Malware Analysis Report

2024-10-24 18:18

Sample ID 241018-dcty9asgkd
Target 2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock
SHA256 7e27f4605a99496865b95850d8ff85e34c06ee25bae1f415ff2fa9b713913700
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e27f4605a99496865b95850d8ff85e34c06ee25bae1f415ff2fa9b713913700

Threat Level: Known bad

The file 2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (76) files with added filename extension

Renames multiple (53) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:52

Reported

2024-10-18 02:54

Platform

win7-20240903-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (53) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NmMoYAcw.exe = "C:\\Users\\Admin\\TsQQcsMQ\\NmMoYAcw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LCAgkcEA.exe = "C:\\ProgramData\\mckkkkUY\\LCAgkcEA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LCAgkcEA.exe = "C:\\ProgramData\\mckkkkUY\\LCAgkcEA.exe" C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NmMoYAcw.exe = "C:\\Users\\Admin\\TsQQcsMQ\\NmMoYAcw.exe" C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A
N/A N/A C:\ProgramData\mckkkkUY\LCAgkcEA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe
PID 2652 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe
PID 2652 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe
PID 2652 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\mckkkkUY\LCAgkcEA.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\mckkkkUY\LCAgkcEA.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\mckkkkUY\LCAgkcEA.exe
PID 2652 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\mckkkkUY\LCAgkcEA.exe
PID 2652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2828 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2828 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2828 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2820 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2820 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2820 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2820 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2236 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2888 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 2236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 284 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 284 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 284 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 284 wrote to memory of 480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe"

C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe

"C:\Users\Admin\TsQQcsMQ\NmMoYAcw.exe"

C:\ProgramData\mckkkkUY\LCAgkcEA.exe

"C:\ProgramData\mckkkkUY\LCAgkcEA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgcoEQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rskQscYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JKQococg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zGskIUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uGkAkIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UYEgskoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmccoUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mmccEcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fIUIkYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWwsoIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\foAcwYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqkMYQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYcgsEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YysMEYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiYgkwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmYoAAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYwwIwsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hscEYAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rcgAMowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BsgQYUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UOcoggME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGEwIgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KycgAkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqgAEIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcMQEQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGEQUsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWokAYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogAIcwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uQckYUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcoowowM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wksYAMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWcskkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEkUgcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIMkoYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoUUEoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgAgQwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wwUUAokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCooYYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EsokEIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyogwYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIYMUUks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmoAcEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rIoYswMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuEwwcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gIEUgoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOYEEoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeAwQEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XIkQscUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xyMUkQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\baAYssos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKwQIQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEsYcoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGkUoQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sycoocAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WyoQQUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSYwMgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcIIoUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwMscwUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCccUooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OMUMwwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEgYYscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyMYogMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYMwYoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkIgkoEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUsAAQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGkksYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KioAoUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEIMMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ugwMggoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeIEcoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icsAMIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAwQMUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQAAgcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgYkgIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RksUIQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmwUgEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15504187721900245588-1597081645536093869-81247650-13729268391876237100649750684"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeEMgMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AosoEIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYYooMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiAgkMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwEcksIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGMQcEsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToUswEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1910186571249803059-162986994149489026162546247218629771879816202951872103250"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1294334214-1490504382-45725641213675595411131681273-1648397226-16115861-1980806200"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWQEYEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gUAQYYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12109897165907134381937299962124700068-1418981934-14143780041483261831964588403"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacMcwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QScUAIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWcEsQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1298993801802204783-15551607221121415145-702614509-443568958-1946686744-2096015866"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4978012295815212041351375071-1743854576169560838519570208783430387301069146399"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NewcwoEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAMAkIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUYAsMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcwMUoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsMkoEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkUYcswM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIEIYAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWgQcwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lagoUAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkYEEgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yegEkMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwocgIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYwAscAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QAYooYkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKQocsws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKQQUMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vOswoQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEAcEIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUoMUgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcgEIkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIQcUgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OkwEMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VsgoMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUIkcAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmsosUQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dacIcEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIokEkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUkwkgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wycAcswk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sOMwsQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwssIsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2652-0-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\TsQQcsMQ\NmMoYAcw.exe

MD5 881c8b4851e2f67e721512ca116029d7
SHA1 5121d58b2fdfe2547598f95a481456241c7def07
SHA256 d72bbba373a2bc97562e521e01662e3e6ef9cd00617499d5c747ac5ad20c84d7
SHA512 f63266c010338d910cb3ee39ac8c6e88763c49836328244f053d69d17399269c33bf5654086c6af3d04cdba08069d2a07507ef811f83a2c7e1b3e25aac62ca5e

memory/2692-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2652-12-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

memory/2652-11-0x0000000003DA0000-0x0000000003DCF000-memory.dmp

C:\ProgramData\mckkkkUY\LCAgkcEA.exe

MD5 80692a98127351feddd784cf3793125f
SHA1 53df56fe06284a393e74012216ae5ee1aa8c1db5
SHA256 8a92f79420c3c53be9d08ac1649068c5a9c8f137bd421339f616e09e37e460a4
SHA512 2f4f78b6fccd151e9eea9b1b8ef2faa3fc8e84a4eb3fb346f8d1f9aa5eec5d350790311bfd077dcbe0de949a9d6c182f718f56105b508abe18004d157602ac0e

C:\Users\Admin\AppData\Local\Temp\gAwMwMAk.bat

MD5 a77bc110cb954c360b24fb26141a4552
SHA1 60eab3ace955477dad3c8dfee8d3ee12aec411bd
SHA256 61c439649321eba94f6cc2401d659fecae161281e0cc00d2ec2949acc152a078
SHA512 8f873245c7a86ffe2996b1541181f896d54239d42192a50cfb4f4bbe2166d040ce0d6628a372b218824452511457411f92cfd03a5da64ac6bf95f793ccdcebba

memory/2652-30-0x0000000003DA0000-0x0000000003DCE000-memory.dmp

memory/2716-32-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2652-40-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PgcoEQQQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2236-45-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2828-44-0x0000000000330000-0x000000000036F000-memory.dmp

memory/2828-43-0x0000000000330000-0x000000000036F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

MD5 3d404187efd7b9fb9810d112bd8cc368
SHA1 4c18184896e46369b2af6de3d84c25f44d3f051e
SHA256 410fd53c9634965c2b56efbf7a774d79014c98a2cd1d767adc51636e97428c5d
SHA512 5c1ab1a5309e0d2ea3f08e0e01d1291cf964de682c06812061d46d7bf8db454d36532c58fa511873564db9cfa9d215a63e752d57acb5038581b3b9a55dd27390

C:\Users\Admin\AppData\Local\Temp\hWskwsYg.bat

MD5 d8f8d98964184c20d5a5d4747e28f054
SHA1 277af4492a204e09a2303eeec181dfcd4eab8b42
SHA256 7160fd0586e8885583d079afb82cf5830780fbb35732f4b7264e90c905bba2cd
SHA512 330fa9196fe4132d860e9e4caecc83f88a84124d5ec290bb83d6123f457f370d785f85d66a6a12a979bd9db9fc93cb6f02df107358f9865acd92988c097e9b0e

memory/2888-59-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2808-60-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2888-58-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2236-69-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FksUUksU.bat

MD5 d5c5c1ddbb043713c564f3e6e87dd8e4
SHA1 7f805512db0d078d6ca3d92c3378fe91bcfb9d36
SHA256 3e95548b159b50feea8bcf916eab4ce58bd3a5ddc024a4b6eeb36f696858e561
SHA512 0a30779e060d8588eb4297c1b1042bdf452f141fe57d4f004160238dac32490213ee62a494c91380c90b49da417fcc5eb55d741a53cc8301e31a3f21ee905f14

memory/1624-82-0x0000000000440000-0x000000000047F000-memory.dmp

memory/1624-83-0x0000000000440000-0x000000000047F000-memory.dmp

memory/2808-92-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nMwsMoAU.bat

MD5 ccbff7eb94f32e59a14f3511656a8c0c
SHA1 cff3b05c12dc4327514d76a76576052c185baf56
SHA256 c063a8701f147f9bc0d054321ed894dfef3bf902864288c707efce992affa115
SHA512 1a672bf0ddee46b49430827839390aa5fa1d585ca80ba8d5488fc3cb5eaea4c9a40d188a8978cc5d32490f9356f32065a3e8fa03cbe9e9a03801865ab0e77863

memory/1952-113-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fiscgsow.bat

MD5 32793da520231e321b2b15af5535cbe2
SHA1 ab0f4ec8790c108caf2182292f6cdd8d7e1dac82
SHA256 27958cb2a13c972ac93cc0102317d0a2d3be7b31b4633f5d7aa0695ffb1ab351
SHA512 1d90db165c9fce1489615292226d27c1a2541b2530ac397941d4fb837c9408d4e8470339a10cb7324006e8b87f3d1bdb873df3f6d4de3dc7ca5b1a102132141c

memory/2480-126-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2476-127-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1860-136-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ooAUAcEs.bat

MD5 63a18114ec77c84406a9078ee8dcb854
SHA1 6eec5f353fbdf13d636fee7e6089481c2978125e
SHA256 8b734ec9b2e1d206d1f2dad8a855ac44cbcfff5d21db9818c1e4d1d977b9e649
SHA512 4ad54826ac2259f7d969c06b37b5d94c848c1ca2cd515479a549e533d1a53be39612e9b0703d691a2b913b32d33e2746546f63359b40174acf884828f9742fbf

memory/2476-159-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QWUcoIoA.bat

MD5 9ab8497455888d250c121db798d49863
SHA1 f139083b1443d1487f0c7ad59a270bbd6a41558f
SHA256 4bab9c0c9560eb5dbefa4667a736110b801e3c82f4d7b4c8e85f5e8b32b520d2
SHA512 f799099f17cad055ac0ade6769ebbe5dee750a36d7b7068352b9c3bf31282d8b6bf388961a35c63b49bdbccea0e720d96c987889c7113c8d6f840439b613a15d

memory/1680-180-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAEUIUoA.bat

MD5 128d38a4ac858edcba856e7fe19899a5
SHA1 071e047a1e8176623f5e2b65690cc4b07c077b83
SHA256 260d18f6e56f1313b7a875fd4ddecccd32430d4fc0b7e77f958c9076713bb22c
SHA512 bfc7b65a7957625fa7779a07cb060d0dd433ee2746d85e8e6d1ab81a24b3a83c46916cb8ee139aafe55bd34c5bbba31338e68d95ff38fef6a43f425f08afef18

memory/2804-193-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2624-202-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUAsIgoA.bat

MD5 05960336138712001c0bd01f681bfc13
SHA1 dc807828385c0f17aee5ce1c868ad3ca2c71e3bb
SHA256 4e087b22539cfe0dc6a39782bd5761fb417fba5d35a61f61e9a50f8de3220cbb
SHA512 a5cd573c6aa9dbbf4dded5b04d4630a6ad7b531144458a643125d677713327cd06c8deaec755be3df3f10bcf3bcdb9be792f5f42754a4d4f174a881ad3d705ae

memory/2436-215-0x0000000000190000-0x00000000001CF000-memory.dmp

memory/2436-216-0x0000000000190000-0x00000000001CF000-memory.dmp

memory/2008-225-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pWcosIsY.bat

MD5 e8a1d13f305e37d9d6ecadaa9210ff52
SHA1 e8eca012be5cbcfa7c346ca0eeb592fee3e40767
SHA256 8d10a3844829e8d78a428b98f0c271e8af6736f4fb64b0ec8a72384f5aa4cc3a
SHA512 c3a0a15e24735bd2f9cb9a74829bec4f49a5c03076c0b9585110782980aa87903a2cd6287333a36a7ffe0fceb03004aa1a3fc8a5c0af4daf4f3cb6eb46b02cc9

memory/2332-248-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FIIswcwI.bat

MD5 5fcf272bed73aeab95f512f7b3e759a2
SHA1 f46aef8468441017c2cbbb34787f48e9f22ec973
SHA256 02af4874bc98a0bf7f4c67a4d92e8394c05f0551c5e57216da63cc6b2ef85375
SHA512 7fd0cc6d4742ebc8e27fa5ac023a1e7cdeefabb238408b0e8da286b51185c06faff05625836dedbb476915ca446529cf8dccfefeae3d4688a9f115912e450db8

memory/2404-261-0x0000000000120000-0x000000000015F000-memory.dmp

memory/1704-270-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zKcsEsYA.bat

MD5 26d21d4da5bf926054d404c78aee549d
SHA1 0144ebeab60e1f0581100633a31650be0c1a4702
SHA256 4261c24b06934273265eb68374ce109e37c417d43ff7c4770116cd0c887cb5c6
SHA512 b7b1c8f78f99e757729636079ed5e8bd44bbb953cc84925a8379bfc0763d60a3ba02a029e576e21b9bc3e66f93caffaf4003b77f4de89f3c7726756b03ab6862

memory/2816-283-0x0000000000120000-0x000000000015F000-memory.dmp

memory/1908-284-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2204-293-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aoMIAggo.bat

MD5 e4b9cadaa4ab28c6b45499d28eeb4c47
SHA1 20d772f123425207067af0a3a2e93c4cc22a7338
SHA256 4a406aa3037d7bbf9e624a283abb780d9dc14528963a6316d7aee241ea149130
SHA512 1549f24d0a3690eea86ff6abeb85a8b2292c2f12250bcafd359009784c8bb14db0bc12a329eac5f4609e3e0427e9e749804ef9a894dd119f1a0872a04bd6dd85

memory/1908-316-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kasYYAEo.bat

MD5 22aae771dced0b369920668375b5bf34
SHA1 56d61f051b43fdfdfbdbe99c4d27545e188d5f38
SHA256 03fd6ba696e29f0adbcb28d280e3ce7c217d8d8cefb7b32264707d48df79a68d
SHA512 d49518c43905d0bb4d6d926948515686a22ad10305afd68f87c0c6d56ab85243328608f782ae0c9ff43b83dbf2c61cb799f69cad4c7a74aa8305fb5ec4d5e684

memory/2228-329-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2012-338-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qEswgEcw.bat

MD5 49747533a6ae21d989a33029263b95aa
SHA1 6e93aed7b9c7fd7e11e0b446cf0f67cbd8cfada5
SHA256 d7e47882d055429249ca47cc483de4ae52e750ac0e26a67bb50ac6d100b32a78
SHA512 b5ad6523536fde293fb4fe7e591cf50acd68fd3e520a5ed01a88b6d5b783479019be8de974a1674713b4b88e5cf071cf91e884889bf0aa7ffae6940c69d2b5d4

memory/2156-351-0x0000000000400000-0x000000000043F000-memory.dmp

memory/596-360-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QmckcMcg.bat

MD5 eab3dbf675f5502689cad60cd7d9d1a1
SHA1 bb647cbede5d75da63bbf70164ba74815fc3729e
SHA256 cdff794a00df3b765a076e98b792fd68753b0a3e8fb94097289098628d383a30
SHA512 b8e74a43882497cc7fe9ce5447e53e51a9c4709b69006900f3ec8b65f9ef93829e9517e2db839fbcc20b16fa200dcba19305764ab43b5b2d1996faa10c0bb974

memory/2040-373-0x0000000000110000-0x000000000014F000-memory.dmp

memory/2368-382-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dgokkEcU.bat

MD5 bc1ec91390918f7f4ef804a511abe51c
SHA1 34cc9fd1bb3148a25ae05dbb8d0cbe82903a0679
SHA256 e671da4adec5ff880c15155de0dd676a8332090cd02fb515494cb6318af98a61
SHA512 7fbf087ab279cd481000db7b0ad72fa61da85160546e787519f0991b934f1d78dcf4da9946831d5e6d15d0d4dcf62ae4bdf42f0cd051973e339fa001071797bd

memory/1012-396-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2124-406-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JOkwMYwg.bat

MD5 a3519e4d1fbec9ac263448de77d6893c
SHA1 7156223e817270a79a2f25a2f62619016e6ce1c7
SHA256 4cad7f121f51f6135192874fddeb529e66029e2376bced0507d9db739459a3ec
SHA512 b2e69df5c5647bbd6fdb9a434dffa6895a96ac561704f8e8c5e9def98956a6a2c5a1ac9750a2eeb20166a7dfd952fc72679791d31fb86aee1fa1018a6457505d

memory/2536-427-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\XawckEwc.bat

MD5 3f96a1924c349deface055da54a57062
SHA1 f3af01a6d8f58de7560f774d25bbb71713dee8e8
SHA256 d5b587515e5b2e9473df47aa6c2422af0aeb75bf6829ad07557fb45636541254
SHA512 48504beabd94b1703240b8f305b7faf701d80fc0f8ca2e2934f6cf81abc47bceb51e20fcb0c9dc041b54b303ca6e9daf848bc163b1dc727af617672f0bfd369f

memory/2664-440-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1776-450-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3000-441-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZSAogsUk.bat

MD5 0d1ac4ef325dbc9bd2e8b27f113d3e0f
SHA1 5d7196b58e0aba4de8eb8032042f22357a4505f9
SHA256 e61a41aae256477d0df9391a522d6e7ab2e6c1fa8dad209166f6ccc2878bd809
SHA512 3a87c555f27b42e483496fd728526924db546025e176236252c12ac300339d2c36e46a5bdafaad32da0ecccf88d298771d28f2cd007c5499770dbed0c9539571

memory/1544-463-0x0000000000260000-0x000000000029F000-memory.dmp

memory/3000-472-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmcQgwYo.bat

MD5 26cc3a23dca19db141236407a3c6ceac
SHA1 4647fec3a96b5f00a09f160bb16cdbe0b4998cfb
SHA256 51582a6f01fe3c5240422681a264398ccd857b54cb99eebb2971cb07b96afbfd
SHA512 198a171cb46d5aca3c1a0a0706b3d157a05fc0bc092393d5c23aa794315e5f3785939f1b6fc85355d6c71af05c4a8bdbb6bb32abac659f58e1fc705390b25892

memory/2348-483-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1284-492-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwAwMAsk.bat

MD5 7096acc3aaad31b5adddb6a43d852e02
SHA1 dfca563962b9e01dfe0febee5f45182d001a2122
SHA256 e671cf57a310362dc074a5bd061d0e0802e2dbd0a116574a1892efaf3f500da8
SHA512 e7b93601ef377b849fb15d0ff5d6a58174b33b33937530f418eed24773ff55c92d043b892aede9779914958787ac381b7a1efb181c82cd1228f6ff0cdaba1a4a

memory/2152-504-0x00000000001F0000-0x000000000022F000-memory.dmp

memory/2336-513-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WacYEIsY.bat

MD5 d99b738172caf095648391b26abdbd9b
SHA1 aab4b9f2be0fb2d34160dc1ee6109f8d0eb68833
SHA256 bd66bb46f03835c6ce4919a1702cf50c831204231b81d9cd5e3252da32f39fd8
SHA512 e9ba85a4e1b0870ab5e35b0e61887c3206f260786981753e51d97ba9ed2dace40f67578c7e31f7b5d740f69bbd049ef2c03152bf0a01dc66225b7523a9680c44

memory/2272-524-0x0000000000160000-0x000000000019F000-memory.dmp

memory/640-525-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2472-533-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CSwggQss.bat

MD5 a82d8c8336de25b532662f21fd3ac328
SHA1 48b45a8bbc81b56db850669f547670f3e1098bc9
SHA256 01993dd04ed6425cb96ee8375f53ba3a45b033e2f10b974b347ebf862cda41f8
SHA512 083ef3ca7fd5320f605326e82971ce2e79e2094e69d97adddd7f4a28079596445b0e9ba78cd3f2d42f9bb89d37557ba57d084bde3a54aa338acb8c32f8778dad

memory/2032-544-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2688-543-0x0000000000210000-0x000000000024F000-memory.dmp

memory/640-553-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VkswoUMI.bat

MD5 6a225e0b283f30fab565f819a6c9ca12
SHA1 d7aa972a34adfaaf01c56c2e5c7819deecc0ec78
SHA256 ac016b08b29532eb8635918e77f91353fdd380bdd59c30dcbc66549077edd19a
SHA512 d587db9ee71580730cf4064cab7b162470d25849d4b00fb4aaa2b0a29088926d14a984d606fe3f344276cb6f57da1d7ef3ccb5c3f75e259a69dc9e784f9b614c

memory/1620-565-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2032-574-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hesYMAgo.bat

MD5 5aae5d8fb6b4f85280c503bd87086db7
SHA1 7345c805473098209a1d8d0ef1367cb5d466b24e
SHA256 6978a2430ce0f5067fa1df40c959af9accb4d1e0740473d1aa433b544bbc02e9
SHA512 aa43a7b49d5c99599fa3b6a4911ad281d4408b1265b674b6f89779468caed0f983a3e6a8b6afa8e102361424b9b2f7bccf9b2d6cf5787233f3a442db25a69891

memory/3000-584-0x0000000000120000-0x000000000015F000-memory.dmp

memory/1296-593-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JsEwgcUw.bat

MD5 9e95c4373ef92d85cab06b38435a4ee3
SHA1 e50ef4061ee469c94893cb1ebb14eb62aa861727
SHA256 07be991163f3f6505a4b315b75f6ad346152d57d592ca8330164d67b26a1fd69
SHA512 b6f5ea70d1aa2340f9c1ca0de9c6067837c931a5768ebe53d063fac6268f270e39cdef28a17928dd4ad0f74e5fab914b8271dcb613eaeb3624bf3c9a8933ed5e

memory/2692-603-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2716-605-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1300-606-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2088-604-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2008-615-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmMAUoEc.bat

MD5 7d5ad1cb9f532dfe9b9be612a9397a3a
SHA1 14572f7dcee605d7a2253c2b24f3e8e43a280a5b
SHA256 cd64e5aa03e3a5b143599e07e34fe72a152949baf623ff198d655e985ead2fda
SHA512 d89d6b82d3d910e46d1ace1d5828c888e4385ee45834ef4c15adf9bff66c5d309c0dc7dda1d0d8f7f29362e1d01e9e547f7a9cf41c06b19321fd4514411999c0

memory/1300-633-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YUwK.exe

MD5 3f9ca85327292640ef0d61bfdcd22856
SHA1 743883f932975c9b44ab7ff725cced0b0e56701c
SHA256 f7414e290e5a514c6006f8cc9dd514dcf352fef3d4e6a19de25b04a5e7c69a3e
SHA512 c1ceea010f237ffc1c4cf5642ccb584c6a6150144d7ed9bf2ad859750a8247eb6d86f14885629bbb72e4e745c9e905927bd22b43764d8eb268c694420659d5e4

C:\Users\Admin\AppData\Local\Temp\uqQIMgks.bat

MD5 359a0757ba8a29d1ddc7f7ebbdfddea2
SHA1 e39a5c62dd36e860ec89c30feddf820d5178eaa9
SHA256 e1c31654ae495e9ee2862a7f94aef6ad0879a70fe370781b4f8f8211b6dbb6a0
SHA512 8c6b08ad4c0e205a3a2cdaf05cf67e4acb9b2f5c437b4e6ec4cd3af1fb9dd13a98921c97a258f25acd6de2e44efb43a9a068ac5ad130d0b2706bd571c624eb95

memory/2516-667-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uQwocwwE.bat

MD5 d20bf07590e9239736a47f6cc96c76d1
SHA1 301e9e85febc67235d6da6c2a93b8b4a3cd37bcb
SHA256 e9c72f802289a004ea3e37b858fef197389621cf501414c722a0db4eb1871286
SHA512 93f810e505c8498efe5642c4175fefa9899193ea6d65e3bbb9f385831459203f23f203b6622af4245f86360d3603315b18c5659a950ff180d9936fdc012e8634

memory/2980-685-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CsMAggQc.bat

MD5 0b5b93060a5c614858932654a9048be9
SHA1 3eb03ddf18c6c2786bcb6df7c47c7ce27fbe6ae9
SHA256 42b6de4aa02fc227d6aa906c42ce135620c263929fe4916d9f6ed3ef323eeff6
SHA512 4140d9834b199d0f02987541686779db234dc78bec3a66cd813407636b4a32b54e8a86ebccfcc872e66ce3e241e219a3c7d9c9f600432f8fa15bc0774284dc8c

memory/2688-695-0x0000000000140000-0x000000000017F000-memory.dmp

memory/2140-704-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cSAswsQc.bat

MD5 6a6b3e3b4e498ff130a1777987fc9019
SHA1 43a09379d9433b32728904e08feacf4887f5539c
SHA256 9ab0a59b525979c893ec9864f0d5543e53d2a9c94afea538f8c572dc0d8d75b7
SHA512 fe9a28aeb26f6c00fcd8c6d5f2171eed0f07d0965b499895c2d6457cd43832335d5ca57d2c9f2382adde5071fa322ea391334999c691fc44f3a2bc3f0b0aedfc

memory/1252-722-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VicEksIA.bat

MD5 56c889bc9b7af9fafac9d73224ea0b94
SHA1 a79146521dacb862c8ccaf9272294dafdc899288
SHA256 ff6a9429d1c8e108a1661e50ee408a0b46ba4422b834fe3865b0eae335388c77
SHA512 b577c1929e4c055dd74dcb77b7ef5834399477786f83cbf6fa8b8561b6a0ab9d8ea93555558dd2121ab89038d855f1b31342793fd218538c28651ed1e7d1d84b

memory/2860-734-0x00000000001D0000-0x000000000020F000-memory.dmp

memory/480-743-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PYkIkIoY.bat

MD5 3d998776774f8fde2b56d7017bf5a90c
SHA1 fcaf1ceb51b547a1ae229bc90b4d4da90e9c8ecb
SHA256 053d7f5c68494b26d072ff666a88a4dba4bb8d7ee7b6bdbad8ee86c0536a6f9b
SHA512 2633ff49d680833542487b6b4dd23ecce8e8b0e686a7ec88471054211c2dabccd252bcf39e03fc2257cb78b9235fa63df4a9de06cf4f4699799bc41b5fa7fbbc

memory/584-761-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BMIsMgso.bat

MD5 0015f1a97753fb436543bd5fadfd8cee
SHA1 f2fd64a1a7eb205ddfa21e5af2cdef34423379ef
SHA256 96e3cb8c970ddf3c796cd7599cff4c07574482f859602029c763c2bac9b39b52
SHA512 d67c35083641c92e3ae2c157490c2ee149be3b0145b39d2bcab94af8137d92ddb73c66a7ad9c37cb5f96c41206d075565e4fbeb3fe8d04870cc6942b37c02683

memory/2436-772-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2436-771-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2132-781-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DmMQgkIA.bat

MD5 77a5c606306b00ea85490d8815392c8d
SHA1 256a0e6413512be9367083708ef0ad4cda4bd35b
SHA256 3f4b7d3712f0ed2495b527d2b5f5acc07fee2e6b5dc16814e2e30dcae8be05f4
SHA512 cdd67a5c896c82cde6bfcfdee6fd3abce09043c77df1a962c3715098d03aa8f88f55e899d75ce96604437083e99150a393927c0cc1d1aa92566820a4274fca70

memory/2452-799-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gQEoYUgo.bat

MD5 e1154ce5927495f7e127d68cc0ec329a
SHA1 ee7391502871d365773544ef5162650f680f00e6
SHA256 93925e5aa71a470643f2f2f783419e47948d1feb4fea0311be1a2319f8b7512e
SHA512 eeb1182109070e3f090d3f8dd405f666c30d7a9e003b5ccef5ff3398c1eac999b80830807378ad55551810e094fe073afec9f258c7dbf2a264200779ac170a9d

memory/2980-819-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oeQUgskE.bat

MD5 448b244e375c9d3edfd153a2002dee9b
SHA1 543719b37bdbba9ad521d2a0bc1dc23b671d18dc
SHA256 a5cc76a5e7434f15e0c25b9aed8110acd288e09aca911443d152781828a25f39
SHA512 ca0cdfe214d3db6a70c90337834ff8b6c49cdb054f0de28044be804ea22fac322e9dd4c9c0fe12cf4e66d46785e7a93097da7ff2e6adc3747f9e3817f48e3ee0

memory/2404-829-0x0000000000190000-0x00000000001CF000-memory.dmp

memory/704-838-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEUMksAw.bat

MD5 340607ed9b7a83e234514b79b50cd138
SHA1 1be869a4d94df8ecc27e2cd1c4e16690e045270f
SHA256 66ace8f0e6dc339045811e1521c164a8fdeaeeed1fd7bed05899b5a9da2b36e6
SHA512 76c2a1b03b7b90e04b2d05149402e2f31d02d4986f56f279f846aabc116e300816488ca559f572c85b16d8fcb2e32cdec8bac314981899063906e47d6b0412ac

memory/2476-848-0x0000000000500000-0x000000000053F000-memory.dmp

memory/1252-857-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rmoAQwwI.bat

MD5 b3beda681b307860d444d934cdbeba0d
SHA1 76d2590377d4d7a094960bfe1403cee5b8347c2d
SHA256 cbe584c82136c55107c9572c05b87c6796db19a977d82be109dbf82354b3e0c7
SHA512 6da6c9a5f59f782845fde993b0569aab0569c8bb1e8eef3a6992db343b20701dc1d05b6e6a53cab8e74179f02a37843faf4c77ba4c1229d979d0b77a29748ba4

memory/1944-869-0x0000000000180000-0x00000000001BF000-memory.dmp

memory/2548-878-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fGcQwwks.bat

MD5 a06d7643fc8c105cf1601415c255bd0a
SHA1 649a9aebe95b073b3c09c61e5b3f6a642e05ef5a
SHA256 8dbcb2710ba9b369f15c9d94f69c91e78cedd7e2d3dbf8e44975dc04b03f016e
SHA512 57c009072371fd941b4b10412841d9a56d8fbc117af06cbd05e9a24f086b838e752fa27cf5bda97f5f4f07422f4b2adc4d2a95d3b1121e6bfef2ab5a794e2539

memory/2652-888-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/1704-897-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XQEAUcME.bat

MD5 999ec69078f8e7f97b4144d31cabf269
SHA1 3ed9b7ededc6f15820f1c6bcdebe6a1a78bbdab8
SHA256 9c0c892ed7dfb6865344a8fe7adc79364ad96b1d01adcfa06ec2beafc0c3c207
SHA512 4f76ef561842208f5015e7aa79cb224fb2a56a4b03d78dd408e36982255ba777092f4c1f778ca9fa80736301d3dfe178b26031c02089ffcb3f3e5f73d8ca38f4

memory/2616-915-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pGsMYAAI.bat

MD5 6f8bd6653eb9ae4658c5b2819172b407
SHA1 5a641774c0426f85efa9605c670eff1f773da238
SHA256 eb9e186d181b003adc3894924c34dfdb3be31f3b9f648e8dd885272cd012d823
SHA512 951739327093120ba03d6890cf43bc423fd8f9b2f60007d5deb88b06588b9fe2b5af4b0fd5998fa5b0032a2880b085f4f451dc0042b2a01b145c61781d5dd27e

memory/2604-925-0x0000000000820000-0x000000000085F000-memory.dmp

memory/1028-934-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQEAggME.bat

MD5 f3ef2d00ac42a9024dbcda1f9265ef2a
SHA1 10334a957635e82c6b168ba34992a646a963a5c0
SHA256 53cdcc1b6cf9373f4fdff28db0464922e6ef0c701e9c6c88ece5998558932515
SHA512 5d878de911256b3de395155d6c9c9147e479ab9db3724d55fd6a772cc46c03a8e1b841db1c715a7a82f74b418f3f6e9b837f30f0ed9bbbaedc90623b38b2693a

memory/1268-946-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2988-955-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WmUgocAM.bat

MD5 017628469387ad16c089fd874c6283dd
SHA1 80c7db737e8f77b1dd202e5c9060d142177b95b5
SHA256 cd365a0bd5ab7c5658fb7a9de3b083050ee615e9b377b3b540bbe122449457ee
SHA512 a7895c450773353b5d2069e1183be23bec588bf2cbde9ae400033743d98fc7068815949ef000f8c95da0d03409d2c5a996e804775675915b61ef7cdbd7711f32

memory/628-965-0x0000000000260000-0x000000000029F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CYowkMkk.bat

MD5 d743bee7d4ae7497f092460a495de21f
SHA1 eca9344140c92e09912002408fa4fac30d6188b9
SHA256 4b13bbd1d10121f3b8afa29b7ce5cf528546977b3b28fe6ac4dccef87dd49cb6
SHA512 96f1394495282afbd8f4610fe041f6cdd8074bc015c78c19d2bb9d0df3c7bca4364eb65ff532d28a9b7b237019ea66f219fd5bc4a6dd1eef9bdb8070f1075cb0

C:\Users\Admin\AppData\Local\Temp\SIAgskMM.bat

MD5 c0dc7ee99baaf4636ea16d2ddce98e20
SHA1 16f1c09d6c0afe01506156ec8eac5b9df270e38a
SHA256 3d09c855f690d399483544f75962f950128a53d27f26d59c0f20c86750265d94
SHA512 e381ef9a99b83e1f17fc8d75c8a04ecd27309579465ef0afc77f0ae5d78cd54ced474003b9da2a1b02430d7b9a7e19b2609614bcdd6871f1215c78095b6f87ec

C:\Users\Admin\AppData\Local\Temp\fKgocsAE.bat

MD5 d27f1f09c55f6344298d021f6d10ba76
SHA1 9c857ebc3b084fce48909f667eb1888a7b4214fa
SHA256 0f5d4e0542a599160a468a18d85d6324a02b07cacef5da8314922d0d27aa797e
SHA512 f163fa873d31aaaba10380172a71b17d1d7953e3ad2a8c62ba51367ecc23936076b2e17cff487f670141aaf1ab10d7d56d67cb5a939c126ba3ae7c61107bb4d7

C:\Users\Admin\AppData\Local\Temp\KMQY.exe

MD5 207919c5ad055b824e8a0723da4a5896
SHA1 1aee280eadd1818874ee7969a667f142b974c45b
SHA256 76e2e14f69f4292d7dc05ff1757bed5d0f15fca4353d383ce7f39870dfdf66ce
SHA512 fc851285beb4755e888df292a6fc2b62c1bb5323dfb32254dbcc682ed1b2d5751029f0d8e0a7e7e1b76ea601022af730d1ddbaa4924ea1fd09be1ce062144fd9

C:\Users\Admin\AppData\Local\Temp\eIwU.exe

MD5 6a02026b8f55b93c8f141df50a6df6e1
SHA1 9ade98010b9af7b179bfc6f0d37614c841a4c8d8
SHA256 45ef2d33fcf4682b91f7af95b7ea9628ff3c843a3d405879cc0b5ae2ce2cee3b
SHA512 7007c305a10a125edfed8773d36cf8ede9bbce8fd8b96ffc76c2c144c151f9e8521d2e76a73b0d759ca5977f25e953e920a61df10f41622b1dcf7880d4518062

C:\Users\Admin\AppData\Local\Temp\deUcscsw.bat

MD5 5c3d6623c0a7bc8a4483e3951e613c29
SHA1 d0e2694a4f795c79c1d5d97cda6b8b9f33ac71ab
SHA256 09514f757d97a7eac6cb54359c06215b3dad4b8a723c1d4c2ea234d6113e3e55
SHA512 5a521ef74649829c8ef831402c07381c1f3db0404cbaeadf7082aa0917cdd1e61a4b43c651ed975c9ecb2821e9424e2a8af94986d8ccb70f49547db99fe14292

C:\Users\Admin\AppData\Local\Temp\yIsq.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\kksQ.exe

MD5 246762574b3d4866e893a09f7359c32f
SHA1 91df4a692ccf3b0b9293e2d5abf88e37e1b192bf
SHA256 e2072776895250ff5edbcb9e38d3beb3eb9664c37b9bee45877c52b0590d2640
SHA512 8b18b18ffeced89d169ad4176a3f453298051ff623faf56d4a39f41206ba091ac6d02fc082276973efc41c02d22f2da2d036054d2bb49b832379636f7c576c75

C:\Users\Admin\AppData\Local\Temp\ikIY.exe

MD5 a5f84f80d357efbf7846b2e493a4d096
SHA1 93c7347d8b5a6c59031d47f0477711dfaeff652b
SHA256 b6deddd34164b5a091a60c34e5014af85049bfb76bdb522ace24cc73da13ffeb
SHA512 091bc2c25d5235e7a758717caf557d1d28519a1ed84fc351a987af1db91015f6d6b3e5701fbf897b7184743bfa9d0e60296078a2af59f941554a7c6efee6a969

C:\Users\Admin\AppData\Local\Temp\uoga.exe

MD5 1178c58b1768409369a80f17d9527512
SHA1 53c6117ff9450ca8112e05b066dc4dd513756685
SHA256 4da2ab7e341b2affc4a973abb27862693adb51a28c502313a7c07db50cbeb292
SHA512 623c371ff69b6bb30eb0131ea36e8c0be12013f5c89d5401bf5e654f328c60f26bbef889c94a25cd61ba0cb4b937242bd0cce13d16068d755af466e27492f7a9

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 6b87b694c18b524123e20b570cc6fc76
SHA1 ae6d4bb45e79bfac438d1a264d2bbd6a8e7368b1
SHA256 93b056ba2823c4b0c76c01ab2f16230309139ec0414d92cf821a8bbaf15c239b
SHA512 033617cd5b143d5ba93badc14eb4e4cff9984bce8a45b9d37ef8d159a02abdf532a6fbabaa4fbd39e290bf1f9488609668365421f0a651e2360de9253c737e89

C:\Users\Admin\AppData\Local\Temp\yYAQ.exe

MD5 b32111db7f138f636a07b029751db744
SHA1 3ac7f911c72aed55efdecca512cec8f9b4ca569b
SHA256 02dbe2a5f25278b3b2b60a5bdcb72c00c316c9a95454789805f02e403cf8c2a8
SHA512 06ec1255fcac785630811a4a2decbaa6472df08832bac9edfad43c13a5b93e8c05191cd0681a7558ce8e65dc23308a3875e2b4d8ebb784529e91e63e263897c2

C:\Users\Admin\AppData\Local\Temp\sscq.exe

MD5 eb11bfebe32ac2c84223411a17590b24
SHA1 5f0c4f014df9920c5f94e9212e75cb2c60b97538
SHA256 2c5a86c8d7a09d37d2fd797ee713daa3da15bb14322b6ea5a9d5b6b959931e7e
SHA512 c23db8b09e7ef7436973469b0ed5f81757c431d234d17f741f154f8da5836829a04e0d7e0f7e7b9930f8ef77cee480388d6b2d5c806b0c9cc0a37adb841831d3

C:\Users\Admin\AppData\Local\Temp\gYAI.exe

MD5 728f38309c57c9154a62f01afac01175
SHA1 37d1d72e6d0be5f28ec193f84f6c9ddce873fc07
SHA256 acea5b97bb0cf9f7a8985ce80d3f244b7f639e768388e4acc15135d394d889ca
SHA512 d3dee9bed5924eef78604106442afca86e74570e1760590fd5bf7c5cf5c5816e020bef84f3918044f5f1bac3c994c22c36532b836cf536f140b6dac21d65145e

C:\Users\Admin\AppData\Local\Temp\XMYoUMUY.bat

MD5 1e8b2ac79f531ff562a8978da9cadfd4
SHA1 5c0772b708d33446eac5f34d878c8038618f9057
SHA256 9b36d7b61f4dd0ef44aaa79e67b50a60ce40d51c554652873533c172e411a5ec
SHA512 2871802bce51fb9f962d77eaedaf5cfd16aab8cb828c7c29cf5ab41632fc9ceb9317159fbeeaabfd59f242ba69cb50e5e8185aea3aeb5f18a0a17d61d4a0cbd8

C:\Users\Admin\AppData\Local\Temp\AwUI.exe

MD5 e056be0445c6d357c49222b2b7ce64d1
SHA1 5235cb9b0330430dbbd663804c8068ab5d93f82e
SHA256 feafb2ccf7156af4c4126c1241b7ebce9a284d807813c35ebe8aa9a9e7f7bf35
SHA512 9e33b73f44c229650a0340431222f4d43171ccd29d8827a6d87201efd283b603e347a7794064d0de703d7970d652a4654ae6e2809ec5247d7fa219a4b593cbd1

C:\Users\Admin\AppData\Local\Temp\gIUA.exe

MD5 0a12e085edb9a15916c712cd610fd514
SHA1 f2564d575b0c83532973bf3c4db02f4a709fd95d
SHA256 1c6e4e5d084e11230b31ebe424d24e13b91cd22439bb014b1e2bd795c5625c5a
SHA512 c3f84de38832cc66298d4bd1630b6aaa7d48d9b969892299c421c66eff3dd4de752f734f56e017e326a17645ec18ea47bbec7f3b0a7b1c27abf92f33b4e27556

C:\Users\Admin\AppData\Local\Temp\kcIM.exe

MD5 7fd8dfc414927a7b923eaed19a0b3d28
SHA1 d4d4953e5125f995943deebd89aa78946ca9500b
SHA256 229634912f8f264cd78d7b6c345eb10c47398179fb044aed1e271fb7156c182c
SHA512 bfda28a5407642c325b751af794f6646127f140352083c3dafdadb48968681a462f1953fc0ea8b7ea2930459f5ce81257f10f50fdd4badb793ac4a90b04d519f

C:\Users\Admin\AppData\Local\Temp\GgQi.exe

MD5 4181e437919a22c3cbb9e95cb4f066da
SHA1 5346d6dfbc820a50c63d23200f56668c9a5e3957
SHA256 898a1b59dca9e0cbfbc2f544dd8bc990a3e64663a82735e578e50da8ed6a1bb3
SHA512 4b829cb8c44d1b319b409b8f75cc4aff607a7c1cb22f92e3f23864b9d331e84bbe0b99b8da71c6a49a5ccdeb3d5a64d1257a2765a736556b4667645a2df7372a

C:\Users\Admin\AppData\Local\Temp\mUAu.exe

MD5 2b96cbaf7152526888405e4cac42ed17
SHA1 62a49f7ef7992bf1b9a7a6597b2b5432aaa61ca2
SHA256 3f6bf60e5b7d377938af0f619ad91911963a0e771b78138ee575223da1f85afd
SHA512 f73e5693e169f29ff6fd79ca99994216d7b29dfea47938879d8bf72f874e3a35b7cf91ebab78b36f07c24a0c4ef0b480e5df2012dd54aca868794be2d6727ddd

C:\Users\Admin\AppData\Local\Temp\iwsA.exe

MD5 d067dfa16011cad22b668c4727e0dc61
SHA1 a352dfbf2648021ae70a3663729908a101b158b9
SHA256 d86cc0757850e05abdd9be862ae936608e101cb59ccefe8a3016b10046cd2841
SHA512 6c6b81e6e25c7a48763dcf14802bf547446eff5e982d3808d484d14e6e3d5746d6a0e3fd89f2ce5923531da57e702ee4e9d361ea5ec281a79436a1a337160c16

C:\Users\Admin\AppData\Local\Temp\ococ.exe

MD5 0c292864ee8e974c278ee33ebc83353d
SHA1 0a31f9b6d3801bfebf3a1f8c1477e653590d474d
SHA256 791afe4e5177a58878755cac7a642bf0b611d3e0a66a599d90f8ab52fa770cb1
SHA512 a1aff03309943ead6ae2ebe384a8f4675a6ffcdea3619efdc2dddeedc62c9e44960aa1d3c1fef50e651b6f38a348981ddc779649d90306a9275cb027c2e8a2e4

C:\Users\Admin\AppData\Local\Temp\leksMAwM.bat

MD5 4f12b4d966228fdadad89b4d30828e5d
SHA1 547e105bfeb7a75107e28b22607a788e2887378b
SHA256 fb8a449e372354f487490b2863831322fd91fc9053bb9a53c333bc40eaa4269d
SHA512 9499915211438b7572de7b12b18c2e808c87acf900bf9c20c301f53dbda0d6455fbfca656e8026a7a40295434bfce377b666aa085effcff66b826cb2422a9845

C:\Users\Admin\AppData\Local\Temp\EQYe.exe

MD5 549931050dd233e9c0ad741550f41581
SHA1 5c210649430146b3431a613a8e959c6a7be2e328
SHA256 9c3ff87db34cb0bb09b01e5fb8eb0a6a4c1c5da2d3c083f86313f89cea51d711
SHA512 7172a3ab13a08683a609ad36cfbc5b716c9e4d9590660b3d31070f33e3150e72ee17cebe954a6c931d7db592e4ae553a97bdda99380d78ca59ae4a9749373959

C:\Users\Admin\AppData\Local\Temp\esMs.exe

MD5 af1100a55f490e1d3a9b0335f82341c4
SHA1 9998a390faf29fcf9471afd15e60ff226e27af7d
SHA256 ae4d99a88a07639ee9bcd715e9b18d70715ab891ac3e91c4a87bea61652d6e94
SHA512 f9fbbc07edba3879992810b92bc7aa58d17a2d4f17029f9d0e9c068b13d6f3e1cce7b5806910d450d1b81ff0dfc83789f2326a95a9a7068e2bc04b79a7f2a8fb

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 ae53b6fed3ed847ddfe1ca0816c1b946
SHA1 ca1c831e142a3bf4c0b7410d681b2c7c74615693
SHA256 4d1dc20e05a74993aeff9c63995ad41985ebffa6f08c3c0c3341bc98079a9b8e
SHA512 7c6f1d7c12ba3f6ff9e93cb4b8aaac0e76f055745692f8188b5f3554aac17165c1a20943a6daadd162c63b76d7e3bc4e44be82645f47edf0eaf0195e0051935a

C:\Users\Admin\AppData\Local\Temp\AEEq.exe

MD5 fd86e88e4d0e50b6a5f62ed24a267cc4
SHA1 86eebbca3f37d9ed43f53723f5e1dfade720d836
SHA256 befc3d99ec83f0db01ba324c29a527dc1337ecc7b166898c84cb1efa42d7d8be
SHA512 373b8f673d485f5b8b67809181a3eda883e81f3a8a6942ca441989822253cabe0c80a805bcdb63b0c550aea25ed25a9d8083d2feb29dd7c039e00c9d95fc96bd

C:\Users\Admin\AppData\Local\Temp\ekYQ.exe

MD5 d90fc548d4126a9fe7707717c9ad819e
SHA1 2f5daab57afbfd5a48c7d409995b09f22442bc38
SHA256 3426dffc41993b2a73ec6682003c5e67ea032717ede077570db7b80c4da3e362
SHA512 6ac4af39801e7255ec57016e51c23bfe0d4a2279192f681e612900379a2b9e290a27ca795ec8607188c0d2c68c66354a2363b98c58eb093d256c50a1e4756958

C:\Users\Admin\AppData\Local\Temp\CwwW.exe

MD5 c10ece6f05d6eb930f94d8bfb4c555b2
SHA1 10f938cb1157385ec2432bbe682e7744c2f19ff3
SHA256 a872188b333e8ba73077922c31347c8853c1e06536375855a643a72daa7e8a96
SHA512 b025631db58a4e36734002f4dfa921fa70b39a3468d3115274fc4d9d9d64e5af569013b9fdfad850d283265495662eb069afc033df79f57a923d155f5f1e5845

C:\Users\Admin\AppData\Local\Temp\OEAG.exe

MD5 bc1d76d51b9b785a060994c977472176
SHA1 9fe852399b64059aca1fd2a7b16136997c8d6ee9
SHA256 55f8e7bf32846af781fc9fec3b4704616ca0243f096c5555881b0c0d983b8640
SHA512 0540465dde274488fddc65f42df344ef5f5932ba871dc83933b40aa3c5201c000e9704fcd450e77ea72c0567be57070a9f1b058bf989871fb80c54a667a25de6

C:\Users\Admin\AppData\Local\Temp\EUcC.exe

MD5 6ae34e8d73f6bf9a9bc42f3cd7d6ea9f
SHA1 903c75102bccbb2194c2b8159dc4cb363b876156
SHA256 69d92ca9a61bc0c6fa9e17a927aa6a055c553591d306eef158e141ebfa5a86e2
SHA512 47b2057786316e5f0210730b788507501cd25799a1a1c14370eb310578528f860a9e4d2047e1acdadcb53d5f17f24d4297b0a786dbb5d6f5644afee2cf716f0a

C:\Users\Admin\AppData\Local\Temp\qGkoQIsY.bat

MD5 4c6cce77828917271f8de031ba43f1ea
SHA1 5702757b858278e7dd5ad2d42c9635c06f410ae3
SHA256 034ffcc761ce20eb0826ece35164a088f52f5770cc8b85af1bfadf1a4ec385a6
SHA512 23b0ee1a43db1fab0e0e056c22539925b6bff95efc98fe9913a0b34e6bc96b22cfd42e3454818eb26205bd179693f4c3cac96de60632ffdbcceb27a1ea5aff38

C:\Users\Admin\AppData\Local\Temp\eYAe.exe

MD5 0c83222cd4b470b511efcb5df61db496
SHA1 7afc85d0ce3c5bda86eec61c7c91d23b86b1932f
SHA256 71c6a80985771306c1d1cbd332f200596ca470ef41c63eb2ec2d48d3ab579ffa
SHA512 bbb0320b0fd6336dc12d4854eb4406e22d7d1728894997018c2640fc08313f1ba93ed1bed8fbdd693da1cba7cea8689bc82f2b4b6dd84ae7562749796d235df1

C:\Users\Admin\AppData\Local\Temp\GEUo.exe

MD5 34e736ff41c715dabf5c3da826d208fb
SHA1 3f2ed9250da21b7f13f79cc07b148eba759a870b
SHA256 169713f67c1ec9ac3c1ee5b3a47dcb5d80cadf94f78c33a34fb8741a79b6fe86
SHA512 92aaba435944f5377185a2add13958115a965a6cfa9a60cba56b672d825eb419b141f6ba2fc1395d02eb451b0405a20f0b477187ee79de13167d37b0b02d366d

C:\Users\Admin\AppData\Local\Temp\KgES.exe

MD5 e126fa7e1f9c3bcb751d8f7ec1322403
SHA1 40d1d02090b640a46f574bb566382fa81fb3523c
SHA256 eab4145398bbe49bd24c7e1482c415f0b6712533402d25c92318c56340ea46c7
SHA512 3b4eb2636e6afae65299c42533a875db1722fe87e643881ce1e8a1090448f6646797d62615e3638ad0f9a4b2de63002c35dc1341c92a6636fc16d43821c6ed11

C:\Users\Admin\AppData\Local\Temp\cYQE.exe

MD5 3dd02aca321777905b74446c48e7a12e
SHA1 2e3490651db2c2061d0553250565faf0afd5a707
SHA256 09ed160d2fddd1f361ebf43e8239f0cc8093107159ef53780aa08dc9bd1f44ed
SHA512 cab1409b257299029f1335cb3c94b51b457a727b32097d16b0708145517b4698877c7becb655eb47d7ead2f27de53646cd9bd0bfcb8273062492949df7f1cafd

C:\Users\Admin\AppData\Local\Temp\IMoU.exe

MD5 3218005f564448b24f1d98ed25b0d236
SHA1 9bda99e5ba0286453d2d71258defb41261c7bfb3
SHA256 085d403d8c7fa08c6aa626a703198aba827834ccb8308b537ae754a29edc44c3
SHA512 bfae7de2f8d612bf53c58a07770bd998cc40ed47c27a88ebfb40d01dbe356561ef66a0d0648f14eb7212c40a82b4b12fdcde1dfa1538b976d0e30f16b469a2a9

C:\Users\Admin\AppData\Local\Temp\EmcEAQAk.bat

MD5 c759b43f43bfe4fc6bfb385ff7f7f72f
SHA1 e7f8128bcc959299e61e61a94258fb5f1f8022fc
SHA256 7f9846a76f02d9a107ebcd11e7952c603ed972f6ca5981879fc43d3bec633ba7
SHA512 63ada67b027927ae99a403de42fa2570a3dee1cc89a52b23d312ef0371cb02c2fb271533a395df3a8f84fcd87c73bcba2dd22fb798553ba038d6a750ef883c28

C:\Users\Admin\AppData\Local\Temp\Owgy.exe

MD5 669c7bc5fdc3ceae4ea5072663bbd23a
SHA1 4ee5701864350b43408617959815c9f60bc95d5d
SHA256 c4666cd4c65bba7fd88c63cad367c7a442c0a04d99b069191539471cdbc474bf
SHA512 2546a2ea219ac16e7af75aca99a3874965bfb7af5d1423016cb356c01030fd938c78eb1bb625c9d76ff3053c16f44f9c9b138740f17ba3e91a37ab58e0df684f

C:\Users\Admin\AppData\Local\Temp\awUU.exe

MD5 4e5aa56a4acff2df7ca957e4aa56fc40
SHA1 b2fff09e7f30641757d03ef46109121908cc9abe
SHA256 e3152250063043ec254a20e8fe95193c21b7bca6dbbc7d2c72b6ead4e3fafc2e
SHA512 1d15d3328829c0dd5e8b67d291cb11e1041586849ac82397abca3d63a2ad6c820c6c726ce6330886597e91ece7774467a817b12667bf92a8350acb9d62394671

C:\Users\Admin\AppData\Local\Temp\aswi.exe

MD5 f8d2c32d5d650992fdd0bb02fcdf3c62
SHA1 67fd9c5cf623c4e21d5b7ceabb68524d4844430c
SHA256 ac340939349faf3f466ff69d3ebc982e310712579c3d64e6af562f6767e0875d
SHA512 1460d9280d22558c2e3a4a381faef98bf44d71a0661d65a39b7d855d07198bb2762532687d528d27f535076bf704df431dffc4303132d981e4c92d6b48e730ce

C:\Users\Admin\AppData\Local\Temp\oEQk.exe

MD5 24117928c5803c3d1e1d9b0f0c49cee0
SHA1 51e07366a9dffff07ded63649d46b2fd0ad57863
SHA256 0ce8626f080bbfa1b6de0ffeec0c67fe8095d1cf183c230de934424a335f312c
SHA512 ca65a65a6ea3edeba1df37607493b560c682a770b1a2fbc4898f5500acc6d494f40936fb3ce6e8e72cae60dd402f426d4e1a96ec00a89fb162b2975f147cd168

C:\Users\Admin\AppData\Local\Temp\EgsS.exe

MD5 9b4a27f76a8244ccdd05883794418591
SHA1 15ca24894ad8c2c3a1937dd4b0036fd4af50c032
SHA256 ccb7a6e03a27826a396f31ccc493c49a73bd1358e69c33ba693e62276eb5995f
SHA512 082ee6c180fec09a37b798d40c607e00f3304d568331e962c989c371f561fb95f38b1332f7151e76a73d612f3cfc1dfb952d8543ef110e19c924ddc319f23174

C:\Users\Admin\AppData\Local\Temp\Coww.exe

MD5 941337a28c418923829fed8cc1f947d5
SHA1 2916919a66149d216627b2e9fc7c496e814cc34a
SHA256 7cba20be0f5daeacb072a3515b7be6971a4b9750f072942a4143b963fcbfc772
SHA512 5fb0aa7ba392e6456623a7ff55f15eeaad84cc66ad1cec7e6c6fecd70f4c7fc49cdcfd6b3f62a03bc8e5750f30ae4aa4ed95494d8579b1b8ef289516f3dd5eee

C:\Users\Admin\AppData\Local\Temp\wgUE.exe

MD5 2e69c75bee1daaa9782fb6c669356b43
SHA1 5a93bc53166fa3f5667480a4f138b29667e74d70
SHA256 0b230b22d20dd6b441e3d792f2e852d390020e451491854733fc37ba2ca46cfa
SHA512 ac59143a7c3aa97fc1dc66517c043982fe946d6dfffd2686041f36191d3adff44d5428649ef6f4d1bb19dcfb99558dda2081bb5963c4972560382ab93fa124a1

C:\Users\Admin\AppData\Local\Temp\isIa.exe

MD5 904a90298428b25a1ace30741c77447a
SHA1 66df4ccd472d4a2cae9933621d5b579f27be7c2c
SHA256 2b9d71d3b1a277b5ae271d6dd25f7b061e64df6e491536029dc6e087805a3edb
SHA512 eb29330af21a56dccf188660766a2ef3a16dd7b67353de9e61e74d17d63592ba872e941b21b1cd280a53ad60f1756048a07c9e038a6a399fea543d36b9bbc527

C:\Users\Admin\AppData\Local\Temp\UMYK.exe

MD5 ecea5118137b67608fa083ef80a9c4fe
SHA1 27320b78c3ce0c4143e0ce351c1740bb9e3def5f
SHA256 90a1a1615bda7abb0421b22c46ef14645078886119702d61e2968dd483be9a92
SHA512 cd2ac0fda6fd1183d67b3ac2295bc4bcdc89f3c52e2d063c626d9e6cf078473d94de4ffb92261a86ce4337a61a4f33d4b7ff30ad78bbf5e147dc066c17375f70

C:\Users\Admin\AppData\Local\Temp\gaIEksYo.bat

MD5 d69bc8ca68fc0cc8f657ccb2742e21c0
SHA1 ede80555bd12f7f19d14209d7d32151d9e43b178
SHA256 4d5ca3fc06f7cdf9ab43a64ad981fad2a676c955fe9991462817d65e61273f35
SHA512 c032bc8f6490c6452f9033d3d5b9da13feaa416ba13660bc4ed668269eae0b70e32dff7a007853408a8a776e3acc799ac1b4430860663b278f926b6bb09dfe3b

C:\Users\Admin\AppData\Local\Temp\ScYU.exe

MD5 a4e41ce8fd6bcc25161a810ed42aa71f
SHA1 ebfb47cd3d59be7affa1c471d154a5002b8c40a2
SHA256 ccea800e489beaf60102ba805654b19e6fdf4f029f5a901d4fdd3f7f5f2538f2
SHA512 def4e1934e20a987b67dd6561d4517a72c7bcd11b772c9556ff3af7109ad711838b659de4b07bdb23be8b916d29ddac9e0b6841e997a6fba046902f56104e332

C:\Users\Admin\AppData\Local\Temp\iksu.exe

MD5 4bcb75d48beab3de321d9ea5690f0afd
SHA1 0844c06304b6fc6d7d6ee18557b7072543e454bb
SHA256 f6fbb99a49649f29d18ffd6c6cb514670922995266fc0eb40ad6f2648c62d085
SHA512 0a371207d69039a1a9b5eab29d857dba3e9398b62ad60ed48f9d6f19cacbb00c823e8c85f2fc233b9380f9ba093cc510cbda2389d1c417b5db47374ea0914bdc

C:\Users\Admin\AppData\Local\Temp\EkQc.exe

MD5 a76b5385d458187e1fa87f78d278d6c0
SHA1 fb4ba32e47e5ffd901081caf47d7378201601089
SHA256 aa04701cfdf4a0003fe86387c1c9b7026270ea771a865ab4e5bf1aec4b62a07d
SHA512 d1c19bffb27ccfbf8b967981313acd9344826cf26d5d051d0d27aeacccad2adadbd30c222c64c332cd39f946c21840f6b6845eee0f2096c82dfddadf72dda43f

C:\Users\Admin\AppData\Local\Temp\wEQK.exe

MD5 45700bf399aad59ec6d5da85b09449f8
SHA1 2203ad827b702b75030fdb8fd2d71b8259e5adc9
SHA256 73c706a8ffc3cedf2307bef0942465a45959d0fced055cee8459f41c00c2e9f5
SHA512 79ef2f6add89479a5cf0082adb31da8b8f86414c9047154d21e3e4a8c53a7611c9292c789863e998eb11ad2bc30ed927cc63bc7d3325ecd4cb7f9e17060502e4

C:\Users\Admin\AppData\Local\Temp\QsMQ.exe

MD5 625c9bcd6a846f30b7728f53293bee1a
SHA1 d815dfffe6b929602b249dcfa2bdf4d343c92683
SHA256 4e7e865e74c025b60ae73af31d7a4da2391f1a0eeafe3d967bca4b37189f19b9
SHA512 ca15d7357bb7d96725a34de0e2b5110311e240e4a6f4b2c1f723e4840429ea5652a5999c03f87141d790feb6da3062b31d4dc2c08ea5417be217bdef59367a2d

C:\Users\Admin\AppData\Local\Temp\uIMI.exe

MD5 bddc1198ed6e642626e75512eb741da1
SHA1 21fba523c24312885fbd230771b4b4b6e20d2821
SHA256 07cce5a5f6689a9e1ae9e9767995513a169ff267747a6f07a8ee60d686a87578
SHA512 d3525e40358bc3e99d0fc31dbeb806f71dbdbbd39e4223838a42f098c876d9e408075d86da42e26af8935655dd31505fbb334e4d18f8432beed76cbefbab1121

C:\Users\Admin\AppData\Local\Temp\KGYEEAUw.bat

MD5 204e1945aafb2e07b8d5ab82c6868778
SHA1 92b86fd776d4568ac54114b3b52ee72ab0c96358
SHA256 27c2b55bcbb8e1266da19813806675f15fcf722dc8db8601bd06b89d09f10015
SHA512 aa1f00daf44b588fbc3aeefdacbe803b38149c3415287dccd2f511e5de53fb1f11a65f47bd84fd90f31f3128379c58ac1de39044890223dc45ecab29d82d84b2

C:\Users\Admin\AppData\Local\Temp\WkIa.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\eAIo.exe

MD5 038aac5b3a58ffa2a5db8f4f70986fd2
SHA1 3d6acb7386de796523155ec4d01f7ab24f77dab3
SHA256 1df153010749fdaab6b0717207c72dbabb8966a0f510e63d12601411193c96c4
SHA512 e4a951b2b8894f71d167673bf48b877d9375e86d0c19fae81b72dd0604f4410eab3d17aff4c82706ea8f30a99dc75ba888aade00694159b3a081f5c2622cab0d

C:\Users\Admin\AppData\Local\Temp\uEoG.exe

MD5 d0cf71da670aaf7b960ba5b99182a7d3
SHA1 e2c6f154935a16ae65d2b0fa965d246f5f9f4d6b
SHA256 ee488dd4c3899af43948da3367f65254469816fefc005214017d18e9f9a3d6ae
SHA512 f6b4089c639642118256ed78b6d7fb71d98d3a02d84073cbab991bdd44666f2e43406380576f89a523826d042ef3b3b1af5a212447c5bc9d9c4f1135f19895c5

C:\Users\Admin\AppData\Local\Temp\mIcy.exe

MD5 4ee0983ef7c3b1ec64a89703b1ef1d17
SHA1 3b7dbb0ee57513037699286394b611e80cbfaf69
SHA256 fdf2b33641d274018796bbf7a08670aacc188f91cf761aac5608e2ae26804d1e
SHA512 e3cbe8497845af6bcc4cf9018aaad1c6ad6f9d3a8282e4ba57733097a40041ca38405458a671a178cc5424ea3105512a94b858bf1246052334caf5f5518a21f2

C:\Users\Admin\AppData\Local\Temp\wQAS.exe

MD5 1b66bd574cae5ddeea28069207d72ad0
SHA1 5acf00c0bbc8dd2b6ebd131241c275b4a011695d
SHA256 78ad8f20d83f84242b9e1121abc467ca022e5ef0565a82dbb374e7fee89400a2
SHA512 e4cd6dd699d8b35ff511bf563de1ae9d2d3615858c1637fac2119eece74589371d631464877d8ce40e5b22ef3664c410c408e74c6d43753db7310f0e48b5d503

C:\Users\Admin\AppData\Local\Temp\hAIgkQII.bat

MD5 5839c00ed09e3a8cbb86c59436e7bbd8
SHA1 9028a1c01c5023d88cbb67cc2a137b080c9d1675
SHA256 d701b0ae3b5daf02f67ce328f0fcf319315c7e5466d6bcf548306b82f0366a57
SHA512 22e8ab4c991ef9773890ff07ce027333ab276ffca28ed4af65e5c81518d51bd99a8500928c9bac02a5db632e1918b9c961f4282893dfa6e937a22bf5f6426dd1

C:\Users\Admin\AppData\Local\Temp\vCEAEMwA.bat

MD5 4d1d1e0285512dfe62b216fb854c9730
SHA1 98f44e017186e5e75ab52beb60f46162563d8dba
SHA256 ce9f871ce4ac4d53b4e2a9c65464decddd67791d5ceb4ba0151c2244f0040486
SHA512 4310b84df1fdcc9cadf459205eb19e65d37c54478c22fcc3fd9d94086a710a035f1cd8c67d2cabceba35ec948c370fcb5b5312f962542385b7a1fa15333bacc0

C:\Users\Admin\AppData\Local\Temp\xOUoEMcc.bat

MD5 46689c80bfdc4ce3b7f9c53aba0dba12
SHA1 7a32743f9a30df6e79f227d48e3139a9e839000a
SHA256 d4428cf716c2dab2bd7b4df590cf62dc69f2ca83261ad1b49d0eb22df14134bf
SHA512 774e13a0ae6e3eebb97677dc5aa80b3f27487fa36ee36c1fe948cf87f3699c5936856cedcff15c8670d42136e083db968b68c11513840f17a8035d3cb2c14ba6

C:\Users\Admin\AppData\Local\Temp\tMUYIMsw.bat

MD5 5c2e5d4647232fc3adf18deec6567674
SHA1 48a01a8cae1d74502bd13d331d45b7e00e29acbd
SHA256 d36dd3254a522e31e738e53f90a06163e0f639caed483abb3c44febbe8a47161
SHA512 d5a309c90693b99e088baddd270a29af32132914a199ebd4a3a0fa8239412c3a6cfdc66812434d70fa49d587bb2c361c1205ccf3c84a61912657552bb6e5492a

C:\Users\Admin\AppData\Local\Temp\iCQggcIw.bat

MD5 5feddecebe6db724e43371667231fedc
SHA1 635e835fbbc6188557ae623c479ec4d3d2da5970
SHA256 ab08aa6ca1e2f5f6c813b4a4ffbce51ee203a968ff495662f3f6dba60abc438a
SHA512 09669ba1654cf4251f979594420d54da99466af071d6de668b8cad9519cfe01797801f83f6d9111a36f7399fc555bb5de76f9f656301308fa1d12bacb1a06ef6

C:\Users\Admin\AppData\Local\Temp\KUssUcYQ.bat

MD5 0aa30f1be4dd63d6f9ccff9fb93ec11a
SHA1 e104d36bea990dcd4522b170f126cacaef100dfb
SHA256 cce3757463c70139632eecebb7b6dd95af09811a515532f8a8ff7555e95b208f
SHA512 158c8a0a9ed0d32fd74dac243f647c5ff859bc780908bf60006af51dd72b758e493dea7967596c82822e43168a394e66c0c9160d5544e410e451d9a158b54ad4

C:\Users\Admin\AppData\Local\Temp\UagsEssQ.bat

MD5 e053dc3e8fe36bb6ac030483a2974d43
SHA1 5fde8303779a5e96715b57336dba39c6c790bfc8
SHA256 5bff744e7c47de680502c94fb07f95f9da2d0abcced1183c9eb1b8adcd7dc22b
SHA512 67ef21ebf2e7459d300f257d181c03b5844df51170070b5f9155ca2d770734b09b62ae2f456495a7a127750812c16f089f06f4ef67a52a6875d88ce81441e455

C:\Users\Admin\AppData\Local\Temp\rKwkYEAs.bat

MD5 e6f1d29281d674b88d2e2742cab6c98a
SHA1 f5ea2d23843aa4923bd2ab738705b90bb821be91
SHA256 635bef8b400e6c74bcf7464321c44a5c969f0174fbd19a3aa356d0bd65968fa0
SHA512 b674864604b8ad336575c3058d65e7523e83831d9f6f1b8a10d561368ba8c6e604f34191043c03fee86cdd307daa95b0439542892fb8534bf71be6c372edcd70

C:\Users\Admin\AppData\Local\Temp\rGIYcgwk.bat

MD5 a7252fb9ad2b4bb710a3025ed6f1e831
SHA1 ced71592c9571fbce7f9011917a1119c0b5aa32c
SHA256 f33cf52bfe9c7869ce99af6abe8c0059dd9a15660252ad7c53dce495c347aaac
SHA512 f84bc1fd342259afc492b6f9678573798f1991d9c51e4b30050206baec1af64920f7f85b5de2a02fc50f1810c9bc01012980048a8e30987a3fa57fe75169cc66

C:\Users\Admin\AppData\Local\Temp\vQIYQQow.bat

MD5 a2c8e9bcece3d0b0c964f1e50a23ff2c
SHA1 7e40e798540cfbdf5ff3459dbd90f8ae01e169ae
SHA256 44a574109ee001b1a787cea6843af4bdc876fc0f1f4634da44d43a030e9ca942
SHA512 2141f8a78799a0beb2f22e11464c7d022d8f2197d93ba3693a9f0d71dcd25c737eb08db53389f783426c20680b8402db74e99b1c74f4924b7d4339500fb1f09b

C:\Users\Admin\AppData\Local\Temp\aEkU.exe

MD5 95ccd178c57feb013340c1d34a2c84f9
SHA1 38247ed1ee788be34b87c67a3727d1c9f2dc1403
SHA256 15c488bcd08fb0b3ecd40f758598a512a6a32de7d0e0645c707df0d9b8c088f0
SHA512 3fc79e0531159aedd5ea9403007e4e490ef53582330c56016949be4c531d102f26169bad69fbbb644024b1cd1754259a07aa9a33820c63bc29ed0506ca7ad108

C:\Users\Admin\AppData\Local\Temp\MIAi.exe

MD5 ea555f65b60f538c2bcad1d60b905f4d
SHA1 2736dfd4e1c755173b48440425d342de402e4369
SHA256 509cbf0bc79adf1d19a2be970a516440d4ffac4dc94889cd3d9ff330c68522d5
SHA512 68b1d228982d92e204e7f7c700d107e4e94bf2a9e0db5c0d48cf028a65778dd39ad45c97f7f9d5f663a9ecd9d03cfd461750b0487937228a559b5a6e9423d45b

C:\Users\Admin\AppData\Local\Temp\MgQu.exe

MD5 ab3621559b48494112993172a9c8cacd
SHA1 f711563dae2b3282cbb61e93330513b99bd11a6f
SHA256 70bc4d2795ac1d4728756274bf09f42a5a8a20c013d19ba7b64a90a685feadbe
SHA512 2c69c9dbdccec3336f246abfb00e0bb7f1ba7a60875ebff09140726fb4fa522fa4047c8b87654f0b7d0be4f96236a31cb91851d5f8da540f194e0f99926ff755

C:\Users\Admin\AppData\Local\Temp\wQEO.exe

MD5 33ff04f13f5e4963b93cd44fbe9fefb7
SHA1 e91a7ceef54d966125d6760b3e6a428fe689b08c
SHA256 d98300b95e2de28a40dd786452d5a22dc112ebb98e79b17ecd48e30b528d5a01
SHA512 72ddf3baff38794f5c90f7317aed683ee96d0a6ec73029e979adcaacd571f6e556de81212dc77b2947f41c11b8bb23e569f84e20d076f20472c4b8f1aff7a15d

C:\Users\Admin\AppData\Local\Temp\MsoU.exe

MD5 a7a712557c538afbd58b2b844b13f302
SHA1 40adc9b73195a419acf4f46d707eb4c6a7dfa6a7
SHA256 16222a1541c33d38b9ea9917ecf8de63417e4b22bb0f0a92c42b85623fa67157
SHA512 72f05d2fa76525683c117c2eb6a45fe6aaf7f0d542e56c714c7876dccc64760a7312762e578211dab78e0e08b719ffc73f585a84b12b046d82c6033786997cb3

C:\Users\Admin\AppData\Local\Temp\ocky.exe

MD5 6634c1b8129cccc0d39c609fa30fca0a
SHA1 a439bb17c9d3a266829851831783b1e0848324be
SHA256 85c3355a34fe159b49a67c67c6a0464216a6f4357ce16f662c7ab992a87ef73a
SHA512 719174821e76622e7ac77cdcd555d910625e594c619968dc6b1492626d38d758f1f3be480b568eaeaa241cab73c23772e5057f503626cc0cfb246d1ccadd27fa

C:\Users\Admin\AppData\Local\Temp\boowocoE.bat

MD5 2dc0a77cabc23996964538c30c686d21
SHA1 6973dbdf5e2eb2713f9eaf516d01aa243ffe860a
SHA256 caf8ff9f03e8392753b966f9a2016ea175a276381566c4d27b1a54b40086a9a0
SHA512 8f5a98be3bc0b70bf40edaf4464a1859e1fbbcae32d0d16aef25828b75bff8d85ecca6b8715aa486a7880e5e32bf5cabf55a45ef2b1697d9a8f4f8ee33502261

C:\Users\Admin\AppData\Local\Temp\EIUK.exe

MD5 1890a1b14b187747484889b2a55b2abc
SHA1 f6d0ac98364cd983f206d602ea1743fe536d391a
SHA256 9a60b293dfd9c4c29603121f6ad3116319535782809e09c5039eea0484f51095
SHA512 77207f9faded50d42fd4638bb273fb8fae2be2a73362b78448fb4319e96382615f17a9030d687572cb097f451ebaf49f5ba0c4be24d5fb6bd836a8a07bf73be1

C:\Users\Admin\AppData\Local\Temp\agIQ.exe

MD5 ba248cf5c751ed0fee66dc44b7395dd6
SHA1 7cb338f4d2d35e124991217ff60181c3ec3bec78
SHA256 783c4998135fb77da4d25aec93e85983a29c3d18152d13dbf6e2465cea4be9be
SHA512 67e372117c64f504100bcfb295aa7a2e6207f18c5fd5c2bdaef2dd29faa7431cd27528917ae86df6bb03dc68622af22332216535ff41e385963ffbb90e75fb90

C:\Users\Admin\AppData\Local\Temp\gYUU.exe

MD5 08607034fc48abe5f5a1d27f32c03fb2
SHA1 6d2eaf42d8510218b1e249c24bba0c02737be31a
SHA256 ed4ba49894024eb000858eda394fab5a1fadff366281137b61a0e32b0d3565f4
SHA512 d06b49889f060267734e75c8f7b1152de2bae2759a95ef89470282f2dffce589eed5ca3a34cceaa7ca6de6892f3b80e4bea0ec38e5ff82bd8442d2f650532023

C:\Users\Admin\AppData\Local\Temp\eEIU.exe

MD5 0f8bbf67bb1fcbb02b00e733f1d53cdf
SHA1 4d44834030b823cf1979daf80e1617a3b310e892
SHA256 07dabe0a8f3189fbb63afbcbe7686187653ffb27b63caa5b1a4fe969beba3ca1
SHA512 f9c9af760d476b0480097cf8a531f7842acfcbc9de479963b9f4529d2b99aab6f7a6a491713a9a0173ea96a91912d2da0837fdc6ad74d8fd456306ebd0da33b9

C:\Users\Admin\AppData\Local\Temp\EAsW.exe

MD5 7566df40aeab16354ce2e0653667b2ae
SHA1 aef913deee75ee898f08475625c97a5bec6b95b2
SHA256 1133562b5ff21a72ae89e2874f17797cee2b73cef29bf8b20980953f0870c5ef
SHA512 bd9e08fad2421f8f3da153370c35bc8a722c210a4fa6929632274f355dc7e263f07d63cbb8214add6d9e68f9505026808bd3c00f51c2de952bbd16141192b331

C:\Users\Admin\AppData\Local\Temp\vgIMEYUk.bat

MD5 a55ab1ee5a996f58e0a62df0ea93030b
SHA1 fbfb5198e8e0adbdfb0768300fff75d000117bd9
SHA256 d819583fe39470ea85928636d3544165f3b379b370b97d8fadf25ff42032a87d
SHA512 e990e4aa3d0f9053d65d18d482ae38b2554958790d9f985b76a490d2c02ed8ee4d6ad7bbe1cf901e72a93aac475a3bd9ea1ace0f29ed797cf43a854a7bf4bdc3

C:\Users\Admin\AppData\Local\Temp\OsEK.exe

MD5 a0deb945f6daa65e82ed39b73c2e7bc1
SHA1 7b2e9d8c79ac9ff615ad53d0c1671d1c3b7929c9
SHA256 3fd332c1f3a94896a44eed312f392bc6ec42fc3a92605981713aa10ff33ddd1f
SHA512 6e0bdd718b6f97074a6a1e16045a5feae61acd59a489053dd9f16afcebdf9330bf4defdbd5162d8e7d5ccd6d8b3e5c626f9e1e67f957f23b9b1b7eb5866eb5ac

C:\Users\Admin\AppData\Local\Temp\uUck.exe

MD5 be67dcfc5468d80e6c298dbe6596159f
SHA1 05d15b139413873c7f40259ac43bc26fc57d8f05
SHA256 78190157f52d4215a62dcf56e979705422c98a8bbe2d6d4b4efbc0a6ff24883d
SHA512 9f0f98f8672bd41d513fec1e506b1bf4f2b6d1cd444813ee13f09a4c699a0712406d07c71bc5d5967a6e31bce0f2a4a4d1f0d1134be0e5b0c29db7f0da1edb17

C:\Users\Admin\AppData\Local\Temp\yQAA.exe

MD5 c985928fa9b90c47c7d751a9a1aa5b24
SHA1 49fd4dea32ccbf462debda87e6621d5e2e71b8b2
SHA256 4c19a67db301687cb0a4498b23389a361ce31730262f431f2c30c601c4921745
SHA512 6a0705e7a5518f2e691122922d4ac1e753681009198b587e33f118ffe8bf3c1477994cd112da120418156f37d727aa5547e35bc51e820518955e5a2d7fa89c57

C:\Users\Admin\AppData\Local\Temp\uwAMwkYg.bat

MD5 8cea2ec5cbf97cf9bba41fdb53d24107
SHA1 032e00b78f4d5457807f0ac7f193fabdb7dc4368
SHA256 43e086d64071950ec579069eca8e02253675ca0de2b1bd6e659ac74592a66ef9
SHA512 b1b66feb622d7b007188600dfe272bcd29cb70f27b83b4ec2b1ed6d98fa2813038a903bc905af63a90360974ef136f81688007fcd27dd52d6b908d4c5a62429b

C:\Users\Admin\AppData\Local\Temp\SoEw.exe

MD5 9bdf7bb45a348978aa72b9ad0542ca82
SHA1 7f189d01f1b03354a394736241b7e53573578089
SHA256 af56eaf1db8e7739f41a99807ab0efd4c008d06b05e51fb72bda56c10d43360d
SHA512 a04b36616f4e0939c9674a2872877bbe2e674ccb16bcaf87f116e62e55224378be259fdc8a27ec05e2abf668bb9de8bc9e52451e6695d5885f9ec83a7b8f8691

C:\Users\Admin\AppData\Local\Temp\sIUG.exe

MD5 3769501cab7e4209cfa1e791ee88f484
SHA1 c81670f90985bb343e1552481d80cd1495566e0d
SHA256 8e48d0660bd04d56b5ac413e85d8f94ddbb164daef869a2d4074416e4ab4ac53
SHA512 997e7de4d1c592708d8659cf93a656fdde490f6b6285faf911f4dd8387b19f90e10b9410594411d4e81a312dd23951d0a2074415597ac3e6d2a9a07107e7b4ff

C:\Users\Admin\AppData\Local\Temp\mYIQ.exe

MD5 747d322674d7bebe30aaaa7fbc5b9c32
SHA1 5fef296a3ee5cd4c26ef64ee754b2eea52d448c9
SHA256 aa9c159031a18693fbccecef32182413a32aea8c5bf9af49ff06c54d51d1be87
SHA512 953e305778d1129597652f0d18fff4cf77ad0ff4fda3b13c0c696cd936473379f1ec536b3c76d70d3ead23056bf2b524e0b869566c9768dd466fae11abdbc0e0

C:\Users\Admin\AppData\Local\Temp\GaAcosMM.bat

MD5 89df20177969a7972dff977528b5c775
SHA1 b66c3951e7a43cb953918f3fc46c80812dfd67b5
SHA256 d638ab6809540f3ab42f731ce1054cb402d94275ad8dec9a6d20d636350c1de2
SHA512 05336508aa6dcce650a5d58b26309f282511617065c09df86f00550189b58a5633f4f34b7add131093724673b98ad4d56968cd5a0f0ab9f64fdb7029dca84a42

C:\Users\Admin\AppData\Local\Temp\UEEQ.exe

MD5 02264a176c9020860bab321be78e8966
SHA1 29eaf3799f3e1e6af852d04419406a8b6a397517
SHA256 c2eb7fb3127891994364792c7e0f1f6f2bf5c34640edc108cfd6f12d6342b2f5
SHA512 232645c8e6d8cf0b191a965144e5f7651c99eb0403abf4d52b7cf6f82ef4f2d14fbee8420ff116bba31640d07dd7e4d0d850e4432178f1f91ab180c0c4e3b4c4

C:\Users\Admin\AppData\Local\Temp\AsQe.exe

MD5 f237f18950087755e0d5d401ed999482
SHA1 2756dd44fcfc36f2a9bfb440815452a7050ae9d6
SHA256 efd3b8dde0f186b99ef893ffe16aa6f9623694373f829be231fbac008264d49c
SHA512 910d57102ea475faea68044db076f224953d2a983e425b7ab5bc0d1b4dc34bdfe076dd5c47a6356b0f3f7ca70c1a693ce60a9f47b9697eb0d2b02d35d4d7227c

C:\Users\Admin\AppData\Local\Temp\GscU.exe

MD5 32601ca76947e95bcd8d2863f2d55b19
SHA1 c471f2942b1ecb59d2de527e728965aa3680870d
SHA256 6e5e1df799355466de5c2e4b9bffe59b59c93e37c11d86a5e2ad6e0c7a648991
SHA512 4c4d2355a8abb8b4826d08fd01192e1fac25ec9c2a1db98dd841fb91356eb43465bae887715fadc50b7342dac3b27f75743bcd95fae666a1ce28caa41ee6e6e6

C:\Users\Admin\AppData\Local\Temp\eYAc.exe

MD5 74348bf10ead10be667aeafd4b40f195
SHA1 efb6f86c1d0db43039a7b4b2996ee15b75ef2f75
SHA256 6c89854601a463fcec812b1c8ca984a050e74bc13651ad01f4218a41b37e00f1
SHA512 f7f51582e91602dac6da7e5ea036625f18793bd9e2419709847c2ffa2d6dbb3d33bb442bb328a8644811f7d64e28dfa67b65e978328d57d54a4a58fcdb588e3d

C:\Users\Admin\AppData\Local\Temp\MgsO.exe

MD5 7e6750d39b0672d66a197497d0ba2920
SHA1 742b9f6a919ebe4667564c79270fb63682b69437
SHA256 521ac2186307cb79af9a1a93bd8a521a54727fd572336748909b9aff9aa671e1
SHA512 b5d923dbb0903957c5414bdc9e1c7c44e78130f08266f6de125b8b7dd692dad096eacbf11392151e0d5c5f00c1fa3194f879741bdd9f7ebb3a795f390f9794cc

C:\Users\Admin\AppData\Local\Temp\gUYk.exe

MD5 a9022159fbbc5976be4895aa734f0ebb
SHA1 6debf935e14125fa4005a225ada6c19b4717698e
SHA256 4ee007340874f8b443d6548741070a1b6a036961eb98466f75f59924918ba9e5
SHA512 ef030d18dd398b927828b748b25fd8c920332c20a1bc3010a6fcdbd568ef623629ca015f37f368b1728d7db0a4295e8179ae7cfbaa3faf94d5bda86cd9e90bcc

C:\Users\Admin\AppData\Local\Temp\kecokYUc.bat

MD5 71f376e92d24a8ccbf542f160d2421bc
SHA1 eb700ae48877ee7dd4f7dcc6fa7d8f422418a6c6
SHA256 f2b55bf614bbbfa6926c10b40f453c98ba596502a625a1696188640f204f2387
SHA512 bbb2c0a4cbde4482b602ad0e6a6f7b61ffd04926bbced64358a49f503ad75120c0b40659e53b11e4df000226f72d066c61b243f8871253e2b7558dd6f8bc5828

C:\Users\Admin\AppData\Local\Temp\eAQC.exe

MD5 58d09e1521994614d76d741e3abf3356
SHA1 2893965174684a2f87cdb4977186cc73d52884e2
SHA256 c504d81c4f700ab6034fc4cd6120e3e25e9591b3821cf5fcd1370f20f695b306
SHA512 8336930b07a4d64e783d18bb344ec2ba55c89de861a32d9c929ec03a484b409f3bc92d77333a4582d00e24553b3846f338f4557397772fcc65f8958efe30a9be

C:\Users\Admin\AppData\Local\Temp\swcK.exe

MD5 7f20efdfcd505f77c08d0b2adf97101a
SHA1 72b56b1e0d20745e9cbd1c312b57212cfe57b46f
SHA256 0336d8470206443d866dcf74a0cd1e3ad942158e2c9af494f69a02d72e9b43b7
SHA512 95b34c061dbe3814059c82b8968bc3a6d4a9509f1da08ea38857c92ec3e0473778f1b8c701cadf4591f3ae91a23253f7b4fa5908f9c7e74caf845b6697d7a33f

C:\Users\Admin\AppData\Local\Temp\iowU.exe

MD5 3440020c925301527a5cd9685e26fa32
SHA1 ab507af1abc34614a7d0cdc3f6056d6e9eeb3ac1
SHA256 5b801c2f9affeea878f6760dddaca6d582133abf478b18ea95b0b9d786c42a1d
SHA512 b3e4fa9da04e909c363091c4abbc2475b4e235798b5175e92e405360758813fe6505433cac21d8f1c8592319923b1b4287cf1f8a5bd098babf43099edafe037f

C:\Users\Admin\AppData\Local\Temp\oyAEcQQY.bat

MD5 d5266eba79a1df621c8c12fbbd62c008
SHA1 6f6b64abc45d1ade9a06011c2fc9725c5ecc6802
SHA256 3875ff67ea2df17f86466087b657bd32e962ca5b0fdaa18b58df62b7e5c29c5a
SHA512 80aa8871bc86d6583b0a6d8828f59e9746800d904a5951fa5b523797a18c8f1e3ba54db0ece81c30002b8c658ca6d52b70e9dad05a239f25d2da78d56286b86e

C:\Users\Admin\AppData\Local\Temp\JEkMAIIs.bat

MD5 c94358adc85c2c16695980c8b90bb60a
SHA1 884d6b42079074b0d529468ec5bb1ee67fea42db
SHA256 396157cf8b129962214d35af1cb60d3fd8cf9c60416fbf02675f2756ecd3f24e
SHA512 04f2f5684ca57215015aadf41b920453441db8578e84a0484e2a215857f6f3db7f57c6be89d8c66892f50197ba10b9de82fecafa0eb6bc81ea9fb15d8e7f10ab

C:\Users\Admin\AppData\Local\Temp\Asoc.exe

MD5 23c9048eeee49faf577e3502d7e191b1
SHA1 3acf84fb7e400928a0a9ac48b442853103afd38f
SHA256 06ea403953b1a4e173c6011379a6e0ec57920d7465d7f51059b5561bf36d8903
SHA512 6cc43bf695443baa3fb9f96debef0bcfe7664866ec122638aea0c51c6eeded4b519020c0fbb30b2234f1dc409501bb4bd8c64d7c2bed47c9d284cfd95b76de60

C:\Users\Admin\AppData\Local\Temp\gIAI.exe

MD5 3d824f341f09594a46df5a4ead521f5a
SHA1 5e0dc9b6bac215f6c17b08e49826e0a11d82a154
SHA256 6081ec9f908047ba5cdba32320ebbab1aeeb17bcc64097bb7ce098788eaf2fa2
SHA512 23d9f1af616f28ce29b0ffa6b6ee8757b82ff02231acb682d8d47ae14ff869e2ee795fd24c652b8f22bb627a6ae508bd32ea1aaab65ae28915cf21b90a83851d

C:\Users\Admin\AppData\Local\Temp\SkQm.exe

MD5 639f735f982eb5a76d4b129a00fb9235
SHA1 daccbfc193fca3c9e89301eca137bd18898bc2f4
SHA256 971f539b6130ab87ce46523e723ae4eb02dca01482087e721af96e2b99203931
SHA512 60dd8fa7b0210fd69d3127f657bbf20914f33535c3d3d35d59cc42f12e7713cddfda4ef4bd55da416601ddc69fcbbe69377c5b5271e57cb6a3713552efb368ea

C:\Users\Admin\AppData\Local\Temp\GEko.exe

MD5 6190819616ee7fe7ce9a936eac8b12f1
SHA1 ac990b967b83832432872e92c5f9a4f45a7d8ec0
SHA256 0fe0d905cd4a51bed8670508565bc595bae6d4720918edf03cabb18baa975ecc
SHA512 5e953d067ca0da54f463e477e3a8bf312bd57651c305b18443d86a884eea5e2f55b2528547d4e4b28e769bc8b6689a847cc059fd860185cb222c38b793fcd711

C:\Users\Admin\Downloads\OutUpdate.png.exe

MD5 c4c96a0d087bb4d49c4bf0b3054724a1
SHA1 f79f1ce0e562111d73d8502811aa712a9a585a10
SHA256 53991613183a56920a3903a2046159e0bbc49afea0fe2775ac67259410291211
SHA512 ef313d5b42aed941da606ee9ab609df72ec74022a54ad8a5cd6db3968941a5cdfd9638192b32d22150bc45007ad092b7faba79bc9c64aec7920450021871604c

C:\Users\Admin\AppData\Local\Temp\CEEy.exe

MD5 fe545a0a9d5287b600ca65074417f1f8
SHA1 9b2bcdc152b33449033b076ca672c3d491869cf4
SHA256 cbc09e9e8688388bfa883653745d7eb125ca85cd48e5a342625ddc63c6f39640
SHA512 f181fb3ac350120597b62a9ec11454d21becb562322f18c08afb4c2dbb6a37fd9cde606e87aedb3d0722e14a67d9c18bdf0f8488d75c9db650f0803e0d5ed3b8

C:\Users\Admin\AppData\Local\Temp\Koss.exe

MD5 8e79d38a342368ab9e3e39672389d7bc
SHA1 ef1753461e1294bf8558792da5e8b0a96703c5ce
SHA256 5328bd90ed824974f6c117e8bc06d2578aaf511957c8c012833a08a4f84a2b17
SHA512 4a11ae9bea2e5e5a36e1201a80fbc82a67890ad01c806ecc608de811908b32f1beb92c683488209c9ff568a96b1e1fabd765113f8a49e4a0accfddbdb0c38e5a

C:\Users\Admin\AppData\Local\Temp\mMIQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\mccY.exe

MD5 ae5e793c0806147867a09d7875ec6d70
SHA1 5776555edf58b3794d072b65dc472342c9eaefc7
SHA256 ade09921975dd6de2c71dafa195eb03a8e3510d7b19e8bfa02f6f5ca924abffb
SHA512 fc5d139aee1bb7cdbb9388e7dc1f99e86b39ca579d47c55d81ffdd04c49327488b961d683b9eaaff39a7bcdf3d7430eb1824cb549fd0fc7bd143adf7820b8889

C:\Users\Admin\AppData\Local\Temp\rGkosoks.bat

MD5 f44a4ec26841bc173b520a60c081f101
SHA1 2421b3574774a317368ceebdedb1fdd7b699eccc
SHA256 00cb18de8e49b7f62a64d7c4f3a7dcac1f45137062835c5a8d20a5c5a84258b0
SHA512 ef7c341f22d279f8ada2a24b81229a831333011c07888c53c7dd7a440109dee7dbee5df58fafdf01075929bebe5df219a7ef906b9d44d79a016dd49d4fb00f06

C:\Users\Admin\AppData\Local\Temp\ikoe.exe

MD5 c319674ce884c3528fe5075cae70e989
SHA1 7a80e85e2a0487fe465014bb33cbe04e52d94f42
SHA256 23e47d7c2b89f3bc98641be051ada6bf6cb3ba98dc85287a01185e51fb083206
SHA512 75d4285b69af4a7d56325e445ec876d8bf22be752b65fe72ee2b449ef6ac46cafb1b0e48d411ac948ebbd855c39dfa9ebee4755cd51a86f022db269b1657c7ae

C:\Users\Admin\AppData\Local\Temp\EoEo.exe

MD5 a41c14d0d1af9f4047fea6bd2e69c44d
SHA1 341b42275d583e45251a303ed64eb5018ee6c6d9
SHA256 3b2ef58c4eda673d66a935ccdafcddc5e5b49a8772caee2f33bda580808ddea1
SHA512 5142b4d8dd28291cde9e6c0f7eaf2f1412b50e6d7b1f7d136d09a0d433deb863ccdd38a43630b4657846161dae701203c438f501ac512da693416d82a8381924

C:\Users\Admin\AppData\Local\Temp\UYIc.exe

MD5 b5617ac3b46ab306426078bd4260f9ab
SHA1 b128ddfbae4230e489254566a7c84832d36b9efd
SHA256 4edd0312989452b3b825a81be838743e92d0d87601be22639e92bd8c1bbb3dda
SHA512 9ab41b37e93008dac7080eb61c761f715a64c5b4fe3db482f0ccf49ce5f518e56819881fcc0f6318e99a51a0d272c9487febce3a39cdac9bb247e17891d7bc4c

C:\Users\Admin\AppData\Local\Temp\cokA.exe

MD5 4b257ed8d601fd7954083e625567ed06
SHA1 af922ccfc84b9dda66cbdb8fea2ce41e0052329f
SHA256 291edabaf358bdee32905e61cb9d65039cb9051b6aa2d12d07693287ccf510a3
SHA512 4bf0d26aea0168e2248a34cf40df53bbbb98eca73ed4cafd83794181339419d14f2ec8aaac091de18e2c9d2eb92c821ec44e2fc37a95cad303e3249f0b867dc5

C:\Users\Admin\AppData\Local\Temp\BSYoMQMs.bat

MD5 1207ac435bc20566c6f168ff1fcae3be
SHA1 49acee9f740c50efcc53f87838b94ac747a96406
SHA256 aa6777016c61d5e4c821b0a57b9a6f70e87ada2bbcbe8fb6d0fc552192530c65
SHA512 e042b2ecf4f8d3d84c85bd9e1f776ae0d5ad9fd3d96eca1ce22e421888348f82f9438b7cea9f8e86b612d87b1a6d04f23d90e5417b0ea394a4d0283982253b02

C:\Users\Admin\AppData\Local\Temp\IwgU.exe

MD5 c2375e25ef2655a14d471b22999c4fb1
SHA1 2110ebd23744399fb313625310932334696fa5e4
SHA256 89d8fb4d9161c8c98b4c91d65d25820a2c72df6fc88acd44d397c7f8133899a0
SHA512 b7db33fe8a5bebc9ffd617cffaaf7d958104b03055da5ad41326403414e8a6ac8c9b7be560c9fda93dd8b8f3cf1246721a37aae9e080a2db1b2e2ce4a2d1f931

C:\Users\Admin\AppData\Local\Temp\aAEK.exe

MD5 05a659e7e101d87f2fc61b1bd023128e
SHA1 7e922bda7ef29d2df6ce37db4f0ddffc15068577
SHA256 5fe31045b60dd1ad8959a0921f2ee23abb95b90c0266aeeeed08d2675ae974a5
SHA512 87c43b3fcd8c85f2b5ab38bf369243c992acc2c320662ff3018b15c77279047d9e3d9d1b2a5911ceca82b3b339b242f9e3e93110553877cb083831c3a20a594a

C:\Users\Admin\AppData\Local\Temp\MoQu.exe

MD5 fde9c38bdf7175f7a2a099c2dcaa3a7c
SHA1 3262582a0f940dc6a13161376fd60a553268f56b
SHA256 f98ca998c9917957d35d2363fe36c7eef119fdf4a0e4fc0f4a627bc82c2c0bb4
SHA512 1087f46083e84b3472f3801cd9fdc4abc02599ee1b229203aeebd4bce746a5570c1ceab988edbb17a385b5ccffb01a5bb20aded8d45c9b66973042eeb9b742d1

C:\Users\Admin\AppData\Local\Temp\LyocoEQo.bat

MD5 94f66fa076afee2b878e28f8159888d9
SHA1 76818e788a8ceead5a281125698251f98f8ba6d5
SHA256 08fc1894e5c8ec82c781cf2ab71bf69cc996c8c0506af43475db967468b5efe3
SHA512 b522bf1dbd513d4722d08a42334bbb268c69682be755919ee9c871cbfa9dfa7146882da8d335281838b3ff427857d418bad094142b8500e02944649bb042d938

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 91c320ae13cebafeebb996fa8ccf72a1
SHA1 685f7c9dcc3444f027529a6f6ef9ca0aa6be2d72
SHA256 ff3fb496f7b6e397f5e805d186607d06ec9ec27b2d276bfd92b30ebb88025164
SHA512 fa51f492fb6694d48f75468b03f2335ac764304ec14457bd65de157c96143a9c86da465f226da64cbca59e735688f364c85b280ebcc7f6240d57241dc4a8b935

C:\Users\Admin\AppData\Local\Temp\mYcu.exe

MD5 59a2929a7147b2399b38b4ac7e9ae3d3
SHA1 6bee87f74315073710cf22e58d92d5c57daf94d3
SHA256 e637104eed44755affafa6339492871bd4ecd8339c420a30b80a7a382dd9e2fb
SHA512 1c42cd888e36895588257c5bea47028afc0e73d3aa5e47c1fccdd52e04f374bcb5e73e62f7783835b56a447778dfebc0cca1af9c8f06b3a43f06ed929fd60b65

C:\Users\Admin\AppData\Local\Temp\yoQG.exe

MD5 98eab92b6d9aa5897694b1cfee145d8b
SHA1 0ad5ab6c99d0af396a46e0d94432af7d5aec14a6
SHA256 441e31e439f668e54938c06d33d000d5571e777f36ba892bd5b94ee652b73a53
SHA512 6a1edfcf51b5da83d8e87bceb0d471116f2493347d679205a966eb146427bc6fc2a0126e671898f03b72a66908a67316ad38606af8fa4beced58ca2f8022d5fb

C:\Users\Admin\AppData\Local\Temp\eMso.exe

MD5 a62265109e9a9352a19fe60a8e8fb726
SHA1 590b4593cc58e5cb9a195015fa3247e9f552be21
SHA256 1bfd669ed0b99791a83374aa5fb6841bb7055fdb720326efb2faa90d8c97bdf8
SHA512 672711505c5dcd3cd9c67888fa159c5e5a000d318ed10ed038b476b8838a19d67fd00bcc6b96104cda93a7671d736d0b8c1243dc360145a5493df52cf55add47

C:\Users\Admin\AppData\Local\Temp\cWEMEAkI.bat

MD5 72d101598f37f8ef9cd34653d7f3a0a3
SHA1 79579aa76cd0e91c2a7c6833c2d54f8a5355b483
SHA256 551cdbc406007c597bc31ce8bd4b2b550c207357906221cc64ace63ad40726e4
SHA512 97a3ef67b224accae692df64ae570a751fcd14e41c506d028ae37c1ae656830db0bb75623a1ddee1b6743ad2b07f70b3d39da538e44dc5c05aa3c891ee0df393

C:\Users\Admin\AppData\Local\Temp\oMki.exe

MD5 fd18e81dc7daaeb26979678d2390cb1e
SHA1 a2b9d82f18e391e42edc7759a964f6254beaec40
SHA256 1c20942a74f78838d8bd9f518e7e1c19020bf1cd787105fb9e8488246ab84067
SHA512 a0f9fb167376a564751409d43236ab578645d271b31328b0a4403af4dfead658f51749559d04026e72af7920120103dd27f5e2307da49d26b286dda7d592ff76

C:\Users\Admin\AppData\Local\Temp\KoQu.exe

MD5 53a1c108e0db656b5d20bb42cc504744
SHA1 fa94e567dd83839bf239fbb0aef00e3416ded3b8
SHA256 a2871bfc5678d36402952aa05f683f321de9b093305501afae3882f13736e135
SHA512 ff4663521855db3a128386516862e824b7248eb2944cb82f9f1f0eadab264030b2f0f0f15209360c7f8732b84322572fa118bc13c82f93018f1363525e30dd42

C:\Users\Admin\AppData\Local\Temp\msIQ.exe

MD5 06cd2853ce4ad149ffb0bda0bd6a4e53
SHA1 80ec729dd6c15c4744252b6d27469246feaaf2da
SHA256 4b5f97abed079e60ddd5c3d3de5d85563309d49781cf841c859d208cd34a7f0d
SHA512 7b314ed1d934b1dab24dd983f8e854753bb989735a327464fc38da46a7a9e04ca92c0804e2a8d642234862a6e8d26d309c220670f701bd646c0fa3e865bb11b5

C:\Users\Admin\AppData\Local\Temp\sgEIUgws.bat

MD5 71646387dcd50994b6b9c01d36a5d2eb
SHA1 f4891fa7274f23ae36a7414a560f6784326fca4e
SHA256 94264cb41d02d18772747d37aa3b34367681f2ee3496674d9ebfbcabc72383e2
SHA512 667be0077c70d553bf3dbab04e9cff412da772190cd1bc2bb91b9fcc63f35ce3055adef47573e16210a8c8825dfa98bd323322c1566b110950f191664b46662c

C:\Users\Admin\AppData\Local\Temp\IoEK.exe

MD5 a3782c8a0f9a2cb81afbddf4a441b367
SHA1 9457864e1a8e55882d9800f7ad8e95c5b0c6e038
SHA256 e05f92b89e603ad8b0af8f04d0895dc8e49d426d867e02b62879d0f170307872
SHA512 73f26e9617b50863bb34a4b052dd91b935c6505db24dd1d8465f240d7ca2a03141f2bcc895a56f2612b3dd71da3aff8b4c83c4685bc1e8207d30e146de9070cc

C:\Users\Admin\AppData\Local\Temp\OgQE.exe

MD5 a0fe9935738519eca3bf2501be7e59b0
SHA1 ebe1d330120e655c07f1f0b79c2265a6f721f293
SHA256 e73483e1776af1bd5d65c053551957f7c0945fe32cdc512c4ec04674d24c1fce
SHA512 0ce739200520a70d094d00fd70627d75489f86351085a1bc3e9f47b134fb60c7187c4634d45f7750ea934b84b1dca587255e4f42af296299358a50d46bbb86a4

C:\Users\Admin\AppData\Local\Temp\WMoU.exe

MD5 154b055bd4ffd90dd961de5a558df36f
SHA1 3dae38e75eb723049b17d4cf6b285221ce579f33
SHA256 701e7c8742c30a8f58f7ce787b55850ee66385895f5983cd91ca16ae76149532
SHA512 8ffa0c8b13d083bcd6f7fedd01b0b67a6f9e153156ff8893b0dcc6f2919fcd7171e73d2def4b36d805d99273097c0e9d5d95000e103a7d504692958d986836c3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe

MD5 f07da1cd43e1c37556e576ebf954cf11
SHA1 5436c1175f16a1f0538aef9136b6ae4a8bf25670
SHA256 a6527b61bd367f7c218385972fc7a98dd9a86881ad4e10b313d192ddb41ab91f
SHA512 eb7ddbe3bbc85981773a43c209d67d107433f740d080b8ea69c18bfd28e4d08226ab29ff07cf46534351d8a6448182186ff0a188a8a3e03f92e3a80865c18dfd

C:\Users\Admin\AppData\Local\Temp\qQYMoEUQ.bat

MD5 44a0791d6841eba2e6f8f4a50999c5bc
SHA1 59ea7618f6b7ad5319acb2024a63c700080170d3
SHA256 8333dbc0b50b9af61fcbf584c7d6916c04035b8fc5a1e554189072df6521d735
SHA512 a642a261d14307bad552b4459cc80dfe6af7f3c235120a424053b7c0b60388d033a5b7767252c07ab00cfe06c54898cff85c68eef058168876becf297ec38e40

C:\Users\Admin\AppData\Local\Temp\mwMK.exe

MD5 1dd2d9ba01e2b5f5966ed95f8c51b7cf
SHA1 260c761ad3e2fce217d6506ef99c13d0393a9add
SHA256 e16a930c31a965947796a4503453ba676c884dbd06becd478f20dc8aeae364eb
SHA512 5b4cdc9f3b0d9ce4d8c98e6b4a5a6b3042489b914d5122cddbba2f7508ec3f23d0bc68653f736c44215ba3ccc044715883d6b845378d60b97d33f57572efabdd

C:\Users\Admin\AppData\Local\Temp\MAAi.exe

MD5 38b9d6d5157bdfa944ed33c03d69a4f4
SHA1 61ebc0ae9ba315d83825961369a1b8dc68d8b6ec
SHA256 7e0bc0895d42137e9b9b77c746b0169cc3c2a8127de804a388c974eac31b7247
SHA512 e821f5025e14e71757662d1f854432831b054d5c2a45c2576dfbc1784dc73bef393e37d1ec78a455c3d017b28dc0a37548f61efe47d44ccc73c0806b09ded7b7

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe

MD5 0427983ff64a19d68624301b04ebb8ba
SHA1 4f21cdb1d38febdf9e4fd87b725e06a52a153f67
SHA256 2f1af2c8cc8261a1e9902cca855bf68c6d0b2e12af06786ba70d07daf77f0038
SHA512 6367f0863e743a526d11a75120187b8b72548f134b18976ae1c2b07db825256a72e6864a683398dffa1444517e65de19eac1d5ee8c8a5c6d1d699b9b1e166b99

C:\Users\Admin\AppData\Local\Temp\EwAu.exe

MD5 27972624abb501dbf748ef197a9f449b
SHA1 440b5611f707752eb49210e62effce8030651f01
SHA256 a7040d03a529717611212547ae5df7381194ea5248e64f46384b515dc6f531a7
SHA512 4489a6b2f35263ecf3e9ce8fca8f4d1bcf3a066f0f9e3f2b03459c0b16a4d8b89c9e4260f07511110001599c425aaa2e373e4712faf2d9adff304544ab83a58b

C:\Users\Admin\AppData\Local\Temp\OqIoUgAI.bat

MD5 4b0511f4b896d3b93926050dd858bf37
SHA1 bf9164fc7db21da683685e4700270739c8bf4f05
SHA256 3f088101fd66d25c3270eeee58c1e1c2c7bff0dabb3318190f7e1bb5040b5261
SHA512 2b93f159625f1698e1df9fde01908852269e8f904da74e82fa1da5d9ab4ef4784703ee0b5cd699477782fb6400c5e4630ab5fbe8d36411ebc2dc7c63f5a3ccd3

C:\Users\Admin\AppData\Local\Temp\okkS.exe

MD5 579106f2dd9ad8fa44ef7e6e961ce63f
SHA1 38cc1be5c305a7061763a2f32363e3f1690a059d
SHA256 48869aa9474c3e75b6c391ae1d45419be5cd0e0e00f6ac5666c1eacd8f8d7657
SHA512 f849d72594f35ffb1a3b9ac1caad325f2ea5503bb6761cb1351a3c2d395e17f347983a8614fbfc4a91f1f126f39c1b656d889a7a65c32b31a434c931bb11ed70

C:\Users\Admin\AppData\Local\Temp\iIkQ.exe

MD5 37d9e5d6a9c5ae672cfd63c402666b8b
SHA1 72f7113f4a8f95ba8071d6faf21af05cb7803d0a
SHA256 4d00f8c72e19f23f88b4d4ddb39d50ce891f38131d89a7e6a5074d9fb4e2baad
SHA512 c1e00a8246837c4f3dc1f77832da1f56342d2f5f67442464c206b38cf02b961b854920fd53b3337c0e85397e985132eb3750ef08dd81e7de584b3a4a36bdf675

C:\Users\Admin\AppData\Local\Temp\eYIO.exe

MD5 7814d14f2a29e5ae2d00528415405813
SHA1 708ceb75f4c6cd6ea3e8cafc0853ec05f6bb2d05
SHA256 6143b95128cff1b3abfc87bb203941e490e66f69a319c8e51ea0f21aaf669cc9
SHA512 37b623bdcf99b213e2ebb9f9856cc9912a355a35383260af9c62c413ab88a640f3a58b10b419a5433dbf16828e1a51ff05016987c7839990831abe764c62f76b

C:\Users\Admin\AppData\Local\Temp\HUgUgQgQ.bat

MD5 c02d1180c80bcf083776d5695dadd399
SHA1 36dd1b113e2615b44429a9151340203145ce5f45
SHA256 ca35fb5b1fb15e15b84a1c880d4e61c2b6ecb274ce5e54e7f74da6de660daa94
SHA512 89325cd1f4b29b92433627e96f99883892f88ddb16746dafd5b984a62ae04216d1b5b7e45bf925664f3ecac43e33ea99e186a7c8967bfbb3ff71ef5d2f7ea85d

C:\Users\Admin\AppData\Local\Temp\KQsw.exe

MD5 b5be670daf7752925e3417b4e993676a
SHA1 d74b44dbe533e41a7522663d3b574a070e146a79
SHA256 4753c22c79c314951d414fc34bc734f7f938eeb976dff3329368a988250181b3
SHA512 dcb5283d1f10912554c20bea566b4dcb0f689c23256a606ebc1d6366489d53b04116ee3d7da3660edca4ebba626f7cc0c330096c088440bf0c6429a4493c2f9c

C:\Users\Admin\AppData\Local\Temp\WoQa.exe

MD5 0aaf801b976f9d7b9d8711ddf45f312b
SHA1 1545a5b498dad38ae469f3eeb3ed521c76c4043e
SHA256 251f90a5580a3c072877a7cddeedb447f963daa390170cbd1b06cb7b5b339054
SHA512 ca211eedcfcfeb8ea756bf1c4a4934a298648b8b355fb1b8d7613c7ddd68619497d40c6e89cfe5491f3df909a7c64b9092760c7bca9823b91521b9e8ddceeb3d

C:\Users\Admin\AppData\Local\Temp\isoi.exe

MD5 d442df7ede21647baf4445c63bccb50a
SHA1 49843155994d0a84f6e762d5dc56aafedb234d97
SHA256 6fafac953d79240018cfcf4c6644594c7dfce6b1dc934ba0bdab572897339d9e
SHA512 d56a7c0ea2b79b557b4ae9795f942a2ec812067d434adb3c987773b51489e424ae15bcfb95dd9df828182d5a5adce260302d0a0187c2b8abd942fd008532a1e8

C:\Users\Admin\AppData\Local\Temp\ggwC.exe

MD5 b6189ac04e4d388f3f0e14baacbdc200
SHA1 e0dd25d47cbac6991d432f8a15ad1b291ead500e
SHA256 97e6f364536115212cf1ade04f6d5b591c9c6e174449a5f17f647225d9782a37
SHA512 198282b510830cfc95420b430743bea41771afad56bf80c638028c7931c286c67af623a2134213673c26c6e9691b81f1508fd41b5cc28bcd06e58f3051ebb231

C:\Users\Admin\AppData\Local\Temp\rIkQUUwE.bat

MD5 8cfe3ca4479bc6766fa4ff92b052b219
SHA1 94e6ed1a9616ddf6a3551a1da7e4423e20256155
SHA256 77df2a8ca5d8f61cabe5a76cce5cc6f13a54e51e23adb49a9d272fe5a95ea603
SHA512 a5c47043f8b088f2f19880ea4453806a1bfcb7a377595364f2ccad1192ba3563abc565ddaee0573b82c0947bf0928f2ced745188eddf59a0a1c2e2b1fd71859a

C:\Users\Admin\AppData\Local\Temp\cQEy.exe

MD5 17e7d86c6f2d61fa063377ad807a385c
SHA1 582900e0aba5958a222af7aa0990c63da4cb479b
SHA256 f1a95ef4d096070bce8046bd35c837ca5b1c81bca8de4a5b11645da803c3dd66
SHA512 0361da2d155f17031351d9344db9e1a9b3dd25d984aeab3af513aefd9d26021da3e53d445d86e07516b949ba17454c215c594150748e78de9275cd24bc9f29ab

C:\Users\Admin\AppData\Local\Temp\MgAe.exe

MD5 1051b07b9a21d32120ad303da67e4827
SHA1 ca7d83a94ae9486cafcf74d4fbf980a5d12e8229
SHA256 0a5d7ae1a245c4ec46284098288bb1ee6b6a9c20659c055aa1d9f61a503074cd
SHA512 9049ea06cdef295cc603d1a34f09faeafb27f21bca7a137cb2933ee0a40a14b5647a88e2db5a0418b3b114a658ed6df26180b81437840a4ff4ec848cc83c2dd7

C:\Users\Admin\AppData\Local\Temp\bQYAYgME.bat

MD5 434112964d8375522fc710a70d228471
SHA1 c7da83a89ab47e3795497796aba5043adb7b5d34
SHA256 ba37682c4f4e4021d22818398aa4837cbc2e6ffd1c5fac867cf8f17c1ee40740
SHA512 65a76531e426f9ab85af32d6996dcc83d2b6d633a07cf1b6619b66df6d2bc23923295cce3c49fe9b7599b7ca69937d59f560f545277fbc88476df93eaf3d6325

C:\Users\Admin\AppData\Local\Temp\UQwo.exe

MD5 4e7763fba79d2240a2971854fd079fe2
SHA1 38798ab8eae4e780dfad8e0a74541b121787a199
SHA256 75cd5f788f1b46c4769ec5d8b4b76e02727211f57565e2e387960cc0ce56416c
SHA512 3b94430b825cd9f6afc5816271fb24a55cdea6415b7bfdcef2e0b3f447a8a8a92ef0a6ddd09af2021b5536d148b87a69efe7b85a40d8eb1e45c593a102d0d034

C:\Users\Admin\AppData\Local\Temp\ggAy.exe

MD5 3e0c80c0cd0b562169a81e945706c5e8
SHA1 2575e669c94905aa5218d501b2bdf139c13e0782
SHA256 c9d60927b58e0b3f08c3751c2b8193ce3eec876817d2fc35bef86d75cd33b285
SHA512 64feadf8d5c556c73afd000b5014251a699d84d1ef6baaa19033367e666874fbde26c48268853b7065f7b04ab840b45ee060144d1ec54f9f0ca37fa8696e7c16

C:\Users\Admin\AppData\Local\Temp\KQIA.exe

MD5 a754daf4846f63d2c5556689f167cf86
SHA1 3b62d947d23418dd18f63eaeea00b4b2cb5e3374
SHA256 fa14a5950a542aa76d07eff2ed0b1893a7f4f1531917877ab0a96d7aca5041c2
SHA512 79d94b53a9804ac4155390f16e4304e6dfe9cbaf2629883cf1dd97ef0224b4f4dbac460ddf463a3efe65a81193118b9c01b563ed82568e3ed658809c9e228db9

C:\Users\Admin\AppData\Local\Temp\AEMS.exe

MD5 d6521f49f450b02fe3d0082d289633a7
SHA1 ca5b7f4ffc9dd90f4b47b8bce01575ac3e63025e
SHA256 9b0f29b418a4a3472cec727b17c33007cdf2c84ae2d0c71fc0f684e720e5c777
SHA512 7fbb1ecc144e07cb9f6787684a87fc62ec1f7c33a41c479c51b337760c55d9765f037eaf04e2832161c5d55bd31b2599bf804b0273f9f32256f9ffe1da1d59fe

C:\Users\Admin\AppData\Local\Temp\VuQEkwoQ.bat

MD5 0ff651e590416830a6a15b1c332ca809
SHA1 5790c99f51eb1cc198bfce021731cea4d75971f6
SHA256 fb5eed572505ea8d521a9a9e7042e2b63f3f76a064a6a441c5ff2b0086a7e26b
SHA512 44d60f4efdfb1296cc0e937c18d5478d5980d78f89ef6c17ffd8d4c3ef241ce1f8bef0a52503cd117d52f8826dbe09c0d6f74934004c527b9a335def4a04db22

memory/1844-3387-0x0000000076E40000-0x0000000076F3A000-memory.dmp

memory/1844-3386-0x0000000076D20000-0x0000000076E3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\soUw.exe

MD5 5dd19e1e9fe0473263b8ccafd4749777
SHA1 8a1804e5b4a0ccf6cd156349d6a578c2f31c8376
SHA256 f2abfece228035b4cf81ffd2fe8a275d0e099705525b18caa253543691808f00
SHA512 698d3e46a1a0fb5fd8c25f62c26bb4fc9362c7dca2376f31060abcd9155e06f92a8748153abe735d8e6956f7586697e6d7ca58cdf9449afe5d64b823be8e6aec

C:\Users\Admin\AppData\Local\Temp\SEUG.exe

MD5 711909dcaa688da5211a6fbce4bc989b
SHA1 baabd3043702621d34b514df356b24d19a1f9084
SHA256 189dd0465ffeaacbdee24a3104bf8ae100b017d893933e436774609358987f0b
SHA512 d60a1eb536552f6adf964afeeeedef55028bf57acc734c75b0f4c04fa7c313513a012d866fe241bd3ce3c5f132fe20ad24abd5d4f2a0ee83f8cf8e53bc7ef6ad

C:\Users\Admin\AppData\Local\Temp\cQoY.exe

MD5 551c307c9772cc1524ffd6b4ae5bc81a
SHA1 ff7be748dc5de6731c5ef7cc7e8bc914a91c5c93
SHA256 3bf13c092c7af796b5c51788ded93433af2a8f732b8b88d41b8427b989220dbb
SHA512 c7292ebeea03d509b4d275af8ef2d80603b27ab7468494487d0cdbfae6f3077e38b17ab0b63bf274c463e4ca9db9c4f8d59d46eda8ac9ad85255e677c1bbd490

C:\Users\Admin\AppData\Local\Temp\wkQu.exe

MD5 a32d7fc57a4cdf4c109e90bb14713408
SHA1 af1e11cd76fe96cba625f9b63582d5a315717ea9
SHA256 9d6f62d600be8078cfa111d9ae512040faeaa95a3bdbbd1611d3cf5346bcd104
SHA512 2f2755250f829e8a81550c896c5df3fbb9f4cdec49fcd199a368a93b76c4bf06f04159d6aa43803dffc97a13cf5fb5a6729b2810f1331f5f0596de6e398f5bcc

C:\Users\Admin\AppData\Local\Temp\bygYsQMQ.bat

MD5 30a1297d1cef2e98b31792fa189a63ac
SHA1 baec89c60ec9ca8377e8bc6c666f271d0ab1c78e
SHA256 60851d3a621080c0eeae566e4bb979047344213c7da426e5df4c47734e92eb2f
SHA512 c5ca5faa6aac24c5db8c140b4110a5afb234d0197f55cca0d86f88092e9fa7f0dcb44bbb99d0f4ff93e267f133baa7f1cc39057f5f9152e41123032c84b1ebf3

C:\Users\Admin\AppData\Local\Temp\OksY.exe

MD5 82083311a22dc87a831d4247378eb603
SHA1 6381738f50351514c0ffac16b8d1cd3bb5c53dbb
SHA256 3c3a89bf824b625d354b439c00c7abe4c27cc37db4a5390ee082563d1216da47
SHA512 e341ad51f3d29cb8030df6423e7d79cbe18263ebb60b0504b3b287be0350eeb58038c92619406161d9fd62b3bb280ccce639f51376848671eed72e67f04e2c30

C:\Users\Admin\AppData\Local\Temp\Sosq.exe

MD5 c619a85f233bf7fc4296e7a5935f0adb
SHA1 303d254b90c383c6d48c1df612187eef49807b32
SHA256 3b83a4b9678ff2cae4ef4df3e3f7b6d74c312d36a25e7ed18b4427dc1d1d00ef
SHA512 7575f1574aff510c57519cc761a6709a99cd880a0736c4106eed0e5910d67b67e196a9a4efb5db5073fef7e56a1c109e3e719b74896b16bc7aa2dc19ff6c7e9d

C:\Users\Admin\AppData\Local\Temp\yAUMAEsk.bat

MD5 f67c99ea88bdc86792573f209b20e3da
SHA1 602a20f13b36e92df94629a1e9c9d87789aaceed
SHA256 230b848929ec542f046ad925d0adb3318d939229a6e049e9511ca6303c604831
SHA512 4c307fb6b0d8b7e320055b116703ca954ec8cdd7e091b9e43f2849ed626fa87136405c46273c1c4c41dde394bf77356d5fd0c4c21cf18f0b22fcac0b9bac66b9

C:\Users\Admin\AppData\Local\Temp\yocm.exe

MD5 19e883bc5a1af78cc74965af4367ef61
SHA1 6a7a6ee800054f82edb96b4561c17e0c962a14fe
SHA256 e539e890ccf3caa8faeab63390a7f58cab6d4ddda8b1103e9fdeb6aaa663e75f
SHA512 31cc5441e77d7e57029587a60a2a29878dfb17a607a423b2ceb537896743582cd21c1e437c17fc3017859da78626e6f70955a1aa8af75be5244c9d11c290546e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 c336c3c449f338c2dd1a21806efff9c9
SHA1 85b23c94af94ae3f51d728264b581aebb4d1b116
SHA256 ed380e566e653a1bd96bb3933c5a98ace99874cd2fd4bca0e18d2827caad089c
SHA512 b89bc8c1ba92373310f607a13163b0757415a9f76e047fad6326b62bfba821f395abb6eeb97a13750fdc0d7d7efba0e64ca552c739c63a5f6e994341d68e5543

C:\Users\Admin\AppData\Local\Temp\QUUM.exe

MD5 d7ee700b586d724a178a1138f7c80d77
SHA1 803bbfaecd87fc80c52acf55fe4c8893525649ca
SHA256 6eba12cefcfd3d9bad568b524d1db0df3fc953ca76609f48355551ade2a11736
SHA512 2f4067d84a5de9e0e22d7bb7ca6444f7c747b93301364e364b567f4b86fb7592c0b90a2a53d6bcbcb0bb697086bcc59178918532d6201379b5481f572820ae7d

C:\Users\Admin\AppData\Local\Temp\OgYu.exe

MD5 59c8cd5d0db2c595e6d3c3a751901d85
SHA1 baf5e8b2355acf6492025c4e6782a111f33ec06e
SHA256 328f480509e0fa0af59db87fbf03a48e5371e5b651cb02f879a7719204b62ad0
SHA512 5929f9b303fa0ccb695d5f8e3082ba3778d924c5f9865da52a55b9b82af24cea2e9114b59f834a3d140361cf8d165059b0ce09068eb0cfb5c3b7cd1ef3b2ead9

C:\Users\Admin\AppData\Local\Temp\UwAgoMAE.bat

MD5 a34aa0a97da41e455473facab31615e8
SHA1 63603bbc1f80cff471316c4ab862fc363b4e005c
SHA256 59d5a322eb700c8305d6097a3b36471dfbc1fd0285af56ee762440f7b06d25c0
SHA512 538540a654a4da04f76098c186de1a34436c6b427eac4a81ba865b0ad71cf25f2fb7174f69df8f56155d7134224333e27774debe79fbb27809010597e64807ba

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 2832e5be992946d7f411c91ccbd0130c
SHA1 e215cecd48774da3d1a7dd136dba0d934932c7ea
SHA256 028f55505f2a81db1bf41632cf0a07570094d978b1195b782a187598c7686137
SHA512 267e7045a1c8af5fbc2466fa7e85e610fd3d114481f357f4f2e7ac4a49ae16cfb04c781bc4d0b4a365791ed5e1eda121cdfb7f4fe276bcb8a0edd8c8d5be7b67

C:\Users\Admin\AppData\Local\Temp\IAEYsQQs.bat

MD5 5c6438e1dd331b1fbc73f8e13a363e98
SHA1 04466b15f7da79c3b1f1699a115992594cec11c3
SHA256 74dea1059efc1bb1088cd6317c6bf45854c629ab6b37d9f62b724478b0a8497a
SHA512 55c7389124bb24d30896b9d933bb9f46b1be480c21a462d57ed9d46b02cd0acde421f91435c26ef3af9d120064402f348d6ff441b4c6b5ce693f199e0a937b62

C:\Users\Admin\AppData\Local\Temp\YswU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QcQu.exe

MD5 2a925b4de57921e66131369aef3573cc
SHA1 7f828a584e9fe4dad18f7522d06205e308e9e85c
SHA256 626e7bc825f0f72e0ab659b85784e14a42ab57ff24d1e74f5a4328f822cc849d
SHA512 78ba4460f97de9c1f3823117af2bd1fd275e255449c4254d17f38f310268dc7d371e496d1a905134383368c27ab29a62c43fc8a8f6ed2d8259b986adbcd4cd13

C:\Users\Admin\AppData\Local\Temp\AWMoIsQU.bat

MD5 6f0f65f99f897f2527d9b22f4fa40ea7
SHA1 9d20c248d5a76ceeb914ec6c502201e00a2b5b87
SHA256 6ccd82a70cb3e24d1031a1fe262aab7aff9fe5b0a08b2cf6f77d87db42b555a2
SHA512 b19c954f12c0fb54b3de7999229f94b31e4eef0ae86561dd61dbc3861d4d01f053a1aa1c0737b4f0f2881e9996e69e80c3a500d98531124b4603408b3abd06fe

C:\Users\Admin\AppData\Local\Temp\icQc.exe

MD5 0a736493c0eb257ecc0d6cf9fdf76628
SHA1 7210b40e6b7995aff0e2d3658cfc04b8f22b8750
SHA256 8ad360806df95610a4db71e014ba9e9244e9de923e5276b9828b534a48ccb1a3
SHA512 f6cc5d152cb6d525d8f2e1b6b9d5d58ab37d27d6af80f7ce4a23f77ec113a8f5a3e9deacb2b6f94cac47488574d763593239c3407584feb17288ca5c17b16533

C:\Users\Admin\AppData\Local\Temp\YcIk.exe

MD5 ad54f207e16116c533af20fdd66da4e0
SHA1 81f71328031806dce5b5f3a5c9a801368f7234f4
SHA256 0142be3c918dd1aaa79483a8d149e161bbe0dfaabbe06e8bba356da60373466c
SHA512 0bef9e6871d7d990e2a7af9ec8e89b8656de9ece0e7bf61976575f741454c16c0e2441749f9176a57f80c65c7be81f10122c66ed8a8e4b32a83d679dba9cc669

C:\Users\Admin\AppData\Local\Temp\UcIo.exe

MD5 e32499cf8e13f614156b11ee8437238f
SHA1 3803d544843aa4fb9ead403577beb5bf44290f94
SHA256 971f2c88c9e0785e0e9b18810afc1fba56529d4d2c44d18e98c750d459c77ad5
SHA512 4a4ed270fd65c5a22d47a3254e79cf43becf808d7384f928ab8fb925167b82a0c983cdc80d5af6bf1120d0581f50ea320f75336373234f390ccacd3332910081

C:\Users\Admin\AppData\Local\Temp\sgoo.exe

MD5 654bfac8fe848a3838faafebfe6c5530
SHA1 9326461f3b9facd477040fe63075b65ee46c3b0a
SHA256 16bbf11c3281facc9c0446dca90b4754c86e407d213e7e078f09c8d8a437f74e
SHA512 6f36f58325e9554e1efeca9be8b0affd085a68305c298a9844ec2ebb05ab2fc59f6c6e36c72b477a99aa096e9545642c20180daa9b51ef03b53e24f7e538c6a0

C:\Users\Admin\AppData\Local\Temp\Ysgg.exe

MD5 983fa63b9bcc81a842fecaec94e4623e
SHA1 cb3e66f8f169deeb16cd755914dc1ba4ef712abb
SHA256 2982a92a0c6495bed9afd5b14d61bea31eadc5541f49edaa43129c4a44e23bc1
SHA512 1cad0809ae8be6a202c0be82645715e2879ad7b5a6b9aa8eb67c83a95f5f4bc6be2c95a219294a5b794c5fcf0af2f74d49c5ad3f2f8b3d82a2753e5403eaf0d7

C:\Users\Admin\AppData\Local\Temp\GIMU.exe

MD5 fa0164e2082b757bbc78cc6d7518d8e5
SHA1 8ae9809c06560668f242713fe4f2e3efe024f1c2
SHA256 d1893449ca2bd28768517ec5b3b3b1eb13424b8237269c994677268ab99c2674
SHA512 350d1af1f05fcd61c9d0bc54530aeaef34f4de2fee0bb5c6acdd92293755a4e4c824dd9e2c0ac0719ce386dd17f9a7fe41870ee04f876b5edc98c3b49dc41ffb

C:\Users\Admin\AppData\Local\Temp\usYw.exe

MD5 125b561e418a7a2dd4ef53efe79c33f8
SHA1 76a2b065c4409b5068ddc13ad9d57a503390027b
SHA256 cdf6a9c15fff709e69f7cbeb13c61873b2c6215dd9f27495e83f73550118b530
SHA512 01acae7a644482900a4de1f56a7bad3b5dbf9a52a622824bdc0f6de3ee977a2276555fb450151d99bec69717cea8bb396fbd7090eeaaf87cf7036baf8134507a

C:\Users\Admin\AppData\Local\Temp\goIc.exe

MD5 34585dd59bdd13f4c65d03caa104a9b8
SHA1 4fcc5fa2d45a154cd30f35de003107b873c35159
SHA256 879d222ac8db43f61fbd75b0205e0e1171f95eb23805e930dac152316839ffcd
SHA512 7c04133ce98847e174987675b4681157e014478b331a44758c6f17bb862639cdd368c3e8a1b3142588f4c748283c7de60a269dc084ff541b16178560eecb8626

C:\Users\Admin\AppData\Local\Temp\mwAk.exe

MD5 e9ae116e861dd3dc9ce97dd29d1c25f2
SHA1 85dfd0679ca34eb9155d5e55e9498ab0e0552f6e
SHA256 0c6fa68e943bdad0d5db402dec14702e5e4a18dad569e47c739de5e1c940d011
SHA512 06763f307a271d6e0ffc9c67685e103828424817e63d485b79ded7b3993713c9ee4a9cf8e9a4bc337a3724cd5055c5ee60c4862c96e12c99d558d5a352ba5a1c

C:\Users\Admin\AppData\Local\Temp\SAge.exe

MD5 b2e48f5ff64991c22c3509f543108e81
SHA1 61764dda292b1b1e99c1dcbd2512f05a8021dcd0
SHA256 4144c8214b800ab6b21c053762ba07c62bc44b12f70e66b9a2a17512ac896fa9
SHA512 77d775b3a1693830ffe3d664cb7717f0780a788c3f710a8c87f8976509060ec5b594b1be1bcba59f5576e8e7f8f56223e791564e066b22f43ca9c61d7671661c

C:\Users\Admin\AppData\Local\Temp\veAowQYM.bat

MD5 8427726335fc45947616bc67648ff147
SHA1 860eadf9005198c53491e75880879a29eb431b0c
SHA256 63cc167a77cdeadd768e99a7674d7b6119c1273092318f96c8dda340d746481d
SHA512 d5cefeb218d73afdeeec6ba163c0e0cf5dc00f3ac3dc7d022cdd26f7eb694cc11a9c78c092b0be22d2e746b6969891406fa6ef6e23f0348cb3405f47618d50c2

C:\Users\Admin\AppData\Local\Temp\lMUQsEgM.bat

MD5 782685681d87a6eadf5d3eb59bb6ad6e
SHA1 ac6f843445181a390365416c3fe31754771680e8
SHA256 6e4421f93fd136b5cea44ea1f624925b1e23b84cea737d0f5772cba32df46276
SHA512 734b5cb5ba354a5bdeffe126396da7ce98b4b45f185bb3448b936e724f1fdbd6e7811cfa015ced8c83059372558302f981805bcd0a2c1928382ac7f1660a0003

C:\Users\Admin\AppData\Local\Temp\MIMEUYcs.bat

MD5 1903a3443a397660de69904323b54533
SHA1 2d4aa5a5271bf55bf5139dda546f0f30ba06a6bd
SHA256 44d2fdff9c8e04cda1999a704f7bbf6260636c63880dcea65e2ab197c2e031e2
SHA512 7ea8b8c2e5a7833c13c07d9ef6b5c7e774ba86d43e1bc89f899230e1f87e9fe52b4a8ca02127fad1063c0d57a9cefb88204f33ba35cfc789284f1ee0bd058918

C:\Users\Admin\AppData\Local\Temp\wcowkMgk.bat

MD5 edefcf38a75135a3bdd9d1365a794ada
SHA1 dc644b8242f61ef107416b3c7e29b77e68a1eec2
SHA256 31f1ddb689b3d3df97f7f946aa2a631b2523ebef19824a11fb38bee05b3c72a3
SHA512 f65c24f850955a9f046a8b75f7c96cf43171cc20cfa9bf8791c677839223621c26c69e87d7777f11d0a0b3b655db907f2af26970cd40a60a5057c347ec5fe2ee

C:\Users\Admin\AppData\Local\Temp\mgYEYcgQ.bat

MD5 381e7c4dcb6b2129456cf7ee3abe84a4
SHA1 6be607cdf98562b2621c83abf61d80de6701b399
SHA256 b3cfdc677605b4c0b316be45431da3bd2802f37c99dbe88e67256e83a7ad56bc
SHA512 6be5a03cb63de069035e59105a5d96e538d99b8b59bbfbad37c41bf3df877141475eb6ace10db3d2a7feeb147499556453609982671a3bacaab98668d2be1580

C:\Users\Admin\AppData\Local\Temp\ggcQgcwg.bat

MD5 fecccc54d877638a91a864d269594e9a
SHA1 e117c4d9db7ed34d083b12dd6f9b626bd849e1b7
SHA256 7809a18a44348f67f3090eebdefacf436562f3c28359f506b56dab89923731cf
SHA512 0a6d4cf08c6b8fa3f9ed96d28809024c3ebac420511090f871d1bbbe7b0740c92811b07557350f7179d7abb8da7c25a384c99b9489d620df438d5ec9b3420c5b

C:\Users\Admin\AppData\Local\Temp\ZoAcEkAY.bat

MD5 426bde8efdc787055744656a4080848a
SHA1 daac319172caa8c177dccfd30acddfdc546ce635
SHA256 5e90741c8c7f8449adbf2e89ced7d16db079587e05faa41b2f48c003b3eafcfb
SHA512 4c2b301d2e5f7189c1de78564d543a379670ec7355ee031a238e8a16e629a997fec2aab3da06819c0a3a7f928eb1ae4bcbe28bf9ea7b06e46bcbb65d50c54192

C:\Users\Admin\AppData\Local\Temp\HOgAUMAI.bat

MD5 513da49152d457bc8be19a709aa1c564
SHA1 1668cb8c419cd260d9a051fa9696eec4776da90e
SHA256 6e7347e6d1bea2686df2a7a1fb80546a5f869d7234b2ccac8786956cbcab3a86
SHA512 a4611eac32981997ad254829f144886d7dfead607fa7895a84c1cb1f36b8b973edeb549de39d0a95ffc5908bbdc54c6baa4d69de2b5de6147d52bfabb70f3232

C:\Users\Admin\AppData\Local\Temp\dQEAMowM.bat

MD5 c703549d0146a8f8cc20d9599c5c4807
SHA1 61104beea380e8dd40c24fa92d32415f4b4c91ca
SHA256 d7e9ec425556c780d63339388e6ab98a7409b8815a5f1ed09b12dd190c832d8d
SHA512 ae4f86bf35b055a49091c0614ffbeafec7419d00deda132954f2d5f10d921dbe6923fa6bd508e94f58a74147e8d282cf715f83f6464bd9a7ee04c7a73ae24a74

C:\Users\Admin\AppData\Local\Temp\boEsUgIM.bat

MD5 775303c5a06d015dfb54ffa2aeb8d792
SHA1 1ee2eef131ed551ba2958d5320cae9db8219fac3
SHA256 6a4ddf684a2c721aa66c970ef2c9bd8e2293014996397870576e7725de6abea9
SHA512 9cf1419eb11e57558ca03a34284a324ef0c1457c77e01426828bcdd1c0cd51b8aee8645006963b9e8e80803aff180e89c20d926ff343cab6c16cd2beeb465661

C:\Users\Admin\AppData\Local\Temp\uYkgQsUQ.bat

MD5 83204ae71375348446f5058d61b85f3e
SHA1 58d7b192a6340c59dd2d89f048c527fa539d0bcb
SHA256 023380ff8c3f4ece9821b26dd38f55dffb2289b09a346a6e37e9a0008a98f740
SHA512 056d3458363bf50968215e6a6f857e35f84ef0a3d463625c1da398744fae8c294501e171e4811e33a726875938faa99fac95e1bfc052c854942fa05ef3d03c16

C:\Users\Admin\AppData\Local\Temp\gcUMMUcM.bat

MD5 8d5b058c158d6f7fc23f958c5baa48c6
SHA1 9c5ed7185b72b6967368905badee0134eb447eb6
SHA256 b071d80bb185bc92cba15df39f430ac4b3602fe5162a8b492ccb6ae1779962d9
SHA512 70c4c64ccfba55891b3c9909cf5265e679cfef719323cc2ff7704684181701d5f5ee9b22209a8da06fdd38ed32f68cfeca4e4f321afe024eedbffff5fe0d4d28

memory/1844-4081-0x0000000076E40000-0x0000000076F3A000-memory.dmp

memory/1844-4080-0x0000000076D20000-0x0000000076E3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cIoIEYkY.bat

MD5 8a9aff7f31d82226262078334068f595
SHA1 462c361c637d5e0c2d860822d3aa45362af3c3b5
SHA256 8b3e453033bdefa782427078451ab0663e7878d55a43e6050ca2a33ebf46210d
SHA512 d526f95662c39bb0a09549f49bb6fec86c91f98ada562df07e6a44eed928126bdb2e68b50e357739aa1382d99424d86bd007b1f2018c627404940628504cc512

C:\Users\Admin\AppData\Local\Temp\AeIMUAQs.bat

MD5 f6641bd5340a6f108dc283eaef233b34
SHA1 236fec89071535471333b72575c4a8e1fa262a58
SHA256 c040d787055317edc84f5ccb6a4d2b77c6cecf2f64d8ad12e5b61a6782aff583
SHA512 66046be0c673834f804f9fbca3a0bee85f0c3c460475ba06a182ac5f32f43eea7799eca1846e475c0cdc74acd19dfb437bc420d06c12d7ea8686bbf289f21c39

C:\Users\Admin\AppData\Local\Temp\TKMAIYAA.bat

MD5 3bdb2bb2c57f2e6644bfdf5cc4261f02
SHA1 12ccc9d3e337bd6be7ed89b4fe53771866dab828
SHA256 d2d4984f12289aef221edba7221f151fa400191721bffd0c349fcfd36cb36195
SHA512 49a44224d1b9577c327aba7c7dba3fb9ee8331f498250c0a332998c4b9632df003293d4da23d6ccfc2f3232c9b5dd02f3f212a4fb1fbb3625e9b7030aaee7282

C:\Users\Admin\AppData\Local\Temp\FecwUgsE.bat

MD5 a726ea391cf2f93837d770a921e5e706
SHA1 fdd9acbd3ee03a5cf606d2a74499d451ba1f7687
SHA256 8075acd8711306a3516f3db924e43afa5d56f33c65ba6e09da676b275f9f8d29
SHA512 0280f6daec7a46bf52be39a135a6dca165aab64050ccc7559404f5d1b85ad73095014062acd36030291c5b9b77faabf53eae8c715f7cfc36b6deb1a5a2d69f42

C:\Users\Admin\AppData\Local\Temp\bAwMwAwM.bat

MD5 189dd50c502e849ff26282e2f6161c4c
SHA1 d43f9d268acf92f08fc4ecad1c1582249f3d9e7e
SHA256 ca79a82246cd38e6b8201dcd5892f3d588d7dac6c14ea1f6c398633b55b13bf2
SHA512 1d337f3b60f1a9eb9422afead8aacecc7c6ff8cd003de7dc9de35842524bfeebd567e4a87ffd911fa30061bf9d84a78488f8c8afa0cde6eee0e9f51ba474c293

C:\Users\Admin\AppData\Local\Temp\nAgQQAUQ.bat

MD5 abba493ef75b63718619ab65a3c79a55
SHA1 a01c57c1bf2c4ffc23c3c2794d42a8cee72d6f65
SHA256 ca8526f8ce740f8217eb92ad7c6ff2d6d3e12fbcc81fdda1586acc5e49f517d3
SHA512 a5ecdaf5de6dae2feee83ac3dc1960e76a5d5d591a1d8c9831204cfde59a684759ba9489b847251149e00322604b7879b98d536c6ce99d0220a2abcd10217330

C:\Users\Admin\AppData\Local\Temp\Syoswgwk.bat

MD5 74b7c9b0974ba770617bf3e807ca8ee9
SHA1 e10c944634e0c6bb97d1f4fd7bc1f5774a30c5ab
SHA256 abcac00180f660da96f67bd81f0c361fde6eb6b56abf468d71b81b09488ce9e3
SHA512 61f828deb4f58041a922141cf83c932f21c193c34eb87d31a43588737bb3f0522dd8112d243be6ad07e16270e1c354014a9886e1613a24fd5d593efcf3c0f0e7

C:\Users\Admin\AppData\Local\Temp\sgAggIwU.bat

MD5 ff492c0bec9ca2529c718cdca927254e
SHA1 b23e04bbdcfceb0df84843bd14ef80a56fafbe87
SHA256 646d47b3dfab5ea08ad0cb6914f0a27d27edadc27a44af5140e34523da9d7141
SHA512 3b0f65962006827df2663a69ae45d2b48ae9ae92f3321ff4305f5ffd6ef0ed2cc2fe2542bc9bc9218121e1e7caa1972108779a6be07233792facfb849716c11d

C:\Users\Admin\AppData\Local\Temp\IAUEIIUQ.bat

MD5 e2a38f9a5c53f2255dd6c0e31eacf0d8
SHA1 c0efc7e48bd5c2b49ba05ec7e2f13b5b9ee4a2aa
SHA256 d0ca59ed81b91afd8de1b288c602b5e60734522d780c04f0b4acab8d24621250
SHA512 8e65905787bf8960c14a43990da768428aaaef9763cd7612dae95f25bfb56e7aa0319c43495fe295df4e59ec87a72eba09baf07e22574183a4fcba24c69c7fcb

C:\Users\Admin\AppData\Local\Temp\IEswswss.bat

MD5 722dd1f96075c24d040ddfeb17ab0a19
SHA1 6cdaf2adc9e384a2515bc62b4482e89d8c9f80b4
SHA256 ec9ce22dc54d3982ae4fa02b91e97777f70ce2f0f53d08001a98e0b61837a728
SHA512 86228a6bd13b64adc755ab77b2fcac3ce3fa3bbaee7dc4d9d9c4337bc5c0d316939398cc447920bc8adc03e2fee0c234c02a68a5d6132ac0f54b2f6f6cc7c708

C:\Users\Admin\AppData\Local\Temp\locAQIkQ.bat

MD5 1b095d6c9aba89a36e8990dfcf68b958
SHA1 d58c8369253f2968dccf7ab2a6b4f2d8dd0968b9
SHA256 97c429f71353bf0e44f4c72c5f0dde8fc2441e4f5d304399ea4d1fb61653568e
SHA512 d5c34310828ca2d912a03045ffbaee15bb1ace4de403af5fca5c46c55ef64395eceadef5d60d0087597546903ab655adebc73c9723e5440ab383bdefc6a28cc3

C:\Users\Admin\AppData\Local\Temp\tIsMsoYA.bat

MD5 70ae33deef0aa1e9e95f1a1e2fe07b96
SHA1 8d7ecb9d788893e8783140d62eabd2a2b34ffb4f
SHA256 a05626c084d89a55c0cc86aba43a24dfcaf1c2acb3ce63a3804d9a4afca1b24a
SHA512 01496c27aae6f562d0104bea79cf6f95f315d773e1d1a9ba58c4119dbf0e85fdf1a8720cc97c8469ff4585acb6c40028cd25c8f3423e8cd31ea4131b66c179df

C:\Users\Admin\AppData\Local\Temp\zwcwEoEU.bat

MD5 dde6d2f5072d5e59f795ff9b6fed0b3d
SHA1 18f8175f630e6acff2b3d82520d48c5af2a64691
SHA256 8e5ae188daa7395f32f3ffc0e1410350a22d761861c352e7638af733dafcc234
SHA512 5fbbe37b49b36d0900b62cc5fcb03daa7bb010692e7688bfd8ca02ce5887219fc882fd7f3a24511cbfe60d162b161166ae4c47929edccd44d7492f122f02bff6

C:\Users\Admin\AppData\Local\Temp\PawQgskg.bat

MD5 f1679886e776c0a9faa840fbf8bb668f
SHA1 41be032be3f302efed90243f24c096c99fa755c5
SHA256 db118ba8a801839a9da40916a647b32726aebec4ba4e12a24b62dd26ac2812be
SHA512 cd49f7a19140d5083e94c65da53aaa9f057690850cb875a1f1b934c9a2cc223ca91cc7384fe8fb694e7c69c0f533da056052d98e95c07f02c95301c04194d75d

C:\Users\Admin\AppData\Local\Temp\vUAsQooM.bat

MD5 d9f4628079b8b3ac32d253d92fbf4a84
SHA1 1268a1ff6fc8d6055e736f3cc60ee1149d328a5b
SHA256 9ae9f30d2ab57393e436e07bce3cf6e13a853d851069d16716326ae2eb22d20c
SHA512 c330854ea0180db6d940486cfe4a0b9c59c578aae9e0f393edca76e11bd30941d03b1057e1fd7c27ba831c4591cd891dddd76787a3e9be6069965efb4dd4325b

C:\Users\Admin\AppData\Local\Temp\GKwQQoQI.bat

MD5 651daab9dafa4bbf52b5c89539bd2897
SHA1 f4287e2a499dfa5f17f18f4c2c8cc08ffeb6ca6d
SHA256 4c64d12ec26ad8fb7a07cde001269a6a2bd6f8499cef8c9fdacae4b8b0aab5e1
SHA512 0cd3e1f163264351515e7c781360ca7eb664710d15611c2c81cd82f70c311365d68528bd6b21758caedb694824a87808171cf7240f5808b5143e2e7a7ad06a83

C:\Users\Admin\AppData\Local\Temp\GSQMgYQg.bat

MD5 1c73af5a74741dee4ad6e0e151cdfa4d
SHA1 131a500fd3945d06435a6284316f3acfb1e319ff
SHA256 14781527b8b3810adea3343dcd0eed29d56da1489d3167b53bc76762aaab87aa
SHA512 4eb8bcdcb1544fb3cc647e71d1e64efa6b215b936ea9e678cc7e91ee1e1a1f6646c2cfe2848aa5f74a16041fed73f0ae1f9c0233aec49c29de6a58193cf680bf

C:\Users\Admin\AppData\Local\Temp\yMwswskA.bat

MD5 2fe3002ffbc6ef87f7db2b8ead5900ab
SHA1 4ad6931be659df6f489a410c7f5ba7401dbf0ef3
SHA256 5cf4d42b546179442c0b68a1853dda3e1f8859c473bd1a0988c9273887297f12
SHA512 467012756dba04ac7d71db932dfcaf2a58c7fe9abf75f632c394eb61354828e20c7451f2d78e52bcf9147ba90394c41421355287169206602677523df7d7039f

C:\Users\Admin\AppData\Local\Temp\sooocwQk.bat

MD5 2bdf0d84395be4c8eb6b842519f688d6
SHA1 6c0b512905c7ef006e7fd901833b038a0d03c122
SHA256 97963ad12864644395b8092a1b4cf3829f13cd9ddff8736f2cf13397e0a2a6f9
SHA512 fe2af30b1b0c9978e9f32bf4ff088365fa5cee24790ec432e747e828daef1eafa982328bbe953998fe0e9c187c7321184e0f0b0b6a7b66208db672901065ff2e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:52

Reported

2024-10-18 02:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (76) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\ProgramData\caEsYckY\oMcsEoMA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WiUskMkw.exe = "C:\\Users\\Admin\\csEMkEgo\\WiUskMkw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oMcsEoMA.exe = "C:\\ProgramData\\caEsYckY\\oMcsEoMA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WiUskMkw.exe = "C:\\Users\\Admin\\csEMkEgo\\WiUskMkw.exe" C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oMcsEoMA.exe = "C:\\ProgramData\\caEsYckY\\oMcsEoMA.exe" C:\ProgramData\caEsYckY\oMcsEoMA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A
N/A N/A C:\Users\Admin\csEMkEgo\WiUskMkw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\csEMkEgo\WiUskMkw.exe
PID 1968 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\csEMkEgo\WiUskMkw.exe
PID 1968 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Users\Admin\csEMkEgo\WiUskMkw.exe
PID 1968 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\caEsYckY\oMcsEoMA.exe
PID 1968 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\caEsYckY\oMcsEoMA.exe
PID 1968 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\ProgramData\caEsYckY\oMcsEoMA.exe
PID 1968 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 4704 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 4704 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 1968 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3556 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3556 wrote to memory of 3320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3120 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3312 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3312 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3120 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3528 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3528 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3736 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3108 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3108 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe
PID 3736 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3736 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe"

C:\Users\Admin\csEMkEgo\WiUskMkw.exe

"C:\Users\Admin\csEMkEgo\WiUskMkw.exe"

C:\ProgramData\caEsYckY\oMcsEoMA.exe

"C:\ProgramData\caEsYckY\oMcsEoMA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGgQEogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkUsYQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iugUsYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYcscYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIoQQgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyMcoskc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGYUwcsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEUwAcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYYUIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeYsQYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykgcIscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyMcwIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkIsgoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwIUIgME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe cf6870cad0d559c786d250d90ff9e91b JciWA0wiNkW/O3Fxw2azEg.0.1.0.0.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pscEUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImYkkEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiQIEcUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocAAQwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCsgoMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMsgoUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQcgwsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyMEwwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sogAQMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IowEIUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYMYYUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSAMUkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyIMEAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZacEYQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiAkQEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USkwswEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAUYEcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igIQwcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmMAkccY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcEMgckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMQAoUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAkQgwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iukYYgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWAIUUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSIYEkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCoEsAcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoAcMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syUcwIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MssQgIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kewQYwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKMcsIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwgMwgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lskgEIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeAYocQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CiUIQEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CswUIoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYMwIEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSIwcwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuUgssgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joUEQosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twMUokMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwMMwwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMgAAUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCAIYQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkYIUwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QikwIUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAwIAggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYQUcAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOoUIYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CewscgYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCoIIEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIQEwgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EScYEwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fecIAEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAoQMoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruYYwskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koYswgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\misIwIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGwgkQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQoYIQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOIckIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pycsQIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAMoAkUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKEUoIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWsMcgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmgkYIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMUwAYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiUMwIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOMkggAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LegYEokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOEwIQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQIsMsUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqAUEoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwYEsoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSIIYoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGEIwIYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWgYIwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOYkUkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McMUgMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQMAUAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQkAAMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQUEIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYcoAcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwMkwEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGsEccAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGccgUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giIsEcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gssswwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv JciWA0wiNkW/O3Fxw2azEg.0.2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIwoYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCEgEEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIMEwUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOgkgEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aooIQMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQgwoUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuMgkwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGkAQYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwQIAsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigMcokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VucggIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqYQgcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqkUEAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMkUcYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAQskIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwEsUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAAoMogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYsoEIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQcAIYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMgwEEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqUYUMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsEcswQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKkEUoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQIkYsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruUkggUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiUQsgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp

Files

memory/1968-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\csEMkEgo\WiUskMkw.exe

MD5 47648408db258ace4a11a39a8db00882
SHA1 8645eb0870b8ebb1a858264898c8bb661280b437
SHA256 d7b25c1c331bfa911eda8f21b144f21e6a49495645fb9a81ab90dea219baae50
SHA512 6c41030a80abf5ff620fef155ae4aaff19dc8247716ad9dd7eb8b00f513b8cd9b034b16acd831fbff8c0db33865bdc36e2529a3aae094c7c0edfcdea1558abf9

C:\ProgramData\caEsYckY\oMcsEoMA.exe

MD5 b428a020a228732adb027129da48c993
SHA1 518e5a604395cc50de59094fd5d0de23abe8d86b
SHA256 b69f2f4c0e916f20fa4e9302fd475dfdb6a90152726d367b5e14cda9bbf24ec7
SHA512 b8dfed9b467d8d523eb956e70762d9a3b60559fa8c32daa3935bfa147c5204c4c2eb5f665d14bdf8fe5e6b207c63c0679e999871dfbeb58874222dd6eb3cb742

memory/4008-15-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4940-12-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3120-16-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1968-20-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XGgQEogk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-18_84af33fba0ff37b9bb00f062370754b0_virlock

MD5 3d404187efd7b9fb9810d112bd8cc368
SHA1 4c18184896e46369b2af6de3d84c25f44d3f051e
SHA256 410fd53c9634965c2b56efbf7a774d79014c98a2cd1d767adc51636e97428c5d
SHA512 5c1ab1a5309e0d2ea3f08e0e01d1291cf964de682c06812061d46d7bf8db454d36532c58fa511873564db9cfa9d215a63e752d57acb5038581b3b9a55dd27390

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3120-33-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3736-44-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2808-53-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3028-57-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2808-69-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4640-80-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4472-91-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1692-103-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2804-115-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1072-116-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1072-127-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4456-128-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4456-139-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3844-149-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4600-152-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3844-164-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2444-175-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2520-176-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2520-187-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3564-199-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1048-211-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2880-222-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\caEsYckY\oMcsEoMA.inf

MD5 4c62a3d0f4fd272894983141467cce0d
SHA1 1e2848d51f98f19c4b33a9ab9ca23e24a2ae4edf
SHA256 3bf163093454554bba06ad1426959a47d57d658dd9d14b7bc49b1df57c10b43e
SHA512 77ccdc464a91d1f96fbf71487a814855801562d50670882ff5ffcd775f7e19d2debe2f289adf46bc17256c93032a3f955cc6bb37104558dbddd1bbbfbc525487

memory/4112-235-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\csEMkEgo\WiUskMkw.inf

MD5 56860653c899832c75876b15afe41c2f
SHA1 91d81e9911850b4de71a6af903dccdd03e834a97
SHA256 ea76a089eaf4c508d902b41e7078c0a4828eb94c0e69bdb52eefd5ec5280b89c
SHA512 7928bb8ab34da8e09532dd4836cee969cbcf549f3b0189cc334644d632dc8b9225421bf719ea80a4c573497cf92b8622d16929a609b6681d6c5f975c37c82588

memory/4828-248-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4704-257-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2452-265-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3844-274-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4440-283-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4692-285-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4692-292-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3628-301-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4404-302-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4404-311-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3692-319-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4964-320-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4964-330-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4588-331-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4588-339-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1868-347-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1076-356-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3092-365-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1740-373-0x0000000000400000-0x000000000043F000-memory.dmp

memory/756-374-0x0000000000400000-0x000000000043F000-memory.dmp

memory/756-384-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3828-385-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3828-393-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4772-401-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3880-411-0x0000000000400000-0x000000000043F000-memory.dmp

memory/412-419-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3760-427-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3824-436-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2800-437-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2800-446-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1788-447-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1788-455-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1688-463-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1732-473-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1504-481-0x0000000000400000-0x000000000043F000-memory.dmp

memory/716-489-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2204-490-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2204-499-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4540-505-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2876-509-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4540-517-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4844-525-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1736-526-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1736-536-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4904-544-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3264-552-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1968-560-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4400-570-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3736-578-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1280-586-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3968-594-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4456-604-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1376-612-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3972-620-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3536-629-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2916-638-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3032-647-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2588-646-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3032-655-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1256-664-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4584-673-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4872-681-0x0000000000400000-0x000000000043F000-memory.dmp

memory/448-690-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3128-689-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\egsW.exe

MD5 6f9f3b1f9bb1abc2630e085a694cd6a8
SHA1 59e68ec3551256089b6ca5862a658606b810091f
SHA256 e5ace8c8a3e9b564580d1af46e66bda76965c13d6a45112f9c0ba014ab8fd439
SHA512 a32103580678a68a3c8262216743e31640fe6a6a3c0bde819a3fe5e25b7632fe27887e3af15a20fcfd29401db1807257e179f1276291ae490e0b75f9103c373a

memory/3128-715-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwsa.exe

MD5 1559117ef6b767fbfd945067750b34b3
SHA1 69dcb673a6f64526015f6bf81bd00c798476b9a0
SHA256 fe814ecf18243c91b9a4a69a1b6c78b7f77f9304c36b1072bd690d5d7ab08663
SHA512 b4ff90919e8e91f56bd63b05bdfb43f66c4623ef8c5654b207f330b54492d538db75f5493ceb6a28087c09f6c1e31083c02ef92f0e9fed5866fb0b69257fa131

memory/1864-737-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WQEi.exe

MD5 9652a4707b04bf7882c1d8d7e41718c7
SHA1 45b77f5112337538619caee35f919bc0d6661184
SHA256 18f14acae5d06537a401292938bf936d4a9edfa9ab1de4e05848152aa1171306
SHA512 47cf0fe47c59590e5791d08c9cde43d7ce5a01b35b605f0898bd9d1e3dc8a1561aa03f1982e410cbb25ec6c4d67ed5c6f14b0a0bf13d19e9968e14fa70717556

C:\Users\Admin\AppData\Local\Temp\UwgA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\KMcO.exe

MD5 cd2c6a52138239812376f1abf6c16229
SHA1 c927bbffb6e19465f1a553b23749643ebb9eabc0
SHA256 584287d99f2a5186816270063ee0921a32574081e63c8be786bb85b1ecdef5fc
SHA512 dcd1bf88df89ac9a9b21aa82c068f7a09fa66d510f689e1976ec2fe2bc8ebd0308a5cecfd0ff5b0071a08d9733db3ce383d53971f0a825491ac15d7441faf776

C:\Users\Admin\AppData\Local\Temp\OYgW.exe

MD5 ae0eef082686335e6e11e7d5edadc910
SHA1 e57d41eec3f58f7466a7d7cf7cc140cf49f6f8a3
SHA256 76e249bef63534a9e84bbe7eb01a69a90b4d471cafa98fc6790b1dbce43b2e3e
SHA512 39bbd06b13b620b60a58b87f8c96d39b15157d3e61e1f56b8561120b03810cf96ac4ac98dbd6f1f8dec7411e01826465206d7b70c04f65154edffc5b45098582

C:\Users\Admin\AppData\Local\Temp\gYoU.exe

MD5 41e3b746ef9f4d5b72f772130615bea7
SHA1 c696ad4d4b42b92c7f55a2213f33c02635245654
SHA256 a0e55be31c16dcf716dc6c9af8d5b2aa93d0c0478774c577ec425a6ce046e011
SHA512 6c05dfa72084b96ed115759f42e5e34e9e696612291a71072c5155b7fbf42043e32a3f41e921c319825110b8dbd7c22d9b0b4106d6dba498bcfc1bdc65420d72

C:\Users\Admin\AppData\Local\Temp\wowW.exe

MD5 db99763cc7fb32fc5a5a1303a3a81873
SHA1 8d16cabbe6fa5aa4329a80077f3609922357669d
SHA256 a0d62400c0709e78e054dd0bd91d2a4103a188add1ac0281f07c7c7100028cbb
SHA512 278344029f8c9f3d6c42697a918d1c08517a848d6c2241d02fb4ca43cc7f3071c42374acf8e0a8a61921f36549fbdae1612ac11bd1e4184c2b54b04b7df94fa3

memory/2664-805-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EoQA.exe

MD5 f0e68e45f48c1ff42be721615278f0af
SHA1 b8edf004e12827a2da2e2701aae0e469bd6099cd
SHA256 cf140291a5c076c1ac6ce203252aae25967555d9421afbb7548a2815d350444e
SHA512 2fb90e87e7e182f2101dadaaaba82048382a50820a275209b686d88425a0d9ca0249b1cf91a7ee0a051402f29488710f05d384d37e0a69ed092a9a44a8a8bf79

C:\Users\Admin\AppData\Local\Temp\UgcU.exe

MD5 49e66432ff85879193107e01db009e0c
SHA1 05b7b433baab137f41416b5430804726f40da217
SHA256 7725824274be89cad6d3508ebfb917d24ba9e86f2ed2d6fe09c30ac35b9abdef
SHA512 e36a9d8bd269571332253ab8550fa0125aefbaba82469edc7bd1fd6668c21a1068407349cfcdcbd25a1567176e424b783a94d50001344e387990b7278e2fe82c

C:\Users\Admin\AppData\Local\Temp\koEo.exe

MD5 01bb489a7d65b39513d48ae4826fc28f
SHA1 4d3686191ef0c13e38bb3c045f80989804249643
SHA256 aa5cddc9c07698ac0f051dc4990f39b8ae6278814c3f9324ef91236b4da61dfe
SHA512 58120fbfc1c9c543836bd401e8b3f0ca5292de1c36b0f7cfbbb0a0feab723e0b0c5eff9c70de8463f2b6d924f4e9a342877faab01bb0684ab14c9d0a6be16208

memory/1684-865-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gkcY.exe

MD5 b2fa709f006dcb45be6903f00d06c92c
SHA1 fb48d6ede82e25ef5183ab44fd1366392eeec1fb
SHA256 df4bb9a8ec4ebf5c2db452d7488665ea0117138c4335400c1ff1caf3d5f0ea3e
SHA512 8adaa55f8a719e10b72fa1690281a1fdea0b219a1b6c14cc46ad5c1f1c3a8556c8b7b05627d7384336a8802f16d9741f4c9f9e1959aa5f6f9c0911cba8fc7196

C:\Users\Admin\AppData\Local\Temp\MQka.exe

MD5 faaf6d5768330b7a101c8d951703878b
SHA1 82694e85ced26d0d1f0e45e7618017818dccbe08
SHA256 7432ac508739b55ec961edb82b27a9c876f99b47c65dba79a6fad265c7c31ff5
SHA512 afe14b556fa3d789713df5f162fc8ea27f5756435c801c59fa5c21cbdc8d2b34f98e7d5548796d4d73009bbfaf7dd497d8dd346c7addfb00a3f466a1e7e74479

C:\Users\Admin\AppData\Local\Temp\gEcg.exe

MD5 42ba9c08a604e85958bb9a41593092ef
SHA1 9f9c1be728c12523d0dc0b14f450e303f9c2e45b
SHA256 9dbf51513a0595ace8ba8280e9c77a6578c27b075c0d2c0a7b14f1a1282513f9
SHA512 721172ca0bed144410ed8fd789ef3d6ad19555c1b19a8f7c1c9e0e9ed893483aecbe1bb7764409fa5647043dd59aada0419781c0c7c541c8b5fa11a36220d9cf

C:\Users\Admin\AppData\Local\Temp\AAYe.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 03385ff21ce33ae6698475301c92f2a4
SHA1 b2941fb6f27b66336176547445eae3d46eff0ad0
SHA256 884f1303423b7319a71786af8f3e2895bf17d7168568633ebe91028261a22432
SHA512 c7c3945ea20f161ff80f0bbbcfee96ba18e68c98c3ab943857c9983917a925260bcf469a60e2309f4bb38eb091886b703cfebc2d1541ec58e22c401a2f51546a

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 00b67c9210e288ffd9b0e6062e2a5186
SHA1 4801f1c0b172e2f2e6007964d2ebac92d5588db8
SHA256 c2e24d4b57508af0547a3303a3be7d2b585bca015e4643175767df552f8378b5
SHA512 aa035a67c654523ddf5241ef4ced4af7b65bc336c7b4baa0efce267a23f139a0a7ab3947203f77de872ee12321c193799e84a028993026251f069ad9df4bee3e

C:\Users\Admin\AppData\Local\Temp\IgQa.exe

MD5 1f57190f1283c464007f4e1ec97ad0dd
SHA1 f89b55e871f0154e5a181e8319fa266b0252137f
SHA256 7f55c2795106a1b14327dca3149568841295720d933ce41364b6bd4ad9168b98
SHA512 58f3edffa8b57e890921e154f29ba4aae6706d419daba267a0b322083a5d02eed64dd203e08ee7954a876aac25c8cecbe9a3eadbdf2dce6300013b6ceaf07f31

C:\Users\Admin\AppData\Local\Temp\sUEs.exe

MD5 d3f3ad469eec3976b733dcf2d38fe665
SHA1 39661ccb1791a03e3c35a724a4486a6ea3485235
SHA256 24455ee49849e681a3acdb90ca69d315aba0e4aba7c47709305e967ce728bef4
SHA512 c2a275a9992ac54d8a58b245cbb9d0b6149cb706d594a71c7117583fef1248d18139c62d73173b2fd7eaa14ffa07478c7fd69bd3ec5d829fde8c82fb4175f9a6

C:\Users\Admin\AppData\Local\Temp\QYQq.exe

MD5 2df35420cb27994297cbc8774f720678
SHA1 cb7ff6b1e1325442a3f01fb5c106cdcfcc556cea
SHA256 bec51f45df3e0b46856846a05916bd06448762c005dd425e0e05697094b17382
SHA512 f4ecd85e0e4da98e0e567095d34207cd728ba435dded24c365cba3c95778f875d5a882a86221876d6f638165b7d7e9666b8e7fb341284662b53cb9ee6e250e92

C:\Users\Admin\AppData\Local\Temp\kUEC.exe

MD5 14882fcac20ceb867fec9e4ee8791ee3
SHA1 4bdd9f920b095939522f4915eb0b2ed485c2f83e
SHA256 4474601c708c5c36b1f0b1c1fd335b6b009c3e8166d4d98979d699749a508e0e
SHA512 08690cda76cf057a23eb721d83cb671d7e00cd91bd2baf2b56c2d5188b34c726edf23a0ea881b883c6b9c0fa3cc5ff906298e503feef7fc6c87db582af2fe53f

C:\Users\Admin\AppData\Local\Temp\MEYA.exe

MD5 925edec7cedc3eb14c4529e8266e9469
SHA1 4f58a88b2bcba9ffc9affdafa71563a78795ac0f
SHA256 0e46269e82a63e1bf5095f4c2e60a8f10ba8814c778853205da50b73893b9317
SHA512 1fec6fe80e605f61565c4103f4aff10081ec5293f68f96891a71db0b42a393f68486fca511098489a6eac6625ee2b5fe3b30c35fe9e9126cef9ccd093afe4047

C:\Users\Admin\AppData\Local\Temp\WkEk.exe

MD5 d3f2401a95aaf4d2cd99f3cec843e1aa
SHA1 93f450ce6b24d519852206a1995b29dbc51ffc78
SHA256 5a4b840a38542efc7b8d708afa6d4418e4aa9672702b795dfe56bd5f6684f672
SHA512 9c0696d8136625c9f76c14a800f53c8be67d78084df04e96a99d175e300d410c167a122175738b1f9e5f0a9c825985c7d34e14f1bc8544895ce3ad7f2f0c157b

C:\Users\Admin\AppData\Local\Temp\qQUM.exe

MD5 9d3b2914b95f6c1b643ac7b060f72899
SHA1 cf52852434ce2ad7c99776142560e5fdc7fcdd44
SHA256 a77ca6e183f1870e8e875bd7b1f09d280079f236e5508c1a7f0ed5269ff5eda5
SHA512 2abb1540d61fb6c303ecc73f134285187474de2516f48484803a324cb728780839591f792a1d4ed31678110d194de91fc990d210aa6902f25a027d8ac562cc3f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

MD5 8765b68430e9984365d8b581bb4757b1
SHA1 952e43ced0f8b504c286a88466c9a33e0b6fcaa7
SHA256 fa0eedfa18fcb8d5703f6f43e78564f719f3a1ee4a6aff6283630f065ffba3e9
SHA512 3f07fed8f76b2c0f52eac4e3135b1ae171532c1e43f984f925c67c84c4bb94b4659c52a9a29aade01335e17409291950db651bec0bcba3078730c97b4254c8fc

C:\Users\Admin\AppData\Local\Temp\mIIa.exe

MD5 466719993f8546e32f002e58ea9e36f7
SHA1 b5cdc08d9f96b56161dd7ff6b294950844cef552
SHA256 36a5ffeae11c7d091a22e08fd1f66d49f429885a569b8255969f3f2211d6d32f
SHA512 d8e0b7c24166a198da22a0db0c7556c100d94b68d2694317f910c25bbfc6b7bb42b17eaa2b03456ab94f9659d6887086ed0fe19cb09da1b48065e39f739de4d0

C:\Users\Admin\AppData\Local\Temp\uAYe.exe

MD5 4d6f8236869ac73f2d7e920635dac612
SHA1 918f0ff63a3fbad388924467f5145ae1f1af05ab
SHA256 a48ecc25e9741105db5f7f3e27cf9c253c5e2d846e511c6a64a570e5c3c5543a
SHA512 84c69dd4641f95b6e6706f3f9933444da9946912d0a74664d61edc94fcf102cf45ebcd7989991142b6e269d591fb3057aea4ec78ae95856f39275c41b6b3515e

C:\Users\Admin\AppData\Local\Temp\oowi.exe

MD5 caa4a49952d61c2273909401a25721a9
SHA1 7bbba25a1b55f8a64ab408b7cdb651cf19330bd1
SHA256 727ddf7ee9bbc53dd54e0a3b9eb9e2ab9cb2ee2701249b57ad417daf330390d6
SHA512 1cf0d1f005daf754625cadbbbf8c042ad82175c3b4a650a612a27c710ddb6fbc65906fc44c5728ca6ba2d0b57b3e497022f082a55aa696effbedc559a7d9936d

C:\Users\Admin\AppData\Local\Temp\aQEU.exe

MD5 318829833ffe0867ea3b94c45fd708f6
SHA1 9acb01f99eda6462661e7c1a53e91a2372c23e7b
SHA256 a41dc1814242bd1d9241c679998f31eb3e3d46aa3ac4f3c0984b49b607d3ec6a
SHA512 46995fc4f0b6b85ef673d09c6dcf8c89d5d3ba8f78f3738cece5458598323b5203ce88617fd99fbb586a9cc91ff833d484e87a4d3b5dd21f78394336a79d4093

C:\Users\Admin\AppData\Local\Temp\cQgy.exe

MD5 ddf29d1bbe56acce9e3bdfcb9e1a9f4c
SHA1 0b3e2cef3a7a17088b354943e57c39b890a69f4f
SHA256 1983a555567f2c5aa9d661d3b25db0ad3419355334b38e8cc5a70dfbcede875e
SHA512 2111d211ec18e900ff11cc4d5f5e6ea272051cdccf2cb5e81697150148faffd3351b1c81bd33edab9fecbb4d11df447d3c76b906e67731299d6876be81e60b9f

C:\Users\Admin\AppData\Local\Temp\moEi.exe

MD5 7a484021a4aa69691df90e0d7e2b1182
SHA1 4520017c1ad5cdbbab048f94b73530b73ae5d8c1
SHA256 d4e432ebd1cf87c45ac21ae57d675f3a4620a6170881ad4e9d1453d558202db8
SHA512 c7c04659443195c53e0d7f9a8cf76b4bc9ae658431dd15523be7468bc597fa6df21ab3e7c1a8f187a0478036efecdbf6365826dc3af3aa8d4e88fc5c680de95a

C:\Users\Admin\AppData\Local\Temp\Mwkg.exe

MD5 55827ce3361c4e01d530e571ed16b572
SHA1 e39d82597f578a97797e223ae6b9490794069259
SHA256 8ea702d01f0003f0ae1e0886068d4843a2ac4b78c2dc9052cc96c20e2feb7834
SHA512 c1b67378fbe260258a8889ce8c626ffd2be07d1fd96cea0aefac750f9b21331ee1cd1714cba948f16d807010fa7a29d06d1509d69050e428faa6b5a8e0083828

C:\Users\Admin\AppData\Local\Temp\cIAC.exe

MD5 e5cbcd28ea96cbebe56a7bf4109c24b8
SHA1 ea6037e39c39256bf0c1a229701a71ac227905be
SHA256 0469fe00079113e8126b06af49eea0ccced988f7e07eebfcb8432d515c7d4d68
SHA512 d68912dc0f26342933731f746a0356ee9614f3c86d8f3865e7e6aa62d4435f9da523422ea55d242c55ad2a5ddae1786a36aa35c87738a4c4ed790487e9a3225e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 26bb0403eb1d8f4e0414361b49087247
SHA1 fe51145e8a61f602ef2d519bdd39c8f4331c1ab3
SHA256 89751b71318423442c13a2adb337b6e0a7fb76d26868032c07f50d03c3199bbb
SHA512 69f704f5c05cfe712fbece61a973b43e95566a5d584b9d7987ae592c330622adc5abe209a8f4c07f8cc56c0d091d849b83fe16b813eeaaccc094b5cad4ee5554

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

MD5 83b52d184044cb057cd2884ec9a5fde3
SHA1 225f555330431a13621755f4c9dbdb7d76eb1e7a
SHA256 7e96007d64c59b6e5e53f2f098452852e2cc6b3f6343bcdde108e4eef9874a65
SHA512 091fff4ec91a92008ba93adc02cc92ee19b3ec8ad07f1dc3f23af9c35885d566f13cd6b217434da800ce06a913637e1c3454a5dd7a7c60d3a8dc0a35e6ad824d

C:\Users\Admin\AppData\Local\Temp\mEMg.exe

MD5 9c1c72a28803c75eed9839222e37edaa
SHA1 8cdf4f24c25545a5e60d87ed59de89e01ac82c6b
SHA256 d7b720e07407d54f198b122b7a074979bc5267e4344636f1e2295fe7c5390a82
SHA512 55c15a16cc022d51201b6646084e93d54191ba490b9f6ea0c23751befdfa57379e6907ca73bee5067e13b2e20587e22b2e8f7675ceaefc2904de20fd91dbe1f0

C:\Users\Admin\AppData\Local\Temp\yoIw.exe

MD5 5944195131dbc9a9df78f17221ccadfd
SHA1 c5f29c7677a4dd0197adc46761715f8041a7e0c2
SHA256 e607db999a7fa3a6467675d7208097f491fcb205ded1e5466c2707f9cbde599d
SHA512 93ee5f4089ad1cfe93ddd8063d1acc4e26381f678cd7e79a6890f13c7b3bd8c789d7086b7b6a9d07a8505170f55b42c46aa7e0a2db0ee653991ca47bea89375d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 0273573c23e9374f018ef43eca9a3061
SHA1 4f27d3ee6a0b4791009209151662c16677a39d1f
SHA256 f05f6d2898aef2653560bbf543d9635732e0f8b56e5f78ca9226865a79dd7c85
SHA512 cc596c3d8720b299083a820540aab77b97a3ac25a90c232eec55bc60600fdce6ba550ea116a19d0233afc9f19e37a8d85acdd91f1f091e6a72a3d1e3ba9a0962

C:\Users\Admin\AppData\Local\Temp\KAkI.exe

MD5 2f699e70b2aef3aec607d90fb02dc1f2
SHA1 840c29e8bf88e60b16f80380a231f0b3a88fdd10
SHA256 b0b6a0ef29b75ad2e34679c95579950976f3e9b00c3b8783b5a4f4fcac95f6bf
SHA512 39e17db41c3d4e0f2b64157b7c13a94fa4760bebc83481eb43eec0199cefdb436c4cc426509cf8a1999eedb1c21090ceb914e35d265f8c4c04cbe5600964d6ca

C:\Users\Admin\AppData\Local\Temp\AMQW.exe

MD5 b082f8cb09b77e668d3bf7c184c5af27
SHA1 9b8e8b63ae797c5d0a5eff879888c42010939137
SHA256 e597a2f8d79acd71f551e55167c65fb62f0ded7eee9d0bc28799e30c168ecb31
SHA512 ba3180e12e4745b26fb595a3c1dfbeabd80cdc644762854d83013143a646f22669f8dd7ce687a48f32b580166c0538468a6f4a28192353f3be4c0a1be352d3bd

C:\Users\Admin\AppData\Local\Temp\GIMa.exe

MD5 e62a0fb99e099380e5f43d634cc00580
SHA1 8096c637eb77ae130d78d66291b8245600b9f21c
SHA256 7c15c72d10753b780313e544507f36f77a292067824657549c93bef8da84c700
SHA512 e9819c2f822069a43f53f44244a32148201a710bc351b0c443443160ce6d1e20c36de2592d650d2475153bf05af9a28aec9c7bebe5b124a2145bf15aed3544a4

C:\Users\Admin\AppData\Local\Temp\oQUE.exe

MD5 bf739cb8d6f7dc073f468660fc63b635
SHA1 7b0546813e66f49c462ed20d57b38c163c5b845b
SHA256 e57e35ae851ee16137aa1b50f732fee740364f8d7ec57cf6b9b93be26287d6f5
SHA512 c4f69cac5583570a5e98b5b1201552661fe33e53850bfc36bbd5e56007f3e1293845a198de51a5da4373b18242d30b112f061772640a46256bd68ff59ef7b583

C:\Users\Admin\AppData\Local\Temp\iIoi.exe

MD5 91be55dcd2d3692a3a4656c2bb67ee22
SHA1 e52243a288fac8df4f9d437757ae8237fc75c1be
SHA256 1f161c8ab47a18c70745570c8f401cd8a3e43500df1c949127145d8da4f8b3bd
SHA512 6e5239e7e2f7cc1db75f69c1a12958365ab582c43bfeace492966ed4335dc37e24a1414cac3f6e7da2500924158c5e43b610d039391c0f5e5330c58b3336cec1

C:\Users\Admin\AppData\Local\Temp\KgQa.exe

MD5 7e18c5c886dde238bae940d875e10d0d
SHA1 208949a15012c69550fe35fcb8ffff373b5d0a00
SHA256 7ab45fafe93b01284d664cbe6afdb7891269c24eb97e697cf0c376c668944cc3
SHA512 d98f8d85f7c8d29a72ce09ce3c3ebdb44b1194825b4f5ed3c55d3eb5a3f86052546f5abe2f34154f8c870209591aa76047d366afc09373993e94381f030faaef

C:\Users\Admin\AppData\Local\Temp\YMsy.exe

MD5 69eeec8938c3b790fd04a745f92e2676
SHA1 c475ade2dbfe3be54ca6b24bdce09cfaedd4a81e
SHA256 e658b293cd9ebfaa25719134e5fc926752e384a2c4428b08868662ccd8637ea7
SHA512 f5da57e5135289d43b55b2d63077ffbcfdb0e3ad04f3f89988aceb49778627ebc7464fb50186f4202aad93654583835c60e9c5d3b58b43bc96838eb542d4a084

C:\Users\Admin\AppData\Local\Temp\wEQm.exe

MD5 bfca4093a3115961b46d43e95ac0faad
SHA1 518407cc207e2bf52b535d1562839eea71919873
SHA256 1b355c4253e85dc1a8a7989e1bac850d91356849a74e41f724095a9536ee3bfb
SHA512 24e6d3d03d60283e6917019403e89877e56811033bc64f0e1a55ce89c47f5d5faa80e61df55c185088ced1b22e453ac4f55b4f9b6d83671d18c583d633edcab2

C:\Users\Admin\AppData\Local\Temp\kYwK.exe

MD5 245f059a80771c13b9291922211cef3d
SHA1 1557b0d0601a1935dacf71d96f5e720623f7007b
SHA256 435c0c4caf501772c4360752d5961f591326cf056f1a980b716b63338c1c0e7a
SHA512 3a1524dfdd1f52d87449fae12ff310b87cede96efd03408cbbde3359e565df91e4941838f4f5b1fbb99313131157cc8e82eb77898b18d66360b8f19c7fc0babd

C:\Users\Admin\AppData\Local\Temp\OUMi.exe

MD5 2c5d935536097d76410023ab348c1a02
SHA1 e748711b4856ec1c290ebe1fcc912adf27383be0
SHA256 36d0cadc6eb6807bb4e3ee28a8be570b45ae22cff905ae92c42243897f9cb5fa
SHA512 00f4634b0cbdbcdd8f33490291ba20340ecb47c805e48986391d4bfd4bea20ab4019a981a3352bf3a680e02d6e54f64adba15c5d309f0e281e59a1c681978f6e

C:\Users\Admin\AppData\Local\Temp\cYkc.exe

MD5 4b2cb8d05db30e6b6185fd8d2926b41a
SHA1 37d035377bd62740dbed3abd9a052795f1add72b
SHA256 b2e157e3a78f9f74621f107915c709409e30a1efe2f4a89e1de966380d8e7f67
SHA512 bd10eeaf5cd633ff93c3c0f70cf49e23df05969490f47b55194bd84610180d4b3072cfd3f3fec536f4d287232d6e6bcc1c837e7094451a0298ea1db1a3497086

C:\Users\Admin\AppData\Local\Temp\wQUa.exe

MD5 7de645dc520fbd96799050cc469466d5
SHA1 a609096c93425d853a701161e9075ef4164fd13f
SHA256 393f53c06a47afde3415b8f87237514da9ef24f08caa7f30f87c4aa82685cfd4
SHA512 6a1f22b83f38b8c0d909235253a0a5aa8c51149b2b6c24f4536ab560cfc4002bc5d2e629698441a58380c7816f8d18ddb149843b9ab1396aaea9589bd93aa79d

C:\Users\Admin\AppData\Local\Temp\Mkge.exe

MD5 e1c6c67f71992d832c671cb4763df950
SHA1 6422189a51056fd5db52eae68b45903b4acccf57
SHA256 12335ee88086415a1fc2bd28e85f7d63391b0796979c93a0c06e339d20649f72
SHA512 a41148bf86ee083346046fbad5c96e6dc1422e96cea32cfe0340d78d2075de5b142dc1d225f0334eea6adb88b702dd3dfb5c836775166c555eb909321c517b42

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

MD5 30962af6aee55f2d2bca0f3f62192728
SHA1 028cf610be049deb278fbc8fe62d6b2c49ec530a
SHA256 96da68534fd5f93037c110539947d327547c4a71e65b900d4852c74e09d577e8
SHA512 ca9937bf2b838c4d3beb244ad744141602a09789e430291e834d12ff48833cd3b555677f101222fda94556463f1df76c74c0f41ece0a0a5057959e5382255614

C:\Users\Admin\AppData\Local\Temp\WIsE.exe

MD5 0133430ba47814ad6a61c516c6706bdc
SHA1 d1825d3f4aa5c7333f9849d1c9b5d17e4338c9a5
SHA256 161d3e1968ff977a128290ba05183f025be96c7cedb33ab75fe33f924ca2cf69
SHA512 3d6ecbb7862c6e788c3bf9325492d48c46a81837c94f9c2a22bcd59636e95feb8111a00c7eb0a26157cd58bb2512cf2574a33289445561b0bbde77dbbe8f6471

C:\Users\Admin\AppData\Local\Temp\GgMa.exe

MD5 74d3a365687d429786f2ae5fe81b1ca0
SHA1 c4c4801937cb0fd080f2e144f015effb318287d6
SHA256 3749b4b2958bc47d89e8142f4d78a2fea6d01d82a179f0cd40602b3ab1a3e3db
SHA512 1793f92e4a8884a390d3659c034914f99a6d984b3facadea2f48caeda45fdb9b47a6e997d65a15b9c6a7c3257e2bae22d174722c4feb39b93639cc5c09cd5723

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

MD5 8e9f1702fb3badd336fbd857d5b7dfe0
SHA1 66f93734b5d0796b319a2eec0504dbb43ed63af4
SHA256 539b469377fb736c2d5776a2ce1ed60e3679de2f7a17d72d69e650cf19bc49f9
SHA512 177b8fd4ad34771985b3e84268f68e7f876621fa6fcdccccc85f191c44d72a14b8fa195e5ce36685490c7910e4fe7ee75d8247d14afd0a54d3d50adeb5cb45d1

C:\Users\Admin\AppData\Local\Temp\eEEK.exe

MD5 68ad5668631821248d573b1eb002fa09
SHA1 635f8bc5d0e03bc696e6818647de65b5f5d382da
SHA256 22831e7a298798d2912858cbfe7d02e38a0ebc488f63d0c27406128fce1af4ab
SHA512 82a3a1b8f4da48f7589fa68d7ef62bcec436e4db32afff4d6fb37171c8c9a9c40fd1c049c7c15a8613ed3f70fe8aff0f118fac877fc2e8d08b75803c4c72f2af

C:\Users\Admin\AppData\Local\Temp\mAos.exe

MD5 534add475ab75cc70c5275e21304b124
SHA1 47e719492cb127c6119e7b993dcedc6333b2265b
SHA256 d243c4a7eb14b491829d081c841fe2527cf3a7d4f2d5ee205fd19a2472a5cb07
SHA512 30886c631f6e4c3f3a3328d7fed151b836894a838b3ea007baa134525817f0024e84e6db3d03ff4b9cd4160fe3bc9c7ca7415e71cd2045d8abb48933931dbd33

C:\Users\Admin\AppData\Local\Temp\gIok.exe

MD5 fa7989e05cd7fb5abacfcfea0a3ed7d4
SHA1 d8a0e75dd1dd0fdf5d5df56c7cc30a94026c2893
SHA256 ed1a307c8b0366e9413510e246e49d2f6996e7ae540fbff98cbc2ca0c7508354
SHA512 f4b74605e6de8080c8de971e4acafec841dee8f485bf15632888bd3e16dd558a7d7058c809790cb3aec2d5eccd466afa9026fa503ef46567023e553e62336b5b

C:\Users\Admin\AppData\Local\Temp\YAwI.exe

MD5 82b21a8c00533fe4f24128d075a4e87b
SHA1 9db1889f8b93b721c95c7f7cdb455f9d5d6ffd41
SHA256 c767e20b882902fd26f1f52ef0ac8f32f2ef142b6a1023aa0f4d19cadef5d20e
SHA512 1a2580a91bad4fe55a0e986da817180cbc91a0709096112eea5ba00c4b6f4a4cee2d55b7421f4d78aa983b9818b6464466fc63297281eb7304ee101c5bf5ca07

C:\Users\Admin\AppData\Local\Temp\oYwG.exe

MD5 1871488a01284803c010eadee1120bba
SHA1 826329ccf657fa7577d065089922e9ac8d485703
SHA256 e3365fdf91f2c2a598f8fe63dba37ee058ac115ebfb88e6c300c7c5dd7a0a840
SHA512 7df817eac0d54058db7da9b9b5730738268e4e5e1613b6ef8ea9b94b5473074fe1f61c215ccd07d1b105742cd8fbaeed25e92ec4c93648236c35d8a9738e4226

C:\Users\Admin\AppData\Local\Temp\KUIU.exe

MD5 8108878607e6d1582a3065b9efc6133f
SHA1 d6a990df4c0719bc4bd37ad17c7ba0369aa56e06
SHA256 0a5b1a985575a29b78f73290005c7da0ea8bdbdd5b58f696d217ed422a14eb86
SHA512 43c1e4ef994f1e717d2eb44a78bb77fa20cb20fa6bcbee24b23a38cd6f54885a72e25b181404fe4e5ef8918c0413a9007f2306e30e267dad07b114aaa51a8c90

C:\Users\Admin\AppData\Local\Temp\mUou.exe

MD5 85ef7f148ff17e3e6712ea00c187c97e
SHA1 86ee1e9f5aad83371649743539ae1bbc09e2f3cd
SHA256 053505d7b36f47cf020b53bcd1850dfb67a5c642e5c1d8f3ef83476052c4d686
SHA512 bcc2dbec482d4b206829be2ffdafb429fcbda44ce1664856f54d57f0b3d89a735b6f5f1176698e4de420ba809f502eb9ecb576dc0a3bae9075bf1eabc42e2496

C:\Users\Admin\AppData\Local\Temp\kUgc.exe

MD5 25f86dc4e3dd30379b0adcde789fe06b
SHA1 345a16bd8b6724ec6e4b7c6a2a2bea8b9af3b6b0
SHA256 b903b891f718592e76d788c3ad82c813f272498e34124077242100d8723d97d4
SHA512 ad33abf1ad58add2fe7160cf65ddb0dee4e92a2d92f49f09645a8d54f31237ea37197a4d20b0ccb37c84b0c0f5e2e5664cd2962e1012eef3c39550d916608ce5

C:\Users\Admin\AppData\Local\Temp\kkMM.exe

MD5 19a32082e714c3ff88a0ba5aa1a5e8fb
SHA1 6529927fb20f3d81846bb8a70007a63c515380af
SHA256 ff186120b03bfcef5a98580fac5a9157743519861e9859966248abf97ab7b7fc
SHA512 2bacd40dcb1b6ef012d1f39db4d7bbb159859f7dcb66dd9074bf673f653afb64c42273c971228ee283b0877552566dd77a34bacc89698065b2a3a4f99434316c

C:\Users\Admin\AppData\Local\Temp\scIA.exe

MD5 70fe2d2e2ae06976c4a3f76eb66a3dfc
SHA1 1627b43666d5d7c676544730382c18a57852122b
SHA256 6c6d49df47a898bf1e3410a713702b14a54df34565bc6e90d6f4bc5d807d0cc0
SHA512 bc6e1de77d0625e947c04a0c971265896944c600ce52dcab6e5939b7856ac2f2a1ada387031183ab6f1d21de53b7c500f77691c00b9c6db1afcb6ec17a7814bc

C:\Users\Admin\AppData\Local\Temp\oIQe.exe

MD5 8ebc604fb4e7a5d04c63bf402b8e70e6
SHA1 6dca9207305c94ec2304362902eed294229ee460
SHA256 37de41b47efa5cf5cdab43f52a6abac97c23b3fa5bd4836b913a21868dce38ab
SHA512 1d800a5c580058d68b2e3c7c3d16c81ebccf0396e11e3fa21f1852b555b8fcedc2a9ecf2c0c7011dad44919408d90ea55ffdf73c64e6107f446712c000c95633

C:\Users\Admin\AppData\Local\Temp\ekss.exe

MD5 3aac97a072ab32b43436a9bab4954864
SHA1 6f0e845644714896b6948b31a6f4c17b019d028f
SHA256 003bb67d4f63b7ed364c983485268697b53fc2b0796580a4ff104b102ff9821f
SHA512 0ca5563168e93af88d0b5f335c4047fa029573c4d4b780306afeaca211b192cff092df1f20ea3a28e4a831a5bb8e28a8560c07d3ec84dd0f4f6b286f42e045fc

C:\Users\Admin\AppData\Local\Temp\aQQE.exe

MD5 382f60bcc25aa42aae08aa7b30dcb6ef
SHA1 e2d28abee5f3b27ac9b91f3bcd8ca5e502a83850
SHA256 6d261a4d3378e3b6ff261928c20bfa27aca1192be144e156074f553af4121163
SHA512 e0ad846fde5eb4066bca962d4f35a00827075d6225774c4a36a55150e38de0376f9588b4b9b496ba6622a079db400df0ba66595161c6a4b0b955a3b7fc1ccae0

C:\Users\Admin\AppData\Local\Temp\woEe.exe

MD5 85488f08d21d40e0dbe7ab97c3dea7af
SHA1 45c0795be0a434d6360e9ab8e92a49ce5dae7609
SHA256 05107d7bcac153cc54c5e9f9376f867ed399818cf40e3e41f430aab990ebfb0a
SHA512 afce06eb04c97986a54bfb169d5706fb04425005441bad19b7b8456d143f81c1dbb59e1cbbe911c1e0f92902b21569618ab0ec3c94e1b7d210758c012d4647af

C:\Users\Admin\AppData\Local\Temp\KUAS.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\EYgy.exe

MD5 404cad1a5b6d80b92f3069aed0623133
SHA1 977df0d782412bd8cd60bf47f62797ebc91b9662
SHA256 db4653b5e765d87c8a62ed961df44a73043f82be5bdb8b39d8a6c8ebbbca8c1d
SHA512 8a60f810ec70f2cb1f10b84ab279acc5c9a56146d5cc10b30b1123b6d8337014129e7433486d320e6b51f55b54e580ad7584c21986ab164674c32b96b4d4dbd6

C:\Users\Admin\AppData\Local\Temp\EkoQ.exe

MD5 d98a1b6a4fe22359b300354e9adcd71b
SHA1 296817213d0e6c5d4ba187cb691a57503a1bf405
SHA256 13983c1f80215ca546fd97064c9768d9189ced2e9ec76ba3ea5066f8475c1c65
SHA512 96c6255275867f46f4e05f565ac817e019df297f17e0749c3e6b34fa62845b160d239fa1a30984f594b25eb9757946e85d6084122dce6bf5a1650857a709093e

C:\Users\Admin\AppData\Local\Temp\AQsg.exe

MD5 1cf70857a1730857f6e08201538b3878
SHA1 c1fbb4351fbf6deb5bb8f461e6e3c75263c29fd8
SHA256 74ecb9615f2171346d1c28a90a597e8cd3ae0ab3060a5a86d9341b0ebc8287b2
SHA512 055645dbcaa0c1fdbc73efacabe2404cd81bbe0bf2deda094895f705a7864f2ac4e4de770cf14101c1415ca26b616901a5174de112f7c3f9bfd6a71635ec038c

C:\Users\Admin\AppData\Local\Temp\OEsq.exe

MD5 1ce3eb04ad64db65d532e88c2a5bd07d
SHA1 bdde125bddce43765bac8974d9bfe5ceb965c995
SHA256 c9ad678617f80f7e00380566003974566bbb6f9ceec23e95119ac94f2e3c16a4
SHA512 a04dc002dbdbe12a2653db22575ced3942f0a35f5250d6075800df66c9037bcecd575cec2d21dc400be0612a3796403bb920c5c22a6749ce74ef06db4f6697d6

C:\Users\Admin\AppData\Local\Temp\Gwsm.exe

MD5 68b4039abcc24872051841a76d80d090
SHA1 a323bda0ec73423d348e04ba5a8575de761d51a3
SHA256 f128f5f16671052429e5ca30d0580631399543d6e94d032d98bb627a7f7d8b2f
SHA512 9d86bfae5aee53c0d3f32c0a7815ad65598fb68635b1faf7828a348f3111c44f5a9a131262a0e2a970e3ab12e7198f29df202028251423878192a825a8fda520

C:\Users\Admin\AppData\Local\Temp\ScMg.exe

MD5 3e3e5a99e9481c477280ca1782f141dc
SHA1 eaab66cb99afe5c4680c576025c0cc4bae3837dd
SHA256 fca4d6bc951599094663993d2bc0bceb02e8ebbc7fba7f8cd6618c263e889ca9
SHA512 f33d96f6598444fdd2097af951ea8dbd369d06c8e2c9ac41a63644d8e394fbd35dce6215d859c181dbdda3e803094e09663ef6dd9ca9e175a7525daaf600aaf8

C:\Users\Admin\AppData\Local\Temp\SQci.exe

MD5 bbd29f450b45345b5a9a6861fa91c446
SHA1 1ed4fbb08e7169960f601adb11bc437d38ab2a62
SHA256 62dad749a34885ef2b3a1ad30075b8754e31ef09e449fd1af0d3722828b06b85
SHA512 85a4d8502a9c47a5e0651a9d8866280540cf81b6b3863eebc6f2c87e03b44b343cf9a147acef77d8209011730fa4406984c79b6e9a0e76782ce8d85567ff98e9

C:\Users\Admin\AppData\Local\Temp\AEke.exe

MD5 207fe032ba64a51ffd466258a3a642d4
SHA1 10705d7e82cbcccb86680174ce8fd25e6c0ce1ce
SHA256 fed4027732297326bea21b7487409b7da57a1b56f613e465f9d85de8fe10edb4
SHA512 223e62c57fd1226fc03e6eab6455cf8f4558d53865038be512bf735f54995fec99fa7ac5d7f8ebb224fdd8cc3e19c80b00aec6032e5b0558e659fec61d605474

C:\Users\Admin\AppData\Local\Temp\qgEQ.exe

MD5 7b85964d4e72e0cb046d4eed88102dc7
SHA1 73857b74498025e585f2dd5d6467d3a9c2a45d2c
SHA256 a67d04715651c2f0fd4e00d51bdfc8f1a2b981a139ef4495486f45c0f7ef5d97
SHA512 d1758d7416f7c115675fd37041c7a1d33e344b2f64b4a5dca35a477bb98db610e9ec528e77d7f8e5f83206b383168a94c9b03a2220bf254f4c79097041846026

C:\Users\Admin\AppData\Local\Temp\UcYa.exe

MD5 377e9e67096bea2fd5e2e846ae72d86d
SHA1 add3832e7f29683d5c330d71211024393e7d771a
SHA256 f39d4221433670ca260bc4a69a20ea7fdef803ebc9d69ee6f942aeca8da446be
SHA512 0de46aa5f80081f43a1a2c96f579e5769bc0127fcc9c36d6641933d6b2b62760c00515231387e170c36ee7fc99d20ca0c861b784a622cdfebcf1434ec11ca905

C:\Users\Admin\AppData\Local\Temp\CEse.exe

MD5 dfed5b48db123272e1655966a9347251
SHA1 2d394a4ff2705a87d512b7112d501dcb8fc707ed
SHA256 cc29709c5a9cd1b2f4a3ac7c374120171b3b61479106ec968232c0bf3e49e775
SHA512 2530e99a2aa742e9e9fba0c614caea61abcdec2ccf25a95da2003314d3b020d34f88eff8e8db92f20a38a09b9fdb6e278cc4d2d347867fc6d40e6276698b8853

C:\Users\Admin\AppData\Local\Temp\Mkos.exe

MD5 9c869ed4f0ed0453797b4d9153ba7039
SHA1 a0e154898163034452293c988cd47bd00b7307a2
SHA256 e85e8ed8a649336fcf116e7dbc630cb487702cbffa987428f66a33f6b3a8375e
SHA512 0b4d9c9948f4960882a0fb086d9d0d0d6750081de1be41ffe71c95cfcd89a5a7423ce504dd0897f3439226a85d6ed222f49fdc8390e294aa41d223683165ca1f

C:\Users\Admin\AppData\Local\Temp\WsIY.exe

MD5 de444a75a80717b13313057c442b855b
SHA1 bc54e7592a215c50dff8ecfcc791b4ddb4461d55
SHA256 409b92492155ca87e5d5ef32af57bdb9338c147a8d9d561e65ca181ad1ed8812
SHA512 f9880198834a79c77d310893781a9bf6534aad670068921631be77f631f41b480c21a9b5858849f5a6bb3b8e1936a76d7920160ca21cc98e5b557f46d9f0b80e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 3e50df0ebacdc1f727cf9a3031134d4d
SHA1 0bbe0409d4df9309363f525b821fdc5f0624bdb6
SHA256 8becb38e7f55b69fbd812b636011cdf3710059e9d8b2c46761ec99d8581a2828
SHA512 17971519f96d927e230125bea4aebd67504b1f1c5e3277f45cebfbf9e41615d1635c07d82f4c976918a6df594f0a2888ff2fd190b0e6cced96cf045ccf280cdf

C:\Users\Admin\AppData\Local\Temp\gAgI.exe

MD5 6a66c6081c98a07644e26ffee853fa1a
SHA1 1afd4f6e7efaa6a720b9b3e9500f1794ab23c5c8
SHA256 be1ac08291aa511da14de2a14f8acbdf00518c5c2a2c437728e98592073ad6c1
SHA512 26e6dd66fc2aa139783cbe3d57a9b68414fbd178b42edeab949d66cbbadb2f0a43287190f3c5bb3d2142f362b052001007ea00d776e28d69f65efee7555b39a6

C:\Users\Admin\AppData\Local\Temp\SYwO.exe

MD5 0e2e49b102c2c9fae8aab9e2d5fe87a5
SHA1 a346b2b90c37dfdcd5574bee37e9a38acee79cbf
SHA256 1546dc78284b0f7d9979fee8e5a4af058d8bddb584f68f4374c4da61a5e5e8a2
SHA512 554709f8c2cf91065dd6875bad6f2ce2919661b5a704c8fd409bd15103053d0f672ed0eab33ce9a4e61a2aed874042c9a47df0fb8dd4b8a36c834747e171a1e0

C:\Users\Admin\AppData\Local\Temp\acwY.exe

MD5 db20f5ec2157720b7c81537346e228d1
SHA1 9ebda7ca1417aca471fdfd5f69c0ff6765688615
SHA256 6e2f54ae91ec49ae1374715d1c185cc2cb4060f90ed83c6bbf6cc98112920bb6
SHA512 2e13ace6a244aa2706e614f8945246364baefbd5600510b350193757aa44a5ed3ee9fc79db42be59d272077093416eae6fdc1152d26a6f3809c47f55dff94227

C:\Users\Admin\AppData\Local\Temp\IIIk.exe

MD5 e198f3957a487a3dc6082aa75518e4a7
SHA1 b95a6041fb05d66c4ddaa67d0a47fb66cf3dab51
SHA256 a3dd6fad6ab184d826cc3870c06675ae50c6f38d5ab42753093690740be8b1fe
SHA512 77600b07f33699273bc307f8ab644535835e525ba723bdaf2da17f7e047677f6e29e6b18e9b0a0bd4b6557f8955e3cdc779be56d4a41f6d34a67679c69740937

C:\Users\Admin\AppData\Local\Temp\WogW.exe

MD5 b00a2e66a87fe398b720436dc5e357ad
SHA1 8dbe69d0a62d289d3e09bdabd7e1cd01bf368656
SHA256 4fd647ef23c7507016eeba3c5758039df16240599001a18d0ec51a606b43471c
SHA512 50cff67a165a1cceff7970f8a468ed1ddc2215fd6bd81f11289d3ed2f14566be45abec039f15fed2d5999cac7b7dd66321d641699d6ac4e3d21c812269ed579c

C:\Users\Admin\AppData\Local\Temp\iMIe.exe

MD5 dd5b253f3abf2e650e1ff24cabe91f9c
SHA1 3757d0441b2226f3a01c53c593929d7546ca86ae
SHA256 b23ed8c1747c978efc4e8f3b45eae72a0b8704db34d87847df328cca2102f3d6
SHA512 105ef5994e83f67711d98b7ea76d9429fb68b5bf81923c41ff6f2a39de2bfc4e12ae10faf08d9e372065086287ba51ff8dc605a4ebc37455f89beebcfc90fc6e

C:\Users\Admin\AppData\Local\Temp\OUkW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\eYYA.exe

MD5 c5a477975553faa96bac4559993ac91f
SHA1 83c7399fe9c6021be1d46898f9bcd19ab2afa254
SHA256 3d6d1a211c0199e176f238d75bf1283ed7c0c8078bf6d8b6c738cd5278a6023f
SHA512 38dde6a2803570d54f34ab0bcf431b6dcc1a8bd9ceae11c5f63d2aa0e96c4add79d966098fd98996944eccd72e889f1471765034af19c606ecda6d9e5000e10b

C:\Users\Admin\AppData\Local\Temp\GQMC.exe

MD5 45630ec8e373196e85567ccac0c24613
SHA1 224f20d982b73188b9eb53326b2cf5dea6dc3ab6
SHA256 424713d35a09ee0f184140e95e61cb709aa0602688e942555c279565665bc9fc
SHA512 a612b99cc9f5b450bac00b560a2979676393548c401cc9e8c5e2cea0db1fa2e07aa299b18a20ee9d2ae343575089316292875e506dc90f6b097e6a06510cf993

C:\Users\Admin\AppData\Local\Temp\oQwg.exe

MD5 b555fdb3f4cba1e178360bb436c415f1
SHA1 52c11933c0cab3a139f2f5b2f414506513ab7f6b
SHA256 0e6949281b37d2f8ab73c1be7b108cb63bc21bf61eef216a4ccb441c96a5e06d
SHA512 878a73303c158bf82ac2dbf2b927fb162ea5e07b2820ec890ba219f07152c88fd36665d2f7bee4ea61b45aeac41828102dd10b641a617b4c0d067b211d160b56

C:\Users\Admin\AppData\Local\Temp\ucUw.exe

MD5 03ed29f01ce2fffd52847c878740ea41
SHA1 2d5d0de4d4b416dba6dbf8e205df0405682a8d77
SHA256 016839ebb2c4a138bf7e744ec59571e7745664facea4266bb9db34f8bf1f2fd8
SHA512 045379ebab504546ffa323a03cd091acc80e1dbe2d5eb3de2386f3dd833d1d47d1f6203d145502805eba454708de708c4b73975138cc1a37c017653b60f99a2b

C:\Users\Admin\AppData\Local\Temp\sYIe.exe

MD5 8166f03de89e5b684a0496257daa691d
SHA1 988f9b505bdab7edb6b602449a73da8b729e2bcf
SHA256 c62c80b1ae00029e56aef0c18062781c63b6ce355300cb834ea3b856ab33ee8a
SHA512 229c2bc909f967d548dbf97196c778fe1b0f15ce6380963a041ad2b7b47824424ccf335527210559d042d7522bb70fa18f7b881a51098457d4f6a249773f77cf

C:\Users\Admin\AppData\Local\Temp\wgse.exe

MD5 e16295bc092e6b4f84c83bd070961a79
SHA1 9a1c41cd5c57553595eb94f9e41365682b757397
SHA256 b7860fb4c016eb19c7f321cf8ba2c0fc8318a4175aa1fa421d1747ebea9ce2ff
SHA512 a5f9e2305b613be838fa8a69d415e04d19b2a3c8813a41510f0cf3c5a0ac88de85ec32377e409e58ce71c9209dc1c21888e3544aaaa94e079e2e7c7855856240

C:\Users\Admin\AppData\Local\Temp\QcwQ.exe

MD5 5d18f2d633742030154f8be0220ad6ca
SHA1 f1408e327662e9748f8fccde2b0135efb6217ac4
SHA256 8ee469f87f0733f596b82a7dffab6fab9126ec6f67d30cf5129f9e31023c33cc
SHA512 795bd6bc85d1bb6bfdafd870bcc9b89e272b28735a9d76509e57c429332709a7783557756fae6ba7585a80ad0b41d57b7b2e30ebdb267f4bc92a16fdb07a5665

C:\Users\Admin\AppData\Local\Temp\MUkA.exe

MD5 90bbb5e7ecd8dd24a20f0d7f2d22c9ea
SHA1 2ae18e8ff3a641d2e7b926e692c55f990c26fae2
SHA256 5d567042e3db1c7a48a87a8b33f5d915eabcc5f3e95fc635ed09990e2ba66772
SHA512 ff385ba261834df249567da5eae11fc2fb626363155f756f0c56458864b47f7312cfc15570777114c6b031e1c82f73b5c4965de29c9d354e3b586f4e0a7b5324

C:\Users\Admin\AppData\Local\Temp\ukEg.exe

MD5 1c7837b16decb1a6c4623bb571d37ba3
SHA1 613d8eaebd36e049dbc22a8f4d7f8e4ddad65ca2
SHA256 0c24d0b7f45ec631d9e1a922a78f74629393cd6fcfab841f7053e5758b6cf2ce
SHA512 e83de11e2412092c38ae60c239f6cd53af05c087258bdd2ab929ad543be016ede01fd83df2c7d14e08a230a56327f485d784fa9545c0b2d8ca129c924fed0f5c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 6246bb779020d20f8cd7493ae3439ffd
SHA1 7799e2a7a99d72d39790399e6b14ef1eb20a0112
SHA256 2a5d7c93d60e50090a705c773d563d8f900f1cd37a69434e4339faec4b21dec9
SHA512 8a73aba8d997dcf425a7c9bc3ca13e8a585f65ed2023e2cd83a9049e3ca48827f16a48e24a1044243e3443735330a1250a21578426f20f0d3e117f84f50bb61b

C:\Users\Admin\AppData\Local\Temp\EkMK.exe

MD5 4a7e4cd7413647c6eac0444b95b0e33c
SHA1 485691e8261fa05f90997bbcb686ddd862d8b497
SHA256 d3c4a55a2d822e69cc241de5543c00099bbac4be20cfec5cfab47f3551d0b440
SHA512 38abc9768a94614ee6e68e39c0509c790427a38775553b9bc643903591640b47d62acbbd9d2d09793992b2a02e703345c26d6525cf31f1ad9cc6b621596dca37

C:\Users\Admin\AppData\Local\Temp\YIoO.exe

MD5 e874859c2af7f532d0dc58e9f8e9500a
SHA1 d76742a0dd54d21559d9fceb8c642ea0312d88ac
SHA256 5eccd967e02adf26c9404aaf493f943173c1cbd24b43caa06d5a364c01494adf
SHA512 0b732762f707735bc8729ed5619358ff0ea6a3288a0300bf6a4bc8f3707c3b20f3ddf9e6056c59ad13188c4c1a4587f5c305137db01f3abd6e02f97bcd918537

C:\Users\Admin\AppData\Local\Temp\oMge.exe

MD5 5fa4123c2ab3844124dbea89a8d4cca8
SHA1 45582c0c88f25325c01b0837b387d27c040e3f87
SHA256 229891730fdb13413aa391771fcff95601698a296069b8344e39906fc69c5cd0
SHA512 d88116903c6ea9731ff7a09b2b116acedbd4dbaa78abee7151bf6ed4fb1071573b62293aa8fa2e714042c46eef71ddd0b0b68982cafc733ac32709809ab0b597