8b46f04a246d4c28df010352cb6e16e8c324a2eb08b70314322f1b02d9fed93
SHA512 2176bdabe47c61224e0f355c0b161dc9301b6d6a66d0bb71a596d9b2138a9ce9949b09ea4d8228f8025fe40487afa0a5b561d2b03e72cf5b02e8d397c8f96baa

C:\Users\Admin\AppData\Local\Temp\igcC.exe

MD5 7b611ae39022ac89fb026f1e2b7ea953
SHA1 4126cd9973f4e973a501e8b9bcbc5ee70dff39e5
SHA256 c6e9fe6eb36244438a68d170a24d794791b5226bb98ddec6d530315afa996200
SHA512 b9136c1c046f579fbf9a25eb64f9431e9746693f1a3b3212e3aef83077432d8afe960e8b033b8b1ebf6c93e0af97af9583981371c3d1cbdcc7a3189b8ff988d6

C:\Users\Admin\AppData\Local\Temp\Wsog.exe

MD5 1ac080a9978e23ba87143dd85a84b3ce
SHA1 b56e4cd4ce28ee0fd58ed4fc4432f2b454585b8b
SHA256 4f26c2416c033c92f36a5fad7f5600b847962b4a4e0f60179a6d1f5db000bf25
SHA512 609c2fb18574e615b4c8637d7717c359a7f7a6e63d0a9c963f32ee099d9b32acbed4d1acb41215fb1eed147ec9d495e9fa98829ba5d929bc9a5edebd7c973130

C:\Users\Admin\AppData\Local\Temp\UsAG.exe

MD5 863a03c8b1501f243cb0b3d661e73742
SHA1 47ac82f1b72308e183c04e1470902b46cdf9721e
SHA256 4140057e3a65dd1e6a707c761d760e50fca1e7583a33455e7add9fedcd195d16
SHA512 c5162c993cd88560f27719edf0696453f7807676275fd31d71a56fb01dd1e99e3feb88ce4b9d3fb58a7a04b17f49c4eee46cf22122e6c47ec2f01a6d9787cfaa

C:\Users\Admin\AppData\Local\Temp\SAwE.exe

MD5 bcf551e391952544611cc6791c975393
SHA1 e19c1c0553b0e7946ad8ee23c91463163f178d17
SHA256 4fce8599408bea5ae6547dec6bdbfc7fbb3216a125ce40627372879f1e3cfc46
SHA512 b3668840ed53649af06d8c3963be87a85bda7a3c22bf65ab3d300c2ad266338ed2cf89cb2f985b6bb1b9719c5ad609e95f1b252d19d0e9a3afde1746455feca9

C:\Users\Admin\AppData\Local\Temp\GEAE.exe

MD5 8109652d6b0fcaec7c5b0a32153d4be5
SHA1 b2e7597b67030c03d660721ca3ebf8d9581a1ea7
SHA256 7e0eff4c3e6f3cb4cadf4617c5243273aed340e2a3381dcb47a776cb32d33eef
SHA512 9d360c905fcc8e31e85fa28194292f8c3f41bebc82c7e103c94db0266d013a72caa9bb489cdd008549e41743292fc570463c79747cd293802cd9f156fab5898d

C:\Users\Admin\AppData\Local\Temp\Cckk.exe

MD5 436d73a073d752e40e024c5e19f5db6b
SHA1 bbccf530156aa574f916b78f724d5989c28f7852
SHA256 bd353dfc08a5472730dcde09470b2f365f7ec915eb6ec89853bbe59f9a5e4f57
SHA512 2ec0ef77a6073dbad9724b70321762d8372bb7b0d24c7f68bb11b113635ae945c6422d054c31de5ebe9a99eb9eafed5334e270b66d9e39eb4f14d346217f1eef

C:\Users\Admin\AppData\Local\Temp\IskS.exe

MD5 fffcf6779421949dbc55c81ad5ae20e2
SHA1 d7bf937e1d69462cec3c859f2b71a73457c3a289
SHA256 d81e7bf685c79fcf050cbc68297b517f1d9b77c314be173c0f0ee8e453497c3d
SHA512 150e5553e49f8dc9597627d9e7914e005436c33cbd579f082d99d4e7aa6bcde003275cf955e04c995c5dcd5e27dd5f814f2937c3cb2433d514e2903d2f2f100d

C:\Users\Admin\AppData\Local\Temp\oQci.exe

MD5 599f5a23c3179d47b4f30888437b66e1
SHA1 51d235cd672a34efec3be0566875d1bd90c0c71a
SHA256 71337ec7c81b8ada3942154b832b7abdcc05fee446c628c2882431d6de8e2171
SHA512 b2564f44048dd13143f3811e244e9152aae85ffe4bc9d5829c8c2ab28aaac0c84389767b550b1c4295d37be59737933424f0fa7dc6cc20e66fe7874b3ed22509

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 e41fc5a46df6393149068021bfe1fb23
SHA1 88bdc9c618a153f6cbd835ef2f9e484fe1e7146f
SHA256 48c67d0fc182c2f175934c64b80b59070e07b22b54f80ddd5d861774a0cc963b
SHA512 8b81b9c4dc1b2096acbf3717eb40e2d9b4e4df75e547e049459d8fb42894471386e947c72fba3d5ee58910bb91f5266f806d4115e1660c1ba380aff12ee3d59d

C:\Users\Admin\AppData\Local\Temp\Okoy.exe

MD5 691f59de9631499da97af45acba2b247
SHA1 ac6677a71e39593e4828715ec73567396440b96e
SHA256 5411b2f835b9a9ead55f81ee831fd420064084e704b4e1c82eff09f6b3f42baa
SHA512 567250f21320fdee75da392f82fae9970dd948f2681df908ec38b2b119f46f1995ed966e546dbb9348780338a930f1a131696cd9263e4a579e1d63a9ba065cca

C:\Users\Admin\AppData\Local\Temp\ckgs.exe

MD5 b02290cb22d32e21c00c7a032f5d01bf
SHA1 afc11e236fcd800e4cd90006bc32ad6d96569580
SHA256 e1de1b1d96871581466d9d643205d23433498b8f042ea231ca9d77f17be4108a
SHA512 f27dfca47dce102682e687c47a5d6290072b5c0af914f3dcdf1b614572775622d14f0d235ce4a9dd151b49b1ca964d5451ef3dd345e29a5dac00d0a6e35f071f

C:\Users\Admin\AppData\Local\Temp\akQm.exe

MD5 58c9d71c03848b31ce22749ffecb459d
SHA1 102a1077f561b6719d3466c35e1f5011d5f9f195
SHA256 feb5f81be1af053803fb229cebe8a3782d8c3a828d513f20b32c250139b34e56
SHA512 804e9b3dca907b7cfa3afdfedd6fc697f9b73498b7a7fc41c216a7d93a3449c9725a3913ae56fe375cd8a189a65f28cb98424c952252bb51d734441f1c9ce713

C:\Users\Admin\AppData\Local\Temp\OgIw.exe

MD5 48f562dea3e5c091ebc45dc4a5f58626
SHA1 cca8d16a4063955c576ae93d0d830d868f4ffa41
SHA256 e2eb61253cb45cb4b031dc0dbac1db802a402d57d96a6822c74abdf59501baec
SHA512 7971d799a46674227f2e1504dc79c8cf2874202419afd56c243b96ab72133939aa4646b1d0d2ec9efe3b6d521c3fad50711ab56b735e24ab90fdb12206361c12

C:\Users\Admin\AppData\Local\Temp\iMok.exe

MD5 d51a56eb03e79095f27ec32fef1d898d
SHA1 c634553db03fae7fbd12b8745bcff3dcf340cd4a
SHA256 a9a23915fce5aa53e487da65dc3dfbcebae6db5df8b5c0c1f3585dd40d4032e3
SHA512 48a83677ec56e30027858f9cfcd78ad9abc654c30d9306d8d5ff26a72b821adc19905c8277d2e3225fad623515eaacedb32e29208de6f05cb1276721f53bfab6

C:\Users\Admin\AppData\Local\Temp\iwgG.exe

MD5 4b9ecf4c214652aed0f3a8069abb8ec4
SHA1 975165963919e5e4ba98fddd223db63d46203037
SHA256 49f69ed8ac5051ce7b7854bb7c86c012726a47287307c49d89da53b7a344de5f
SHA512 eb402c032fa086ae77d151925d8b065f9cc26262217f17865e2ccbb6f6f4763f3ed58360e08f3d384f1e8176b58692d8dd1aa1917f846f0ebfdf0c4211b715a6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 12889f00f1f38d46abc30aa92b7bf226
SHA1 8e605971128a83c432acf843e6da1dd98bb67638
SHA256 ed09cbfe965c48fd07c1a4b576622cf32956008b311371bf6442bb3ecad080dc
SHA512 13cf0fd91862e3021c9b5b4fd9bd3e920526e26e5fdb1fd7796baa26c3fb1453ccb362cd83e2a3c2c5a50d4dbb24196948216d8420a09db0372115be3802ebb1

C:\Users\Admin\AppData\Local\Temp\MEMo.exe

MD5 018b01a2e481b3502201ce3d8008195c
SHA1 d0090e140485393d53c8a3f53952144454ed215e
SHA256 d90a270abf725ce0981a9f1b615254296c8c5ffc26bb3f09a0d779f34d303fed
SHA512 1793ee5dbc18463ab8d7aacdccab9283d9bd0fb931d69acbd6dc3326f989034620f5c34ef009ecc842ca738298b8cafbc6a1ade39e922511b6621d3d1ce35afb

C:\Users\Admin\AppData\Local\Temp\sUcK.exe

MD5 dbd5a79e6bde68d8b565a870012a186f
SHA1 12b64eb28a13b20a0d308040c1411af23e001ca9
SHA256 4541d79fa4dc378a046e7cc60fb788481111b968ad133b3e65c6047dae0ff747
SHA512 317155c9dffbdd055e20d5228675658ddf02af3d19dce0f954f05292ab07a9c0737d3c0851697950a2ade820f9d8e4dad08c3829a6d7eff000233e7e13db64ce

C:\Users\Admin\AppData\Local\Temp\aUgy.exe

MD5 01e41b6635a4f81996e36e5f31ce4734
SHA1 6d061f8e809457490afdd44d9990bbbefc162fe5
SHA256 85aaac1c15d8666962c33e2aabfda01009e6043b6f8d48284ca9e17c2c22f4f2
SHA512 c740ffd893f984c9566f491021074c89dfe0f48965266a57dffef52ba09b42ea85fc7ae7c149172891fdc6c10f78bda78a0f98840a5c09ee7d25a0812165ea5d

C:\Users\Admin\AppData\Local\Temp\IEAq.exe

MD5 afbf845eb999b376489e7640126292ae
SHA1 b966f85d4c7efb0168779c37b6ce378ce8762b1d
SHA256 37b221ef957a3c61840c2244303e952addb893301bc9d913dae39bd3596564f4
SHA512 ecd33a235c56e6f4264ff20b344aa62fe94ce58d7828d2248e8d2526b693279e2948c32f6f09c57e623c3eb14120ab9160ddb5bf692403035c3852aee76f46b2

C:\Users\Admin\AppData\Local\Temp\MIEk.exe

MD5 e29c5e7d9a9da601354cdb3c4dfc7c7e
SHA1 5ecf5032b8377610d10e636e0791b2e983d00cf6
SHA256 2c01fa606c87b375857ce02020a27c4bdbb0023e59b21b6ce35b1f185d297d6c
SHA512 4821598f503d4fa4ef1c88f11c881900cfed44f16601ababf646cf17ff32fbdfc953fc6259aa11908a45b120c2e090c32179cc7f94f227b35720bd6ab4041514

C:\Users\Admin\AppData\Local\Temp\QIAs.exe

MD5 c880e62fefc924a33397df3e44084eed
SHA1 9154d61e43523443e3925b52be92dbbe8694ec57
SHA256 2f7dea72c1e049112009ba97bc864cf9f3934c291a697ec74f8eedc97493fed8
SHA512 3f90546e01614ec78f51b97b7062d1c21fd8ad76dc344c86be182c59e5db7955f1513e5b1219bb208524a175bc586cfc25483ae7724a0ff4bf59b0caef03329f

C:\Users\Admin\AppData\Local\Temp\agos.exe

MD5 d42b60e392a9c989a8492c9c8418875f
SHA1 297e97ee71b767b2249d315586c9c2ffc9f44009
SHA256 ba9620aa95317337ed1d1fa5780fb8372dbed0697c2ec4bd80d010a6114d5177
SHA512 d6b7cf27c51e0b885662943276c76616ac21ae701c5580445c0840b1911b1b1a849af4a2f989b5da22deee8b8efe35f3984feec6176b465d09cfeb0d6d6dea5e

C:\Users\Admin\AppData\Local\Temp\YEcS.exe

MD5 140e6a28a59f769b0054fbe2ea62883a
SHA1 83aa2cda2e57f85532dc37dbd34cfa7f7a665672
SHA256 e78cdcb4a00d207dd8975ff275ca6a92a4a42adf2d5521bf3e0d0454c46412b4
SHA512 0bd5f83e8a398fe3a7892f4e7222f4ba76ae5c4217dacebffed060907be6d3a0242f8b3e0c4f5a272bf3f6d1379777a1ca9d786ad1b29ed614fd038f0e7099f5

C:\Users\Admin\AppData\Local\Temp\gQYw.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\KMAq.exe

MD5 847cbb6ba668d2f2c9290eca9c29c5df
SHA1 a270c968effd1c97215c2429818b11df80893f04
SHA256 53ee3ec8317835a170975a8d108cf02bd0490c61b9792b5f1f50b7e91b5bb795
SHA512 5f281fbea7874c39d3c0ccb0f0c31a5e8eafded03ac3cc2ab402ec9375bc6dea8cbd455b3985b55c4b9a30d794176b50adb0bdc73f356c3707cc68f582908e90

C:\Users\Admin\AppData\Local\Temp\Ykgi.exe

MD5 797b2cd547130dbf6899d7147f90a56d
SHA1 44fe2501c1c53101c4beb6cc93093653b0d5acf1
SHA256 f27de287c2aa15de759d4751436b278dafb5b3f173ad846aab5f9256f8b81767
SHA512 ece04d9b86f678ac8876015793f8b913826e92f3fb3010c33319d22496039b2b272cc10006f7c0e4c55db9e015af9f7810df981e313cf522c0fb6570711e21eb

C:\Users\Admin\AppData\Local\Temp\IQky.exe

MD5 cb6112b7a70f60047778e26dad0a0854
SHA1 e7031987124ccb1c74a59f5af72b4011a0c8696c
SHA256 ed005866871bd0c9a0d3832d1fd89b8b759cb2a33c63f142d640f9a864e70034
SHA512 6a12517b4fd727d72aedad157437c697003d8712b42c63ecdd53f6623860e67869925487d7bb92934e1aede3630d2e600c296328c951e5d4745e31addfb1613f

C:\Users\Admin\AppData\Local\Temp\ycgs.exe

MD5 a111f7766f4d220625e363fba6dd69ed
SHA1 76c82deb18a552a8eeb0eb94ff50e04a78205946
SHA256 63904e8b43dd51dba9e45bf132835a113e2a41a0a7dff0264d399a05cf0a6bf3
SHA512 a639b9af3bcd667bcbfc7d69e4032d3152a341cbfd4dae871746a9a5796e23af79be754144c84c47bf594761079600c915b39de9da9ca48e819f71789a331f22

C:\Users\Admin\AppData\Local\Temp\wMAO.exe

MD5 0b118a6bd5a81e9c5a72f9706eaf623f
SHA1 f118f580ae5e2106c1b64b7058aa7e2a9f58f4f5
SHA256 2947d652f404bc87b8f5db8b275940a0639c7bed8d4d0c9cee8be1b83cbe4b84
SHA512 6c74497823e02f1c2702c667c972dc419208a0c482afc7981827b72261194e1852513534d64a470213c5008d44e619285c1a5527026695dd829a83746068f322

C:\Users\Admin\AppData\Local\Temp\OoIo.exe

MD5 208f3d729ea7997ffdc99bc011e60244
SHA1 a5467eba295f59cfac431d80ca212b8d53be885d
SHA256 622774105d04ca30b46e8f552ab05767d00a995b00366b18d82dbc108cacc68f
SHA512 beb89739ed2688d529c8363e166b16c6f526de2a548e3fa341e8b3bba3a8db30e04a557851529677b71a671d10491088873f05a80fcf7c2ddad7f63efb30165a

C:\Users\Admin\AppData\Local\Temp\wAMw.exe

MD5 cca4918a0f51cd7a8c9b56cdbf33cd84
SHA1 71e0e63077c3bb9d4e5d2909432675cb16a6fbab
SHA256 176f9fdc93f8b9b822ce49f30f47fd79099760e9046d610aaadb92dadf635e5c
SHA512 3342afe66299fef9b661d472b3c07e905e103d2cd885069df7770c25faa801af64e1dda730aa414783431f79ca3b63f1e0d256cb2d89885d7ff795744d26f9a1

C:\Users\Admin\AppData\Local\Temp\EUQG.exe

MD5 54f0d01ac53f7a95b2ce7fcda65c0aac
SHA1 a591355560924bf0c490d80b13f8caf9202af78e
SHA256 3a6c141788c2fbda2f27bcd988b05c9d3e9652723c9639ac5e84df86bead6bbd
SHA512 cf5beb279bdb322e266d720208fda4594c71ce3c77c8b32973f9a0612d2889a794ce0bf220d0598cfa39b5e666e81a34f290a24c341ffba754325c2a2daa15aa

C:\Users\Admin\AppData\Local\Temp\CkYi.exe

MD5 bfa4ba6626eca2aa3aedd259f38f4873
SHA1 2d08a548e21ae489ef3abe99d451694bb3a070c8
SHA256 a71e32c8962e2471c6a9234b858a522d21dc5ddb45102e7e2bbc088e49323d7f
SHA512 a8c177167d5681c860bd07f5b367b0a50c36290b80896a1fd9932166018fd5b959e340a51d8376da5250761e07ca87bdb354143d01fb0672f48376a6f140dff4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 93fbe67bedd598e91ab9feb3e4850f7c
SHA1 82152e7d0ee2a9abfc9cf12fd3df0d1bf3264ece
SHA256 bb76ee4a1b7d27405f32e8444bb7258404c875ebdcacc8dcc5416fe4a3204e44
SHA512 bcdcc1693e440a8321d166bcd0f83188acfa3a93d6b286b8e48da0ee18929c2fa859f1541ce08f48a6647df47a485d602116439211c32f2188f7d378289b6103

C:\Users\Admin\AppData\Local\Temp\igkg.exe

MD5 6722d475c959207a279cc66988e943fc
SHA1 0f1faf3484352f2db4851f895cca633ecbd2384e
SHA256 c125ebcac4e145c43af861c2061790c2663c2eaadaef8136a7eea0abced35a8e
SHA512 e33591d910852efee1fc2ce23acca1b436737fe38828cff6ce772daad9ea429b93fb0e8ee3287ca47433bac00204c32bd79e6822d8797c1b3422e59ba2068571

C:\Users\Admin\AppData\Local\Temp\cosi.exe

MD5 4b9c7649c9b18c466a706f0bc6a658aa
SHA1 072e71d7d6e12ea548e637175ac240ba188f95c0
SHA256 6fbff5a663212086ece492d0e5a0ad595b64e2d64779af9030dec51137fe1667
SHA512 f1ae7992842f2bf5f094021b24a565838c88131cb74801b0a2f225a5359dd0653a5ce7e6ea1ee399046ac88261219d9cb9c3e38a069774528ba7819d178c9469

C:\Users\Admin\AppData\Local\Temp\gUkK.exe

MD5 e049ea4ac09ae54971eae37622fbb1ff
SHA1 e77f95b4a6c23aca20cb7b64a00f360eed8a81f6
SHA256 707d7d201abe117eb7672d402059edb149b6e7f4fdfa92053eeba98c5dc514fe
SHA512 4b01d53d5c533f994505fca5632772e86a38aaf0125842eb049bc98f6c72ddec555c44480407e69ed993fe7581931f826b80c74200b6541de11d6ecbfa544926

C:\Users\Admin\AppData\Roaming\ConfirmInvoke.mp3.exe

MD5 b0f353a31ec6e388893a9089b775cf07
SHA1 557776423901dcd4a9e3b2ea00c95b6bd8e76375
SHA256 0311aef67568ca2a541a04a399ec50c35ac210864c1c4cf62b4adf28eba258e6
SHA512 d11e417536e3a923c9970be59d04ed0e4c5731ea497dda51c7526fbf5c0c51699e07fc219f34efc78de3ae477f886d103443af9cc6c74895ed01476f93795183

C:\Users\Admin\AppData\Local\Temp\cogO.exe

MD5 11c714f3a48cc5752860cd089a0c00fb
SHA1 154d587bb7bf94b3b23cb28a8d2f63cbacabde5f
SHA256 2b2a8ef93ead0d4ded53a5cb7e32b43eb2165650990b8f49face948f450d719f
SHA512 4cf7cd2cfe40a1b82f5c683112ae99413c7ff95ddffa3f641dfb8c994ae601028de9f3d77179243269cac7cb5b1e7676e2d8e3e93968174c88de8cf75bfb2730

C:\Users\Admin\AppData\Local\Temp\icYW.exe

MD5 186673763c50cd836e75fe3720c7f203
SHA1 9436454ecd100d49da603a5ef89b4b429530e5f5
SHA256 de6b43074ca58d00aa1a9bf28d757ea57a7abc306f2a12455127dc8aa9fedc4c
SHA512 e13334caf70c08db8d021402cefcb5023ebb8a0cc494c15c03c4f4163e60cddcca4f25b8983955ffdb95479ba05c69be895b0a1db4ccb9c7b08b6e80f9d1fb94