Malware Analysis Report

2025-01-22 20:23

Sample ID 241019-1ka8fasflm
Target 2024-10-19_07540665a1eb01b36d37811081e86979_virlock
SHA256 42fb691ff2822651fc1de2eb10c176320d2a97c76d824e600ba4c5df4d415a2a
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42fb691ff2822651fc1de2eb10c176320d2a97c76d824e600ba4c5df4d415a2a

Threat Level: Known bad

The file 2024-10-19_07540665a1eb01b36d37811081e86979_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (60) files with added filename extension

Renames multiple (74) files with added filename extension

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 21:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 21:42

Reported

2024-10-19 21:44

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (60) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\ProgramData\RKcskcUM\WwEAksUw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\fskMgUsw.exe = "C:\\Users\\Admin\\LyAAsgEM\\fskMgUsw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WwEAksUw.exe = "C:\\ProgramData\\RKcskcUM\\WwEAksUw.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\fskMgUsw.exe = "C:\\Users\\Admin\\LyAAsgEM\\fskMgUsw.exe" C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WwEAksUw.exe = "C:\\ProgramData\\RKcskcUM\\WwEAksUw.exe" C:\ProgramData\RKcskcUM\WwEAksUw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A
N/A N/A C:\Users\Admin\LyAAsgEM\fskMgUsw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\LyAAsgEM\fskMgUsw.exe
PID 2684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\LyAAsgEM\fskMgUsw.exe
PID 2684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\LyAAsgEM\fskMgUsw.exe
PID 2684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\LyAAsgEM\fskMgUsw.exe
PID 2684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\RKcskcUM\WwEAksUw.exe
PID 2684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\RKcskcUM\WwEAksUw.exe
PID 2684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\RKcskcUM\WwEAksUw.exe
PID 2684 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\RKcskcUM\WwEAksUw.exe
PID 2684 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1012 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 1012 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 1012 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 1012 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2684 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3020 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3020 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3020 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2740 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2108 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe"

C:\Users\Admin\LyAAsgEM\fskMgUsw.exe

"C:\Users\Admin\LyAAsgEM\fskMgUsw.exe"

C:\ProgramData\RKcskcUM\WwEAksUw.exe

"C:\ProgramData\RKcskcUM\WwEAksUw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACwQUYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGcYcIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NAsAIQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEYMcAwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeoMMsQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqsgMAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUMUQMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkAAYkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eSMgUQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oyIkssUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWscQYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgEMgowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BikMwMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQIQcYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWMAwUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAEoQIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EukockkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYMkMIoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCAkAskw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCoYQsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwcgsIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RaIgUcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HywUoooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqYkoQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cksMAwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIkMQAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aGYwsYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmIUIgEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQMEYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqMkgIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuAAkkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcYQskco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIcAMEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OukUYcoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\amIAEAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUoswsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MasgAksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqoowwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REssEkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pOsAgEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWsckUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsMUogMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KgAEIEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\woMYIsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcUkQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGcUwwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGUsIsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\peMEAMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMoUUkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcwQoMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yukowgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIoMMoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qkocMAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWEsscsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQIgYIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1255792555-15056911831647925687-610333821-20826438246037966703412302651752395956"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmsEQIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XOYwkoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\umYoAcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoQcoAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkAYscIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1774298286-323794148678702669-8340939331176269601186214126-1871917581-1014067553"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQQwwQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SmIkMQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGAAcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "119358663711847634251525602761718026853-18467628713099668021291348449-1718584358"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LuQMUYEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zEMwocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSUYEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCAUkwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-185273788-1746813846-774726604805899968-1685681423169347366150623907516560539"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-181779551618322130961977970153-771759765228084156-3768318-1306864440-155378352"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoUYQYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OUkcEQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwsYEUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hSwsYEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nuQUYYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jAAMcUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoYcswUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAAkwooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13660585781290790414-1403960033-1499756060-1332904945-484528484-2113831606-1024527764"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\keYsEscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uMYIYIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\siMIAcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwMEQwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwoYUsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "413518202390532871-841146741-15290833141649374242-68055339388716474-1455804768"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkIIsYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQkccsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeEgMYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqAgEIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9828457251020558643-43019175-1619995075-514467169-762778539-573599007-639875663"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QiIAoEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYcsEAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-831859042092555593-1967768850165220844717630137255782100531494486206-1610712032"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcMIEowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1466763054-961720035-584400750-18375983192019962143-1224401526-223687372-1682349899"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkEIcIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5620601142778125951318252852199196878768716423214483669851403944201800787664"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuwkMQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20203393701317464109-301922261-881544803270763361050080478-1805640202861934007"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSIsskAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "953818630267632885-14969642731055260856-20960116581020092850-496012253851767675"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lugIMsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMcoQEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "577032585-204929933021306897514098058851454237846-1672687814-131598414637196399"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OYMUUMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GIEoocUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1832264360-1052506733190314213-1069026238331151180445142883-2025379088484054198"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\msQkIswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1735235776-238175762-1659096085-265262534-810299313837470664-379469706-1903055674"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1052370409-1604316796-3955798001831758865-435864182379227751383495914685126617"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WEcUEYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-125539329-142489136012582387632143855650307722473-18245300291902440812-295131121"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "221465578-439052944139405272512607330041043569554264516659-5455920021554705283"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyUMkgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4756427485186637021202887660-1873398210539805804988846065-1720378035-189311613"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkwQgAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-147011473014101126049292428410088089296761779321433393757-1251901133280427269"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-739766631-16905442092123514954-316374698-1514260866-14473349956160891251169347767"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "282936834-20814306451152470940-153217560015813117634813701551912087662-473336358"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCMYIUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "129728645114286129942023727054-632163426-62941853313069181402042502739212915604"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQIoIsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqkMMkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2051124343699645683363955411422819393-944746324482404123-671874079-1301770619"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "430430801-2215864091212851136-1982001937-17302115871379133576-1578306376-1251028644"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGccUcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-257986256909118879619833789-981957554578974477-1170420544114065216646888374"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "878946275212058401816356843161873196440-820239873158509774014963947071739429732"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIIAcEoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1353032051-1905520266-1882756006-1924514117-1375038371518053246-1196204998741206916"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7620530921220324601596184204-1823006989-728953419-7753860171925438077-436125475"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeQwkYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9011940271273443918848656117-18140922251933100253-720831285-6015521981294801684"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "508561230-1417474061155244029813175531411553141127-20511726845327655401473920012"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-156571181012120485071627230122-373256179-15972328317268192421579778971824603228"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUoYkgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-148666921918913361311674985662-288006736-77202426228188341694395520636575645"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-514492055459252983-8073192155288378256998585631010658235-136170237-1900997786"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zocgwIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7120472771444255265587846688129362158021336285426298300713645030751200269799"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2825763001687522172-289146271903830129-491326094-11128149651312633621435678386"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jaMckIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "877144106232079670-560268759-777900861-1398128456200410607717089872381063411445"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGcIkYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWcUAgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "48134526-2092682653-265880004414882925145879677115662493271064296942-654070258"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1126672672221702995-4734927201303456857-2121265372442284214-1719930061-1225550736"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUIwwEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cWYMocAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RyUIoMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1679437197-2036250878950354787124738594-1341315291309540437326369689-912293532"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2684-0-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\LyAAsgEM\fskMgUsw.exe

MD5 40dd2af05692705c23b487b3f2f06823
SHA1 6a24459035e73a6059147cde74c69fafd14b7590
SHA256 f949e2ea2770c9a4b7ebca3b36a84ee8a8a2f184735070a418f939c6a02f34a9
SHA512 9da40381857464ae1574eb00dd4c9d0b122fddcae07e76776c6ed360d7f0bf96fac9b1766b5ad70b70ef879084c59767bceeb251e284546024b870a41e29a979

memory/2684-4-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/2580-29-0x0000000000400000-0x000000000042E000-memory.dmp

C:\ProgramData\RKcskcUM\WwEAksUw.exe

MD5 37a9bc937da607503832351da0299a5c
SHA1 aff5c5c27d468fb9e49d7f6830bf6f0bdca276ba
SHA256 cc514704b9f6fb2a7ee561f2f4114fd9e46f07b6840b96533507f0520480a449
SHA512 57b8040f8208fd9067af986679fd8f52e23bbee3e34a9bdff96cc30642855511ca1e4d271e5f02790cca8c31a9acd2e6447468f449644741af52f455049977c8

C:\Users\Admin\AppData\Local\Temp\sqcQswkY.bat

MD5 c6743cbee2da30a3c3d7d4c9986fc121
SHA1 18a31020f2bfa4530ce74f2b1179b97c8fecf74f
SHA256 857bd647a40d2451bad0e2f76e69edd5ba6cc24866ba7e3daf39905b73761661
SHA512 ab34d8f78df3b34871be6d20d4744b819c44693b207dcdbd975e5e509179c80392ada5d677d50fb24930e0d4d9172dcd4e7d2444a2b23931fd59976e07ebc46b

memory/2684-20-0x00000000004A0000-0x00000000004CE000-memory.dmp

memory/2792-19-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2740-33-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1012-32-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1012-31-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2684-43-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ACwQUYMQ.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

MD5 477256402c581beed8f9aef56cebfb0a
SHA1 af541187d2a0baaeb1329c6234c6007c5ef322f4
SHA256 fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b
SHA512 c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

C:\Users\Admin\AppData\Local\Temp\iQsQcYYw.bat

MD5 49a793955427719c81d475c4c0f9d047
SHA1 8f31fb0bbbd2b6108323d3dd575c60f1d82940ac
SHA256 726a6063cc017cddf84daa0ce8a23e71ad6ea30511fba7100f163059367e7b32
SHA512 235d11f0c4c5225b50542bba0e7b91e2d825772dc4f1605ebc422968673fb1e501b0e8ff9710388b6ee3ae24d069747005295893c79de8535fffb618a5b353ab

memory/2152-57-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2152-58-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2164-59-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2740-68-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PUsUsQgA.bat

MD5 bd1ad072239c30ed18ab2e9b8c90b1de
SHA1 77649a398eeb7c863f995305943150aa90a67e2b
SHA256 5f65ecb1ad2f44da7ba835dbb998469838ca3f4a2a57e8e0e3e6a23955076194
SHA512 eded8a2bf05a7031a643a6282146ad3e8dd9c169930549d4ff9f209e534ed841b31cda2ab41e51ebd31e5b97b1935f5d11f3785030aceeabdb2d2177f0e02988

memory/2072-82-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1572-81-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2164-91-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\liMoUcoQ.bat

MD5 e0fb8b256c37813903ebce737191defd
SHA1 2e3467bbc8a3f2d89f9ca2e6b8a3a31e39f25258
SHA256 7dacea503a5c6fdc5f2422cdd7beb30f3961ec6b2470d7959677b6b56a3d90d3
SHA512 9f53cc2a1de588abfbdf53ee4a9d3637a18f027714d5df54fddff87309f0a0a0741e7a4e83e55f3ba08463f3442f920890b2ddf7c3ff4f1122d6232da88bd0f9

memory/2036-106-0x0000000000400000-0x000000000043F000-memory.dmp

memory/672-105-0x00000000003B0000-0x00000000003EF000-memory.dmp

memory/672-104-0x00000000003B0000-0x00000000003EF000-memory.dmp

memory/2072-115-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zUskkgcU.bat

MD5 da529d0fc8424f06394d3603d4867548
SHA1 676c95a5ff9f04ec260d3c04e08629ec2a2ba233
SHA256 b627cffc14c4ea8296cd9ecf33d927613b1f70b4d298e24ea6bc9f57887c9eee
SHA512 ceb8924bda7e92ee3cc450d004429ad6bac9e247497ca845bc7615617c7985944c2d25be1c1015b84e2c3031e28b3ec57c89dd81938faf8030ea2e1d4fd85146

memory/764-128-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2036-139-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1644-130-0x0000000000400000-0x000000000043F000-memory.dmp

memory/764-129-0x0000000000120000-0x000000000015F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fesoQAQw.bat

MD5 4db5d885ec1c9bc3db153a8002653203
SHA1 0d81c24748a5f23b15bdd87786bca2cc06961d38
SHA256 5b0c62ca98d80ee53367e3082cf5f0222e3c8c4aed36e0c1f4a0615ad26e86d4
SHA512 e6a5e655bb9c4105ff70364a3fb6b52092b717bd03dc6939a5ac8d1322b932afa8a786d7c530574625b234753de41dff9c153c9328466a3297d7dd445d4fc75a

memory/376-155-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2388-164-0x0000000000400000-0x000000000043F000-memory.dmp

memory/376-156-0x0000000000120000-0x000000000015F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eQUUQwok.bat

MD5 282a2e3a2ff6989dae6fb2addd7c252f
SHA1 fd171ff98346e7513a64456722cef2cb4137c4de
SHA256 2d043bb3144354c80f77c34a8dfcf95ffac1860a17ba47225abb6d2ba4797332
SHA512 396ba0c2fc0ccdfb6f8c9ee4586c7b255eae503d13703109142357664cb3002e64f02bb362250626e5d861d5a38ee44ba753ddbddf3c767559ac1fd318f318ed

memory/1560-177-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1560-178-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1716-179-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2388-188-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yiEAQYAE.bat

MD5 88925de6f7503a0a607d5c1d6de2e196
SHA1 4d126c9545e83409fa5eba35d0f97fcb0c785b6d
SHA256 32c7ffec0a985e4be5aaade0c381d999b55d7e885a7bd412a4ef78fde82b44f5
SHA512 7c9c247c28609a9aecc364aec3a95351498e345c42d4516ba2a72039bfeea772b5eac222eab5be7835a21b74f91acb959746a1bd7119bfbd2ceb6afd9c432fd2

memory/2816-201-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1716-210-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WOYwsMwY.bat

MD5 414eebcba3bf2e38fe70728606d19b14
SHA1 79c4ddb5bffdbbc939f6bf321346fafbfd3209a2
SHA256 cea15bfd3d7dbaac304f53636fc4bafdad8a894d99847ef7c125ca7d599a19e5
SHA512 23b2208202fd4ba50b1b046214795582444a66bc5189943ce30e004ba07c7932d823cc7e955360f4cb8391b9fa9897fd7ba25f4953c6ae60a67d508f5707e803

memory/2268-223-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2816-232-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IyowoEMY.bat

MD5 782ce565d69f796bb585a044c58b7ce6
SHA1 5bcccdf1af157ab87ac657309e1f605b7859cfe1
SHA256 fbc1a0d3c2d4c5132030d632070dfbca0d68ced560420226a6ae0f75e42cd3fe
SHA512 4ec9e1cc713e17f2d7c56f90ae3df6a053050d09e040172ff38d4fcca17f0c958fdb814f6a910ec0a5b35bf8f61f2bc7388e2b9afd5ecd91e4ad1a8c4b4ce7cd

memory/552-245-0x0000000000400000-0x000000000043F000-memory.dmp

memory/552-246-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2268-255-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oCkkIYAA.bat

MD5 ca54e36f0e1584940bbea66019ea4044
SHA1 f61e326827617fa053b0cde270210e7a5ebd321b
SHA256 9707ee2ee28017cc76aaa489ed303b1fff950f502cc60d38094c98299ac1b8d5
SHA512 87ab4a86ffb3b0ae2014bcc1a2665a2350727ff188db5c9301ab7dc2e2dcd9242a0b5b09904605810b288b5ce761123b81c1cc5fb0a2ffa26cbffd987b418b11

memory/1596-278-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\reoAUUkQ.bat

MD5 138b5dce4d9ee09e8d37028cd4457231
SHA1 b8645235c58a84fd779cd072cb25501457b51cd5
SHA256 cd43fcd39b7e157d0624276c24a4ef9462199130958d4b1eb033a3258b1b2093
SHA512 f2c8ebaaa6c2061c5b0a0f3c5b253fe9264de3dc6c8e18db92c2f6a48266deb0c20b0add4cc08957aa3c09fda37ea566e6e741838fdba2bc8aefd5c92fb4d5ee

memory/3044-291-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2688-292-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2356-301-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xWYUQIoM.bat

MD5 0a8d7bfa0ff6e76ea1d79839d00746be
SHA1 d6faef21aef4d1993fddab6d0d0e3e5b30e1bfff
SHA256 627ab3b9fa54220bcee42094a7c0c642f918da9e8ad547f8111a99968c9f422e
SHA512 ea6785b875ab2b193828f5ccbce61ff120020392f27ef746e6ed3625c56dbe8f8dd9a378bddcd72b85cf37f5c60673e72cbe9b95fe79050c8bd1015db38a8ec8

memory/2004-314-0x0000000000160000-0x000000000019F000-memory.dmp

memory/1852-316-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2004-315-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2688-325-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\piAMAcIE.bat

MD5 8bb69e29f53b799593ebe64c4431c349
SHA1 e5b9d9cded421285afa4563ef6daa0ddf620fec0
SHA256 b2b5731ee4397e20dd75cc931c4a5faa4e897deb2b3302b7af7a8761efbd244e
SHA512 200a369ab98feeb5f231436e845446262b79f70bff4d9a700a5d1eea03df87d3f52a127d8c539444aa9533a868cd8839f8027251b2063cfbbb662bc4e44ca414

memory/2164-339-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2064-338-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1852-348-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DowYwYEc.bat

MD5 e2ddfdee9e6270a3aacbee37d623e146
SHA1 7edb029305e98d81b3116ded156d5946383e2847
SHA256 3e0a50a75cc48269101e37027f3fbcf0e571b0592cd9d7cd0048ea638b98721d
SHA512 5a145b586d680ce500f5de7e75222cec656f789a2a25ed6c19bb9e9000d10b22183937fe1be29f0c5f0a72780f86c38ba0c31c04512868ba2e64893e08914be4

memory/2164-371-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GWIgAcoc.bat

MD5 d57836d27591cb52178125f4cdf04e57
SHA1 bd6f4bd11a9161ef1628e0fa228c6b80502f9996
SHA256 83ea190550972164ccabd8f6e07538e1c9249be63c6b2bbab0a423e1839a948e
SHA512 45f5d6062c07c1d6600980f13ff3b746567b9ccea1422647c42c93967a1cf80ecbbcc09d514586c9053d8f2daceb49c131cdef2dfeac3be7b82a5330f2c04292

memory/2976-386-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1616-385-0x00000000001F0000-0x000000000022F000-memory.dmp

memory/1616-384-0x00000000001F0000-0x000000000022F000-memory.dmp

memory/2412-395-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mIoMUAMA.bat

MD5 5437a388e1cfb0acff92bfebc1aa4b4b
SHA1 e486f2db169dd586af719854101a5d11199d0ce9
SHA256 b9605f98bd8e79fff3d98b5ed794cbf639cc3856cf5587d664ac919e765357f0
SHA512 519ce8afd57fcc196910cbcbea70531e743fa2f093a135f33837b14772a65f5e356bccd3778a5b9c20305f1e44ec1e2dfe89163ec036f6520036e718c71ca138

memory/1900-408-0x00000000022D0000-0x000000000230F000-memory.dmp

memory/1640-409-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2976-418-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uSgAwwEM.bat

MD5 18ee110803f5525bc1f5d39b036cd891
SHA1 8ea9fce94aefde3699728d070731eb92f1b00be9
SHA256 fa0634ee93f06ce5f9de27758fea403e476782acd1e5431003dc94befc71a4be
SHA512 9c4571ef8d79b67725e4d347e32c05581975d54d611c1c0fe554bb3c4a688cee8d24ee480606a303ef5d20c7aedf654968df45551d6311563ae81088fee94ea3

memory/2404-433-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2388-432-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2388-431-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1640-442-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qKcEQEws.bat

MD5 ce10dfe3441d9beec496005e482d52c9
SHA1 b3793cb5fb314bb426e7fc45a75ef94aee17afdb
SHA256 dd24734240d411a60a45ae8579a984949d15b2831afda28c4e63d1357a274fa7
SHA512 d28429f59b3ebe07d2785b297eb6ff2931b6107371d0f4b4959f46afdb8871a95a81ae8e5fc37ade46cf7f80a8edf49ff80e790859f890a4ff04d4ee731a388d

memory/2544-456-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2544-457-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2952-458-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2404-468-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUEQYYsA.bat

MD5 8abf7e0f01ec3151f618f94b93ae412a
SHA1 3c374865196e9be7fccb63c873bb04bbd258b389
SHA256 870bdecb00a82c4499a0f9a3db624621405b42d5da8a9b1fc93be3e785bb4aa8
SHA512 ef06a1e291af3e9bf6d8484476ad1a58f6f74713ada02f5214730d07caa3e8332c978b4af81723c4c37c9c3fec309a141cc6d0939279c86150b48c76de86720b

memory/2352-483-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1048-482-0x00000000005B0000-0x00000000005EF000-memory.dmp

memory/1048-481-0x00000000005B0000-0x00000000005EF000-memory.dmp

memory/2952-492-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fSEgAIAA.bat

MD5 ac6bdb7c0f404b100ebbcb187c81ac50
SHA1 d9de210b2fe2c77610af8f0776152d9b2151f343
SHA256 16450545c55bfef81e23b660db5a5d610342d5fe08d2ce7163eebf969464a33c
SHA512 81120d42e2ffad77cd825db8f456c9d58b1904b5b7924fe7df8fa9e2a1789212b28b24dcf16049012a81dc6946c324388f084a7900dd75a972ebe5e6dd2bdadb

memory/2140-503-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2352-512-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NKMwAMwU.bat

MD5 386c43ab82358c08beed846f3e29eb88
SHA1 68a8b3ec13ca250d8fe47caa884474f0cffca8af
SHA256 dc0b0ec509aa08d57a09b491d18cf2d409a8a4b2db6f63ac0a222d46a9fda307
SHA512 b3ec8ce3cd875bbc21d9dc6a3fe9a051deb6b6a3b11bce76cf31846a68e53a6f67268e1149be6bbdbed5a9ee52d8b3c0cca95cf3408ad22032feb02dee037e2a

memory/2384-522-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2140-531-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zqgskwUA.bat

MD5 c84bad552fd14e26ae7ece552b5dd5bc
SHA1 983f5aa25ad0b3e6787b882e8e3065d2ed5a7dc7
SHA256 f16378ad6e8f29fbfd838a4a0470e84014bc355d4e0472fe21e5876ce65f022e
SHA512 70929a5b14a5f7132aaa8f237bba3e56fde6fe56e0f16cb3a536cf6efcc62c345326aaa48f441538528a2e6848b839b1349ae0b35f280efba2e1f097e6e0a72b

memory/3020-542-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/3020-543-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2536-544-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1704-555-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JYsMEUkg.bat

MD5 da5ca63e8200f0dcd4b272d38d056b82
SHA1 15ce9394140239466d33ac88579ae503c0a44257
SHA256 18e9526ba6a48af3810b9f5dd58c2623e3bd4b5f6fa4744713e8165a104a4958
SHA512 c63901ca8d1bd8c734662caee7f8131e0a7e392d9c8850b9cb687fe372e2e3fe644e355b0b6ceec87e421c430685988f87f46d6bcef32d8e16d93a8c93c1142b

memory/836-566-0x0000000000180000-0x00000000001BF000-memory.dmp

memory/1768-568-0x0000000000400000-0x000000000043F000-memory.dmp

memory/836-567-0x0000000000180000-0x00000000001BF000-memory.dmp

memory/2536-577-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OkgcUUUk.bat

MD5 869adc0749c05c58d87860e29855a9da
SHA1 ae830f34271b55271acbb159163a1c6e1eb81451
SHA256 f0cb44c40954dbd9a35bc294d42ee893c43e9d8acd3ab46e802ccd47918eae31
SHA512 07c4a61f82dc565c46fbe3babb2c511c090318a76894a220484bfba6547f2e39622ae86076b0048b697187b32322bbd47c60285332d3627d32f01fd76679718f

memory/1768-598-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2104-589-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1628-588-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/1628-587-0x0000000000270000-0x00000000002AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmYUQckA.bat

MD5 ab32b97d0d8a0677a6966656f67eae64
SHA1 ddab3409036625cc305cd78519872f57b3925c25
SHA256 f6cbc6f139ab834c1614c66f7c6464b11ad1f233d4265977a677b67346a071da
SHA512 6e1d6e5267a8d79cced8b1858473eb4ac5d9e65d0d2ae4df5e019ee9ed1067e1b5d227ada2b433c563276d3e511f53314cd3dd5160031f8e61392aea2c315712

memory/1720-609-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1504-608-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2104-618-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qOksUMEY.bat

MD5 1e42e9c9f3d9df8604d8096aaeea84f0
SHA1 0b927973e78b8cc4f52c127c0e078586afc9d429
SHA256 ba6c827ddc1ef17af8db7c4ab2ba5f71cd87a40b1a8a93e82dcd400d8e4f072b
SHA512 9499f1641170710f1432ffd55d0555261392ef8558c5ce339ef2d86b217c4a75184fd72dd71d8e7480787c8787e9cdf81c9eea9d197bebc25e07f09f453f76d6

memory/1860-630-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1964-629-0x0000000000160000-0x000000000019F000-memory.dmp

memory/1964-628-0x0000000000160000-0x000000000019F000-memory.dmp

memory/1720-640-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EaIkAYww.bat

MD5 1368fe18b768d4f105773214d382f8b8
SHA1 3fcc6963b5e63dbe7c09ac47bbb26c2b695f2347
SHA256 b39cd562285d7bcfc3a08225875e0e3c0740bed29d00fc73a5382b12ce72a1af
SHA512 05942ce6bb16b647fdf1b9c73444db1e3e4638f1a9fa17cf220d90b6e5d2af2d045f87e71acdf49b0513502cffed4729dcae977c4e5fc0ea843579619d15d5e7

memory/2720-652-0x0000000000400000-0x000000000043F000-memory.dmp

memory/868-651-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1860-661-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fUMIcIcM.bat

MD5 9a744598fb45223c43dbf2743eb12bca
SHA1 5511e9bf8975ad1cb488f6deee37fc5f268e699b
SHA256 5102bb977b3a996238dae83b3a0224be457da5fbc1ce8550ada930bac4d158c0
SHA512 da0b179e4e33f46eb569373e640281a43b5ce7e8f689c59397b59836844032ad963c376d65ec16cbb468b2929b1cc8b457b6d444d67d2f53773782fbb93d72eb

memory/1640-671-0x0000000000190000-0x00000000001CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pGgAAYMc.bat

MD5 00dba682923ff667d9d558e2e4ecf4a2
SHA1 13738f956c3da39b7a598979689ab22fc3ad7add
SHA256 9fdbcff1a838274b0d2b3b2e3855fa0a52292bf3d93afbc667ed3599c17158c4
SHA512 c20f4231fbdf7a3d5bb7a6d0f25722a2e4b46cd6f55f9d8ac75f18c753105fd727b38733d13ca40ead57e61337fdb64f5f93a76c16f4e6fd13485cd2605bfa10

C:\Users\Admin\AppData\Local\Temp\rGMoIgUI.bat

MD5 bd26aa39c23cfbfc0a02af000327b4d1
SHA1 3670d358b4c19cd9b334717054adf5a64c5778fe
SHA256 d16e5df65675c30c09383ce31bd64c0cb5a867e261ebef40242dfe32858ad715
SHA512 d8dcc153f34304afa625b080e762899ab659d262a7161550a30981f9e52a6dbca467a5b8c73daa8eb4ed92eb7694bf14af2f28bcf53bd6bfcd3fb319c1e25d91

C:\Users\Admin\AppData\Local\Temp\uogC.exe

MD5 e1236985f762cbdff27396861fd1f7f7
SHA1 2afb146dda65ee34ef77b0efd2f4b77777472496
SHA256 e90aadc0f800be839efcc1202d10b0fe4f4b261cbeef848539ce01dd000813a3
SHA512 6314428c0566824f51d1ee921a82646a1274c22e72e6d30a895cff07b0d227199f0de2bfefdf5fbabe4de21b29d903c3e83fc0b630214e70075cfa476d366c33

C:\Users\Admin\AppData\Local\Temp\ZQAcksUM.bat

MD5 51bb671570312113edefd74ad084092c
SHA1 d56a5d4da46969205965f8ed4d99a94cb77ad9b8
SHA256 50a5610fe1cc50ac60b01f3dee789bc855ec59fe0c942898bf45db1c82082a06
SHA512 7b27f78fac6212defa407e24b4619444c7fec3dec1418b1b3070cfd50df0a5dd2bad0b65f1b650faaa44afe4d2c2147076dcefe8d940f248c9ba1f7606651de7

C:\Users\Admin\AppData\Local\Temp\QUcYggsQ.bat

MD5 be2e70e260f8abdc23044fa79fe9568d
SHA1 872eb2df92db266671323aa207b85ce8dfe8fb0b
SHA256 58fb967a49a84ffd0e4d52431a7dd8a851d11cd5c5a409e57770c995a8353b75
SHA512 e1a5dc1c52832aad0e92cc72bdd2b0bae12dd4daa277316573ee6421f5a3382e69b36203efba05ee3fae0d61d07bc52907a994efaf6fed9b69108cf4cf828d8e

C:\Users\Admin\AppData\Local\Temp\yoUUQwcU.bat

MD5 189ca6a6a4c3df4a187327ff3ff2b832
SHA1 aa957ea4344c6a19e98c4df1d6bbe165c8f74ce2
SHA256 ea8de026b083cabad59f79ed2481e169e3cbfb4877cb8e93c4d6af5ec8c0c583
SHA512 d193f5ee5e466fb32c866de9d50bafb6e722e3709ca3516c537f1f1b7795e0855c6f9d0cb7a826ea1208ab4a097054c50a0fb6818dac80b7f1f0904ea27e4be8

C:\Users\Admin\AppData\Local\Temp\OMMQUckc.bat

MD5 5d08bf12aa6ca3f9a6ba9567d3a9f83a
SHA1 db352eca62c56b8ed8b5c8930cb9420cfe499e46
SHA256 c74b905ed7d0873bdf63af4cd22abc79c736a70a0a0f7d8e2dd016a4f4cce97c
SHA512 0837fd906ddc465d8afef99aa57d86ef0f205d7b1ae73e97f06c0c709eca882d02ab80adbc5c8300e28b94e0352c67e76bd1c6253a4a46200133e6e31bef6a42

C:\Users\Admin\AppData\Local\Temp\MoooMYwY.bat

MD5 cc56ba2788a1421027ecfd7ebb58be3c
SHA1 a5cee9c1b03d5a3d80022958167ba8ef8363bdf0
SHA256 832bddd6bbd11a0f04205acef13daade01eac8c2d13c5c83525f2d366cf86c50
SHA512 1ba4bf76eb3807cbffdda49436c559a3436bf0998e38c1c81811561d806557edc819fe64b44f49ec4778c89a605a4d7c1fc6c9e5bd8315ddd724c4e7d553e154

C:\Users\Admin\AppData\Local\Temp\yKQEAkEQ.bat

MD5 ff5f4eea3b6ab4eb1afcce22b8eb43f0
SHA1 0f5f82d1b98e7baf59e6f09a1f52609dfa13cb9f
SHA256 134ecbd55127a16d598e299408a8a138d231558cb9b52060716a03fe44d9db8a
SHA512 3cbb75bac8a7f5513fb3eb34e4b45331354596db77350b0d1ac3322cddd74330febf1c0750c66ad15d9c7096ec37173c8698d00050d674a5482cb2f2456ee182

C:\Users\Admin\AppData\Local\Temp\HaYsYoQk.bat

MD5 06a4df47d13a8176812d9e34cc514d96
SHA1 1f2eee47e2ba6ff3e0b70fe4e70e09ce08883733
SHA256 e4b18db123b63dfc2c1d98027e47015d775e8ee29641dbe19859b7d00667d35b
SHA512 8ab5a907edf7020556c6f3326efb9c9e3e5599dd2044eae59d44022797b95d52a762ccf79257334377d296a9ce3e8d4c8ec2c3a1ef3473b9e3279403271f8554

C:\Users\Admin\AppData\Local\Temp\LKwsEMYM.bat

MD5 a495dfd30f1bf1c74142b8447c90d0c1
SHA1 518fde376f04d01fe018c4a53201334ede82f419
SHA256 60d9f5befa3d234841615cd99604999bfa6682dc435ad3a7b07daba849fc1aa6
SHA512 4a3f6067e8f425e7d8dd7b24dc9b7fd46974d003b404e1a810758741c783f4d8f866f027632c2b3911dbc2fc2a97834e0d934ac1c6f490d3556c2a9843d29e77

C:\Users\Admin\AppData\Local\Temp\zwsUIgkU.bat

MD5 13a94a75485df5d6a2d42611d4c02672
SHA1 6be7f72ffe730a58214f002e4cd566f54cd08266
SHA256 cdb68bb64d17cb70e87f4b7160b3a98134a662908229c86c9c3b13a7eab7820d
SHA512 43f4f5a1c2790f6f7c079ad427d2c570f03932cf9e1488027a70a6e4bdf794ea41ed277dd664dbfcabbfacbfff582ac718bfddcd6692f0e552ac9fdf7b160288

C:\Users\Admin\AppData\Local\Temp\wUIcoMMY.bat

MD5 947011ed02280c1f43a2d70c9959b82a
SHA1 2ccdacce7c680c08f3df87ccfafc115a9647a740
SHA256 7b87da9c91db2783b95f05058e04dfaa4523f0acc4e4d0173307a342cdd4181f
SHA512 a497ca4f064591ac1b62cfed8ab8168188f69c30a6533f6f854e8698375165b53d57287edf34c96503a1946690b7f577a507e9ae3820d0f9d792b5668041b4d7

C:\Users\Admin\AppData\Local\Temp\qcEEYIgQ.bat

MD5 467417ff3789180a77a52918435379d7
SHA1 ac85ee48a6640da209e02d26793e4faa9f0a76d1
SHA256 d2dd4b3b7af47ee33c4a50f60dfd6e70559c2a57ed8bb28e6c088a303425143c
SHA512 9998642b2661ab8c8d68c5d82a824b5732ceabf136687e1df759d13ffdefca03954faa946ed90ab2bb3fb5fd6879228b129235e18ed8580298f199cc68d9b7b3

C:\Users\Admin\AppData\Local\Temp\OWcQYokc.bat

MD5 e523c7787a73ee5ebc179c74ace1ec4f
SHA1 b0e0dbec1be2d90e93d85b965d422d57fb873eae
SHA256 00fc1ff3750de4ec14ff76b298511f361cd64fec99ece3956afe20e96da13a33
SHA512 9ba7acc0268162a9d6fbb70429fe05a755101ce57ed9cf6c34488914e37b43b4f6da57d8fe24c0beaa7b6030a03a650a4a3bc6be9e1ab1656a218efd4c311c47

C:\Users\Admin\AppData\Local\Temp\oucQQkwY.bat

MD5 0af0fd9986d78648c80fbd96fe2e4286
SHA1 8685d53a15eac8ef3ca1349b208f2a3568c88333
SHA256 c9903fae99bfb7c6e78850fd462ddf9bdaf7e97f381bd95cbcad7f3b56cf77e8
SHA512 10c3561cf29ab1138a64491a5b149f574242b7a8e3c992786b0cb829e6df33b04f4718f5648e023d06386bedd831f3024085aff1ea9372a5db48d3f3673615c8

C:\Users\Admin\AppData\Local\Temp\aaskoQoM.bat

MD5 0dfe34e580db15bd4942c443f843776c
SHA1 755e56e3acf367969648ea88812d1ec74dcf334f
SHA256 3190dc6e2cd251a9da9f21b627fea2f8ed70514880609868df5f78b3a34457bf
SHA512 8c8bb23f4cf714bb3939d5f492f3a1d273588e706ed7c4060adab904d02013a33b2d46a17b248ba95a33f6e3779e84089478539a739d4e248170527044e1c155

memory/2332-1024-0x0000000077700000-0x00000000777FA000-memory.dmp

memory/2332-1023-0x00000000775E0000-0x00000000776FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PQYowcEs.bat

MD5 6f21e6b8b2a9de4a719b5e1b38f11b9a
SHA1 3affcd4794a26a4a98b06712019c0ce0ef6ff6ef
SHA256 b34642aae9e024ff3916d1281c6aee26abd68fbd133a3180872e10fd60809fea
SHA512 30c658c8826d564f6d744b8ae6ca08e4171dc6e58158c07eae1d795d022affee41c98618930f5c369b4c06768800df182365e8e9f27221d1a6b28dc5eb7d9df1

C:\Users\Admin\AppData\Local\Temp\bQYkosgI.bat

MD5 3f982cf5cc4318eb56d7ea712a08398a
SHA1 3a2984d2a017099d5b149922d07b01190d26445a
SHA256 3a8fdcf41ce16072986291b3973118839b9cf5d92350c7dacb4dd1b291f83485
SHA512 c3a041f68fcd81c0ecbaff02c9927cf9191e9dd1c7b192c4d87cc7677dc966ca98f839503084a8cafe8e783241b54bba90222850d7f88442e84e265f5340bf76

C:\Users\Admin\AppData\Local\Temp\JmYkMcIo.bat

MD5 cf5d046dcbf55b03d44bb0764d374c47
SHA1 4d7e00b4602b1e0c06448e0ef3e95dadd1dd3749
SHA256 adbe287f213b13c7c4fa7c7f3d48fd123027d3cfdc3194696a6d0fbdaaedfa75
SHA512 1b7235581767d6a4342eb6416aace1291c3ee54391e245111de73e67799d1a1c8473453b6a2bd8dd84ea5fbaabb6e0b0b441088dba2d579860bf8c4d534f7bff

C:\Users\Admin\AppData\Local\Temp\fUUgAsQc.bat

MD5 ef75da27af0a1de5a5cdd4598b50263a
SHA1 ac6a4da9a627e276311cc9b1273a3356b763b2d2
SHA256 f9fc5c43fe4162d1bdff7c5e4d84c1f86339480ab52bba2a475b9f5661075f98
SHA512 d607a6fe158638c8c9ed105c2740d8c5f527a16b0e20d0381bd8e789ced5c28c2a6ebbff5daa77eba5330d8443dd0e0d42c0c142f5c4862f9ea0cf8f7b6dd9d7

C:\Users\Admin\AppData\Local\Temp\qqkEsIQk.bat

MD5 171c3515097c0d5fab1c1c2840fbac70
SHA1 83c9ba2548dfa96fb5f3d2d485d35c61c044d977
SHA256 a76ceea180c29f175055a078738ce180d981acf4089dd6318d3c725cdacf9719
SHA512 b580c99ace71fd38de51e653d5b6cd2d784cf42caa9c963e89c7094caba2200bdd892fb0984013684cf71df8b59805c0e6867b455a3e52b4cbd83a222d1d475c

C:\Users\Admin\AppData\Local\Temp\GiYEgAEw.bat

MD5 737ca3e054b9b0e974899a896fe7c66c
SHA1 e66a93ee04171f0c771d972343d247a63cde6ff0
SHA256 bd93d4d14b9e0bdd499b256be61e225f5168e53e9705a177c7ad5f21c20943c2
SHA512 69558df33c73551062c1b660233cb401637cd4c4c2a246f94fef78aaa3b3b0b92f12d163eba72672aa7b5bccbd9c577c8be1343f2b833f872deac771ddcb9893

C:\Users\Admin\AppData\Local\Temp\YqMQIMcI.bat

MD5 c85fa62ecb73f5b5418dd885778db29d
SHA1 344e6e57782ad5ef41bbfecadb824f17b226d18c
SHA256 eb9cb9a033456b84b7a2c1773a44ac0750ca534c520f27cd5a809a8e02c77bf4
SHA512 fb8c4f8ea4eb8692c0a096883d1171a0a57808f3b04e121dca0b37b0dc5631bc264ed9f4d7bbf2384f9bf63fa1fbc3048170490a17562905e746e30a2171420b

C:\Users\Admin\AppData\Local\Temp\qcIwocUU.bat

MD5 0d666ef5f296b2ce9d013658b531afd7
SHA1 8840b1a72fed7738a3b765cfe1d49ba7368b9649
SHA256 344cb07a5020d08e00a9b047e991a6c416d93772ecb70c3fea8df912bc8a4aff
SHA512 2a37d0120b415ef8b7fdffa00d15cefac9e1c1f820452d13a3bbcf16ff70e2dd23772a043f280996b8ffe9e7d02aa7d3e3ead1a58168d2770bdaf14d73a49c34

C:\Users\Admin\AppData\Local\Temp\AssI.exe

MD5 57d0f3868db4ac0d1d73a15c6bfd7444
SHA1 681ac015dcf3edbd65f0d698dad70e975fda1577
SHA256 75a774d626be1277fbef6aed45317b789c46603d10ebb60d1fd971bfc5672672
SHA512 d9563945e3b4132e6f12e5c9ce00a15040446e7a434d90fa17b64aca414426007733db18a3a5d0eb352f5d3a69f6a6e42cc3ffe16fc739e52f21faff80d4c952

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 7a54d6d972155bf0438b2a0cd4306fd6
SHA1 1e93289c527b86aeea549a59e778a134a61e47b7
SHA256 8dc395004cc911774ab596ecba63cefd24628614c631a43e450918806a9672be
SHA512 f0fac22758a7ab4d2875bb512d20c37facb750604a15eb070a8fbb2232d19a82244e4a97aa2341859098ff17469aefae317d98f96fbebdcd6ef7d552f7d3305e

C:\Users\Admin\AppData\Local\Temp\uYcO.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\KIQK.exe

MD5 e0cb059b6aa7ffeb7977345804ab7c37
SHA1 eb01c9abb9ba3fd8df3c8034b20e6c4e5afec266
SHA256 484ef09946a7f9d28b00f41bfc1da04beb85b6006ba29b767cea1fa687e6c297
SHA512 ec8c991d2755893a0e147ac38f22bc7dd386cf8f132dbf9d7ff9ce86290dfea637d81b8567e9fa339b8d1ae70794dd7d16a975540a7589f216bf06b381443f72

C:\Users\Admin\AppData\Local\Temp\EcEe.exe

MD5 b6136ef43b51025c72f6634b99d0b3f6
SHA1 35c00ba41ff2f1263fc9cf9f489763c2c3d2fc41
SHA256 d6aab35fe4ab70f1b171ab03f6d9c029d1beb3067073c3ac80ad3c041d81d96c
SHA512 e939a5ed2b7fa497c41ad50e3b6eebec3c906672ca36866b1854745d47ea0562ea05167521900e01f452d5d394755cd7376f563ce283b89b7fa9812eab0f96e5

C:\Users\Admin\AppData\Local\Temp\WEYw.exe

MD5 6716e85b7ea1a7383a43ea530582ed07
SHA1 504fa80689e0734567c497f6f2d72c4b066399f7
SHA256 43a307fa52c222e1934e7abf6dec7ed940a3dd1cbc12a567cf57fbd1ac0a7968
SHA512 c9f9c6299d6a9a892bbe1fb7a40216adce4615ec42886a7bdf32c6d8e007a4aad895b678d53760473d4941868d0e840be268bc60e1041e32a9ad3438f5705e36

C:\Users\Admin\AppData\Local\Temp\qeIYQwEk.bat

MD5 e8969bd4e543b2482279e8ec3371b6c8
SHA1 b877ede973434760de08dc46ba77c91e02d6a41d
SHA256 2dd14b98a32d206e9c00dd344a07e9ac18b62b33764fb8c3733bba50c4bb25f2
SHA512 17dcca1eeed89f0cb61a2e317f1023fb7c9f69627d15b24982bfc7703b0ca79b5ed68eae0ea50f9a02cddf91cef31da655497612164c8349bb718ca274949570

C:\Users\Admin\AppData\Local\Temp\kcwM.exe

MD5 fad23175c3070e861052cad6eb8a2de1
SHA1 01f243f5497a090f560c66c238d9fab1f81ed099
SHA256 65000597229df8920ac3174e511adaedb81406262675780ca938fad31592e4e7
SHA512 413c6e9d76027519a440440bf66955fe67acb09d36b5997e8c1f0ada318aba692f5d1396cfff437f4edc89b4d0dbe6f4e27febecd06aaf56919fd2f6f2a22a6f

C:\Users\Admin\AppData\Local\Temp\UckM.exe

MD5 7579723efaa8ff66f3b9c87633291153
SHA1 bb2ced40fb4339ed6cb9423a4690399c6a9fd5a4
SHA256 6398a9aacaa3c46236e11b6a9024b52cb7ec17c8b4d785734d5f069c3aad415e
SHA512 86a35f3a584e5aa59b4550fcbfee473c96d3d85fe7fc9574dea080316b7b7232e841615a12b98c9cc546c8c790444d551bb02985d3dbe8a78bdebd6495d75527

C:\Users\Admin\AppData\Local\Temp\QIYi.exe

MD5 802cbc88878684b2d5f0efb597ad097e
SHA1 7e70aae08ef48f4176b156f0dd5f1ff0c78f1e50
SHA256 39416475d21f78029411444da760fe46a6f8581dfa7934cf12d2f39d8608058d
SHA512 bdce702740c9174c5b4ddc4dd20cba7a0521d5223ff8566fcbb09bb7a68d25d549239b15689d5afee69c7a718f1fb5380b3de079742df3ecea39d36723baa813

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

MD5 78400b80acff055f4a2529bcb1cb9b4b
SHA1 d5095769b3de80997c1620018405e4bba6b7de97
SHA256 eb5a6addbc172e2af062ad02aa9186ba8a5a30beecb16e8b3269c2ff019e5eeb
SHA512 6c27ab69df44f36119fabc8f8ceb9bda48e1648e21636b999cc617e732d0c7a0c8c3c202722dc7861b4aaa1072a83c239bae04f627271872dffccbd4e04155af

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

MD5 454bafd498d4f29632ff6b5107d191ca
SHA1 55f8ae43bf55231fb8ffafa17a3bf0829e0accca
SHA256 06280b24cf203f85c52518f66b64771a2278a65c4d3a8f474127145c9e761ae7
SHA512 0338f08f627a204e43ea0f69e9b149fcc2283187f15fbfcaf98a28e53bb03a5fa6f15e613880e4d50ccd9719f1a2a6fe04fa4292b5f5bf34aa706423666cd714

C:\Users\Admin\AppData\Local\Temp\dsEkMQgA.bat

MD5 cbd37ff8565e285f26692fd9ee4a9687
SHA1 1ea9f976e51c6f01547233ccc3d52f31e9685c34
SHA256 751878963462fc953c46148901e3667db4e17a43e546da7f5cd3d6a332976294
SHA512 48ed85986f66d61b4c9a512954a8e17ec45c8b2d468e9c15b7a4b9b3ad45a79cc12c01e95fff2d7feaac5a6f0a20dde081699cd1e5de90211d458becd9e4b348

C:\Users\Admin\AppData\Local\Temp\Ssom.exe

MD5 409cbefef355bd2004187653a3229907
SHA1 237a786938e6602ffb81f3505567716022c31b5b
SHA256 f830e263b808c7ccb882bcef1098e4b82b6e8402a87e7c5c072d20ade308e071
SHA512 34b0e0097a942851f4741a864ad6ab47ca5e9653f13451637f373b4b7700662df6f86b642ea718e24b37f196d328053eb63261b6961a3654a10735b44d5e3df4

C:\Users\Admin\AppData\Local\Temp\SkMG.exe

MD5 9b6e6a622a0bbab7d9cd3f7e3823015e
SHA1 6f3ef70a42e30190ab27fc78c29f864747c0ff94
SHA256 3f6023f72871cd0385ce40bf79aafd1aec90448d11f64dab87ec3a2f78953dd3
SHA512 b2e05446662d1a6772cff4bad543c0d2cbd388f7debf59730dcbdfe6bdc9effbe0802f7d75ccfb5b7ebbf9f443bbd4ed735c4ff315f59ab6736d29a41fc43917

C:\Users\Admin\AppData\Local\Temp\MEEy.exe

MD5 12aa0b26e21a02d6adf53c274edb3c62
SHA1 f0e10bf6001a289a6a08d2a8bae1a8414418165e
SHA256 84b05a36f4100b6eaf85c993c0abb73dbbb35cd30edc23fc0d7252a7d837fef3
SHA512 a8f32da59beb63b2177d97a73bf2b8d117557d3eb8544cdb10b70838e17299a95a8c0c328b01a534f921b86b50dda3995e617efaea85139d6ae2f22970c75ce9

C:\Users\Admin\AppData\Local\Temp\wsIm.exe

MD5 16712563ec7d55e4e54ddc879dbd668b
SHA1 16620e8b885b31ecfdcab7ad1840b1c49352b363
SHA256 729f447b12a77b925c97e573bd42e2b691623aac5c0d6b5a5f37b108fd180d0b
SHA512 e6119c4c9cef13db06a067c25309558a539f2281f3d84aa51fc8862918d54850a8f50d615146cfdcf2df79d5b1b37e82248cfd9b996c0e42d84d8890bdedd4b5

C:\Users\Admin\AppData\Local\Temp\BcMwkMAs.bat

MD5 b2211f44e6cd11ab0dab03b2d96ed561
SHA1 f5fea68ca49af69d08fe842969459480c4201b01
SHA256 0cc9f77f200b815afdd49e1799f9bc6a83200d02e376d2c26efddb2aad26d5f7
SHA512 6076276b9eb6b2212bf7c5ce10057032cd30f9ac279bad96bd5a7827db3cb5602c2772699092ee05ac1201cb6b8b86df6819bc91c2e6eddd36b4a0354b95d424

C:\Users\Admin\AppData\Local\Temp\UsMI.exe

MD5 fda86874dbd87a390bea4da759a10412
SHA1 b6a5035c5fb0b6733474ac2789063dd2abaed803
SHA256 288b865c87cd08b2a12c66a059174a0024eea2b75bd9265842b3f49cc5c309e7
SHA512 9d66a98955870168cc108bace076422b3419914fa2f54e63dd548fb9dfe2cddd2e9f6b8ae3eca2190d2781b39328c5d27895e2ef247b3511c36dd5ae189316c7

C:\Users\Admin\AppData\Local\Temp\GogE.exe

MD5 a61a615664890f25444f0871726e0369
SHA1 214bbd068862d37fe42c5d1bee5376580367b138
SHA256 463c2ac24b05279820ba89844bffca89792b8b481f4996228d263adbce71cf25
SHA512 d12de3de7a482f53b62e90440b03886f491dbd732d72ab34998884831ce287356c9d77bb32bf60354f2a4f9929d8432eb29f3f5ebb7138a00796d25519e20bd3

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe

MD5 69e3bf428011335456151253e3ed8e45
SHA1 a77d4c59816e2725628555b33835525d6bef4567
SHA256 3dd553edbfda4981343bf41ee551cb39314e6d6f261e3c14e9e417e7cf531252
SHA512 ae253e6046d60c764ae2f4cbacbe314c527382f57e757d68be35845c42a08812b106ee181032afbe77e813618998d6b9e424905fbe4a4d86d2da296df91a4aa8

C:\Users\Admin\AppData\Local\Temp\eMQw.exe

MD5 92f6eac09d3a44956829d4626eff9472
SHA1 045b080ce2a96ac678634ee555b183d5989ede2a
SHA256 f4a7f46c601f72e2b81ef7f20b6835b5ae8c77a4d1eaa4ed6ffd0c24e7cc0239
SHA512 713a15104f782a71208083c16cd87d5dc7eabb5fc0ebe25674492b1045597bb209c413c794d580baead5f511a10fccf75f7c991815c52e9214193bc4773e2974

C:\Users\Admin\AppData\Local\Temp\UMQO.exe

MD5 4abedb3ba2930f39adfa59de8c47f031
SHA1 032c27efe2d9afe404f50a6ca8f572e1b3c203de
SHA256 f5ddbb77d05a37f8c0e8c4f355ee62cb825d3dcf11ecf066764bb900b3b67d89
SHA512 4f047e31171d802af425109015af3e2dbe0b32c1190d58db98a2ede1d10855d57f59e66e92338373b60450092201702d5069755aa349b76fdffcc1058fa6176d

C:\Users\Admin\AppData\Local\Temp\eEsE.exe

MD5 28460281e38ecc6ab657c5b850047585
SHA1 a474a158f5d151556bfb9911b267658b8e6328b7
SHA256 1b98ceb5b287fa775563b58aaf75590ae0563bd5be6e43972e03bb5047b737d0
SHA512 b960db8a33f62eb00a73db6e3df371c6c19b113b78f4d42f0f8c264aef503ef22dfe73c48244f9cfe2788a636dd2cf4853cd613e250d9f16a8f4a89fdf2e467e

C:\Users\Admin\AppData\Local\Temp\IooM.exe

MD5 c5825b7d3a16626999a2e0816c35ce2c
SHA1 831ed2a4472e4177a13166271f95320556b3f6b8
SHA256 82ad1447daad6e6a43fc9732c4e89cad9c33288dd7f5da486ff9e173ac1a0524
SHA512 3accae9c73097a56e93209813c2bbea497dd815dd52611d0f94ec67009ee0f1ca5c3a96252f7cfae777fe3c818bb27358858d8699bf473e180f22313cee102b0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

MD5 40369e4f7c673e4e7b86f280484c9c4c
SHA1 462d96db4062383ddc82c077efd926167c687152
SHA256 ceff4dc5b5c2a46769edaa8434055a004a45bc1b42a1819b02f83a2bc36fa47b
SHA512 ef3a66728cf62d4c512497d46ceda0541fe86e7a3bd8c6e29394e61972ed57679a3fe0864434b7c021408c3dc6eeb220f0282af5ddf6ecf8794080929a781c83

C:\Users\Admin\AppData\Local\Temp\kwME.exe

MD5 aef10b4e85fa6f0ccb23d7fde33a27cf
SHA1 842fe54554a1b0829edfa0b61bc436a12d5588da
SHA256 3d5563af8160e5b567c95c5f3cb73b0a5465e0175e641dff12d1fb46e0fab868
SHA512 9df6b797b96716cb97b5af666db718ff5d698fde97835b167c3f47a49a90c7caab1f762a366f904414778617c8fe95df398dfc6993291460512cab3b3a2eadb9

C:\Users\Admin\AppData\Local\Temp\FYQgwAEo.bat

MD5 87922251bfd58c5494aa4694262a3802
SHA1 89eb2600724a549647595d8b82b3f0cb0859634b
SHA256 95055f3d9b73cb220ab9f39084fbf1018d119be7e90566d509221066bb2dc1f0
SHA512 56963a15fa5d1bb25bc63fc57f8f360e5e05150a3fa5a987810ad32f84359c6c4da7f14fa2aee9582abdcdb4935418c5cd16c804287efb1ec792cb3d71c6d506

C:\Users\Admin\AppData\Local\Temp\YoUa.exe

MD5 564e869f32dc2d669ce4e1371c34f62f
SHA1 09d1336e130fe185045288711e9393567af9cf3f
SHA256 de5e23abe8fd8e6945c0464c343c58a840132b3d1f263c2e9d9367b95944f1f9
SHA512 449e3b8468a54f00a86af75b44957cbb67b25de149317a9e81183f7d61505ceba7e111cea1a8d53fa79b1151654403d532c4fabdcd5144de890a0232c716a7b4

C:\Users\Admin\AppData\Local\Temp\CggC.exe

MD5 c60d32cda5bb08baa6c60f367959b455
SHA1 e012f4cdd2a3db7c8acb5cebf8fc6c09d373977c
SHA256 565be704a48d2848dab818955a26fc3123942b9ebcc0e2f04e2f02281a680808
SHA512 b9b025c53ba08fed10c5e160b52d66246ad0e89702aceb917d8e8e7f0c7bbaeb6fe99b87f52a93a38b67799fee2a1dcde098b3e3fd3671de3fe928aef9dccae7

C:\Users\Admin\AppData\Local\Temp\kUYu.exe

MD5 cc0dec1d1cfb1019e763baaafe2dad41
SHA1 6f5308b2dd8df41459c33973e596e7bc2e7ef7e6
SHA256 d92547e373e0f01101f617020f5901f57c821a55cd56b45c6e17b7e6cefb857c
SHA512 7a4334dcf8df2ba16aa20d3364fe5c76e2a725b0d8c92bc11a599e00e302c5e972fc4c46c2a0ef61f06e258bc10e5e2354d5451c4c0a8eec00fd1a9fe74da062

C:\Users\Admin\AppData\Local\Temp\wkom.exe

MD5 7d6ab657d85ffbae1f6ca9e5615e6fa2
SHA1 006d6902d34fddb2d91f09303ca82e99692a6926
SHA256 d3dc760b8ef0b739dd3f8348639ea963d0f41b5e4ed61f44069f2ee32c318d0c
SHA512 9d14904168662c50a42e3a1730a5177c6ef8ec805966b653497b6da1109cf042af7fb3cf92ef713389c11aadba56b22ee3746d2bb629945d7dec8dacf0e954c3

C:\Users\Admin\AppData\Local\Temp\baEoIoEY.bat

MD5 10de8e5e9cfe9217ce270a2a12e86f05
SHA1 aa2e1d5be8952a5dfb283a81ed882c6f524472be
SHA256 38811b58076950b4203cb8553021a7cd5194de982c13f70508d58e742dc49a6b
SHA512 4ccd97337cb2f8b9f5695e7f914d983af5ee0a942939b4b347b16a0aaa0be39ca8caf2796f61b17f57a3fd6586ddaa6c1e2e69b7b524d6353ee2a2dae49b43ff

C:\Users\Admin\AppData\Local\Temp\awwq.exe

MD5 d408f6adfce87ff3e484dbf19ccc6eb9
SHA1 ee6b16bea14cf6bb34d5cedfe52fcd6dd671012a
SHA256 048e1c6f9b52d4e9b17d52479c6a61c11fe61ae682f01343b0d55cfe7ad347b1
SHA512 87d9526eb857ec68e5e42f772e2fd2e94be3b2427707161e6e816de63b15e4420a69da4a3ec4101e6baba71864b9500c671cc2b208ef0165e4c9d4cbe383a6e8

C:\Users\Admin\AppData\Local\Temp\scUi.exe

MD5 4ca564e8f4598d80a0de61cd51409600
SHA1 25cef32bc5b17039ed3e0c4ca3cea0c91adc4d81
SHA256 bb7463677e2cc511249d531784831dcf769021d6194672b25cc194b109edd369
SHA512 ed8d26f579fb3a2c7bd293e2c92bb28b80652eddc3b55bd75af9f7a221bca26617d05de1154b25d4c4daf7ec8d1d248e810ad20ad53b76d20a413b6b61550a07

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

MD5 779afd8786916ea5726b7bea7f75ca11
SHA1 a75130c9f132b5308b58c82be9411b186f57ec39
SHA256 827bd3add69c98dd1f1e6e6714e3598621170ee215818d5d7f6a28b64737451f
SHA512 07a9d8111868f5a795cbc65ba49d134ce65cb404bf00273effcab39067d23de1f243a8f2bcc9bd98a6abe19b9855e20dba8347f5c8407659e6d6e1a5a3ad0dc3

C:\Users\Admin\AppData\Local\Temp\YWYwIQQI.bat

MD5 824e327dc81ee2110447a7480b4c1d1d
SHA1 c84ec01a09070916268bfc99f4c0b10c97b60c02
SHA256 59013c17fb0d54dbb7ba6639154a43e57ce82cf3d0134f37e5558e50c8ed1dc6
SHA512 676583c629063bb81503f95f462d0f4d21cb4bc558cddc20415cded70f109d53b2fc3e09918239ddb9cb347b89db8295588bee3fb372103b83a1b9b7143674a8

C:\Users\Admin\AppData\Local\Temp\ggoQ.exe

MD5 83a77b35acf6fc4dbe1209d6ac249c24
SHA1 013775b58b8e62d0643ac248a89d33b5dc5a9c51
SHA256 87df8d35925020cf1ac428680d944438c3248cbc8eeec2a88843ef2fb2a4d1b5
SHA512 0ea15a1a316a6d8e0f73512ca88fb7081636464b29a8f3b5fe16670b895f4bdee122ddfbdfb64642486f6029c53fe70f07e0e63a6363e57c3379acb95ebc22c6

C:\Users\Admin\AppData\Local\Temp\CwMi.exe

MD5 c0f54128e4cc1e478a4c961110307a3d
SHA1 0c0d4b0cf52555821beee48c2c8cf4e5dce6af81
SHA256 211016eb2d2538c3a423236f09f6c8f5b70250ad470b8ba1f7697834a8064739
SHA512 ce9701b66563a311043e3b6ff8ed2e5759429fc69868229de1823db1214863da033f3d4c315a6bd4d2ad86c0990b7ec40ef2afc4e99e398814a43b0a41c5a447

C:\Users\Admin\AppData\Local\Temp\oUQk.exe

MD5 5033a81343323951642e873cda93404a
SHA1 00a0c8b3f196a69031bcfe886e5e25edfe1ff387
SHA256 3b8df61583b9e6d9d02da640979f4d0565e936c5fdba048e6c28a28ade511ff3
SHA512 5d9ceda8f7ace5b65dbe903be0194a764e8aee18adafb64cb3a5216c9a75c1e74d1f737ab9602eb5c673dd49434e3e4f2f0df0299f9fbb207566a38e17338b1b

C:\Users\Admin\AppData\Local\Temp\wIwK.exe

MD5 2504addb3681dfe84740d00c25534210
SHA1 54ee6cbe0eb2696204997eb1a7a95aeafc53f229
SHA256 0c7a10773e0d4d197a60a17c7d209f14c39a7addbaaf8c215443724f4f8e050f
SHA512 f38314b06fa887e7bcd1c1831f63bd5ee56f911211e18ca873d2bd7b87e592069bec4d029e37c043b475500071625ecf1139fb4ee6fb06ee4e7e7c168f2a38a2

C:\Users\Admin\AppData\Local\Temp\QMwK.exe

MD5 8ca6ac87205f2467f679f69ee276f7b6
SHA1 8e75a66d281fd2ebd2e1668a3365f8725c267be3
SHA256 7d6e12614b85c297e7e223e7e68199a67bd114de3dddb5641f1d65095347a878
SHA512 dde8ffc500bf75d5161df9f9391b28ccd33838b795fbfb0045f381cbf1fd6fc9e5510e5554a7dcbb2aa1180c95ee9187b45062930bb13c5d7878925a2657295c

C:\Users\Admin\AppData\Local\Temp\EMkMQIck.bat

MD5 9ed855af11d17e5d413149d11d3568b1
SHA1 350060cb4ca19cecb9935b0ed1d8563862e2af5f
SHA256 c205f8fab299f15ffcfd4ec7eded56cf2a2327124a4315b6e8d433c09cf3f645
SHA512 a96971d2c7b1e9e79a0367288963e690aaeadce570b57eb274a33373a8f0d17ec2a6106f6b3a4ca3582e8e276aae2e0bf044110308de8eede39a95d658de4f11

C:\Users\Admin\AppData\Local\Temp\Qkou.exe

MD5 553dbfc50e921de207ead6cc18944611
SHA1 177667d14f3f5602b93b343e6cd7fab508284762
SHA256 69f6ffe915fde671a3f094baf05e00774d9e28682ca2002f518ccee96b7eecdf
SHA512 bd093b08197c009e17e5cd6b97053f13534b497b01a7805138ed0f5651e2675d1e6eef406cd1034e5d7f67ae4cdce782a263734b7caf75e8d66cbb6db8b8deaf

C:\Users\Admin\AppData\Local\Temp\GQQa.exe

MD5 47c51058a8879e2b4a8dbe1acadecba9
SHA1 3597303c7beeabdf9b7b7bd2b9b0815aa6f73d8a
SHA256 e5698072603f9e9480edc0dd0dd2fc2b9dbf690d4cef44929977168e03643a00
SHA512 43cc767276df9b2fd40a8c30b9f3dda6ff3060411a01e0ab0b5a243c25dc7ec0685a7c719732dc62a41854979d8c20a84b5b2cb545c71991b3fc1d2f93172ebb

C:\Users\Admin\AppData\Local\Temp\IwEy.exe

MD5 c3c3e9f97b941daf5633c19c995e77a2
SHA1 e1b6ee1ce56dc3ce02693347e8bb96bf8b863008
SHA256 28f71aadf33e73e7598a5eba90f98c007e770b492a1276b5dbf188f656eafe26
SHA512 50212bc474ee0ef0a276c64b7e8a3b725f27a47549296626699328b5b491686fdf6e6d7e24b975074ff27cd117ebed264ee398a5ebacbf706c81d2723c8ca198

C:\Users\Admin\AppData\Local\Temp\AQoA.exe

MD5 f1f18d2cb9de089c2423865326c9a68f
SHA1 3e09afffcb1e4ed91e3883077f5340ee0ed12c9e
SHA256 f3b054c98bd9594a347be2c7a01548dc353538059b6f28000192ef957abbc18e
SHA512 d204a4e095aed16418a016fe207b2448bccc4eb404cfa80d46c9f7b3033c7ddee40cca4c0806f5aac99807cfb3a8e327e97ca1d23df188d948cfe54638b994cf

C:\Users\Admin\AppData\Local\Temp\KckW.exe

MD5 006f7e8724aba89d6e6a3175db521c48
SHA1 83c3e405a72dc2e2d14647e8e44ede99a9280aaf
SHA256 1817e869c2616beed71b64c10d3a67bcf2c3484c93370d16b05363df01fb51cb
SHA512 a9fc23705db848f7cb0408bcf7e151464031281a820829a9a3bf8b58a954c01aa224447fd724da0beddc1da0f1562decde8fc7b35d3b088387c6f76568266c02

C:\Users\Admin\AppData\Local\Temp\yyIIEIIs.bat

MD5 d39d8c122c684eeaa6d4fa48be4d2703
SHA1 0e7e15326ceb11d9a67b718e88547183af46ae1b
SHA256 515dad6fad3cea5baa7ac31b7c7f5bac2fffbb50309bba09e31610a5ea726921
SHA512 6f9acb6d34e8f691135ff6ef91ae3e45fcaf40082094cfef8458241494bf6e0ff399f7f6898ee64676ae208b4a4d74204e7070cee71d9b4b6d97d948e18640c4

C:\Users\Admin\AppData\Local\Temp\mYYY.exe

MD5 738312554acc6d63a7870868de2bbe6e
SHA1 68156c5791a709858bf3cc37b8af391820a08c7c
SHA256 0c557529b7e5f31fc4ff4fd0119e53ba665a08f45f5a24f3c13517142f7435ec
SHA512 ab0b1f13cdd06a2110056c7af87ba8494a4f386a486e69d884a08bc80b4a7f67a85e6a7c03940f5bec01c82786d1d6680556b03e0ddbcf5020bcc5173ef843d9

C:\Users\Admin\AppData\Local\Temp\MgMq.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\cYsk.exe

MD5 7dcdf362f01baa09ffcbb6f0f75c1c9b
SHA1 070484f95a8ec111841a023af06807fd17126a86
SHA256 68f7b4fb8b4761f8e954faf74a564b9d10dcb2c6c02e18f344cc6318d5fcb3aa
SHA512 b0832507ac731db5bf057d6cb63502cf9db1e10b664f9cac6e60cc4aad833cc7f582fc8df764e3de76f8b2c2fb3ed01938261d2a329e01a49eebc51991aaebe2

C:\Users\Admin\AppData\Local\Temp\uMcE.exe

MD5 52d896ab4face91ac398c36b75eb29b6
SHA1 2b9b6005b2cd5bf9911d97d5c85bf9be4a29233e
SHA256 7af3b5b8514c898562e6bd2e64796873d3ed253ee7aea0d7f950feb7758df245
SHA512 3160d4cef767d806388eb771148c2cda0a94be2f3ae680061141d6775186b9520db01d9dee0cfcfcdc9593da7de381842fe476c7ab48e077e6f539edaaf0c168

C:\Users\Admin\AppData\Local\Temp\Ekku.exe

MD5 2cda016a1c2ddbc08c3a58706e9adf33
SHA1 02ebb94ec49c67f270450e3bd36c82b2e6e46a18
SHA256 55ee1dc6a629276824a225e6a18ace5705575950886a5df2df8a403ff32af682
SHA512 4aa07aac7511760fc7f511f804349c9fc01003863f90d304f3d9cddfdd25049073a7c937585df62340e1f18cf2b069ecd6405d5a26ba37b0d306663ad2c79180

C:\Users\Admin\AppData\Local\Temp\SsMsgYAI.bat

MD5 1c1ca1b9d5ae7a410ed04fd237d148ec
SHA1 54cffaa5725eb3e74d0a2f506d0b834945f3eabf
SHA256 76bccebf123fcf89339d5e8c80c1c94a492cce48796e517690ce361838aa2e0b
SHA512 3d9c526016901a1be00079e92a03ef91dc6870b97c6afd2d0a9a0629a893aa3a8c678a66fa1f6589c96c2e852d762b85435962b4b2a6e9b2183f3d2e50808892

C:\Users\Admin\AppData\Local\Temp\sUkO.exe

MD5 037b43300619cdce254a9e967f791af7
SHA1 1b7503885e244d7e329f62651df3d4c8cf022980
SHA256 d10b8b1222d144cf518e27067a4f1ba639ff3d98d291c1040258222a451a90d4
SHA512 831f8280603bdcb110623c8a1041138e18c992843291c294e355904a64417e53172c9cf1fe94ff23614ec209340e6976e5624caf1d9f695b3b5a634bee269086

memory/2332-2022-0x00000000775E0000-0x00000000776FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAMEAcEM.bat

MD5 9335348150b91953f44a4c4a1b6bfd07
SHA1 40e1d836a3ce6c3e0c1a26771e484d813fd6f4a7
SHA256 ebc84c38dc7646e1c55c2a8f494dbf40696796e0c7f5fd0625198c79f218b195
SHA512 91f77bd3792ae9e70a6ddcc44c4adc044bf433a7773a6f830c1b81bd0e775c925a2b6f7767a8be9c67ed703efec2e45f44cf649f9b9a68912e371dc03d1f4dec

C:\Users\Admin\AppData\Local\Temp\PWwcEcUg.bat

MD5 1994a59a160516c9eabb24742ea8e36d
SHA1 c7a1260ebcb5ecb16496c26b05c6ed50f50f4c95
SHA256 69baade98ae4b1b9a7e83bb04cd0404daaece6b498de60e6a71a878da9bf0c98
SHA512 7d0e445eb6b0b3b331cc4ae7fc525d37607502e5cf689ecc4e799be01bed350e72bcd1894f1082924e9ee412ffbc6fde2e10e8bf8fd8368bcdcdad772b858060

C:\Users\Admin\AppData\Local\Temp\BwEUAgsk.bat

MD5 48fd8c9912d0cdfef22f6f4bc5d08787
SHA1 d016b13a42fc099005f7674fc5442813841ee8c5
SHA256 c0cfa1e0f5ac243a4d15cd573590c07dfcff168c5166d47036baca08b7e09f3b
SHA512 1079d51dcbe6de70930c23bd5783fff15a9f4d9050473284288ec5199bc88f6164ea8a0da4e93e3019c51cb080b2055a3e7eca113a7dc8040bea5451ca2855a4

C:\Users\Admin\AppData\Local\Temp\VKwoggYw.bat

MD5 afc235e71e8332b8caa48cd37f751e3d
SHA1 8ad67054030eb017654e5c0108d0d7df72df6c1c
SHA256 ccbc505339d1c9900847884ddf6697d7f8d483302eeb4ec97752955b5fd99aec
SHA512 6c78e25e61be8f489d911c7db630de33acef68c500b6c6210a7c342d87ec8fafc82b9c20330991bdb779122294404a701d2ad11aa349af549937015297b96a63

C:\Users\Admin\AppData\Local\Temp\oeoEMkUg.bat

MD5 6b970da625191b7ad2b41ed8b9401913
SHA1 0b4bc4132d48b147ce41069463224c2a604695cb
SHA256 3bbb63b1e9978ecd1988271876300942eb95d4083ec4b6109fdc7218d787e407
SHA512 b446e346be5fedf34ec6e7011f1e10db2257cc39f14afa313aef0b5e73b71ff206ff70d0d0d63bbf6455efcf0e85245867117acc90ca208dbed9aa1d536dc00b

C:\Users\Admin\AppData\Local\Temp\cAkkIwcI.bat

MD5 8b353ee968b65097ef955d4d50fed82c
SHA1 86c5d9e9c6a5741ddbe68b9493a524275e027c80
SHA256 583cd6a8b6630c6b730e5ddb7caff78826d47b2fd5b3109611d40f11d0cc02b5
SHA512 28988a9dd5a48c3a17628e9a02a36f3af1177949c49ea4f2eafb0ed6face830c87692b4f9bfa3fba44d3f0eeba2d52d6ee445009d9cce64b4a1df7dd3bc0913f

C:\Users\Admin\AppData\Local\Temp\WaAMgQsc.bat

MD5 d52d18927d90d737a8a142e4f3b8dab7
SHA1 a578947a659060e2d723a3bec215efbef06df73f
SHA256 8732d3a9c1a4d85a3f40b7565e0535ab0f2cb61c353fc214f58cbd4a36b1689f
SHA512 759a40c893833c8fe76de71786374f9e22e461b983486531b1fb1caa90a6f24d3cc679846018f8f9d6e553ed1688e87d09a6aa91dee505a6b1bd328152cb79e9

C:\Users\Admin\AppData\Local\Temp\AssckUQw.bat

MD5 cbbac791e371c0a8e534eea72a2bfd81
SHA1 ddbe10839137ed4f837985283b3507a7269b2bf3
SHA256 294f77b8808be318dcff04271a82a3270923d605bb0c08463df4de1c3342a553
SHA512 7ea13b52beac2457afc66184347f8452df51f6f4d9feff1a0f3d10cd8902eabefd8ff7548b3b90ccd1fa654a26269960be1b7420bd2ce7a01b8422d087cecc11

C:\Users\Admin\AppData\Local\Temp\VQkkIUkI.bat

MD5 bb07befebb18489a79b8089b544074ed
SHA1 f1ba62b4003a0702dca848ac387ffb0098b7f83c
SHA256 e07df0037afb2f5e882e2a81d2105d8090e324917ed3d5efc8fa036047a2460a
SHA512 2002cead60a4103b3424ff9fdd7ea4d48fc9aee91fce47ac31fe022ea2b56af1d3da6b7beb6bc0da7ce0fe6c30e831a74e8e7e0190c2e89daadd763feef37b33

C:\Users\Admin\AppData\Local\Temp\lQQUUcks.bat

MD5 74a3b80525de617898d0bee92e3aa2a0
SHA1 70833597bd5e80ca9d138f0d3fb9ce6d845938df
SHA256 d1b4b5c448382cbd7882ba871c4add7f53518dbb128e0b604a020e5844c1092f
SHA512 61c542341c6ac13a21c53de32f6aa456fd8f533efd774779709972af050a9928224bbdbe28fd045abfda015e7b1d9e6b7e0121d82e8a1daaf286a8cd31171624

C:\Users\Admin\AppData\Local\Temp\tecIcosI.bat

MD5 9fa869ec05c9f5b24456d67662af4402
SHA1 6a853c647276bfea3b9d7726820dfb12a5d98b5e
SHA256 d38642c7d864325894d31144f0dd3fedcf3b7060064dfe2871976e152108a79e
SHA512 663f89078a9680f77ae828c71f1eea4a5c288acb51b2d02ccc662fac5be47f71dbd0411359e55c379c3f865c0e161f05a2903947bc51e46d054de5beee121a4d

C:\Users\Admin\AppData\Local\Temp\JuAQEAoI.bat

MD5 080b80e28e93fdcaeed83a78b119f710
SHA1 9495f56bcfb560916426bf5dd752a5e95892d1ad
SHA256 15f973eda4d2bad228e7ca11450d06697ecd7a9fcad9cffff2642ee116facb83
SHA512 329f780043c91ed35e922ac91ff87098533b6a5d28751499b43e10052b5a0aee56e720f8ea8d4d4b357774f4fb62e005c2cb1f05f90ec4a28cc30c53dc8bd164

C:\Users\Admin\AppData\Local\Temp\EwEy.exe

MD5 e1f259e102c2eb0642d86d4cdcc26a31
SHA1 4e3b7e39c141dce38b418f478eb57739e5f0c6a2
SHA256 f94c7b15298de4307327c1878346a418dac666ce6d04eec5b257d8ad35208dd9
SHA512 007afcb8e7449afd3cdf77526cb1234e7da330d0e6b257f487f7287a4c2350ee54b1859e00a0ee62e0e6c78ccd2fbf628f164b95d0e86a6884626b2999b04795

C:\Users\Admin\AppData\Local\Temp\gcks.exe

MD5 1bb6bd4a5ecc8434bc591c454f99b9a4
SHA1 b31553589d3d06c64d8d85a9b12ccb5b601815e8
SHA256 7d81db92f21976a3337ce94246cdce80653e53d6d0d755d7bba47c5c7272f12f
SHA512 7215fe08249f789adbac59645995d6f554d02cb4b172ac5e39cdefe33167db3b27d1174d1e69105176eabb2c7ec8a2d158866dea5dea23b2e94ee0829b0922c1

C:\Users\Admin\AppData\Local\Temp\esYO.exe

MD5 17e4d721697cb84935de8b4cee9567b7
SHA1 bcb9688df70dab17bf260e0966cd25c11637ed7f
SHA256 d4e6c3241768580be96549103054eec70aa5d800fffcc1249493ec98d958fcf6
SHA512 a05a0347871d5469f7086192abb6826630c7bf950ca20bd19eccde7a391b7ed2cf1e3d59eb581280851dd6198e91196fb4ec7f4633d14659f31fd9fdd9cf48ba

C:\Users\Admin\AppData\Local\Temp\ukQc.exe

MD5 8853f652a7c1d16a592be3e60a49d443
SHA1 5a07379286f93f548014ccfa193b7954e22f7af1
SHA256 15c75f9f332993467e4d18f1b458fb68170fefe3b7f11b46c45802fe10d65f08
SHA512 94b71ca52bb93c5b0ddced0fb4dcd97ca2e514daa8f7d1d786502dcf6982e26997b2ce170f8400b9d7444a0d27a8c87e6fe96202a54f255f6ec6185adfa45cca

C:\Users\Admin\AppData\Local\Temp\yMAS.exe

MD5 ec446cac8b09b113802aeb5699709abc
SHA1 ed911b86d126585221a2c05e8b864826faeccfd1
SHA256 594521c01dec39ad3017865f51ec40b79be90fddaf044a83c7080cba8cf5fc7c
SHA512 b0393dd3fb5f475c3ef557ef6baf83473e0fa093c5f305a55885cddb9d735a4f04a9c98d26b703afdd96d1d5e08be8e1a50865ffb77334af82b04d730ba1382b

C:\Users\Admin\AppData\Local\Temp\qYYG.exe

MD5 fe0dc0c4b63da6bb358cee0aea5dca27
SHA1 f92bb702a9d1460de43a2c64f3b0c2ab34aaf315
SHA256 84a89dbb3c5a6ffb6863529d2191317f5fe583f6071bd267785ea22fa7b8f70f
SHA512 87597f4085f924593cae8a015b562891addbe47e0e854cc8e91b5f07c077f31b8a83debb409e5e9085b5e72df873983a17367935344bdbe19f92b260e39483f0

C:\Users\Admin\AppData\Local\Temp\iIkQwoAM.bat

MD5 b4455ef02e95118178ea85b6085684d7
SHA1 de141b267adf36d2e9b2ce71db767542de2e065a
SHA256 dd039b735ce4cde0d4814beb3b0dcc68abc866ebbbeda7ef25ce7df19dda093c
SHA512 5a8c2686d7b8cb5ad642a3769e246991c6a013c766884d48f425703a8eabdaba8d2eb841ae809a80549fbe710d1bd06f431138691ca8cd17f6e3487bedf64dae

C:\Users\Admin\AppData\Local\Temp\ksAC.exe

MD5 4838d1f3906e69d9e9fc4c1a90198937
SHA1 2590dc5118485424c3efa86ac05068913d283103
SHA256 efe4fd2d28f8146315ad3c0543746e2217230377d46ded84171f8cdd5c76908a
SHA512 053aab25f47fe4a982e4e407ee85a6bce8228ada0c64d3eb332059c2c54cb6c73c6a0e0bffa781513186bbb8a1ce017e529ff86b563cf31fc7690a2477a6fe22

C:\Users\Admin\AppData\Local\Temp\SwYy.exe

MD5 e662d53bfef69df9fc4933a5110615a4
SHA1 799509039c1d3e34cd78cd02e6b07907107ec005
SHA256 bd25214c2cf8b0ca7aa5c7b7eb887d9ea7bbf433bdc0634e3cfe2b1ca56531a0
SHA512 9f5fbc401bfdc83c55324f6e13076b9d386d841ab11a3bd2be35c9fddf386903df734108ab04de9b6552b3d84b5154dc2716e476e05ed93c927091229ecc3242

C:\Users\Admin\AppData\Local\Temp\IYkq.exe

MD5 f9674e9c36df3582479d2023faf9dac0
SHA1 e23ea769278b302d253dc34fe396f43f418cc528
SHA256 d66364bc4190f2bac77857f5e394da139146e7f2542aaf4c704db080db4dc0ad
SHA512 39041ed9a8b522a294b4a4518074309b72f17046eb2c7e2a23b36bd1fed938827d911dbd5484c7305bc756a1734d9f08abe7a9782821b8a2fdc779ae84d1b480

C:\Users\Admin\AppData\Local\Temp\oUki.exe

MD5 195791862750535eae0d1a922a70c91f
SHA1 c2bb65d89a8788d69297dd75f645b17d335ff5cb
SHA256 2c66ba29cfa76250eca062ac6430f925bbec27c8aa734226d02b1c9de02768f0
SHA512 6ad9e3ac302883b1a875a33ee978dab964ffc9f1082c895f3f1eac4334e3ba03e71557f7a2ac5971b99b980b3ca22b8325bdf583c90d05883f3796449f044f5c

C:\Users\Admin\AppData\Local\Temp\gOMkYoEU.bat

MD5 bef7ef6d0c0d879a0b76327a7db76bb7
SHA1 42b78f62f2c8975096a0032ce1b96eb29e62f02f
SHA256 bc84c859eded51271cbec6fa31f3451c92c18cb527e1860e713bd21174641b43
SHA512 52e3d4e0224bc8496b80fe4ac24178c5f618542c13aa392dbdc0e4f379da1a3f852cac58165bb69b8914d23273263e7c451ee4333e62343ff65a6b7cff2a5b06

C:\Users\Admin\AppData\Local\Temp\YcMu.exe

MD5 a6cfcc367664c819e095ddea7ae60354
SHA1 23210c9b2b702118f70236cabb778943fa8a6e6d
SHA256 394cb26a7d3c9adfb6648189d07c774aaebda3e8c6f3897e3748ed6f73a4d2c6
SHA512 744756dce074f2cb5989c3f7e6386243e7e8f7bee5aced4fda934345c1489eea3236b410e6737b0b9fcad501312cbc0c147861340b0bf0c3c21dd437d65fc357

C:\Users\Admin\AppData\Local\Temp\KYIo.exe

MD5 659c92bf9cddc5abe5a0cc3cdd711ba5
SHA1 75852a557e93eafee24b76ed8664f6f701598dd2
SHA256 5bf74d09631646436ebf41bd305d1e61948af56ed411188fa1fc6240039e6b64
SHA512 6e5859179e582dd5e7aca2a98e13600b5910f81c6c2c24c854c35c9bdb7cc5545ae9ad8614a95539b12ad9d41d953975edca21328c9a675d053ce85f929d7c36

C:\Users\Admin\AppData\Local\Temp\IIkQ.exe

MD5 126cf3bed367acb069ec0f59bef0b788
SHA1 a53dd192a0f895bac44c949c237f520143d271a1
SHA256 78467b5238f219db62fbb270dee2bcbf4630498785b06ca6f99febf9cd7eef4b
SHA512 2b5767c8c047bbc3095873eeaf13e9f26c39bb49b4556b98fb17c1e035a87ce165cee15434dd63cf24e272751d7cfa66a0937be6e5d1245b51dea0594baea547

C:\Users\Admin\AppData\Local\Temp\SwUo.exe

MD5 6a46bf67a5da443394666e3dd02827af
SHA1 82c55d918197adc3321f7c4ba8430b7aecbf7dfb
SHA256 b95a7f4a547c1b122abad597bf36ecaf21d86b96c0db3252f5cf06722271e9f1
SHA512 e884fb9869b051f5006a89800db9f37f5ac68e0be3716321559409b703edcfcb8637bc28366dc48b5e1ec4bc58da5f471f2df71b2c6ff3e6e1eee1d849399edb

C:\Users\Admin\AppData\Local\Temp\aKQscgYI.bat

MD5 38c16bbb9507e228f53c6790fbd0e375
SHA1 95d7fd14a434768c501bc4495a9ccb634930a3a9
SHA256 75115548bfb659b8ff3fa8d7e029698947900182746ee38ebc8949dee3bdd884
SHA512 65027ac0bf10388ae9f647f6fe097de65bd613e5f421f2b17266ec161b3091bcf1c7f82e5bec3476cb2e93c7995d9566c59d97734daccc9307bff8a5060a4575

C:\Users\Admin\AppData\Local\Temp\cowO.exe

MD5 324684cdcb42d905081bdcc0d2a91c15
SHA1 5fb5ad03ec0e1173d0feb0b588d988918282c766
SHA256 dca3059d436b4ffe25be33461b39ba7d750fbacc5854cfbb532ee0df51242a4f
SHA512 a779a19dc9df2120283860ac6f115ddcc7c4bc32c1fc2b6e4dcce309270b3e5b93ba4822c70663c292efcc7c066dd0381b0257fbb2406648c40e9eb023489191

C:\Users\Admin\AppData\Local\Temp\IUEu.exe

MD5 5e8f7501758f2a44edfd5d3f79325125
SHA1 8bee2322905be12ef665a32376c323e7f8f53323
SHA256 5cb5ccde83f32a58288ac1b64afb696d3d5af3ec305de547e46a239e9c58237c
SHA512 12e95a42e89d8594c68764d29632990098fe8710f5dd9e470d3898f980be7ef7b0807dc91ca08bf8ad9e9a7e6e3202ea9c1fa1b82b78b68d1bc98d4390107912

C:\Users\Admin\AppData\Local\Temp\GWEMQQQU.bat

MD5 fb5f512cd9cad45155edca31948721d8
SHA1 0200cecbd98c2be9e05aa8a85743b7853b651a62
SHA256 3ed4c59e02290e1c2b1c4bcd76072037f274c0c2fb3803b55ec0467180981a09
SHA512 893fcd95a9b4f61c080202fca9f2eaa51b78ba96c471478e89c9c3b900cf0bb023dbf1d4ceea186c34a9c5e730d773f4a177a4277ecb19a0972919581a09452b

C:\Users\Admin\AppData\Local\Temp\Csci.exe

MD5 b88cb0c7bf628072d7a3484e8547481b
SHA1 4fb633fb8c3d91955f12455307f83bdb09dfe5f9
SHA256 9985d8c869bd4506472de8f6f3511448c301fedbe33b899ad83121e4c2491e99
SHA512 5e7174ad291197f34d70f46690b8596ffff274d93dfd5e108cdf4078057cb4843138e6c6e7dc71ff4fb7c9a4e6b40e4cb54bd6cbc486579b0904494078fabfce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 e2745ab60cabacac75ab63699fa96441
SHA1 0d881585f8597ef5c11e51ae727153ad377bc9ac
SHA256 32464ca8f72d809895c9e536a830a31093bfb15f670c0837415613b7e7572021
SHA512 f6e226b42493bb142f93c0c28419a541d2d922d89f8228b2d2d5848bfcca9f947f1aaddd25b94666f73cbbe7e169ada0e2007ad9a53bbe0446cd587404f44c1a

C:\Users\Admin\AppData\Local\Temp\AQEM.exe

MD5 b0694de06ee5ac9b7bc440975ca92f8a
SHA1 d0cd911aa2a9b4946b4bc46c4e763933cd522f81
SHA256 53910176516a56ecc84c1bcdc57aff4787759d01f675d39cc4d70ad83901d8cb
SHA512 c590aa979f85ce202a198e9cdc93c08abf006522de074c05a0bfb626c95e4a77022b423873848fe2a947a79cf95c633a7e5e5dba3caf375001f5cfad2691ea8e

C:\Users\Admin\AppData\Local\Temp\kAQM.exe

MD5 4e24c3c89c08d6172e2bce5ff21c6eb1
SHA1 520eca89abe88ec2e23232c2bbd2147f6587a21c
SHA256 c084e0248ea4b75265f4184ee5d436a80c3592b968fea29d8bc9d36d1cdfc0c4
SHA512 eba26e379f568c812ef953f394b5a10525d79fe5db3c83eb7008cb4ad26255dc65bfbaba460d3b77c7c4bc71b6770057bb0b4fd8df983edb51db425f22651345

C:\Users\Admin\AppData\Local\Temp\OUUC.exe

MD5 3fac521cc0e73a16dee8405f2ce65120
SHA1 c2c9476fff4985d53991c87c5e992614d3c53180
SHA256 0aaf6b1331218dec1d5b1ba8006d0343e22610e61caae56493c3633507edc4ea
SHA512 8d0ed4c108b3c1e36f001397d0cf9e53d6491e691cac3fee5c3fd096a303a905260286040d1bab0c414ab5320e12c62937c7030e926bc345f53f450366438cfc

C:\Users\Admin\AppData\Local\Temp\LiMoEQso.bat

MD5 ded0e24163c5484850d9fee2f8d8ffd9
SHA1 ae7a8679ed6ba56db24dedb057094d81d3fe808c
SHA256 fe34a3620218ccc7c74a81c73d086fceb2a751d0dd0e8c1926fa6056f6c17acc
SHA512 e657f3b07cb7a786cb7b44f1407743692786ba5d26b87675fcc9b72e39db80b6a73c6c8ee84cdeb687e176e1555569aeb3cb84d294d6dfd1985baf5702a26296

C:\Users\Admin\AppData\Local\Temp\ywUY.exe

MD5 6b3875b8c8d5388abbdcdf6cd02d8940
SHA1 6206a2b66c2858de5a67f12a308f98f8ce273005
SHA256 0b1dda46f81497e8b06c509064873fa4ad078d9c0214acadb5f5ef7161133943
SHA512 b619460b6cc9cf1eb5f4066fa0175e48573634503e002c8c22806760968bf1bd2d2f95a8a6f312766163db3931f840db82fb447e58bcac2062596a2aef3b04f1

C:\Users\Admin\AppData\Local\Temp\EQQa.exe

MD5 c1aa5f11454bb57433ce57b8baf51477
SHA1 e662aa271a3e05a3554d31a24f91c5bf4691e1f2
SHA256 135cd2ff290ff79af656bd9f04deb049be851e306ddb18197c89fd965b625cfa
SHA512 57a66fb6f4bd26780064d34033b1b5749bbdbaa51ca86762ed975e89c7ab7befdf9d1626f288a03256c21ca35166bb14549d493fc2eefbfa9877ffb542455c50

C:\Users\Admin\AppData\Local\Temp\wUAS.exe

MD5 6e1d4272448d5692690aeb7d7696e310
SHA1 173d1b053d1784dfd1677ff12b3ff2d3302efeba
SHA256 c92a7376330462615f050fc2680839741df62a40233eaef80e0424cbe3018177
SHA512 82744265100d29d78cdf11e8a585728b0463702e2c817fc88c743b175d74b008237394000c635c37f9e99e7b7875bea0a5aa2dbd8f1e10823b1bbe68936d5139

C:\Users\Admin\AppData\Local\Temp\goQm.exe

MD5 0ecfe4cf1cd46b8feb94bf5449ff203b
SHA1 d2ea81ec352f1f13d9abc8f24e9824abe09de1ec
SHA256 61b6eddf9a4e74612379ca390c3440ff4bf041e9244bd87f55c2456c9b376ea9
SHA512 48648dfb2c5d58e75c0008c948cc7f5c957d01e3f35ad851641b51702e3037bdd93261b5fa1f43fa5e6f2f530722aaf8462e53efc331c59fa642df4e57b6a3b6

C:\Users\Admin\AppData\Local\Temp\xgYosYkE.bat

MD5 f5379c0c35ad8f72776ec5016e9db686
SHA1 88d6cb750e20d5e3d3d8a9895a2adebffb8fa33d
SHA256 c526b9613a714d20ea0e2367ca23cbe936ed75fed0173982f62351d98f332efa
SHA512 087f8dabfa802f6a96a4cdbf1c03a6cec7bc3f6d2efab829d5c2ec349174c38278bd20cdf4c905aece838ce437dc09b56bdf4860d68ed381258c36889dd2702c

C:\Users\Admin\AppData\Local\Temp\OsQq.exe

MD5 6c302799d402b401c28fbddb59b3a113
SHA1 a748ed115bfcc2cbe38b86f0ba9f8b853775b88d
SHA256 fa0948e56045d80b8ccb9b566abc17dd07ddaa039614ac792f2969223bc1c3da
SHA512 4604e78a3a1f1713a85d9c3928c9af865c609b6448cb2ca8929ad2e60b730e0ad938242e48f624d1cc30c7a3a1ea255a9c0f37ae3095872b0d7f677662a3bd9d

C:\Users\Admin\AppData\Local\Temp\yIEm.exe

MD5 24b21bd8ba24555178ed6f15baa242bd
SHA1 5addce795a42fd7b5d273d16835133aa6ccb505c
SHA256 b7c73cb888282d354625d8939625b9c0edebdb9356362551118f7fde13bfd258
SHA512 7337eb8a665a60239b2f2c0b64fe4a3eccbefccbe78d92ae48585aa9f4e4eb607a215a6be604057e3435ba851d5d9722ea9eafc78e83fb31879651230dcd108b

C:\Users\Admin\AppData\Local\Temp\bUEUYMEE.bat

MD5 93d616ac07a2c4f81737d13cebf99ce9
SHA1 cb3dab2400284c1524a3f38b09408615ee498bb9
SHA256 fed2726e515a662abafffc51a9863a697cbceed8e3e3649e0ba7f8dd41dff711
SHA512 2fe6d0f0e213ff2bdece5d4ee942febc8cad10f8f1f47ede161d6a5cb06e90c806abd53f4e3b7db1f76cbb0a16402df7f8d755af03e67fcbc29fb00356111946

C:\Users\Admin\AppData\Local\Temp\aoUq.exe

MD5 a49d90801fee9e63f430865f4dcfd3a7
SHA1 4952310c3055d4ef536a1931053e29828ad7d655
SHA256 ef00940cc95a040c8f2bc4e2a1929ef7482a43f23bd15cd46bfd238a05f22c38
SHA512 f8642ee8c82b2c796aa44e1f8589ca26ea1e88eb35b22fd9ebde7b4b04b8eb017c5afe31ad98b9ce0c878e38f3adf5b19d0c4a7f13498aae9c9f9539550eecc6

C:\Users\Admin\AppData\Local\Temp\nIcIIcEY.bat

MD5 c01a99730c939d877843f38b40623456
SHA1 8b15818e1b7276c784bc4303c31b0de20d651845
SHA256 fe0e73417d9921d82f1068b35041f65ce0447606f0003ca3f232bcab32a031aa
SHA512 bfde9a07a3ed5702b678c6e2332c4b96c91969d43f64d4f3df2124ea9299d993de6c8c96eeeb45701d604be246e9a8e89a4b79eca2c71db5e5663c579f37d1f5

C:\Users\Admin\AppData\Local\Temp\IQIW.exe

MD5 20f31c8eb8679dc4ccccf0025cf6e344
SHA1 872025a8d9bad779e1961635f081f51d22d3edd7
SHA256 7a9ddb3b788340af7b11036593ba9fe24417381a6e4d40c09a254b27cb5f6a8d
SHA512 07896dfc03ddcb6a78e30e2410354b8f717d7c7c2f79621cf8d0b963ccb6f3b8f25d0d195565ff10fb07f5f0fada31a6406cc2fe4a9c7c1da08b0a5b7eb71932

C:\Users\Admin\AppData\Local\Temp\ygsK.exe

MD5 833d4b21a93bf96078acb887aca15ffe
SHA1 e3d9faf35af0344f767e9a075616ed3c5d5694d9
SHA256 399e75a3b2e14c44677d84835fee92f0cd781894a8a9f4ef729039cfee579292
SHA512 930b498a72945f80ac817570b2a6baa5e15a77dc2a76bcdca5b45eed54f8dfbfee7bb11c877adbf60476f343ae39aaa9ff96acd326f68a064fe3c4e7a95d50c8

C:\Users\Admin\AppData\Local\Temp\EUMg.exe

MD5 39aaa906f4df0d6b861c528135b1880b
SHA1 20428de48c43fd8032139a7de96b181522b40399
SHA256 c9c8da02abebcaf61229cdb95ffe9a49db0eace774f088e5dad1a2f1d0942b1f
SHA512 d794c57f190da7e8becbbd8f5470dde06ff36cd89fc51d60da7903f3d4c5ae39c9c690836f83ed1b15ca76c03df77c5bdf70a07355e4be47f16edcaf2b040778

C:\Users\Admin\AppData\Local\Temp\NKUwUIMo.bat

MD5 7d6d446cb1aaf6b07a5eb85c0a8c317f
SHA1 26dba1bfbe3b7edaabf867d54f2bedb4b82afcb7
SHA256 a084153af3c8688994232b28f25000ac2bf1f6ca2382590ec8a0ab955b5d3564
SHA512 ac9de3bffd8366680aa419d8aac75d14c0a6b780eb74d20eb8e9a35b6204e38429d66a31f6aff79e32cbabce8713f26ca8916880f35e9adc5347bebd967c5e3a

C:\Users\Admin\AppData\Local\Temp\IMUM.exe

MD5 fee113e8ce0b6a90541aee28408472f9
SHA1 986fef8b086c438fe5d915b2c82a82a81ae65c17
SHA256 09c581f1f1f2a0e7bf0e3d7605d4f3ee4a86c9e51b73da63561c1743e2db7299
SHA512 188aab77dd1df94ad4021f435b2302578d21ac47ee5ed7cc4439920ffec7c30b32e084503e0c154508a23466fc50d5a4ec8d6e81bf027e4460827d09cc74a4ad

C:\Users\Admin\AppData\Local\Temp\qUQm.exe

MD5 389815125d19d13f219a9cb41db60f36
SHA1 813e714d55d683c75d6520e64191e41f7cbbcb5b
SHA256 3543f02a3f36c1568d2a014f65361f4189caad27ad027b52d06240b139a2815c
SHA512 65cbf92b55b1011406d8c46146db6f457f163830cba372d31cffbeb9e5fa5dd6a08d5003faa658fc09707388334473107c83155fb72691c76292b729316f8a13

C:\Users\Admin\AppData\Local\Temp\cEEm.exe

MD5 2ff8362ba152333a839e50b752268e1a
SHA1 f882180316c0471129be06b755a7c84ab9f49e9a
SHA256 b7355e3d2737ce14beb9b5318c5b80a41333570c5a29faccc75938504f0aae40
SHA512 e7755eda745c7a358dca13e1cf0cc27268fc460f20f9facb10af3d876f78459937f259d3d40cb0ee9c27926fe61d87cd5d51882c248db749027e4dfd139cbb45

C:\Users\Admin\AppData\Local\Temp\mIgC.exe

MD5 c00e23d3afddbdf2116a3e377a0324b0
SHA1 917f756b029903ca937847ab95231d5550529f23
SHA256 24fda837f3457ea4618683e3040d9818695839f59d93c910c64905f937620fb6
SHA512 300ec3a26efeb4e5ac69b3e454415d351b4014b0cd6d474e3c5f2aaa8c9f02f291fcb00f168f139c07681968f9674f3c8be699225bcaf8400ab80c8220427c46

C:\Users\Admin\AppData\Local\Temp\wAci.exe

MD5 bb4ee98e7bfd5a6a1c816cd0fc900f7d
SHA1 0a0e8a976fa96546521d61269038dd086cad3d3a
SHA256 36da28f893a89e250f8fab5a395df08cfc0797863afd21f222dda30aa308a839
SHA512 c74a6d51d4e76df16f9e27440aee4ff750212f44665eb3d6cff2eef44f234b74d968f2d0baf448ee199410ddd9c9c79e31de9c9d410683ee546abef55228493a

C:\Users\Admin\AppData\Local\Temp\yWcAwsog.bat

MD5 6a019eaeb982cf8452995e06681bf040
SHA1 551de5d46526fa5197782312f4c534bc05e5f2fa
SHA256 bf75492db101f326a22695e859a49109c15f2e3ec9802e2e3d208518264aa471
SHA512 fa828567fc5489cd9e0c183ae45a35f4abe0ddbec8a4b32f721bd421039240b2e4a7891ccc4a5d67b02f74705faa20b1449781ce0cab74b09cde9bb9396e6115

C:\Users\Admin\AppData\Local\Temp\YgQe.exe

MD5 1dcfe1fd665d66f0dc3840850236ec15
SHA1 9c2f48e5c4b1c7855d3e67fbf4450f16ccbb111c
SHA256 bde58b0622b28bc2bcddd08d06a11378c319f86401418c028b49072d79a89207
SHA512 2eef0087ad85c1a855b6196a477510d41f1081415db722c6571f13783186254112df667e1b2d45775f2e03cef0ef3c4f37312099c6a60b4e7a6c23ad6a45077e

C:\Users\Admin\AppData\Local\Temp\KgQU.exe

MD5 b4a0371524fcaff77398bde147a76469
SHA1 11396b86f6a9c83bbe1df72a1a6d8b673555797c
SHA256 f8a9dda0e4c07d2a0c1ff3ded56d1fe0049698f847f705af94073235f9f15921
SHA512 31d63fd79f871ca06d7e298e61d7ddb9e96107a305a6f560e74064e448fcb2157523f075e7283a42a0e2765cee4d054a101eeef4f1929580c660b6fb63268e65

C:\Users\Admin\AppData\Local\Temp\Uggm.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\ksEm.exe

MD5 37c2cc484bde222e7e2cbde4cab8850e
SHA1 abe3354dea0aad09d117381938524713f6ffc23c
SHA256 8dcfbe908ab15abad23c53e04cf57316f0663720221d05b38883f15c766f7467
SHA512 6905c0f9c1c59a490ba40e2d1ccaf40d887dc9ce54233fac2644f3969ff5abda27a65b0291c4f0d0513141a000d5b6f973aec03b89ac05cb42c252d95e7c4e3f

C:\Users\Admin\AppData\Local\Temp\KQEA.exe

MD5 c95feed84068bd2e978fb75c804c296f
SHA1 3174b686cb9db9f51ffa77da11508078f02ebf1c
SHA256 800f707d9fe0f0b4299fda74f81730b2b533a7b5d3212d4ee5b7ae1f6cb92cc4
SHA512 1bef255f55a659850f72fab49ef5c8e708d200e5ab2d7908e1cccfee5567e9e9aa6f485526edfbcd65c3b817edae0ea6817a506586c324b30dc649d594af40af

C:\Users\Admin\AppData\Local\Temp\IUckMssk.bat

MD5 32bd7c975c8c7861a0c1c4876693ae56
SHA1 be4b971867badf1ced27a36f83519e544f6fd550
SHA256 d0d710ff39c875159e311067ce927d9a11da7e8a645ba8c94bcd0e18af4fa4b3
SHA512 89b6d21cad015cd2ae3a0ba265842afb529cb0ca21dcf61773dcf4ebb11aff722815e2e393062bb86b9c6d4ad4e07f19e4791c9edf9803f0cc026e9287f4cd53

C:\Users\Admin\AppData\Local\Temp\gIIw.exe

MD5 bcebace25392c3387799a0d78c313cff
SHA1 14c1d59e2de6d9c6709ab218d61bc82bdd8f8b0d
SHA256 5096fdc6ddca6c50426c606c76e5e2e30000934589a9e41764cb1d6373f85e55
SHA512 9caa8c7d520a33c570c3f177f8b944c04a3b8110cfad45124a0ffda964d41d8cbcaceb2d0627a1b04e445eddbb3042393fe06b363e78c83c9451cd3427f351e7

C:\Users\Admin\AppData\Local\Temp\MIAq.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\oUAM.exe

MD5 6cd79cda781c622fa139d2ee61a4cc8c
SHA1 ef5c0fc4417134958536fab512789e2922670c10
SHA256 2143762c2fe34f5d3e734d0881d9b9ea4891cdd4c2581d9a91da2d119bb91cad
SHA512 aa6dfdfccae9ac16f872a9fd00a30baf1731f6f951d59c21173351583ef27ad62bb4ad96a424d048ec96b1ea9ac3ae31812f20a980b5b88f809cb630e2b12b72

C:\Users\Admin\AppData\Local\Temp\MsMY.exe

MD5 267063d0d774bf3a7e5e3ee55d8f5dc9
SHA1 41e711b7a235586a61128e9d53f6877a36ea46e8
SHA256 557788e1506dd9cbce5d87896a38814a674399cd42d9894573fe918ca135c960
SHA512 07e2e64f1f0df29eee64ae4919e298f7c04f7622d5d62b00ff1d5afa9b9367e52686edb5b737f011617f7a031ed3e6ba7f2b240074f055b8b5812026b7472d49

C:\Users\Admin\AppData\Local\Temp\YsMo.exe

MD5 c4f7479029469eaaae3491e6e520e6b7
SHA1 900a5d97a78fa15b00d0907a0ceb5f2f22984e29
SHA256 e68e2313aa5ee985be26cc5ac098188b1f98fc135a0916333ee29f3e9e675662
SHA512 4b26aee10d4a4beadae113a011bde39c86e5fe2e0a5a470c3ef1fd2103679d47678eb4ee9bcb2ed8ff293c5dd899f6b647d84902983af6702074568e0d018cfc

C:\Users\Admin\AppData\Local\Temp\SucIUYIk.bat

MD5 a4485a9ba7c9bd023415397a1d4b8aea
SHA1 b59334b213f45c86a1dba940ceff74753ea2db0e
SHA256 70df3ccc67a66964f3bbe9014aeaa128645e1f4495e2fef576393cfec88f4623
SHA512 05867a53c8e953b2f76e365ada9051b05d89c058f0c4fc32889f7d3cbef8274aed3bd8a7cb601d7b936058c04b98b8d48a57b8f4374baba35c582516ab941be7

C:\Users\Admin\AppData\Local\Temp\QIQO.exe

MD5 fdfde1a1c7b6bb5d0c9d64a2482c1a50
SHA1 3c6598ecbae0c7a6aedd850bf3dddc8029f7a0f2
SHA256 d8b67036de82295efc2b3c8eeff1dc1f6fe13b337da8998ebdaa271cf989357f
SHA512 aaf036bf768516ab4977ebaa85389a5376451553de43308cfda45c8004bd825157fc31c5b0515bc34233cb27f09a38190edc4e38f632cb04fe659bcf7c1dd36e

C:\Users\Admin\AppData\Local\Temp\yUow.exe

MD5 ba310faeb52115c4a5bee1ff0e3a625b
SHA1 d43965b900f7d66253b4a770a7fce9b2b889c67c
SHA256 1c1c0336575ed29d8cd3fb79104d4dca926139b0216202c34774ab2384359892
SHA512 1079ba26993ea28d2f005af2cb05af4ecdf3e6759575b63128c7a99edc9acbe73e125a2d07e609f8b77c9dd98b455b842755a938d873df3706d2fab56d6546d3

C:\Users\Admin\AppData\Local\Temp\qcEM.exe

MD5 8b96fc5a5dfbd2bffad2ac1d4e36e1fb
SHA1 72b0d031f3dfc189f343964801ee28519b6d5252
SHA256 37687437d943b5e7fd2382eb126d49a85d3732fc951694782fd4df4feb094971
SHA512 35e3c06e983d50e36ed0ba73b6b517181c21fd50006061514bfec1931389d090fec41fc9d40c8325b94276ed004fae1f57cc0fa23fc93e7b08b68c067fd3d8f2

C:\Users\Admin\AppData\Local\Temp\OUYEscwI.bat

MD5 313cab4d9f5a9366498d05119fcc1b44
SHA1 88ed1c96f6ae9d640806c46cb64a69e961df7f8e
SHA256 d53b08c03ff627170fa4be41507739259e18962d8c457775c73e45bc7e7e880e
SHA512 998d7de48e91318c25b06b063be5e0f49ca9798cf6517dd216201bedc5640c5385160bfd7e4ee86447d5f2f4b62f366a0167490236f0c09205b2f9bc4c90fe7b

C:\Users\Admin\AppData\Local\Temp\EsEs.exe

MD5 f7dfb625a5fdabfd95c3809197dc9a35
SHA1 bce9b3bb77d2954eb4dda589dadbfcbff0ac5f2e
SHA256 b4c24f8ea23c385574b3cc5cdc49641ed4e9cd7671f03c75bd01848aba3ed7af
SHA512 6732a9ef89adbd4da3f10aa49656a1819a5f500e969b017d2959e7e7abf51d84260a342b5d4042e41098fcabed54ae1e0ca896d53c38e1186b43b9c1944b758e

C:\Users\Admin\AppData\Local\Temp\GoAk.exe

MD5 581c281e8b0a06a8bce24bb8cb5fe25e
SHA1 48c623126ff4c24d5ad6798a359bfb049258d9fc
SHA256 f4893d32f70604a88a32ef01725c17a9ec404f2aab1e3b2f555a19611e895b88
SHA512 c45b8a2f9f0029e82f347921da776b0c99eb4fa43a2df71404c733d33fe7f6f40448a62fc6f23ecf8b0d8ac03d0c3624eba28127bfe7d206a1a00f1df745086b

C:\Users\Admin\AppData\Local\Temp\mUIG.exe

MD5 d5f9a6f601af7206a169b880a9ade175
SHA1 5021a6d5bc7714168787c48116c14136910fe68e
SHA256 ac43be5def5e596d06a2544871c2f4af79e36c72c4fc2392f6978ed06c6da3dc
SHA512 14b1c55b6da8ad1ed2b3c49d351f525fa9d26fe19b53a9176c7d7c7eef24b1c33f5849cc9ade77fb08aebe1a45ec6ab9696b792add1c84cae651a3a6c093e2a4

C:\Users\Admin\AppData\Local\Temp\CAQo.exe

MD5 e3454cebee5f0f50e8989f7e29087988
SHA1 dc9f6611808fb62f4f07cc5ba5c0997fc95a0ea4
SHA256 49481e3b993b54957d895d15f10c953e1d9bdd7b1756eb408c884ed5471f74b8
SHA512 5e62e11c12d845c9cf8ecd7395697f791cfc8e34296b3163b5d2849d221bde8014ce2b8408d5d4f0d7f025d84b6d69bf682b15880bf228a0153174aace03551f

C:\Users\Admin\AppData\Local\Temp\WMMcsEws.bat

MD5 603ae331500e9a8304cca2cb1ea80259
SHA1 9c97e5d8825e7d64df2c6b386f3366cf618b8b42
SHA256 9ffdb0e308faf1607b972e1cd999fd86bc35dc27e794074f2fb38818d8a79b53
SHA512 523a604e5b18903fa2a5991e46723f3baa6dfc7b327a803678c597c51180bf70a01b98ae8cb368879109aaa15a22dbbf1b1b08059e363a8c4eec07ec800e31c2

C:\Users\Admin\AppData\Local\Temp\EcwC.exe

MD5 e9faf8300cb5db4a195fd3752c7d892b
SHA1 134505d74075cf0b84e25f40da05975903908b95
SHA256 0420293c1d3c458bdfcd8ea27130495ff941c5d779ec91a209b8942cf020348b
SHA512 2f8506ed067d008b4acd2aae377a9b588b2053a4f9e77f7567af61d6792e02e1f9ba7f96ca4f17ab94ac214f7592994c14dd38235e6471b8d9493f80c6ea58b9

C:\Users\Admin\AppData\Local\Temp\aAAo.exe

MD5 9bb6587c0f4d33d677ac1594398f68f1
SHA1 7f1ca6f8dc5039712f1155e5470873e7c00eab21
SHA256 4bbe3241aa09cc779893cc0c6054d1aa211bc4fc0d1e889bf24f31f2a407ec43
SHA512 2131c236cf952755f2754733e0f987d700bc9a9bc3ba9f2f5b6659ac96b8a3101ced0bcd780066cbfc7fc0d69800675f354c5e255895665a8c63d47fa1918810

C:\Users\Admin\AppData\Local\Temp\LQUUMcEQ.bat

MD5 2a9990079e06544cf22b2894619321ed
SHA1 0215ad28b0ab3eb6bc204b9f97baed26a51bda63
SHA256 44071f254afefade42dda4cd8518eef9e8c38c8c72b6005d35f7343991f6f173
SHA512 fff1dde5622cbecebad116a0c72bb592b0e7e2a0fb720666941b79c2cfa25d3b424cb1e4dbefbe8c6dcb78efa1ed9c36c0992594b08f4770b4b5ea9d2a1533b8

C:\Users\Admin\AppData\Local\Temp\OwUY.exe

MD5 ca4c564ba2c18809396beeacbd581a05
SHA1 30c3663f06ab5e7fa99af52cd1cc17b008e58c98
SHA256 85d0694a81721f6392674bed7eafec1e52e7d2ef4c78e0dc9e3445e9f75a3c4c
SHA512 dd33ae5933d2d2446af8459c74a66c0c3aea18e96b4909fb55739ccff459ddcdc5971fd4e6207bfdab132edd616d662ed2d38dada669223b2d0cfcf4ba32af70

C:\Users\Admin\AppData\Local\Temp\eQEC.exe

MD5 59c6042b59df274be85e61d1de9b302a
SHA1 b201837c137297c4cbd31f436bfc0e0c4ffad452
SHA256 4b940af52c97d900d0a8a1f4131cee12bfec8a0c7ba5fa05febace26424e87b0
SHA512 c9a247b30559f9f671c11ea66b372c8e57ebb0d7d8fde0444a89065b65ce63da5439ca92202016c92b007c4c1d41e3b515da5a15b2086a1f4090798f212e47ca

C:\Users\Admin\AppData\Local\Temp\wQYa.exe

MD5 dfa12f08bbad94448ccc2e4a4d44dd89
SHA1 c2bcdfcdad1fc384095ca2f9a8149097e920a3bd
SHA256 9c0efa8824005e092abaac528897ebdb016d2739ce35cab8d9ec95bd83d4ed8a
SHA512 4e6efe8aaef2d66c208f579c0f7d554eb5af73714821b9c7c2f58f680f67c66e2df1e14565b8aeb00484f736f59069e4c6f1799a28d9a8c5cef2ecdb5acbbd27

C:\Users\Admin\AppData\Local\Temp\JMscQQAg.bat

MD5 afe74af04d7486720e94a72e8455b8b2
SHA1 79195754645a0dc9203577464b3ffc645c763a8f
SHA256 d7f8fad0a1f84256be301d3ee1c0f4c0e55aa9a6b8247f1377d1bb0d364b93ec
SHA512 86b7cc127b7e447f2236aa5ac48874548d6f3bece83f58c555ef198853ab442cbf9314b7c4dd7896a2a4ace2e0ca1235179a2ba24ade124f0eba20dd30c0507b

C:\Users\Admin\AppData\Local\Temp\oMAe.exe

MD5 99f39544e4c7d639b0321be682b39b8f
SHA1 a0cff1aeca12f8226d439f04be35238f27ff9c02
SHA256 7a1cd02b16e4511eea84569782ceb878d0c8bb3c3ad56e9321743edd8a9df4cf
SHA512 57e1eeeef314ddc1d146945edd8d3519af4f739079ba9632bd40b6cf216ef50efc09fadf2b7e3a2e0614024ff7fd21ac60e42aa0d7de69db8cd4b20a1b8c2446

C:\Users\Admin\AppData\Local\Temp\sYcy.exe

MD5 08ec31f98e07963fc4de4cdd1c7e4e9a
SHA1 297c9a6fdaa4bf83c461ab99cc3668726456db39
SHA256 115a093bb0c1cfc49fd46a3624c25dfe7eec0820508d57a7d8dad054710835fa
SHA512 21fb99bfcf7e01be62ec64c1561ac96ea40e0a7d7dd6239b81d3c50779ef871b2538a2b3744e1b582ad8d4209ea64c659ea7e240163f3cde2cd07b7ac86532fd

C:\Users\Admin\AppData\Local\Temp\FgQscEsw.bat

MD5 531a64eb450f47042f7b6c53a314486c
SHA1 6e83e2d7507abce64f5e5e6cfece06a31aa80e12
SHA256 bf20ed4753e8028897e1d4117fa5d84e0cdfcc07a71cbf3e6e9528303eafdd91
SHA512 888dc6ac7218078a0c7494163532a22370cd2a8ccbec30a265ccb7485d1e5070f24fb724fe1a35c24b692b7afa85be18296552031d2d690c12465c2035651e53

C:\Users\Admin\AppData\Local\Temp\EQwe.exe

MD5 022b20e72263ea4781ca7189acbf133f
SHA1 4a82137727366a5688ca46dffea6cb7c29d1b6c8
SHA256 7ead41470f5e419df99c2604dd76f7de0e58946ef9d4eef34cacca179b8843d2
SHA512 c19896f6399732ed863025493071b279ec6b9ac76c96e378dc37a5ea3d763456ccefbf17e320db3c149f45e778a1d9c69719ef5a9f89509a4bf87b2b13a15f57

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 beada488da90a239c75d80149ed2b1b1
SHA1 a1444a6cc6a2242149d55839527f0fba67f5f5ad
SHA256 c6e070294cc6e004ab5becd5c9d74c641401b8abe58ccafa1df1b988bb5a7ae3
SHA512 34cb751d85984a082ec9c8d752d2371e59941e26f68b2f31a1e2a7a314a32213d869ae5093e8a2ccf67834ee9d01905a5c1978ffb71b5cbdcfaa52a1d4622348

C:\Users\Admin\AppData\Local\Temp\XwoIckoA.bat

MD5 cdc19f27d85d099c6b4bc6818d8cb6db
SHA1 34befa8c0ab85b9120ee5c29256f87f64e94417e
SHA256 0b031000679aa8b96d87d1cac727f954af1210293a77d684bec45904054f7477
SHA512 81413e4a93b0a288aff0eb45dfe8f01c3d4c2b9553604e79c118b6e44c7479cfcb19526ea989a7e2fd5db2b741e4afa28fbba9747b424856e814ec27ba079708

C:\Users\Admin\AppData\Local\Temp\AEom.exe

MD5 8f8831c5fc623b701d7def31b2c1f04c
SHA1 804b0652a2919b8c8778d9fc917273404d8d4821
SHA256 a9a33d4e3e3aa9dbb579f7c7804828e05643ff7c9e7b1b5296d90556fcb2f429
SHA512 1b59c1bdff9d528600e9f0d999672ef429414c41e6b53dd6fa553e3961ab68b3f93734afad15f4fe82b900f8b26dc0334391676493c519c472fc9419f0d42742

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 7b0b9ca0e4d08e2dbbcc7584305fbbc5
SHA1 7346c4a989c157f9ab3d79b1185b0b779b60d3de
SHA256 007f2498cba36568e9bbb5ab52721900e308c143f5c4867d3d08c5bf3ff5d3fa
SHA512 7a6ba390893960a5c3b120f9490fba35e57800bf43bdcdaaede996a51dbb0b9dd250d0a102f4e0dca19447323f17ac490449fa1da433dc43554d8ec12dd44022

C:\Users\Admin\AppData\Local\Temp\mAMS.exe

MD5 7486707dd736e39c89a12325ce22a9e3
SHA1 6ed027dad97e082c730d1261438a8e56c89a4b53
SHA256 84f95e8fc25b1bb441394174cb340a4b5516b1c1b477b0482edb53ca3f6c6278
SHA512 9b191ffeb62ddc8579636a65e3a9bfbd88498331ad90ca8187cf1f46358666fc8464677faf22299d8afb9ecb930762b35a755fb633365d6c03e3f341587e1d86

C:\Users\Admin\AppData\Local\Temp\KkkQ.exe

MD5 dffa0b85e413d52c22d0f06ccdc75c90
SHA1 c9103f4ae3315e27278bcd52bcd72ac009cee874
SHA256 2b1e1fbe42f331d761163bde8f19f7cdf408938b468d5408e0fede304b558462
SHA512 d3f5079c8eab4b91e410d2babcc4d19e2d745aaee640750cfd2ad594a99990a2f0f434eb38a16d885231658343fb0027204fdb081155736824077358d9b77b54

C:\Users\Admin\AppData\Local\Temp\skIIgMcs.bat

MD5 7327f5dbae237f78f2bd80c61cb0600e
SHA1 13349d4a41d998431bc6e299d60071bd221dd8f8
SHA256 3420da5cc0816c2c726da49076d17d2037d2d499b63ef2d79b5cf4460dc8ed6f
SHA512 01d3d6bbcd35f432011933a352da9012758281aa1971a537e1ca679491f633e2e6ab50cb1525e70918ffc1cf0042a61eb429819bb9509cfd7b6f3479ee941fc3

C:\Users\Admin\AppData\Local\Temp\aoQq.exe

MD5 3a73c9fd75f9e0aadd68ed30ffff7ac4
SHA1 a1382079c7abe9c55ba91051bd2e710314a0ec2a
SHA256 9a111c0693433363085958d888fcd391c3d8b700525060ba940308127ca8d483
SHA512 46331971bc60a2f6783d39a6567cbb744b53e041116f9c1c43cb4274d4c44f43ec88538a72374eb49a2bf7754de46ac41349aa33c6f7567ee2a585a481ef50f0

C:\Users\Admin\AppData\Local\Temp\SYYI.exe

MD5 e3786634a2e87148fea07fcd74b1fd66
SHA1 93a48f58131d15a88e0229a805cff9c7ead6a654
SHA256 2ed81fb8d8b25931ffe40d7c44acab6257a7e57c93c3c0156df7b48530c5cf4c
SHA512 e3ba2f2138e6809c37afdb58680e0df0d90a5af8636a2e504ef1cf237d729ca3b439302cc2c8f9aff34c402a5b594b5ab9407e0436da03b06a71b0f395578e19

C:\Users\Admin\AppData\Local\Temp\wsoG.exe

MD5 9331eb949e30c79503d6ffc4b106ef92
SHA1 54a2afe9e93169e82c68a29d979d941f695e0d55
SHA256 9e3a2e0ea136becd0dfb881744cfc250d6de2b8582beb4d746e5663ee0c82aaa
SHA512 67b7b116402a24a629955967588264702d2f4c15c69e355ff28b23688f74150d47e43f11316fa683161b99123950c22290b9b59ba27ae633161606436eb4d30a

C:\Users\Admin\AppData\Local\Temp\Ioka.exe

MD5 09168588aed4aa5b1279d17a3c2d703b
SHA1 70fe31f7b58f6f9ef070010470daae9433ec4818
SHA256 5bc8aee112235607dbfb95473862e888737e46cba4d1b516482adbc438b34f7c
SHA512 8d231ef5023571b71932d48ff2f117f4abb0829cba657f1716447b2428996a6f9e85b02a44be03447e99c6e049ea477279c229b756aa2c628e38b3fa5065149b

C:\Users\Admin\AppData\Local\Temp\ookI.exe

MD5 7caf8713dcea7baedaf6bc57e8ce0ae5
SHA1 6f0720e151819e464e00839215074f9375e454da
SHA256 d6ac342169162a1c216be9354f75f2f983b4cae13a362bf1c23ea622a21989cf
SHA512 82d2668855069237fed4c1193537522f189b76698ae2ad3d720cb03489d3998c89229c79c0a44af5158b4cf1ffa1f67acc28e73413d19a4eefbbf7bf36e2e209

C:\Users\Admin\AppData\Local\Temp\koMAUcwE.bat

MD5 25b302b7486fc5606e5ee523a24f11e7
SHA1 603ef619c42fa40b08a28a30c64b906590a5fc0c
SHA256 1111e63e777a00febe62aba86d897a3f7066c0b7da12231e3c0363b688bea3e6
SHA512 50fde5c2d087989aeba9640eff6faf01a32852ef1565229e96a1ebf65dbf6fce83e4c09a186bf8bea1656b7a69fa80b173d5501a9d71c64afc5dfee14cb5c5ef

C:\Users\Admin\AppData\Local\Temp\owcK.exe

MD5 0ea64130e5a59509028280166e8b2ba8
SHA1 3eb936dad627bd3224e70dcff0f473a0dd28ae0c
SHA256 dda0b7241e19a0adee31594f0fb38b81d4fcab732725f67a5235eafcdf491915
SHA512 b4d950915cd86ca830a1ca896203bec39c75d24884e900e9b02da603af9882b46d35ae57a156c2bef7cd514b99b2f57c28ecb2d9ff5f310314e7e96cf38a0bfd

C:\Users\Admin\AppData\Local\Temp\sIQe.exe

MD5 22cf4c589dc954406920aa9618b6161b
SHA1 056f95fb230acd5de19f1446558429ff08ab8224
SHA256 cd318e60d5bbf848252b38884039d0494f9721d83ed2bb521c4d72e87be15c8a
SHA512 641220539e80f2dc47a647ed8bed6c78ee25be0b33da247b375d28318358e5141b15a42d8d1c6505401da893181610efa009aa3d865723723bff300985318bff

C:\Users\Admin\AppData\Local\Temp\sgck.exe

MD5 fa0b1d00c7a6fa123cdee73cfbe436f3
SHA1 25de39682b154c61e6468b1516733721f6743b02
SHA256 3c80f198a410493a5b2cd207b4ad9c3f5a5b3cbc895360d624b897aba22998ad
SHA512 ad7bb7c4fb072b24c4d7e73b898466dcd264de6e3889d1a0723d94c622cb90400a7eefec77ba5776576c74dbef81420c6781c1d0894066ad66bc4fe8e54fc64d

C:\Users\Admin\AppData\Local\Temp\qygMIIgY.bat

MD5 8dfb023113d56b97cd85ac47ba4c725c
SHA1 3f33205664bae08569a404018bfe073afb042956
SHA256 bf1ecb90a4b01f9a4fea5864a666452112a8bb204dbff23cbc24032f9be3d60a
SHA512 7dc4e8e11a2eab6deff084b14644080a29b9909d0c998e7562f857626d57053cef8171dbf1afa75acf55f7b04c650a4be438b4c6f55d1ecf7257ebeed3c1d1e3

C:\Users\Admin\AppData\Local\Temp\usIm.exe

MD5 e73ff578ada2df4348997d8bc5358667
SHA1 1f52e1bc127e0b1f01d22035c13258f28e0770b4
SHA256 b3b2515c70185485e8fde4a17fd3fc7d77eb008f2ccb0e9e55d3e51f9c66b1a1
SHA512 1df9d47c605f1a3e8cf24c8b0def7dcc25f9eeb8db5e8a0e10ee37daecd041264a8b04fc7be29ed426d7a27b011077fa277930bd80ceb29558a5b3d15f822713

C:\Users\Admin\AppData\Local\Temp\WsAM.exe

MD5 71c8a670647c0650c9133e623c267c79
SHA1 6af29e21849954d1e3b0ac0fd8b1b3ebba16356d
SHA256 a479e6ce46721842d0db87afdeeb14ae7ef7425bcea818c637295144853a8158
SHA512 c252b94ae9f6e55f72421347efb113104d11e6aebd8a80b353cfe752b76a0ffe02b07db9a06bed2f153dbb9524bd3a0065664636df266782fba9eb5ff0934231

C:\Users\Admin\AppData\Local\Temp\oAoa.exe

MD5 4c709122b041a2c49144e75d3031f391
SHA1 0312e7e61091ffe9a5415356f5d6909ecd45c3d9
SHA256 7289c4740bea608cb998f44981270a62541f78c16913281f6e5b67cc844c7312
SHA512 0bb65ec588146c8e49ffc1a08806498b52d9a840b12d23ebe71a758aa14e6480dc0a2f962df840e60c96e90dbfdada654fe97ef71c836298feb254fbaa7d8134

C:\Users\Admin\AppData\Local\Temp\sCsQAQQA.bat

MD5 a0f37daaeda70cc82f94df1a6bc536d2
SHA1 867c22a44186f646f6e2c91893a4b09090cc45b4
SHA256 1b1ef5b86dc5506d935c094b4ba1bc125d12de1671a14bd7432b9af4713358c5
SHA512 48631420dfe66b8e494320cf7bd3e6534d727b432a2474e11f0c0b8db90175e3b36dc3d03b1d183aa1a049a1de0bd3855e83e35ec881708bbdd210f7224d1c63

C:\Users\Admin\AppData\Local\Temp\yYMS.exe

MD5 3a755d00c9d8b912ac5690b243d22ed7
SHA1 d963f6036286dfc0e5b2d8d11b3e5d874c0160cb
SHA256 0def4552791ac7abb4d47e53f689b29421df10ff7b187f9cf64795b345e403f2
SHA512 1477cf41ea621b3c3fdc17d7336bb85a649fcb6269c068f64b3d9f9d77f00215bdbc464d4b23a186f8a627846eeb8ecce9fa39a9aa43c5941d1baf925c4711ae

C:\Users\Admin\AppData\Local\Temp\skwQ.exe

MD5 4adc1fa54ace3985e2ae9a50332b2c93
SHA1 a760fe439602995e3d4fe944b13600d96342dad1
SHA256 2efb31f509824898bd4c2e88cd1f448c2b0a6c94922d301d8e63f80df9eb3963
SHA512 f2ac2dc4780b657e5fc9f0c274b965b47caa94277d38b1ccb0e4ed799a547a5072ca6308ff18e07386f25614218e68a0ed6d8095b6e3259557d2a50e2f24cfa8

C:\Users\Admin\AppData\Local\Temp\aMAW.exe

MD5 d57b18cde0dbf68ac8e32acfccfcc15d
SHA1 884f9ab50bb782513ff035089ab4540a83121ee1
SHA256 5a0ca866eaa215b3f6502d819f2b9d1f1afca92191065e946cbe14a795c0be2b
SHA512 1f3ed526db3090025f451dc061b83380b3d9f215c32dbc549da1dcf1f3278f8da039513f65b6e169f4fc5f06f8f6070021d549f45977afe4f5731c5a39ba893b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 af91dd7d6a3ce455ffc9fa0036de6113
SHA1 6d712a76c455ee0980ac479fcece3585a187f7b3
SHA256 c9a36b342df6bf83eeaef62864054105739fd20b2004b31ee0645160a9320790
SHA512 cfd6c27e17243b2f830b93604b90830382ba44b9b66ce11cd6f96d437e242a28cec4fb74cd4b077ccdfecf31c2c8d6a3f96df7121ad3eaf0888df73e8d06b74e

C:\Users\Admin\AppData\Local\Temp\rQckMwYo.bat

MD5 2abbc5a6245b2853c68b47da3453f95d
SHA1 27ee166e888612b5bc6cdb829aa447dfc129a5d6
SHA256 5bccbdc27017ab59f861d281023605d30fe7151bdfd05d597d808d192fbf77d3
SHA512 ae3a0ea0880e944300f7401edc3a3bd76db61a9c71f0a021c87cc392a15c767da6f6b8ce679896b4b331f27b711457e07faba9864ac8feba57b4af49390f33c9

C:\Users\Admin\AppData\Local\Temp\aAMi.exe

MD5 8126b9bc28cb222400b9e615beab222e
SHA1 164532b50a519bc78828106d79f39b776868eb73
SHA256 8acd7a37c14da0e58dbe962591ec4fb92529cdc5ca15311860c9503d2a400d57
SHA512 281d47b11a646c52ef6c8ca58945b4bae6cd661959bc3a4481b9bcaa48b48a6bd6631af2e0e03ceb1aabc7762d49a5b320cafae85ed3ccfe6f9138ccead28994

C:\Users\Admin\AppData\Local\Temp\AgMc.exe

MD5 32dc33540e0e3ae746a4abb7313ef882
SHA1 ccaa5956432d78d36157722fc268a67bd158daf1
SHA256 8dc30a4eca375da626569ff47f890114694f50b56cd367539b6e7a0f442f21bd
SHA512 29aac0f8ba39c06741301e4c35086e4232e73b384fb5c597265e09e9627341bfedda4bda68cf8446a8f173d6e0e804648120c1a60dbdf84aad11fcb004391b09

C:\Users\Admin\AppData\Local\Temp\zKUcoEcY.bat

MD5 e2fb89048d84bbcfa2dd03cd487e16a7
SHA1 9f18cc3525ac5e1725c7d0a1ce200f746d7925a6
SHA256 e2ef6175f5e70d7ae53134d214c3e7aab47b6cfbefb8190285e72d4113795651
SHA512 6f98012fa4b956fa6bd160be32f448c8b1b6ee45d8f65c5ce1cc673c999061e51c4f4c9caaba003e21aaa570f3e7bea19bc3e9ce303b7f68ed69aac45b7e3427

C:\Users\Admin\AppData\Local\Temp\ycsu.exe

MD5 0c19d143c8df6ffaa57179b048c1cabc
SHA1 e7b29d4daf67267da1d18d19fe03f5a463b429a5
SHA256 60d838bc216aa1c2ed649e5740d26e7d6355fe77c1947c80ead03abb05485e8c
SHA512 90dc58a67b66a581097d3eeea529508eaa0ca6103df208e715380f57ceddfff845173e55eba3e97ea258b3b6806e03e11df4816015f090b7fbc02520fce2951c

C:\Users\Admin\AppData\Local\Temp\ogAi.exe

MD5 697292dc09558b3290b9a17577132c47
SHA1 b1b2777aaa7ad1fea51a4a688c135b9e6d21ca17
SHA256 9c02ed1f6e293e71a0b038eb343045d16755e2a91d02591dd438bf9e396fa40e
SHA512 b5d6c8ab8a443d55786956ad974565025ce6cb566c4f625361f61f16d93e1fd293b108b9c9810f6acf8a2c8b0393ab3c3f00949d43057c28e2d8cc9e1cd55304

C:\Users\Admin\AppData\Local\Temp\akYc.exe

MD5 649bc3ad32d04e29afbfecea2fb40636
SHA1 b5cdea8c655d6cb2224011101d1506a4dd83dcd0
SHA256 beb79b34b90a5e2a6fb85916381dc73f793507666fa5fecd5da7943d2d9d316a
SHA512 31bdd015a94bc8d8ac8461221ee3c21ac6b732eed93307bfb12d94ad0d3c7d7ff470492edbbbe870f57dbe4d6864716b74e24d60eac361453d3ef402ef602e01

C:\Users\Admin\AppData\Local\Temp\tmQcswko.bat

MD5 b793922b2b305a669058b7ee0d5e5941
SHA1 db7c85a525ae45115444b54a16428aeb9caca6de
SHA256 f2507d0fd0447b36374176fa063e83b407f57308b6a07744d866c37f02ad6c6b
SHA512 40458607d2da103f250fdf37e313bcd20226069d3d54a7f63242170ca0e192a14a8e0d9b5d6dcd1d805fd52110f87b87e1a576d0e6d2f1b2739b25dbc683df87

C:\Users\Admin\AppData\Local\Temp\UwgC.exe

MD5 a3e8bcd0ab538b08b8bd5a50fb041bf1
SHA1 ac1419e157ce6a07173d00c3ab51a445f7965459
SHA256 2643950b8fc17881386311363281df19c90a6c32c912cf03b70571aa60ade6fe
SHA512 c5100ca5bec29bb6a71bf0561c0024a5c6f8adbcc8a2998e59d10603a158dddc79abecade0385d322471717665b955a39b87716db9e836f6dd4df070f7e69df3

C:\Users\Admin\AppData\Local\Temp\AMAi.exe

MD5 0642eb78ffbd093c759b6fe18686c402
SHA1 0e838f35063effd465def228efc7c75afe52c38e
SHA256 dcb4177f5de14d0c023fd5b0e19063cbd551376e6f689b0a66a64ab34158a601
SHA512 7f76cf0755092c48d0fab3bac50eb904e5969229ac016873f7761bf3149682e731399f46b8a681b13f72580d981fec8b62a0f2168b889ad0d5e813c7ba8fcc55

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 4ba4ac393107e48d0388c507fd8f4780
SHA1 e4ec7f7d231597080e08016f87f3aa7ee8479a6b
SHA256 b9ee5508a506ac10346071337d5e690e7081168134fe7944cb77433a55802fa2
SHA512 ca0c82a96516d5cd62f815f8e4d6fb9dba073d50a19f1ad0e44a0441ce169d36e2a12d3c286aada3b71dcbe7cba1df3be1400f49f761e56c077586413c2b61ba

C:\Users\Admin\AppData\Local\Temp\jEwsQgEM.bat

MD5 2e8d500a548932b26bb5b5627d164cba
SHA1 8feaabb0b3af112f25ab932902a8f6cb06d4b7aa
SHA256 0e4b0e08a2ce1f843b596097bb04744d2cd7f66f79fc9bbd1a748142710ba15b
SHA512 08802f10594b3400774947af75bdd3851fe3a585a25937c5f56947911cc7339940f74704db5750f26528813d1925843994edf3e69fda664c9dde581000d0e3fe

C:\Users\Admin\AppData\Local\Temp\ikkc.exe

MD5 2d5bda62137d31604c427fd8222f1989
SHA1 e890d48236ec392da43ffb18dbeafdd63268adf6
SHA256 4be8291d125eaa98bb9eca25d4332288db883fca0ec924d415487a54fe12e8db
SHA512 c26e8eef0cd373617d67ffd6d2c53221ef533578ee7a58e9d747e57318765f9c1837812beeb2afe4142e1d87a5a837c54584b1c5f662c88ec785ad5f7c4427ab

C:\Users\Admin\AppData\Local\Temp\eQYcckgY.bat

MD5 65bc9d6d631e2c907b2bb9d4b1ae308b
SHA1 c575c730ebe90cfe604d32ec0c8d30214f08a9bb
SHA256 320f0577a66408a0104c15f1041b3077b6c22a91fa5675c50e78a2c36095c57e
SHA512 109d76a2db67aabef291f9dd89edcfe227a86d29e6b9ce734b7930e91c5598394b1c9f192c21cda4a72c92a88f090fc39c0deed1e3535c76c2e9958bb9ecb950

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 7c3bb7f5ab5a92ba2a4dfaac68f394e3
SHA1 fc87ac77c18b899844cf25058f46d72f7d457471
SHA256 d1bcc94aceee56bac52b6e8f0136b41e7e30d4a2f394bb339d14e3417b2d3b6b
SHA512 8d24570115e118fc1a8d6bfa2b3565687bb572a3dc41fd77c57c61a2ff83253078709ff8b6f951c19c5c18ea2ba0bfa548e30e0bdf16b723fe9b39037ce0aec8

C:\Users\Admin\AppData\Local\Temp\YYcocgoo.bat

MD5 5796f169aaa81e2056320b458333e6a3
SHA1 522fb789d235ce11e1cbde491697b3ee354a1071
SHA256 271fdda5bdbd0f920f4dac1634c974214b4df80e329cc379986513349d8bc195
SHA512 4689129cab11e6c5b4313081635467401f274d4dc9ada345760c9c7c6b3695342c9323309eafee9bf4fdbd81d9793644b0c33b01678de9b89bd7bdbcf9a6f07a

C:\Users\Admin\AppData\Local\Temp\CIMm.exe

MD5 4d8304f563780ef25c8b447ba4337e64
SHA1 539a4c71aac2ad3eabcee13adcbfac00e4376f0b
SHA256 bc3137f41f54725f846e3b1c7b2ad9ffa97fe0cc45a4c7e97db95b8297b0eb77
SHA512 b6e53c52dab049624d406b71e915bbeced1634ea2d0e19ae4edd33bc2b354658ac5524351e2e182b93199cc52a13546d20eb9cbd3b3d82f708b135e1a55c8916

C:\Users\Admin\AppData\Local\Temp\eIQG.exe

MD5 6ea88e968d045e8bf72ff876b07d4add
SHA1 80ad44302823dee250adcd225ad37c21d05e954f
SHA256 e161d17e4afcc0840e08b019dd1313b418a42d1637209a6106f3072daf1a8948
SHA512 d3b505614b5efbc40b9742abb97d3dcf50461ae399a03219008f8d96030f301c7477b6f6d8039c5313a4a1b224024d0d57bd60e5783d327a1b63f564034199be

C:\Users\Admin\AppData\Local\Temp\icYE.exe

MD5 b4a93320f0faaaa8a68fd8bcc344a08f
SHA1 869717a62adcdc02ac61d2f16f39e8e9167ac5a2
SHA256 f0885fd882037ba0c04aa23433ea7c37869afd246801a4755a948c268bfd309f
SHA512 9eba3dd802a0bb9b9a3acea2533daf0685a67eea41ce0b112acde55058451abd9ee683a53906b454d74f1cc682f9d61754dd3b25e34c5d9949d79f42f9eb5f48

C:\Users\Admin\AppData\Local\Temp\wQkw.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\WAsa.exe

MD5 8c591657b415d5797cb9f10172d3f59e
SHA1 eb2eb0f85a6420916913e3e06807341abff971d1
SHA256 e743b95707b392a61cac8cbc596b6677365f63d49f08029c178b20fcc5c1ab07
SHA512 0a31dce6041c02cffd0ea3df95298054498385d91642462728d68c192ccc13a8847397a299a00ef9187f46491157c0c16df5dd0ddb647445cdd5dc2262597a2c

C:\Users\Admin\AppData\Local\Temp\oEwS.exe

MD5 444be9dbb4ad623c2aa4c21bead64953
SHA1 83dd2b790a7f55e8626c7901552957988818b627
SHA256 5a258ff60aa4214d83da6edf00c099e0a5fbeefbe5c757111b36b8c4f306fa2e
SHA512 a6557303ed54698155d8064edf217d0c9eeb686889d64929743cc2bec976e1e58fc552f67e67654799070ddf0267e088542267d00b2f291c955ec242456dc12f

C:\Users\Admin\AppData\Local\Temp\YmgkwsAA.bat

MD5 e4ff1647c72d8b52a22f393cda5ba240
SHA1 3378178e130ae0d770fa9a4c2ba7aa5dd4825883
SHA256 f7d8d19dd6c81b9c18bbd34228e1f7ef0f91596e22a12c9cd01acff75a5b979b
SHA512 d6b6ff167d16f13d73891e00374218eb4c8414847df7d3dfe74eeeabedd0ca0e4c4f9e22e3fca5fe1c97154fc15fa076e1032e2f2852afbd6a07a0cb40ad5cf8

C:\Users\Admin\AppData\Local\Temp\OQws.exe

MD5 c72e82dcb00f519a9bf7473a6906ee3b
SHA1 23d254dbee97e619147cd97851698b6744c330dc
SHA256 29da9865627af1e0a6eca5643765ad791f408c8cb475cc5818b2a1153de84b85
SHA512 da0360d972219427763870b897b1ccf5f3208e68e9a1587e7d28f67e6cc435dcf839f2499c985740f029eae203686adc08104de17489208c766363a4cf83d982

C:\Users\Admin\AppData\Local\Temp\kcsG.exe

MD5 bf6c5cd9abf3f4459022ba4633a1c735
SHA1 7d97f0e84b8f733944d5bf6a9874ef45b2314fa0
SHA256 eecccaa639467e4be7076805314eb95ba6b233bc20c7d35630ccb15609c15ef5
SHA512 ab33f8319d6a2584a16f75dbea3731be2e46d4e346967c2c513e42239dab37d53e76a0e779e0148748b035b4fa182536447c6cf633a2f7aa4e14f712b5a3b560

C:\Users\Admin\AppData\Local\Temp\UAMG.exe

MD5 43fa6a66cb0144b9ec66e14675ac5e3d
SHA1 6516523feda7bebedd0b5c5af8117930b286c687
SHA256 01cb1b3485b6a4330d1374a0bbc9003245310e18e17116f2da5a5f84082fd0f9
SHA512 e03f7e5ce611a876293b830e9a5aaca8588f59bbfed3d5584fd4f47dd655410f4dd8e078312bc42abcfdcee9ee3be8b652f39236c99cb4e4c5a4db87eb61c3a0

C:\Users\Admin\AppData\Local\Temp\UcoU.exe

MD5 a9102d04d085a0dfc0b47997db2f659e
SHA1 31a9f586a176a232bece913845457d0bc00349c7
SHA256 93036849d28c8adf4ffa44a1e1c4aa2311d23d01f58d458b16427b86d4a0b3bd
SHA512 e99c5ad6a5727b64c1ead1727d4ae07c7c1d0aaf2e44dffbf24d1d1026426f17cf72eaf975657ef9a7a22331576694f4e0f94ebd8c4a0f00cfbf6ddc539abc2c

C:\Users\Admin\AppData\Local\Temp\coIa.exe

MD5 f8c8775832814b6a14b64566f918dd4a
SHA1 f594b6a957dd98935dc1426e76fe7c6c8bfa648e
SHA256 1a74f30695eeb15a7df0e0f05936346e88239b7a660c2cacf85c37c08fc3a801
SHA512 9149992fc4f06a2c12952a763980c385be3c487b7c6f78f6c4ccd7971ec6f32c785403e1aef096217a1c82d0209adca540dff620c59a8e8931b0546167421cad

C:\Users\Admin\AppData\Local\Temp\XwoAckYU.bat

MD5 f4c5b2847f7e5d4c1003df82ebafbf01
SHA1 a77d3067ef8d5f07f27ca0ef5755e320953b551f
SHA256 5b4aad7eb248f37fc18e94397097a5b27b6636fa75a956746e2990d81baac306
SHA512 99ea7ba4e557cc786b881e719779c1a9560eeb0bca74ba1df712330e2aca99623eb5babb2c35c0ec7abb295d5aa86e1dcde29747e623fe3c6ff1fb71f4b87696

C:\Users\Admin\AppData\Local\Temp\jsMocUAo.bat

MD5 8b31c4f62aa025419a62584de4989bca
SHA1 8b4716193a7a40e30c1455dfbe36bf51dbac3f9c
SHA256 a61ceb73849a81768fb2957553944c5b9158f56f57f431e047c7292843cfc348
SHA512 5046d4ee4f97d269ac36ba02292d253940e275735360f699025997ebfe72e0437dcf3365406bad55e08a07a07dee30f41c3993901a59dd1774a45626ac94386f

C:\Users\Admin\AppData\Local\Temp\jaUIgwMk.bat

MD5 345092b91e3db4917bf1fabb48b620ce
SHA1 b0db048bf2bde1919b27dd8d4df1800841a4a81d
SHA256 fe796c187e2d1bec2fbed33ffeaecbff7ebd861d3dbf9a5aba13bbaf52a95776
SHA512 a80f4d52f89867f1f20881f19c7f7786cb2b365d2c12d4baa73b45f3c8b5335b0461ecad188878f364bfe4399b9ce32677a6690777850863ef5e89b51563ffd5

C:\Users\Admin\AppData\Local\Temp\LuUooQsk.bat

MD5 b948c000f432e5988eff3e3b61bf08f1
SHA1 8240187b5675a7756bdf61631c6724939d4b2f96
SHA256 179497d9177c5acb00bf053d8405770871de7c604e20041a2b62e0c6600193ae
SHA512 bb42c97a336b04c76b6bd5dcfe56a46fb49d73273d9d1f82e744de6a0b72fb4f1e08c8e5135d0f649f0032734f88c85a4980f1ef4a8da9881c86757480037b9c

C:\Users\Admin\AppData\Local\Temp\wIsEAcAs.bat

MD5 df3e1b8d5fa86ae12f035353307d9109
SHA1 5b4c69c740a5ebc9f995faf556dd70a00b0ac069
SHA256 5f868f5c70282429e4a5039faff98be1087a78ec4eceed2329715cce2bfe7d1c
SHA512 adbdb810f20f198119b23542a6a499111e7d517a1edd4a0e5d2512f897bf45179d2450d0f0a2c03d338b2f34ca000a8f85d71f9690e62ab9f88058ca71d47bff

C:\Users\Admin\AppData\Local\Temp\qksYAoAI.bat

MD5 89246d90e50074b89fc8dcfd8b6c1af2
SHA1 e445c1915df64be2dcea7bf30a45681ae8ef7f31
SHA256 645efa0e2cc16d3a7c98efbfae454305ae5a2356af3fd22627122d44605b0e27
SHA512 815a7234f265b3160efd2ab079ba18e721154731227165d246dad705222c7b2a8e5d7b274eca27642a6cf43c012c23fe2f5f75af2802c2030d5968d8f0cffce9

C:\Users\Admin\AppData\Local\Temp\gAIMwsIc.bat

MD5 24f67c301394ec9296b032c0c77c865a
SHA1 51c55a4266cde84a71be33dc07d6a5851ab1d47c
SHA256 4b6052aa9926fa8ddb4b396333dfd76261a4ab9cb5b50c338e8b4519f9d5a9fc
SHA512 e8a3325754d6c33eeff336e987e860b49f47c99c2e4304bfaabb7e8347e27bf92e73961ba7ed903b8946465a7e793fb7315828a724af7f3d572d283208864493

C:\Users\Admin\AppData\Local\Temp\iCAockkg.bat

MD5 05fd0cc2988cfc519f2361ae7885ddb1
SHA1 c93e173831295f36b0dbd9498fb4e51cbde28d83
SHA256 65667270e0e217edfe7de84838e05590a441e1b415cb17dea9c8a2f71d0a87cd
SHA512 b35c0652238a207ad5a103f09de93bff68547116e65c6cbbb7a667a914600e8bcb80e5e91acd9469502c3760c1a461382bb20da4fd0403622e74bac9b47ca057

C:\Users\Admin\AppData\Local\Temp\bCQcIckQ.bat

MD5 fa68efa64509d07f702c2d7ffae44cf6
SHA1 3b73017d040f1df3de20bae6f90be3d404c92405
SHA256 274ed49da73da87878509e8303fc0f6accef904ea6d0567703d8dde7cda4b14d
SHA512 d079242d0faba7a4e467675fc3e252db2a4d77c7335c04b09bdabf8f761a0cae2faf1b7b0cbeab3b2d89dda479cc6fe75b9190d8faece8b2c6c25c6fc0c46e0b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 21:42

Reported

2024-10-19 21:44

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (74) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\ProgramData\UIkccsAA\KEskggUc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xOccIQkc\myEsgwwg.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myEsgwwg.exe = "C:\\Users\\Admin\\xOccIQkc\\myEsgwwg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KEskggUc.exe = "C:\\ProgramData\\UIkccsAA\\KEskggUc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KEskggUc.exe = "C:\\ProgramData\\UIkccsAA\\KEskggUc.exe" C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myEsgwwg.exe = "C:\\Users\\Admin\\xOccIQkc\\myEsgwwg.exe" C:\Users\Admin\xOccIQkc\myEsgwwg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\UIkccsAA\KEskggUc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A
N/A N/A C:\ProgramData\UIkccsAA\KEskggUc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\xOccIQkc\myEsgwwg.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\xOccIQkc\myEsgwwg.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Users\Admin\xOccIQkc\myEsgwwg.exe
PID 2032 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\UIkccsAA\KEskggUc.exe
PID 2032 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\UIkccsAA\KEskggUc.exe
PID 2032 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\ProgramData\UIkccsAA\KEskggUc.exe
PID 2032 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4068 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 4068 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 4068 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2032 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1128 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1128 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2980 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1816 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 1816 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 1816 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2980 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2980 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 784 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 784 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe
PID 5016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\System32\Conhost.exe
PID 5016 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\System32\Conhost.exe
PID 5016 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\System32\Conhost.exe
PID 5016 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 5016 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe"

C:\Users\Admin\xOccIQkc\myEsgwwg.exe

"C:\Users\Admin\xOccIQkc\myEsgwwg.exe"

C:\ProgramData\UIkccsAA\KEskggUc.exe

"C:\ProgramData\UIkccsAA\KEskggUc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xygMQIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqEscIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooUQIAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKEIAkgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKEoMoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgcsIIsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NykEwMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqMYokUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMIoEsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcswYoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEMUkIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoIQIkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAMswcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMQUIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqAYwcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkgAkUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USMEYMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAcckMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kesIEgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LksEUsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsckkQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAQsYsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyAUEYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GuQAsAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GggwgYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMcwckAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcUUgUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fosIgwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSIswkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swwsQIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKAIMEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOoMsQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgMAQAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoEUIkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKAAAcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUEYkYgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOowQAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUYUQgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOwwYggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKkwQkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIskogow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwwgQAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYcUAMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwEEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggEgUMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMAQMUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmsYUsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FikokIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOMEYMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSQgoUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIgQUcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQYAQgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEscsQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKMAoEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUokEscc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqYUQgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAYsYogw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOYcQMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiMsAMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEEMMQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcIEYsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyAAYUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwUQkUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQckUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOMAkYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIEgQMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOIogAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkAEEoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEAcocEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwsIUsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DogscswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eskMYkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUokUkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmUEAIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMcgMMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGMAAQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beYMYQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyYkgMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYYokIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kckQscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PakgAEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEMccgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQwIgAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIAAoMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAIwUcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGwQsAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwwwkckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAEMIEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqUoccME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmEQIIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voIAEQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcwAUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaIYsQQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOAYsEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUIYsEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcIooocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEkEkIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiwQMwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quQQQkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SocUUwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoIkQscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUUEgYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYQsYIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NegkwgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKoQoUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKsgAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWwQUoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fagMYYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VswYgYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaAkgEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuUoswwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiocIIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCoMEcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAgcAMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYwwYMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyQkEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqgkQcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoMwssYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwMAkkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyEUcwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqsIAAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncosYcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rggwMEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcsYEIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIYwgYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyMoMQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsIkoQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOYMAAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2032-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\xOccIQkc\myEsgwwg.exe

MD5 41b405e6c581c2abdbd4c5125a3b4a15
SHA1 baa2f93269179d24906f444f7ee96adb875c803f
SHA256 09bbc96e6696b2982930e70cb9ed11a06513f57e3fe046cef9eb5263cc0193d9
SHA512 2a7c67afd9ed053e9c24fd8a1563210c513ba107bd7b5ce0f0eb818f0865141b227f1b55245aadb317a54c2f0be09529120d7ed53dead56969e4e8b0c9bed954

memory/2692-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\UIkccsAA\KEskggUc.exe

MD5 abd11ecbbe627ec5b26e7b6584ce2b5b
SHA1 5131cbbfab331d62fe15ee445dea05422ca6845c
SHA256 0971b873ea46ed72ffe8fca4be3b69d80f6bdedfd9bfd8b633e859326ec03290
SHA512 67c4422cded74f4254a820e71780a8978269d52f1485e55fcbb0927778a47e931cc1b650005a2fe124929c935cd3dda2aef8e3887a4f75ba304ab823264a3f79

memory/1480-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2032-19-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xygMQIQA.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\2024-10-19_07540665a1eb01b36d37811081e86979_virlock

MD5 477256402c581beed8f9aef56cebfb0a
SHA1 af541187d2a0baaeb1329c6234c6007c5ef322f4
SHA256 fec9aafbd19c3dacbec0b2b1168d0720bdbc510b53919b628de736d15971139b
SHA512 c2d14818d3a7fe9e15627baf34527fe76213e5d515e6995a81349dfae262ee57af96850eb6c61f486870474b853237a35d85cb295b84eb9b62ba80595cbe5a85

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/2980-32-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5016-43-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4032-51-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2016-55-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4032-65-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4608-79-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4676-90-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1136-101-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4272-104-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4272-114-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-123-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3612-127-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-138-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1292-149-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3092-162-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4196-173-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1432-184-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3540-197-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2304-208-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4272-219-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3668-220-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3668-231-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2488-234-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\xOccIQkc\myEsgwwg.inf

MD5 a02bf708a8c41ff1ced08a5eb9392abc
SHA1 450d3d4729d2986c68dd700417e51062be44e7bd
SHA256 b75e66f4837fa3871a91c622ef29834e6332d4b8b0a6a989a4797c59fa6a941c
SHA512 5c7fba7eccd983ff5e00838550736f8bf7ef29703ee1110d84dfcad89a8ad75388dbf3483031930416e1049c3157f37bb353b5bc624febf0e6f9a0f8cfb864a6

memory/2488-247-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2708-248-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2708-257-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4660-265-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4228-275-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3112-276-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3112-284-0x0000000000400000-0x000000000043F000-memory.dmp

memory/456-285-0x0000000000400000-0x000000000043F000-memory.dmp

memory/456-293-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2436-301-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1356-302-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2436-312-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2032-320-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3600-321-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3600-329-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2116-339-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2396-347-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4852-355-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4448-365-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1096-373-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2040-381-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3792-391-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2440-399-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3596-407-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5052-417-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2200-425-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2780-433-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4744-441-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4556-442-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4744-452-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2196-460-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3816-468-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4564-476-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4556-487-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3688-486-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3688-495-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2196-503-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3968-513-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2032-514-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2032-522-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2940-530-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-531-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-541-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3464-549-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4692-557-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4072-565-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2436-575-0x0000000000400000-0x000000000043F000-memory.dmp

memory/452-583-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1004-591-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2372-601-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3156-609-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2400-617-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1464-625-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4812-635-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1644-643-0x0000000000400000-0x000000000043F000-memory.dmp

memory/656-651-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1120-652-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mkAQ.exe

MD5 edf08524c2ee7147e8912e72bcedbb7e
SHA1 914628fd19e68806aa98bc568691971056358eed
SHA256 b70fd5618f7cc3210bf03e72db47e07ef62be813e3b90590585d828e6ed0bd3d
SHA512 b3ea1cf70e235850227881e104e0b213b298fe24f176ed3fb27e1ef9f2f3307c82685a0a267cb89d0b4e1acd344fbb62181ee67957c4556d061db5f8fdbd11d1

memory/1120-677-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2192-700-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Aoks.exe

MD5 f9f8b50c5501e3290b9fb4b5469cae63
SHA1 fb385268d5e6903f921585f5f7541bc909db3227
SHA256 b0123ffcd3dc990637cfa8a2ad0d760aeaba2cec625d53a08b3029a866e54f7b
SHA512 9ba5b07ac42847baba6f88b3f2c17d4cf99fb30d0d1b07463d1edd87c0934655b52675f354f42de109f35177c9fb74bfc9a91bf5fb68cce9454841b36d3064f9

memory/1988-687-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EcAK.exe

MD5 af01ab4eb7ff39496ff05099a79a2ac7
SHA1 dd4b82dffec68fa84798c6f8724745ec8e946170
SHA256 d45feb930fd0a9a12a1b2ca471b6d6f0e4af468724b37940935e568880ec9911
SHA512 fd700dcf8d7a371e8da67b31d0747c349cf21926a5f29e8985183703ff862f652f9058db81fe36e115365660a6fdb87feb62b91b224d95810134935edf582fce

C:\Users\Admin\AppData\Local\Temp\MkwE.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\ygAU.exe

MD5 ccd2eccc0c3150c0321179bc02b4d7ec
SHA1 cffff2158b72645ae8e0f11d7d7cd668f9df9806
SHA256 5f85246fb9cdd422654867a1b8bd77e163c9f990c4a470af5a523e4e647c1511
SHA512 f655150f3a462a883f99db20575d4b8b66a40e57fd4c9bab25c0d2a2f298d584200d74bb322da9f5ab5dad847503200b9395306d18cd6896c1646d0cf51f0483

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 7b06b699a0de6e7c54f7eb5ac6d22791
SHA1 c71fea478cb83fd2c699b47201a0a0a13819405a
SHA256 940cd423fe4021e95078dfc9b3ab000c77c7f2910c813b5145a467a3b17e5731
SHA512 56369d10d170c9232f6f067f42747abb899cfbec25b453e37c2fa06cb1f9a6e16a042a64c8e6839293329c25beb1d55e04ca0f94c3e7b38cb6bec4ca34db672e

memory/5088-747-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YMgk.exe

MD5 d7c40fbdb19cf327f16397c68f103bde
SHA1 31c8cba1b4a944be4ad667f065b02d6850cbaf88
SHA256 ad9b2c968c6cb2137283f4134ab309041777af8e9529cf43328178defa14647f
SHA512 096ee7fc2bc373dab5081ec8d066ea424cd7f98a64fc94ae49d83ad17fdc76ce281c91b355dcc283a506f7be689df280fcd252a40cf2d729b4da9ba2cfc10019

memory/1988-765-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUYm.exe

MD5 f322fb6734a8071ddd8b0d6781da04dd
SHA1 c77efe7ce15683de5ab2b7077108081ccdc97c04
SHA256 d7f657fae8d66c2e5688805d4355dace4c63b5ab3921ea5cb47ec5fa95b62485
SHA512 cd97709d4fbbfe747ac796104f950423e4483c4f7993815c7ca43ea269ea0c9a36db3006f00f97b161bb49af2d37e444b6a14d27dfe73ef05f0526e7d40002dd

C:\Users\Admin\AppData\Local\Temp\Ukwy.exe

MD5 29bcee8fc9937c21a3f288283f089f46
SHA1 4470e6828b4c5381f98d4bc961d80abb85164fa5
SHA256 f232c3326deda7efd575bb4c8bf7bd1625ba1ccd15acbca00796c7ba15533d43
SHA512 33397376c9bac5a27663bd3ec79f4a89bbd59225c7b6153d8c99261dbe5c99e50aac990ca73a537f414e564d7f79dac1ba53c7586bdbf2850131c2519ee1642d

C:\Users\Admin\AppData\Local\Temp\OAkw.exe

MD5 b0deaacc30efb601464388c866d39275
SHA1 2b1efc3f4dc98cb26016f8f5468257c0d7adb530
SHA256 a013983c46c309337611a79d805b87f5afcca19bd2cc6f5644787c49728a7c87
SHA512 8a97245cd9c13bd8389be446683ac6119e5c9669eca3681c465a0a9ab63c4578e3e67d4898052f0c563a5363f1b029066578156e7550bae6bd1ea8789fae0882

memory/5088-815-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mccS.exe

MD5 95afd41ee3c7ab3cc9c8d5bb54588ee6
SHA1 1122851ca350eb82fb75f753db6297b4bf6e11a6
SHA256 5145b816ce1ec177aa21be368ba2555f2f77785e1934480342bfd0acb3050500
SHA512 98aae04705068a4d71d657481400a23228260824c9fc192e4828150dda971213b2595000603c486f4f0a029c416d572e754e1c99b7f3397c5147dbb3aa7878d2

memory/3816-832-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3816-854-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMoy.exe

MD5 3c8c888673ef356dddc5341d11f115fe
SHA1 fab627a3e1c56aab0c506e48118b2c1c23e53dac
SHA256 02d974aad7a85a7e6e0e096756e95cfcc6910f716b92dbb9dd4eb73d0661a9d8
SHA512 d87508b01865b417cb6e75078e466846158f9eab3d46384df54147ff45981ca11fd1ba12f15dfc0dfa57fec70cffcf0f67e14c384051a6374990cf3197734d5d

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

MD5 48de21041c6fd015da875e20144cfb79
SHA1 9abcb511c1cd0f9361c3accf127e0049c2f588a3
SHA256 b622aeebec95750e0afa08b0216b4b285aade4cb4c9c93839a3b8601e04c0a69
SHA512 65787829f5d28c2a650eb42ef173f10100e4b0701027a0ee37e6cd2defaa4d5813157568cd9434a1c9dcda68e2179160da04d137979a51aa5d26539a69d55dc2

C:\Users\Admin\AppData\Local\Temp\qEES.exe

MD5 ef147caf0f391662e7edf2654a208282
SHA1 3c3ff34d5eb5e5da4d33101949f33e9780b0dd53
SHA256 fb63615824b33563396e7d7a9671657c48d6e5fc0bfea3dc1024a4722320e2d3
SHA512 18196aa209337fba651a5c3439717080fa7a9ba34e393937b2ce37fc6eac0eeb80c2e2256ae614b618d890427e02b1b72f63019b88757835203e2c2ef7e0ff5b

C:\Users\Admin\AppData\Local\Temp\yosu.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\ksss.exe

MD5 e079a69a561e420ed5102cf0093cd964
SHA1 d3a088320e21a4d3430dd9731a12d730de32271e
SHA256 5d1382f13811904e10aceb22657901886b4c11cd82e1c4981ed44d97eb319504
SHA512 f133a2157f57f86c2ab1a99c5070d2689202ebe67ade9bfbc1030c8f064514c9e05d36a2022e4046ef6ac8d02d53c431f2621d292b2c0810c99bb1780c337687

memory/4056-904-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cQMU.exe

MD5 16fc2f64cbbbb308e3d8341fd55e5315
SHA1 569a7a13adb2792f80d99badc383f5d3bba04580
SHA256 f6f283897b76b6f5029979c425c07ada8ca8fd9cd1e23e70ea9803bd8713d429
SHA512 3e5dc758b53d49b0ac459ff2bffe14e4a5ca6e59e24da95ec6a469f345bb1f6de8ffc771bb517fafefa91025931eb1becebe5b27df085af0b44e20f84c9c72b6

C:\Users\Admin\AppData\Local\Temp\kAsw.exe

MD5 795a5ad75238cba12d3637eb2462ca32
SHA1 839a1c6d2f0631694b90b25f9066221c30046311
SHA256 f4b88e82137a85bc4678fc1b0f34d5423409d764a4c145ba0498d4b71300b944
SHA512 235fed293e6af8e926c9db7c18b8b643fd048fe0eeea0a1dda6647d066d4c8de1524e58fb392836db1e4d3e220a67edf25da75dce36d3497d38f0132154b722c

C:\Users\Admin\AppData\Local\Temp\ksQK.exe

MD5 8e7dc35bb2d4cfd5ecc0f01e437ac968
SHA1 5a6893e64e9bbb7891a195e0fb646b5a89d25f98
SHA256 37829f1c22ad8517f377d527569e13d1839b0ce3bd2ca112e4ef2ffa7288b5d2
SHA512 89b3fa390238b435593df6a04ffdf0865ce55fa2318e7543fdc40e358f6184f7fb4cb75a0c4642e83cc8c18c4f8a5372535ddb94fa87dcf5dab7873fc4319343

C:\Users\Admin\AppData\Local\Temp\EsAa.exe

MD5 a6427b8c332d18c5cf5708a60f32665b
SHA1 3d1aeb085ca3ef8aff2dedcc16500a58bac8c041
SHA256 3a60a7def7ba94c69defe42aa845fabe563750d7595f1627aea99aa3e73f0a5f
SHA512 b74790363b37df618585d1aefc62953691eaebc978f4b0f15b7eaa952054c4da607ee2c61bcf95a56de10e95c97ec4990dda2ef027d61abdb22f01c1c067e5f0

memory/1732-968-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckIC.exe

MD5 11d48829a09396826c24daefa98124e5
SHA1 5f127ee3b4ce71bd941baf582c003f08d777b8ea
SHA256 4402a29c04123c0d7993b87fc4b7ca2e8bdb2315f528f4859f409b10f8e2525b
SHA512 2b3e4f76a8aa7ed344a79c8c9b25faa00494bfe615c54f4041b8092e701087505bc0911efbaf2ac4c69164b59e8b6d11bd0e350664d1a98b19d342f53966ef3c

memory/3816-999-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uYYq.exe

MD5 78168bc0c4af84b661712cf6471a53bc
SHA1 b6f98b1e0da17140673dd1ab128f9cc7ae04fcce
SHA256 0a59d8e4e9ae2d4f93e7ee0c96edf13a7ee0c2eaafbb7f943c0c85dea86fde34
SHA512 f4ef2b92da21543b02cccf8b1d8bd6b47cb5803a907f72ea2edf2d22b6f6e03c00edd44732fa8fbaf6a1b3690c522a6a508ea9d028407d0177d307b409e189da

C:\Users\Admin\AppData\Local\Temp\iUkK.exe

MD5 3eecd31c835326edbf5b2d6e86b292db
SHA1 0d372809dc3ecb1b61461b9fc8433fc65d242eb1
SHA256 558a0f1dde78ed71283c6765127e55498b604d20018a3361a0cbefdaecbbfee0
SHA512 17d1b0e328e8fa81eb4a5a94f4791f9495890e21bdad21ab8796f93d8a73e57d9e3afa25d2084e98ee9b05beab5958083252dc836974a904d44e71434d74964b

memory/3816-1020-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CYAa.exe

MD5 bfc19e6ecc9a9c5713a385b8b18cac12
SHA1 4c60b6a2cc39b30bd9860445c99ea9807160e9b8
SHA256 06af233ba8597d4133469bbcb1c4084660a0b6e3bdc746c2001a1145dc5a9914
SHA512 d1e14baada7f25c63eb8efa526cb01f87fb485f9644b69a97d87655c2174fdf23ae436063411d60016188fdb04d98d194ca2a49ff8105f5d5bac76b6a3e68606

C:\Users\Admin\AppData\Local\Temp\ewcW.exe

MD5 e7d4da535a3d896acd032d75457ad18c
SHA1 e2ad53ce1c4da8d9a1246c0ccf91f01238cfc067
SHA256 5a67a438c2181d36cbc01be569975630be48598e9289c7f5602c46701d9d46d1
SHA512 862c12f3c62a34db4635dbda9f248f10775e567e5f4d352da00523836302e27276230915bf03afe965a81d58ceb487735c447328b43fd1dbc3bc83c8e71a7c1d

C:\Users\Admin\AppData\Local\Temp\KMYw.exe

MD5 9b861943a5ce6ffdb0e76d208c88a597
SHA1 37ed9f493d85559f8f78758f5ba985c9ed6279e4
SHA256 36feb5c21456bf93ae95db7baca1b6ef6c140a733cc9a053c2ea13963c1ce0d9
SHA512 63dd0770d061a98b476102187766177d8d378964802ce496f2b36b57136329709a994fb363339bbaebbd7a258650b55e2767a0e2a76ec181b0faa91904553a4f

C:\Users\Admin\AppData\Local\Temp\yAkI.exe

MD5 724437b5392ffaac1da99afc075877e6
SHA1 d8e8f90d2e63774bba76e6d402b095aa40801045
SHA256 aca988ddd6db4bebd5febe742147e7448fb318de32bb7d36edf771e1fd024755
SHA512 779ee05666d84e888e840d99d3b3ac26e531aa6deff6b495b469ad5047beb375d5dbaa81c14aad5e35bf3b6e69549fc3a4c54f14c024918440df114cf2f373d0

C:\Users\Admin\AppData\Local\Temp\wwgg.exe

MD5 8a5716a8bb6c2d8e4a1c6e6a4228b49d
SHA1 44eee6cab120c4694c265a9803d9686a7e55f622
SHA256 0b2babf043b6bccab351251091981f3839b4e88577f3ab011d7df3a6202f0952
SHA512 8672462a862d35211bb94f1641685668efca912546ddba4effb2b4fb9842a366286d9ba025938e7d3f616ce802aee986f195cf19fd97f7e8963e0441c73c71fa

C:\Users\Admin\AppData\Local\Temp\OsUu.exe

MD5 2cbccc637dd77ed469621d0e4e537bc0
SHA1 06bcf737788516b4a74fc9571f4b3021ffbae207
SHA256 88a656535302ad9493f6d29bb0582157525a1fe0ea6d397550cdac52195192a7
SHA512 aeac588d2a0c09646f0ae21420afa824e2b25acd22b75034cc9c6400c90219a8880f92f95a9cb10786d7c4797be1b3e96d9a6e9eafac3111017c9c8df5cf12cb

C:\Users\Admin\AppData\Local\Temp\cgMc.exe

MD5 b50eaf1cc63b22da71b41cda6d50a7dc
SHA1 b9e3ac7b63ad1b5c6ae65582205df865d3601f22
SHA256 e770d742af4b27ffde39650c06a300732e0c0b46ec0ca978af9183d134641779
SHA512 055dfa4a0135e485c9aaa9da0b93e3c08a273f87d10a8c47c0415994903aa5def91d6d859ef15b226f97f6cf1dd86e9e9faddaca4e4d707ad61cd1cb66b63753

C:\Users\Admin\AppData\Local\Temp\qcIM.exe

MD5 86e7fe7f5b9047aaa416799ead06402a
SHA1 30429a31981e2bbe799d4e7dae75be8317566473
SHA256 7940645573d01e517bf5f427878472eba7b09e840e8eaa7dacdfda55806e87a4
SHA512 9be6327770b42198c11939ea685631027e2e5bece92055eda31f1d2f76b56bdf05a7fad155948b7c4da375457619054038f445ded094e3d55303b41c8c9b8d63

C:\Users\Admin\AppData\Local\Temp\ggEg.exe

MD5 d7fb8fb10152ea862337159084aed1b5
SHA1 e1ce1c49b0c729dd4d69d16c555611be5d1fb4dc
SHA256 3486cfbd47381ad0e11c8107ae398e20ebb406fb22d2b310b5cbb29596d38f62
SHA512 ad6a01aa51e108d8afebb5bd5f8c35c68d21e307068aaa308d516dd67f0d839e251049af287882a3dbc44c89fe15ba5dc88400cdd43ad067df875ed7245bf52b

C:\Users\Admin\AppData\Local\Temp\uYIu.exe

MD5 75fc0214ca0df4dff40c732b98adc06e
SHA1 dad2d23285371da2c3c2c06e126eeb73979414d0
SHA256 ff1ded87477d6e35e07079e3c2e6f007bbd0ffca99df0d50507991cc9e5f681c
SHA512 e33ffcc6c89ede76c433ad321a7105fadf5cc99e7f9db036436be9b5df58149bd7d92c955b7267cfb1937696d985dc6e60d5e57bdd44b3fadfdabbcbeffd6208

C:\Users\Admin\AppData\Local\Temp\Soki.exe

MD5 5e4881956258e90bfd39115ca15be910
SHA1 a184b1fe130237cde0979f7acfdf5ef17181a653
SHA256 4718b913ae8c7b18e78b3ee71c84d7b912139af74f652a1093f2a45ca1653f4c
SHA512 d1fd13dc5d5621bca8fa13802294cd534119f48a4d1f7bee3894bde07f43f5ec8cd865fa7274408b59cdb652d985a9e8cc9abe5f35a807bdabe59c16bf0c28bd

C:\Users\Admin\AppData\Local\Temp\EgAM.exe

MD5 a85ab83e83e826b5958d4ad207eeec5a
SHA1 ddfc161e0e07a7c1c1867fffc327e687acf7a8f7
SHA256 daa0199e1a049c9c82f8e5464e20fb9d85d671f05e61883652d44949a36261e5
SHA512 2b78001ce3f604913090050c6f3f4bd465f91a2c308ff7469485e01717027b654a3f7d3adf8d1275929cdf40d5271782d02ec6cdb39a4235878a1fe0fa65767d

C:\Users\Admin\AppData\Local\Temp\EYYE.exe

MD5 2f1f2ec6253f2606216909d0427f3d54
SHA1 bcbd38334e07631f3f9abb02b4116c6c64118f1e
SHA256 4566bd5b956d987f5b5304c413d196ba45a9db4717968bc9b710a1b0a75045c9
SHA512 29c7bdeca057f05f7627949efbc9a79f8db0aeaac2cc83c1bcd85df51ae9156997ed7abc5c8b9bad8be0fb5476c3911cce442270ab26a6847c5f9a8ff11ebb9c

C:\Users\Admin\AppData\Local\Temp\GoYa.exe

MD5 6d8ff3b92f21466f9dc380ce304fa277
SHA1 ab6f49df53bfa7579e4e9cb27df6ca5fa91bb11b
SHA256 0dc192eb0356ac6cf91bfa25d4383eedd774b2943adfc4dc26d612fb08457c93
SHA512 34b9e3625d1ce84ee9a0e35ba4bba05a934c65926f5dedb93cf53f91b0bfc5b3d01f73c4a4473c28c0eada8caf65e04e850788a85857b2090fbce8859f7678cf

C:\Users\Admin\AppData\Local\Temp\OwIC.exe

MD5 dce7daa7ea726a9e557b168ed084119f
SHA1 2bb422d899c27a1bd39e1662ee47cd9d28220cd6
SHA256 bcc7d8df22a397a0dcde995e255d5aba8bfd1bb9f8111de16c0f05f071af842e
SHA512 dff148681fbe0732e916dc4ac0179af51f3bae7d12f345fdadbf4bd3b768e0eec6fd1759fea367a30fa59c0d1f5bfe5b7d8f5eeedaeef1ac5eda4ba5e006152e

C:\Users\Admin\AppData\Local\Temp\ssEM.exe

MD5 bb04ca52f72f2302ade7986bbf0a257e
SHA1 484c6a44f1b6312ea7e158df9897f9cb7d7cbd2e
SHA256 2345a33360c21d60ef16e6e967a0948fdc793eec7dfc4917940bdf12a4731a9e
SHA512 a0036f19663e6919da8c397d388d93ee94a7180bd0f85be7bb4bec1696641be1b2daf1174d805ee818b0c66a49685b1939e0534076927c04d863de4c6362735b

C:\Users\Admin\AppData\Local\Temp\cMYO.exe

MD5 8b062443ee47014f0be24352a5b94ab0
SHA1 85dc8d6afaf4a2490a12a436574546be3b6f5122
SHA256 b050df4eacc43378b508f3013529980c8640d33a6b891a26e4f14ade27bb2dec
SHA512 769d03904b237332030ec7b7de0a55b501070acac89c528630d4044af5d7992f6b72a1dd31f3d488d308dc51d9cbc3cdb23e946467c64162403b9512233cc252

C:\Users\Admin\AppData\Local\Temp\wYoq.exe

MD5 4d44e325353e1a4175c040d175b8091a
SHA1 acaa56e639d6cdd66363943c205acb78fc6aaeec
SHA256 3ca75b63c069ea5e10586d12e8cb7ea7ec7355daea3eaa825280280ef48a185e
SHA512 ca1da8067e9b22338ebe5b41ad125624155caffd467c7b1955734b1112259ff1e7b27d981efef935fde245180fbe61ef145ee7f70fd073079490ad9a3ebfa2ac

C:\Users\Admin\AppData\Local\Temp\mUUO.exe

MD5 5b7939fa1249cd2cace590e5d9c9d6b2
SHA1 f7eafa21aa96835481e792e202fadc254bf8df1f
SHA256 e51c9acb9d31e79e6c75340454189a3cedb78634dad70dfde00cc55195f3e5df
SHA512 f45a3e87aaf8bd4ed4436dc0f5776210a5772c0090a6e7d0a01d30c838a1fdd81be4cbdb80940e052816446fe1c8859ef00a8169c2abe89b940709fc8fe78e0f

C:\Users\Admin\AppData\Local\Temp\WQUG.exe

MD5 6f9cc4fcad80990e9f6227fa5d2a2dab
SHA1 f2d340e436683d2e0a2e95a32298209cd2bcea4d
SHA256 56f665a1fdf0acea49081a236de94df1694bdb5f485ada8221e2bedad381fd14
SHA512 6799cfde510a51bb52f6f49a8111e2c22822eef7fbc66e92d01347f29faa78471b0782b6902be4550bc32f9a3de7d9ad1be1573bcc9416aa59d085c9fbe87604

C:\Users\Admin\AppData\Local\Temp\wYQU.exe

MD5 d9520fccadfa5119821d7df10630debc
SHA1 75e41e67b13e75562647df4da4f54171a6c4d83b
SHA256 9bc4c05d86091a854dd67ff863f645609a29c9d02eb41fc0e803f5c4d4f3ed96
SHA512 281d4260281988762680ea945293a4947b13072ee715afc11d64cf97f45eba8eb445b65be3ebe437a33a23b3b5773d0407b7e39a912768272f077821a4251439

C:\Users\Admin\AppData\Local\Temp\wYcu.exe

MD5 336ee0fffa38f00bca9128eca45857b8
SHA1 76f6a4cc75c7e4da7f4a3386cec7152d052623df
SHA256 d371a6092f19e2abee716dc3f5f816d175861a4e9c05704e0e925ee2f4876aee
SHA512 8e322c5e4a3f4a7475ce877287143703c303e5b78deb60801e1320d1bdf416b329e968bd59129ce2c753fd25a3486c6cebc5882f4046916c0089b7ce2b3f5754

C:\Users\Admin\AppData\Local\Temp\EcYm.exe

MD5 6bace8945ae37fdba5160e7631a1963c
SHA1 41314edc93dfaa23a2e667808a228a76978ab1ca
SHA256 0a8e07aecd441188a50a7ff8e06abdccc8bf11e813e71b3781d046ce604a1734
SHA512 81e41a28a33dadc370494086ffca1e35bb18dfb7cf83c1fc57bc7f7913cc2d08c2da626564bb8bb4e42b242378f79909c5fee7991c2d8d1e8da5c4e3ea44adc0

C:\Users\Admin\AppData\Local\Temp\Mcco.exe

MD5 9d6f5c257fbf33b2946d9b461c3b3516
SHA1 5284daa55fb9fea939a33808aeb4cf3bc642c6c8
SHA256 5fc8d9d3034ae7cc7ed3c425d7b004615aeb6218580a97971a1544bdf6a0b35b
SHA512 c360eef39fc4cb9f909e680d8bb268bf2e93fdf5ac5e2eb50996388ff4f6c1b040be87bd7bee1a81ded467e2c5d50d1330553ce2c38d1800020fb3db917208cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 1ff7ee833c69769d11ff178a5844f618
SHA1 c1b25cded230f933514f8da3bb4a40acfaa1c7e6
SHA256 1fec73088bdabbaf40a8920878822b2284a6d4075608ed1b0d9ea8f8f3ee72c8
SHA512 bb4ed7c7b9d7ac6381d6caedba9968e261316a8b53133dfe7ecf44134ca4c1f63a48e2404dd9a4c0894bf2864308ecc04d7af084812c81ecf6e91b710096db4a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

MD5 352c16c74398c222db8ab777930ca133
SHA1 c4c15c61ced7b460999c76bf2285e8a15d2b6e94
SHA256 c0ce7cb544638d170f8feda9cc956371a6433dfaa2962ff3556903a23a323f2b
SHA512 af4a76b5f747c65864e2c5e9d786121202afc04d23c11c3e06af9ad277d23b6c6254b7493502a2fc8bc0006f7718ae0c5bbd373c92a533a726a7335fa43d8746

C:\Users\Admin\AppData\Local\Temp\SgYc.exe

MD5 54689b65b2085584051cb611b184f03a
SHA1 367399f1c594ea9f47510ba0b1ad24831426af6a
SHA256 1e0917fc72ac4dded9000cd16ebfd1913209e5764a7d1afa3d236d1cdcf324cd
SHA512 9aeae78e83404eb0d5236bff7961fd7f568a3439838e02fdebd2fe5563be7c915bb325e8b5f4f9cc0e4620eabc3c47b0b5304395c94e020ada5b11176f7a34ff

C:\Users\Admin\AppData\Local\Temp\qcsw.exe

MD5 40679e75d11b550bc6ca9e73f2e17138
SHA1 a29fdaf4f35159e2b3094f4451a49c01d3c66797
SHA256 6ec7906836ad16de964a8f1317c7173a5a87370a209fbab2d275e6ee2c65a411
SHA512 0dc6911f945ac6db9d73f1c72aac86456c4ccfd2e406f18d0891a7ed54592bb9175b664c817af49f232a3627a3ca99dbeb818fa8908e726aa6e01f3906845124

C:\Users\Admin\AppData\Local\Temp\Iwoy.exe

MD5 64d400c682512ddaa47154efb6a0a024
SHA1 3e14dcf84cdcbb66f06719357f612bb3dac0471b
SHA256 d5dc40fc457d8900838ddeb633c5b8a1899e248df1cfaa3cdddc2cf533f7dc53
SHA512 e71e6405e5c3b0dea56a1ebdf4a0425889b12248194ab8c4179c8c32364b2229bb34cb81f865cb12473138a96da3ac09fed32136423ff27d63de2a2060b34fcc

C:\Users\Admin\AppData\Local\Temp\Swka.exe

MD5 92fd8c877f0363b0237ee8bc61bd8e9c
SHA1 8bcdd6c5633eb295164e45ba7d9b57f21e69ba7f
SHA256 6ca7f29da1b6c5d2b1c6d11bfbf125aaf03de4f3b439e1a70c402176d1c15736
SHA512 4dd4f37880b6a070cb9c9387bd212462f47879a48e810d5ec5290097c075c01b510394569582eb9caccbbfd2ca327878b92cfd01f9c8c84850c934947e6830ed

C:\Users\Admin\AppData\Local\Temp\eUEI.exe

MD5 73926537d9bc86b9fe29cb56afe5fb29
SHA1 f0fffe588fc7d61227473faa85397a35017d1b69
SHA256 6af2132651f7fc107a4a8758cc7ae683c03770b985d1aa1c90fea4208c3e090b
SHA512 f6127b15966fd4a9928079fc3bceaf0f04eda7830c4e2ef3bb2d3f47e61f7973a3e8e5827bff4d5711f69462656119f7565cbbeb25614ef26e66fd27a472428c

C:\Users\Admin\AppData\Local\Temp\SQMm.exe

MD5 3ab6acac945dd75e2ba04db0a3924096
SHA1 16c5f72a7dddbafee88051885e6f0b2673e6d5ec
SHA256 785fe98d5dfa2e186704fefe301c6dfb4c7587e8d225612db0edb86e3b2cef0d
SHA512 afd20e34dd3ebc7a5600109fc21c987a2ce8b036ea8437aa35bdac62f0e0e601f4ee5aba374c0d0a412433972700139ed9be67e25ef856a002a6f2acb35c66ef

C:\Users\Admin\AppData\Local\Temp\SoMM.exe

MD5 fd018d4f56f96cf8d93bec581cbeda03
SHA1 434067d9c039fe563c9ee1c5544b7b2665864c3f
SHA256 801912a8d9566d9dcae82d7bbf4da45f375fdccc4b0a9a14e1cd3d10ab853d20
SHA512 1156bbeb43d46e44960e3181b44252753034101541ff4139cee68d872b7172180c221945a81e410211d4f0c3a0e91fbd106f374d3b1c52b53fb62ac4542615cb

C:\Users\Admin\AppData\Local\Temp\AUkG.exe

MD5 346970945754f03ef78345e23ad3d1df
SHA1 ddd338746c7cf08bac4be7d21ca5a97f811f82b0
SHA256 3ac9789e6a165bc22179903a8e1a78f38a40660e3421545c87fbd84c55c6de4b
SHA512 5d72b043a3ec2089189e35d1a803045e5d3da81bde0a8c84747a582f90a0d3a2d206abea98e2e25b214518352c999c05f6f0614fcf54ed6dc85c8f2e28283db3

C:\Users\Admin\AppData\Local\Temp\sgwG.exe

MD5 9b866197116e518d902490bc79b0e416
SHA1 25da110138a82fba0f296250ac036a947daaa811
SHA256 ccb3f171db821831b48089b8d7ae6e9905dbfe9a5ed19e20fc33db605ac0bf25
SHA512 cce825c2c635826ab8b09b08e16d0e7fbd7f562662933408e00c8212533a99c4260317547014b17f993b4b83bdee262d9450ac93ab7f14bbaa64134a15e88828

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 1cc2d6bd2d6cd9e775c324dc8e93bd7f
SHA1 1957781800a370225fd0dc68f9637afe69d1f965
SHA256 f9b0c8c58382a5fde6139840fda572c65eb95a0bf8159407eacef10ecdb62405
SHA512 15ab9ee15d09e77da34c621fa9a4b7ca2179fc8d657445c3e4087ac76246fc71e2e795b6e4b5f23c36305622a709da0c687a7b109c22ab96b788a3c060bb49d8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 e57d6e3bcc740d45ef6d7e3285838f1f
SHA1 aea202bc8968b49d3903ccb0909273e0e6198547
SHA256 b67a6e4d44a5537e4d86fe6afef81f4112e11a3ea5dcbe0d5e2d23022d114f1b
SHA512 b6daf82e66bb50ac427fdc060367b490ccf70a9a8057e9d7948b38791ce3154722381ded90114872940d9c5f8ae2db874a4a7b218c72067232a7e5b922d4c974

C:\Users\Admin\AppData\Local\Temp\oMAS.exe

MD5 642a2289ffb0226eca91e0c8454b0d37
SHA1 4a81bba7d6b6a383a94e09ea6e6dd8e919f1b3d3
SHA256 c19a042eed97efacb1a51555ab4145e855143dd35578f076371b05cc4d64f918
SHA512 ff2d15db9c75d0d6f54f2f0319a2aec7b639dc72ad2b11698b7134a422f0cc3396fb2d6640923b2d0c12ca34c5f1db497cd3550d99a9a3a8dd729d2e022c138a

C:\Users\Admin\AppData\Local\Temp\AQAu.exe

MD5 85743303aa84a3b9421eadcbdcaf1d17
SHA1 6f8b78d49e7ac04dc3c10f24ff6040b65976a027
SHA256 70f886936e4a237a7ba8e0f059a14b05b051f8aee9567193f2feb968b0aa2354
SHA512 682a23e9ebdfd6efc42e972fb9b6b0de3e9f8cadef683f584738f5362b259bb9f7f0a203c62d8b0522a66d3cf320cb0bef72a2075be44b4af93b61ea0a565345

C:\Users\Admin\AppData\Local\Temp\UcIG.exe

MD5 27582b94e99d0694eacd17002b49f260
SHA1 9c1d80f790c338bc418d41344a80175e4316c948
SHA256 e62a7eca858fb1019e5dd7732d316b262e192ca06febfeb978ac990f23743b57
SHA512 271ecbc857da226e91e7002487ea41fd0778b572f1a410f964e90b2637fff6fa3a975c75e4ffcc30f40f1cf7032570b1173cc95c33f2198f810fd2ecce55330b

C:\Users\Admin\AppData\Local\Temp\mgcs.exe

MD5 7c7df0dbec20fda5df619bf4373f12f4
SHA1 28e51a7ede383d88b14d7f68f00c557ceb6873e9
SHA256 8eab0e42c15238b1c05568c998f10b1effeda0dba4b96a989572eae4099ab28e
SHA512 63194603aee8da8201ffebba27bf6253d7000145f78726e18f77789717b6672efea75606d44f77e911ad54f86588e9bb0389856654788c772aaf838bd762a4d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 88ce66fe6eef2e4a0e3e52ae3a316d94
SHA1 9f4ebf6b8057eea9f62015feb4370d7801f28e08
SHA256 16195499f2a9c1a64fb03c354b40fd98f04d1f4a486b0d85767e85a5b0cfda35
SHA512 05b997644bf1cd06fe0faae0cd7ca2da531f26ce41a861b48af70eed4975255a806197c22e054ea166fcd0a570520504ac3573eea8148e204f7a5f0be7995a78

C:\Users\Admin\AppData\Local\Temp\OQgO.exe

MD5 c77505b68330eb3ebb510a96f5e3640d
SHA1 f443b641f8be58a56aee061386aee5892e9109a4
SHA256 f47d0e717a32736bb30a954e6348a7d22dca1510bd3082dbe5b2e0ae59e4cc1f
SHA512 6652da25fdc2b41ca978c473fedbd931634fb900cbb7f9a5eb8471a6242ce997345018c6771abb3c46e5fb396bcc45e316e110a18d80196be4121369975dcd53

C:\Users\Admin\AppData\Local\Temp\UMQq.exe

MD5 88b7b0123b8e55c34d4c5764a0670230
SHA1 04dc7c6c045a3fa7df149705a40625d3ff5e61b2
SHA256 0049d6d43d966c4ee20f3e3f16de916d296f9f420057d1eb35097681d8d8833b
SHA512 0ac4c53e49866749e76b051d6ea5dc86c8881ca53ee560494969d1f0ebb1aa4cc28cf9eb424cd0ddd91dcb47c1f5f0ca4a923be699c33e8e8807eb6d34f1f7d3

C:\Users\Admin\AppData\Local\Temp\OAEU.exe

MD5 0dd9d4704e1f3f2bf245dae8a2f0828d
SHA1 dd39139109ee9ec3cdb1ff153827060dcb5bf128
SHA256 41977fc45c4122402d3cf9fa25243a2ecbed98f0b9be12059c33df08e71a8927
SHA512 6e312630c4bf510438788276e0f353321b44dbbdf2022f238688d2f3a7c4165ef7e9119d08e944671a76853c5f058660bdd2f94f21a9374ec45f96d5a03635f3

C:\Users\Admin\AppData\Local\Temp\ccAS.exe

MD5 2e9e46cc2ae6e8579a1bee1987feb25d
SHA1 1ed6178c154a49d86974b297fbda7241ea5a16df
SHA256 04c9bd692cd63848c2ea186df918f67d82ad758a1c7b0665eb5ebca42d42c5c8
SHA512 29f31a69134e1c68300778da5cd22ce5ca0aed6f3cd99a4bc17d0abc2d503a35fe9aaf67f5778cb113d6fd70500ec858d583f5c131703b3fc9ecf8477a0e21a0

C:\Users\Admin\AppData\Local\Temp\oosg.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 714fc8119821ca811d384e41cd8660f0
SHA1 43536d2727beec6181aa0a788a8cf42aaa968cbe
SHA256 ee86f8e81b4d17673c44943c61b22d11ecb8c226a63a3cfe718ed9808ee7230b
SHA512 c12b51c11418330b93a8fc806db807cd8aa2c60842bdff9f2f9bd819841653f783eb74fa19521f74d06a1afee604fae8d414e470605d2e3dc27882a07c864160

C:\Users\Admin\AppData\Local\Temp\CogM.exe

MD5 2fddeb16cca4f5b596350f0fd27fe1d8
SHA1 12668059f26b76a3dcc5b851ccde9284c095b005
SHA256 4e44569e78fc0e4b21e8adc6c0a88a26ea1e2943385df514b49d37ce6241e2e2
SHA512 b46ad3d93504767c9197cebe523b8ff4cd30b2b6ed9e3fd8904a4655eb23bc54f3b49fd04b5e0a3d6163e8432fbad49638d4bd26d28c3dbe8546c7c87c710066

C:\Users\Admin\AppData\Local\Temp\koUq.exe

MD5 e4d6d551cab462aeed74d1eb5500d462
SHA1 7929e311e0440e39b074f455fde19cc5e076d7e6
SHA256 d7b60b0f832ef182fc552124de95b509c1ed728a4c1c9aab61fc2625e6736130
SHA512 14226dd4b7bae7fc7193a872b5591182ce1a25f5516580eb61133b19916c2a9c85f737e1afdd98898aaa1517567b4aa78faa659b98722e5a8e3295ff7a0d7114

C:\Users\Admin\AppData\Local\Temp\kEwC.exe

MD5 7cdbb9cd45270789e5be9a94b8f9a062
SHA1 f42487a871f4557ba303ebef1929192e00e8e2ec
SHA256 e4a0f6251ef932ab5472771c27c8c01f98c309a5be954b38b3b0a64f55901fd0
SHA512 219b721b01998fb589205759e3f85821c81c0039f443eb0b5c1a5fbdf3d316805065f8616f8ca68ea84158c6977890901dc6dbe41b13ba3de285b45ae5fdf621

C:\Users\Admin\AppData\Local\Temp\Wkou.exe

MD5 76efef139f8bec25eb7a53078becf74d
SHA1 df687d76279cca96ab3157093507cb17025450e8
SHA256 dece457683ce5f54badb6ce971f4e6b8a4b72305108eaf4284d693ad676b5ad6
SHA512 f811de1368c567660bc461bd63ca4c49b2942f19dbd9680a8174f988195b1504a018222db4bc9c81ba7dadafb749c1dab4234174c4536531fe139dbc3e34343a

C:\Users\Admin\AppData\Local\Temp\ycsw.exe

MD5 701939d54de65989fbbd1a3dfbfe00e8
SHA1 27d8ac1a5839e6ca52e32d32b0b1ad402cd759a5
SHA256 a915f50121cf69a12b0c03ad3affcb09322b354698ed6e07aef14d73111e47c4
SHA512 97629d684dc18619f92874e13acf199ed7a7da90b51f37a6def458dd68b57023bcbb42f906e9c8f19ea08b6ec86354a02297b0ce450f487ab12b5e18ecce37e8

C:\Users\Admin\AppData\Local\Temp\GgMC.exe

MD5 e1c4252fc06feb91eea2b3d60c06cb37
SHA1 20674e8ead966d730bfb3815938feced4c1eec8a
SHA256 d019b953619f0d2c20504fc57bf7d9c24edd3b7b374199bfd3981fb02092cf80
SHA512 26f8038578f2f084270ebb5c94c0e5e928530689ce1bb5a90226703f32678d6adbf47824881ff09860d9ba53c681c5284f4e71ed26c74bb4446f8edfcebfee54

C:\Users\Admin\AppData\Local\Temp\GAgu.exe

MD5 32c75a8d4846a09bede0478245adcf4a
SHA1 adcf6cc0168df94d7ee645c8f810ee3ab4a88999
SHA256 4d6d43535f7fa59daf064e449a9956df03a9e431d90f49ab85c77d663c8ca8c0
SHA512 b680069fd712f417322443b12fef93f9690778bd6974da8e73deb9457680d9b1a6e931e39f3fdca2a63f8c472f07a40be20dca9843748524d79ca3d7c6f076d1

C:\Users\Admin\AppData\Local\Temp\CsgQ.exe

MD5 b6ea859f7fbd292ccbc77e66d5154490
SHA1 ae153e422bcc79786d4d816fdc24586eeef88e35
SHA256 0351c6b9bee22a8dd5b6090c33bd48524ba4fa6be6af31f0e07f25b4d7858c98
SHA512 c27aff7cfd064f66f67dc57cfefdb7a1fb23f0b977612bfd943bb2b32f9d9d628aa0570ab26e419aa9746e2858891161ca8bde993eb729cdeb2a2b6007651483

C:\Users\Admin\AppData\Local\Temp\kcsq.exe

MD5 c293bc79b23569c06e4f59c3d1b5de3e
SHA1 3c092a8de9e988affc8cd29bc8d26ae594111dea
SHA256 c20d2aad611c58c58152c2251b797005812ce194a29be06f91fd2c33934a6069
SHA512 62213e8ac05edc6a79c9a1923b97d7b19c0e7135e9f857073749940669b06982710af38dd9a54461c3db88942eb7e83478cc25b90ece0615654e9fef90b6d9fd

C:\Users\Admin\AppData\Local\Temp\mIoK.exe

MD5 498192a2793e39851635f1d0a06a19ca
SHA1 fce402d94bb48365ebe8f08f31508cb5fae28015
SHA256 2bcbd42aad20d0860c7a676d12c25d23252344753b362f5d834f50c6d091a243
SHA512 eb336748ebc414ea2e69f87921c6812428109ee115cca1205299d8c84a8e519ab10e94dc3cefa48b631cec325a97d174b4dd36353b162616f90c6771f62a5113

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 ccb848ef0fa7efbe7ee41a8fd4a1145e
SHA1 f3fdf0c901548f783b0654ec599b89cd13c5adc9
SHA256 9aab8ac1c86419eba53624d5cf4ed4f502d1f5cd42e72b020ede2c5fbd8ca9f8
SHA512 b37d1cfb6ebbb8c0a4aebe317d00b3ab4fc67d2eefeb7b955dc2b3d3afdf41450382a82981256876f86154124ac464fec1061e0348bcd1b02e16f1eb0669daa8

C:\Users\Admin\AppData\Local\Temp\iEEY.exe

MD5 31ab8c31c12220a40428a2fb85ee103c
SHA1 7b30572ec73a9a86b892e827c808df10b6deeaf2
SHA256 749fb21f15e11875f23fed5a2fa972aadf10c629bb8056f30b3b18587321b962
SHA512 4938b155f653a416e3d52c0aa171f38fd404b79fc409b12a5370c91cdd80c8015b7088e956d8170d5b1aba79c3f99743833e93967c3f6b41b205e270f797d61b

C:\Users\Admin\AppData\Local\Temp\UAUU.exe

MD5 eb0adb912f10ce08c17a330f4eda5636
SHA1 29f2441a5b0ba2f78d7ea51a4b17b04a0d86cced
SHA256 ff176f1269b7588a2a6c60b21d9395e9c0e00392f06b52cc3d9002d09dddd9b2
SHA512 2b3e5d7c364e0abe9c20186936de23d526f786cca3348fe7a7a9f0439dc4a70cb42469998b38835c8dbb1f35c6ef4df0f899435a5b933c0b3e9369d25d77aa46

C:\Users\Admin\AppData\Local\Temp\iYAc.exe

MD5 00edfa3089c4f27d7a30b5ee695b57e5
SHA1 b643adcf3d8136bde6324e00765f82671a9f906f
SHA256 833cd2d5b15791d896a125079a9c34db669e6a148d0e60b4d44d04d3602254c5
SHA512 24f8dbe79de36918e48e6c95a8dc1ba4a0659969d9e309643b7a23081f35709102234163fb40b10dac12abd82fb08fc895bbcaa0c1aade39445fe8d16660d943

C:\Users\Admin\AppData\Local\Temp\GYYk.exe

MD5 659e7050a28bcad33204ee88d8ef51c5
SHA1 151cfb80413878937f4b0cb346a92de6ef21dbde
SHA256 6eadc79d2b60ba7da8e7f0bf0154826c39fbfc459ea89f8de2fe734087e083c7
SHA512 abb09c71c49472a049f3826e10db7db70c2661dfbe416a9806d4dfcdaf9940de6814ae3fd51d4fc90506346ba29f27565ff4a60b9b479c75004522b39648c249

C:\Users\Admin\AppData\Local\Temp\coAc.exe

MD5 aaa6de7e5ea244c8bb842f8463a8ca4a
SHA1 223aa057c4a8147b54831b2380aed36b1637ada0
SHA256 8a1bc9a5beb56eeb1db58b1b5b799c48aa7bdfe25999a1e8188eb469a48af8b3
SHA512 ee3b74434ebe58160f0ce71047804d1bc8ceff6dbaefc4a2458701c0ff20f26e21b37d9b412145dbeedb2f5411898663110bd2ca6fa0e0d4f870a78a5d40e16b

C:\Users\Admin\AppData\Local\Temp\ogsM.ico

MD5 d07076334c046eb9c4fdf5ec067b2f99
SHA1 5d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256 a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA512 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

C:\Users\Admin\AppData\Local\Temp\KcMW.exe

MD5 26451994b09f8c91e3d366c93f190bfb
SHA1 21c41a31113a96fcf36fcb1d222d5f414063262e
SHA256 3e86d22c9474c6ea8f88bfa6db6a44e1bd01d6d9ba47a825b5658615252ab565
SHA512 43b7e20196d8cfa6a5519a0a6212be79adeb25d2bf58b5c96b28f1bf5c633ef7e2b5f03da860ec26922e73e113499c2de91606893db5b1e84dd24c9055133473

C:\Users\Admin\AppData\Local\Temp\EwUI.exe

MD5 0e3eec2c7115bc26e12af95f6af77e49
SHA1 8b60368ac24172e50e88fe236b0357f86dbbb68b
SHA256 e8c710fce815fa2258a90ed51da8a6a01c74f664e1c65672ad737ff622304b02
SHA512 e10c16fb8832c3b5dee10442b009e47e01db5755b65290a8a2b03d48945e8384604470865063ac8824a45b1d82b44ebd6a0409353333b59e2de97d53987775c9

C:\Users\Admin\AppData\Local\Temp\GwQY.exe

MD5 cd0721e262d19894dcbb1e744d66e36b
SHA1 853448b088dd65c4f3447d2c0e3b27722f772be4
SHA256 b63b84821dfbec435790eed4bdbba3287b7fc2dc124f09bb1596c9b33c1d9357
SHA512 24b074dbeba45f92fcf0b3e5533aeca6e78c31f8b1609b35ec7998843983764a0b22a075e0e2f74286cfd2d11c9f84dcb0412205b789442834658f64995a5f18

C:\Users\Admin\AppData\Local\Temp\McIM.exe

MD5 ab9805295b12af86f8fcf619fbc585dc
SHA1 98ed4c56a66de04ffe689e96c9d596859f8e84aa
SHA256 a69566d6076249e005123470a164689d33107637850dab7d0621fe85aff7e0e6
SHA512 166ae5249e18d09934bcb77e907a5ea4e81a64f89e5f77d1e787c7ab29c249d95f9c5d47f62fe7e1acaebefd175975e5ec763fbf641391d7490e93e038b88916

C:\Users\Admin\AppData\Local\Temp\yEgo.exe

MD5 f95d2df53527b58f2fd5f16a271ba023
SHA1 94be2733725657780f9fec03e5bb0ceb86c60827
SHA256 36b46e6a97b0c0dfaf8f29ac46f89dffa5cf8ac798e97bfaf5736f5500a6d946
SHA512 c76cb23319fbc9b3a49f393407376f52c535a3e178272f0869d7d463f6b1a7b7507c8d8db1afb388a2d9eeb707f2eda521f43a6d46b8e33257fa53de27de149c

C:\Users\Admin\AppData\Local\Temp\OgMa.exe

MD5 da67c2d9892e911dd9224a4ab4cc0620
SHA1 0a1d095f721da10961f74e26942236b003af6d2b
SHA256 4499936191856b601bc9438e94756fef7ccb256e4d32cc1088651eb94d65865a
SHA512 3712070f0abb0ab963054711d69f3ab79c30dd1cd89fc51f5215f85a242b093e1b7e3062601403128e095fa1bc7885b7629378ff3cd489f25b5f8a4be96352ed

C:\Users\Admin\AppData\Local\Temp\UIQc.exe

MD5 ac6e0ab84455a51463c7b4e6fdce377e
SHA1 faf0cba283214fac46fd64f2e24c4c9f3bdea440
SHA256 27de6929fe33afe42806a6dbee0a880f2dca7717f086a38f1d30052ba972d225
SHA512 648294d195fcdc6263c743b463f1a15ef732cdae9d9704fb6eaf1f740f0ba31db5635d67b180087a6ee44f92fc17d88a485ab072e9d5123080809ad852acec98

C:\Users\Admin\AppData\Local\Temp\oEAa.exe

MD5 a8cbbec352ff55c0031110a4cb9513a7
SHA1 65868b4e321fdf1a99b78d3e7b4dd0aea791eb85
SHA256 df8c7733d8f72e4ef29ee6932dbcecb2ce6082d23979f1dbec416444c601f5ca
SHA512 0098ef7543aeeb72f4653f3c220b879fb1c26f742928ca29d157fee29bdf7360b76e6e1185efb58d99b2230011a936b99da8ca2070622f19da01f8e7e5af3015

C:\Users\Admin\AppData\Local\Temp\YYgq.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\kIQa.exe

MD5 79e6eeb1275e7b1d388675870876add3
SHA1 c7ba4b2dc01408d99beb4a6ce2213b1c97c49795
SHA256 dbf67d519dbba4762e15d7c46445e784a590276a0bed2fa9cdc0620ca3e503d2
SHA512 9d7759daf2c737a9bb57d287f8329bdc5b94f6d2098f4fd516a7ff74c3df17a3c40642daa453f72e3272e31668b9e9dd248be2d1e6e5ce17a750fc42b9fff407

C:\Users\Admin\AppData\Local\Temp\CAwK.exe

MD5 52d10db90d9bf2be188330a498aa73dc
SHA1 c6e0bcb7b2380d362fd411c6abdc9bae28a9a451
SHA256 f458d6bb2e408af9c15b1351531e01414e786d29203cb582b982b7c63d4fdf68
SHA512 49c8626c1b0a24895ddbc7672f7e5329aeca00db1508298453f5f78a8cf11c543c3e2acbe2ad87cd8c703e670a403680d6849971f5088a2a1d0ab834d00bb70b

C:\Users\Admin\AppData\Local\Temp\Cgoy.exe

MD5 ff119a6473b30f91383ade634fe48935
SHA1 d3fb82b3f704007df5390b8e35de1af3a5cca9f1
SHA256 997f9535e0ce054e0a93a2b925355ecd2ae352d5a828b4328e2feca8055de84f
SHA512 53011f0926879c1931f91880d5dbbc70f2c0b1273c88beafadcd190dcb49e7598c14231da7b402f69fe4b161ec7cfecfb050e1ea56ca5bf58053f84b8d34e323

C:\Users\Admin\AppData\Local\Temp\WgYq.exe

MD5 d38768061ab2993c1577992e9ccc0264
SHA1 ace976ceecb014db697969ae5e146930fd8d6a78
SHA256 61ef2e3ecc067bb47710efd2b67825773586e9a921f5ea1700e3f18f3c46eaf9
SHA512 827b2bb312ca24129c5594cfafae877331cd2e9926b8c8635a058b87f120fc471f4edc35760fcf00c2bd939891b2df246951b407453a21f29bb7141f4db8853f

C:\Users\Admin\AppData\Local\Temp\gEwC.exe

MD5 20ff2818f4559841aac0b034887fd2d5
SHA1 bfeefec7d45d3b6d03ab0c0bc2b1b944f85f3442
SHA256 c60f169e56de200f5c2b25a6e73e30f48b12439ba8bd7ae10c9669f1403efdd5
SHA512 3bb32f413d4798e0843815f4caf17fcc4365745ca0a84886ff9f601f523ab8c866b4e3d37d21976f3cdcb7c94cd5b8b0ecb5a86b3efab65f0f01597d23ceaeaf

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 810295655bb352c16f195e9f83cd4385
SHA1 0a4131c7bba8f4131d06e8bd3e44904d37c8ed32
SHA256 195be72c46f6b3e52c4440e0bb6f7c138086e29281f9ee8d66f08e5b71097b42
SHA512 4e998bdd76b1bee86cbc4d3ce85b6cfe4d8f9884c8ed7f050322e5752f1b8dedd097e9e062bd46bbe124c1f9e7332a1ac5df1c4b74fed2c1857df08e545ccf08

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 e753c70a4993b3b4d32b2f540418bdbc
SHA1 637aeeed0073d1cbd703897ea73176ee177837f4
SHA256 6d9ab55cb410ed84f97535576aa78d10eb9a1444a79fcbc004eb41c44e1ebd4f
SHA512 26169525bc3df908e80b6cc1af605d5042a7282827c7c7c62d16b75c03e45e03a73e20914059808bd77757e71e1a96d4fd0906916af6066c622b099fd8c6c85a

C:\Users\Admin\AppData\Local\Temp\Kosa.exe

MD5 e90a3c26465e3ac14535d719093fb55f
SHA1 d5f3f3d9185df71141d33cc169e8b5ae1cf9a17e
SHA256 f9b966262c5f3a2f9dea13c66b05a12bd998ee641930272efafdc0fb8fa0b4d6
SHA512 ab0bc8f588a27dad5ef488728da3dd354fd019b9630274954cb9b7f0727baf6e3c2f803ac0638542607c1b39f12e9799e515076b8013f7cfd5006ffab638acbc

C:\Users\Admin\AppData\Local\Temp\wQcO.exe

MD5 b88f1682162084bfe6a39f2cac45cab2
SHA1 c884a3b6cd2422c94183d1e1ab9943253b569d7e
SHA256 06bed0e2504cface561f01a1e29d3b2f3c8bbed9fe7e0b98792d9ffa91236225
SHA512 cbadab3848071daad559624a11d2b78f67253d38b8aa6dc28ae12215615d98684b40b663bf6edddaf7a9248f723cdcd48bfd67d33711062031377b34b4a60832