Malware Analysis Report

2025-01-22 20:17

Sample ID 241020-b7htcs1gqh
Target 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
SHA256 8ebba18732ca21d3a0df3c5cad95cf867de57ee57a1898e82bdf25ab1865f23d
Tags
discovery evasion persistence trojan ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ebba18732ca21d3a0df3c5cad95cf867de57ee57a1898e82bdf25ab1865f23d

Threat Level: Known bad

The file 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence trojan ransomware spyware stealer

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (78) files with added filename extension

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:47

Reported

2024-10-20 01:49

Platform

win7-20241010-en

Max time kernel

16s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\NmkcgsMc\UKMsskQE.exe N/A
N/A N/A C:\ProgramData\wSIQkMEU\qwIscQwA.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKMsskQE.exe = "C:\\Users\\Admin\\NmkcgsMc\\UKMsskQE.exe" C:\Users\Admin\NmkcgsMc\UKMsskQE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwIscQwA.exe = "C:\\ProgramData\\wSIQkMEU\\qwIscQwA.exe" C:\ProgramData\wSIQkMEU\qwIscQwA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UKMsskQE.exe = "C:\\Users\\Admin\\NmkcgsMc\\UKMsskQE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwIscQwA.exe = "C:\\ProgramData\\wSIQkMEU\\qwIscQwA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\NmkcgsMc\UKMsskQE.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\NmkcgsMc\UKMsskQE.exe
PID 2380 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\NmkcgsMc\UKMsskQE.exe
PID 2380 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\NmkcgsMc\UKMsskQE.exe
PID 2380 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\NmkcgsMc\UKMsskQE.exe
PID 2380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\wSIQkMEU\qwIscQwA.exe
PID 2380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\wSIQkMEU\qwIscQwA.exe
PID 2380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\wSIQkMEU\qwIscQwA.exe
PID 2380 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\wSIQkMEU\qwIscQwA.exe
PID 2380 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 2016 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 2016 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 2016 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 2380 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2920 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2920 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2920 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2440 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2648 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2440 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 932 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 932 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe"

C:\Users\Admin\NmkcgsMc\UKMsskQE.exe

"C:\Users\Admin\NmkcgsMc\UKMsskQE.exe"

C:\ProgramData\wSIQkMEU\qwIscQwA.exe

"C:\ProgramData\wSIQkMEU\qwIscQwA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-96927588-1668594510-887566661985858318-4356971971979325582-1812838372-889206768"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10523067692020779955-1127036797-1703213784-190081027165455230216255769902020240584"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSQsgYIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1624564826-1341162525-461603915-1404551727-611285910-10263223491959541007-1613676838"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1894398354-50555070619662414081819523470-423553393-20347316051746727832-1002694356"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "484354889897427547360261057-10037893-881549763-1830999624-1383428051069622988"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYcsQgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8366479201518248138-1447293176-813617347-1697186716-1226312944-185198298900379486"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "928035502177052007-16482928181618080931470169011-906718073-376917964313804764"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgMkIIog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7853300141890733519-945325211-646789712-212546877948974789817924700042061934448"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-898961557960953032519675052-472436716-1644251723-2069564828-420538587-810478299"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12728390385977493551728153371-1165155019-3049194931023703816699810039814534179"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aygUUcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4519587986888702482116920432330424505-13063313691233104552-7926845-1414123231"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGcQwQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1559083879-11956845932956316225347778752102289263853310029-549014872-1149169380"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-49866507910707152713003501161538028929-4364082972093313673-1478984823621706561"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6289257541384748297-458251954-10589014948558095111132650703-5143687431828109277"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1969475220-1604239486-2082071968605044267-2055165147-139907319612258800921070355695"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkIYoAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-115598300811518824431938331054-2095825797-8836629838702776311612604070-479479646"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "636994672634486071316387306-2126423677-1502385107-84850701813358996-972295654"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1214867645-53002834916559984201943082562-965786566905733290-1089183395-540328873"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1337642666-1659695474212935115317228090492005852940893985012-9791417002130732524"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ROMcQoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-6837964761371277231983843737787976689108716885-13877538101584112388521402968"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1620300222306261122-992033286-745429151-1536556741-384864955547407223-1256095045"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAcMYIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2157387847924763687020022491290696381096085670-3428909011814037163699584340"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToooIoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1530200683498081135-732834702927599540744640287-1256711030841204628-369384763"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-80241425497831803981617133163497003-20733660851107463006-9426870851554085287"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMMskUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "115019031618917829139874109442478614211464039961-146146543324804237-1773244427"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWIsMMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1627668436-568099902-100079469978194185-924916165862281659-20691266541437654482"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1312606308913435742-18894033291240639152-191706573910490766427009472361835106311"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1602600968-1947793605-786113304474340932-1675112622142738286442893294755876389"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1618513775-437617888-215439393-1463684725-985295609-30039182-848851792-2140607645"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGEIsMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "326056743-113650188510618360194099476919700033131098276522-891819379-2114437385"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqowQoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMAkgkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1224945665-1264253406-786896081-1086952836480203210-374520565864848189981128581"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-280484291-1927959670499750489-1546149661-202022077-144742598250254017-856633236"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qwgwMMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "453681834-4799067112776066240921451915318598082107745475-11640197001958268671"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-265678018-595666918-90594439-9127867812100107950167789040415098138071592124904"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGgYogMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-477656641-796885770527049102-2141036879331880387-753714214935895067-511932416"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9831972133594465425239678961033563046-905492111-201537980916694130901577730787"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qcQsIUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-77368935-1992668752052964838-423993723-781584794678784771-20630781331769283695"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sokQEkQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1454875663-731331871-10716870771690146508-2018105662-1756000875-2947296341036167650"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SkgIoUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOcAMwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fcgYMQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQwgQUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "181745945-4946002414155066151656241246774450715448015381-577277865127937228"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAIAMAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "206433086143582815211608370541348255893243541504-1943338261313623502115643343"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nyUYMUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-413104290-905221223-18480389251582888124-17238281956080803-333488511396502647"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqUocEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1204171168143484035758988365012961189701195626912-694263564423131416677325833"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "927169843-168162840-193989403-1782111341111669316212804495201413502480-1403593387"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1397093556-1560264093207699278817238789947079218097983238-1052554183-585347065"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwMYMwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\waAgQsMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKcMQooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14845443931115460899-1432916479-20013062468752380921166894350836959887-1347336382"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-786086120165394696-21372948902109850831-1945072811-64441740315207216391008177499"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EwIssAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9643856134395682211175099982-1801882062627740521-1552875015-1713800750-552402736"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWQAQIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2985719251290789397-1801076257-91536717910480145981697038988-569819235-1132604781"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1178861881-211741177-1705770481311792975-155405625-928018654188552750-1201201749"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-200564270520223160581862197499218127108-154579820519279425-8681391351755952202"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oeYkgosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QiYEsMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1949095885544577039462478573221059065-1653222448-1087496355-251202222002481616"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "208958291-125479062821049251001740757213-836897458-177408729618548103721299608765"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IkgkEMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-185345254-1565425049-24080441840098313-1089532849-1481745316-16723655601299893405"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1984242923-159879651381665481411020245-1575826922406057725-1280530590335120000"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20397656442816389732053858418-8781265481971981905-20718300151027738395-2145311168"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hsIMUsIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1731047197-1594902201-80938045319178951691359993501166684029-523347001-826463524"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGYwoowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqogYMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3105593421857903657-19900935861634410259-386116240475634417104716525-479963545"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-973903011679765408841513298-12433500291190393841867515513-1135545885-411157282"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGccMMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-142152496710926680391440218646577786276208705524313277127022075590276849223"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgkUwEQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "377307340207120976735935951566913659011611434711208459511-172602440535461749"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMYkgwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmsgwsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZswoUooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iycscEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywMwwMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOkssAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\okAUgwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "591538666-16124271821922499862-91808205-680767913-720361060-21418747122044044024"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GAsoMsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKIwYUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMUQMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCcIYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HswokYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nmUQMsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15943760994967966331934908529134208816619767007361639020371980666098-2019672140"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FYcYksAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEQgoQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcMQYkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aSoQUAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QYsUIEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KaUEcMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wogkoogo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSUkEIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgskckIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQQYAYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hukwsIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkYEwsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgAUEgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEccQMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NWUkYogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1512643181548114684-1167022928-1847262331035333381108710102-804230383-845684201"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMIEMEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSEMIUgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-187393420232593010716241810788043583241398795940-1683355080-10224291241998298677"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmMQoMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUMswwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImUMIcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSscIsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKYcEUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KiQowIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAEcwYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gSwUsIAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HOAgYsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKQQcQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQEQUMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyokoggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQEUEAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FuUMogkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoIAQEAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\meIgQAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2098452284-296722579-229858116-2047052481638999709-198917214161296730-1335325540"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AykYcYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-665115092-11668588-11129862391044017576-1254136903-1466861868-1446757519543209077"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sIUwMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-661791276-1873494396-1726923469-61236955415655383801646403455-1714149437-1205904541"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuYwsUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1614302923-759221106-13258059151858668708-25203328749585827-29322556-1802041915"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwcokEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKwcAEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rWUkYQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyogswEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsMocggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JGsIUUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BOEIYkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkYQEYgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SsccQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOswMsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgQwcsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmEgQUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmgUUUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiskMQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWMMUgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUUUYYQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgAocIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8024205921269402812-600660059-12651442338320822-1723454343228952611694728259"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TeoYEMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMYAIskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwMoscEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISkkQYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkoIQkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKEwssYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aagUcokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iwQUokko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sqogAUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PsUogMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsEAEoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZEEcYIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIQcogsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmEwsokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RoMgAgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jykQkcss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HkcYAMok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IokYEgsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IEwskowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myoIAYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.46:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2380-0-0x0000000000400000-0x000000000043B000-memory.dmp

\Users\Admin\NmkcgsMc\UKMsskQE.exe

MD5 54906ade6ff4340bc34fa3b5efee4280
SHA1 bbb58c502135157c0b2deac101612dfc1bdf3b90
SHA256 e0c99478898375e64969206610c6bae07b885fc2a58bb466b34ac513dab1d237
SHA512 9933444e5516a02a67e9ddddaa3f48a7286d7df09871ed02433029ee2f4369aa2db2ed99d668c8c76f9a34d800c925c2262ac4f770c9684b5e5100304ecb27d4

\ProgramData\wSIQkMEU\qwIscQwA.exe

MD5 f1aa8593dd92df1a31fed59abb44fb75
SHA1 9894ad6ab74fe95592c380cd645a557e3b6e9d04
SHA256 e6a387e85f7a371fc4bfa0ac25a67985cf6ff2b5e81811f6946c08b91fa1551f
SHA512 afdf9f233cb009bcef49644003d7cd091ecc8484260c61f9ec792e504d45ab425098046b4b9f6cebc89493780c96363db21b612433c34ec524036d5a89333279

memory/2440-41-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2016-40-0x0000000000140000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1196-80-0x0000000000120000-0x000000000015B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgMkIIog.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/3024-102-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1692-124-0x00000000002A0000-0x00000000002DB000-memory.dmp

memory/2212-170-0x0000000000120000-0x000000000015B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

MD5 8069e690a23c6c533e7209fc672f9b23
SHA1 7c4c896dd84d8cf02eac5f74282a18323a0304e3
SHA256 e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0
SHA512 6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

memory/1340-237-0x00000000001D0000-0x000000000020B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NkogMIUs.bat

MD5 2166d16409d8f1d2b0057fdf75d05a86
SHA1 76c516ffc902ecc2499276be466f5ec8dbde4082
SHA256 17c1426582d22d103c0c418fa8dc670301f74d97ae68aa53b988e8240677552a
SHA512 45ba8b617cbb95066f1cdc3f2751a009744bd84279eb6fa878a9b714ec32b64263cc9b10d61191ced223cc5b54515033bbc2b8287eda85e17c22547b4857d9bf

memory/316-260-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FsoQgMgc.bat

MD5 4eea5b8ed7e69933df770134dd8a936f
SHA1 c5d4127024e6fd4bc20d65bc865c9c3a5e31ab87
SHA256 a632cbd09b8afcff15b1d308f880b81bf33962c60e64e78de8ca7dfc43e8859c
SHA512 18d49e47e960c48f08344f2fbd086f661330df48b779c83821dd32dca8b7ccdae324c34dbce47d9e8fd1ce046690e3f6443c95a5f520156778f660e974409256

memory/1688-317-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2340-362-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EKsgYUkU.bat

MD5 3f436732f7336fc519d51423279ad24d
SHA1 73206679a26839be303065af871dd55cd749fe9b
SHA256 b22aeab8a4e1fccaf770e1a4375b9e65db2b1fb6408c918418c24c6d3d6cc0c1
SHA512 01c23c9326f1490fbabcf46bd214bfc4ca3afe1e6ff0aeda08e107f2b2d05378df61b53bff7cb4b7af85471afa5872741b6110773504d828a0cd72c5c3f26d3b

memory/2144-387-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1772-409-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\NmkcgsMc\UKMsskQE.inf

MD5 60367153f96a3fcd7ae4c97647850f42
SHA1 0a34e45651216139fc8f4ae840bd7b0bdaac792c
SHA256 215c6431a943fa3926d03ea748f88b317bf1b8553f9cef343eeebae8a1cbb169
SHA512 a519f9462d89cbb6b45eec56f8a3decbc7b434fe7a50b412048c8111903f54798e9415e7b738a7d008ca129a97c74d4e2c7c29396a9bcc7e2dce84138215c650

C:\Users\Admin\AppData\Local\Temp\NUkoIUYQ.bat

MD5 814ba63ecba4ae0cefece61b0cc8f7b4
SHA1 fc484fedfa726e2bcd657d77dd50ca13807c66e3
SHA256 6a3d121c606daeff2028870b785934e64266cdfd013f5da9683bddddc1ebc750
SHA512 8e060db8e7e1bf7b0c92c69870a064c8771b124cebc2aae9da0232f31f612f11ebcb52843abf91c0df9343c724f1c74353f5df543a8d32948c71084e776b7b9e

memory/684-549-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2928-569-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xOcQMkQM.bat

MD5 926d65c88fc1ccec3387b9d91adf01f3
SHA1 545f4a79da77ecfb20317430b91bd2f373fe49ae
SHA256 2c892e96171bef328062fb89ba1699a53aac215fe3f515fe1529336b84233fb5
SHA512 f17b703f1421125265abf182b939418409bdb24f6adeb31910ea50b13cc3519d7494458a988248b5607efe491fe6a4702fa557d8cf7d9053a0b28ec9384c73ff

C:\Users\Admin\AppData\Local\Temp\GIscMssY.bat

MD5 1e7a0d68824964d3b1feeaca67c95487
SHA1 166e1e4abe9849d72e1b93efab9469382f85a1a8
SHA256 02fd91295475bee64b34eb2c7fc6e85210bcfe5425426dea245401ebc6db56fc
SHA512 6786dc90f88eba712b540a3d2a5d47f9b7e60e8bef22dba07163f21426949f68cdf5beb9810f86b57fa9d9ea9b39b94debf715330fba5f7ffbd9d94ff78f9c16

C:\Users\Admin\AppData\Local\Temp\oMQMUAsM.bat

MD5 dad9b6776117510a3e10d52d10689dcd
SHA1 2d45efb887e896acb3ef54eb18b86395b55538c2
SHA256 e0e58f647a069821c486c25fa53d22d8cf636f0d9c7b6ccda699ebee18b8eb9f
SHA512 c7c6164b4ccd66bf0c96a387a5d2eac8304447ee791616909de550ac3faeaed703d4c69d5c1cbb3af02092192cf22adcd8a34274cc7ce8cbdcab70ab590ebebb

C:\Users\Admin\AppData\Local\Temp\kokUAsEE.bat

MD5 dffc656d825a03448da6038abd5ad7b1
SHA1 0f2c3eabef6980c093ebbc06ca44744d04a5ffab
SHA256 fc364a6837988df2cd7e953ee3f85839c7156867659b48a65b3d1474855195e1
SHA512 e0bc645edbae129578e3a55e684c448b204dc467c7aa9c795de6e5e49de47b8aae13f7a6995e8319a68d4c0fdb2d31d999972b47490f763bb2a830219311acd8

memory/852-744-0x00000000001B0000-0x00000000001EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\twUkUcYE.bat

MD5 6cfb3028e215ac529f67de6bc7cf052c
SHA1 81baa7b995236b49bc67231792f4976e37a97421
SHA256 db78d6939b521c4b9203d8a453e1cb760ad30a7d0d3e445d457cddeda56dccc8
SHA512 597011a3cb92b41053b693b4a7450d3d0b4286d8b996fe1697fae5185cc541894ed38cbe5bdac46f72f7d2d2ce905c49da2976e2e11157be3aa4be7adf05df87

memory/2660-802-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FwwUkUgU.bat

MD5 692dddcfa8cbcd215c8c72e64a8351e4
SHA1 672a8e6d4e9449c70e4bddb413be945be9bf9c4a
SHA256 3b0b72ce3523e01a0913e87bf42c92727ea18bdf9955d42f2e02e8955ba908e5
SHA512 04b76e2f9c39f7854216bb288bd290d788e34422fa273db7105a1b42f247b7ef567f225cd5121dbea9f9e3614144fb3adf8fc1014b60e6356f88b9debfd569c1

memory/2776-850-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3012-861-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmcYgMUc.bat

MD5 44db67abb36dc3e740dad2878fddf9ec
SHA1 c3f9eea34b31ca3098c89bed78ab66a101240d24
SHA256 aed37b20f1bcf4119b24acf680f2ec783190da41a5d9d2ba0fd41688f871b568
SHA512 4d6234d3e447c8863613cfec067c69b74cf4d7ad7dc6905352cbcbb71865a20ff44db43298de1469fe7e2763557b86ac491d80bdf000bd56e87c3c322f6669b0

C:\Users\Admin\AppData\Local\Temp\wccY.exe

MD5 04cf509e94ef70efa3d8d6f0f9ce36ff
SHA1 c7b3cea12b3c5dcd1a7582ac01daf996a4341375
SHA256 0a1910302392070db0cec541cb324b29efad01f7eec86f8c9dd5e7cdaf0f47f8
SHA512 37747d2ec2ddd685430054cb9fd6e3a100e9700fd58fa54086c45cece6930a87af55b3a307952454b1a2b93824ca244b76c8473c2154498cff2b2225d2b0bc77

C:\Users\Admin\AppData\Local\Temp\Usgq.exe

MD5 c871ff3f9a8b84f4275055bccb2d6ade
SHA1 fe7f66024bc95c654846e180b52d985c549baf62
SHA256 88566c2973a2462a28dcc82e8ae5f837323b2070fdab1900828f8f912ab2dd83
SHA512 41c29ab6cf90b8e6eba6492254cab6c466fa6dddb37388bac2c34269a2df904f92e4076784db48a960e3db71e31d31fb65a4c20e18b538372466044ad5e2a7f9

C:\Users\Admin\AppData\Local\Temp\eMUokQAk.bat

MD5 ed74dcf3f4da39f80d9e560ef2d5c9b4
SHA1 01198ee59c9ebc5fb3c49017ac2ede6b7d087ae2
SHA256 f85a386f2f923734225c43556288b41183b0147bd9cc386aa5e417a315eaf570
SHA512 35e48cfc3576835a3e75f7dd82dad7c90efb3606ba02522483ca03dd845023553c7fdb5c50ba6dd4216cb4dc7f846dc8f282a67cd754b6634c3a9b7cba5728f0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 f2f5d4d1d921057ec11769a37157c3f0
SHA1 4dd3f9f0216d1b1f559a4d64c3cf001cd2d28514
SHA256 88f8603c332a46f114d9d460c59b616eca1c44d1df3f640b6a2d0c7e402652f8
SHA512 b6a1ef5c4fcb9771c17c5f882f40b0e4d6fbd894b07974af7294ed58d96cf19814208cf86ff1bde327b6e9edc59c893ac5d1254f7dc4316101fca73cbc78112a

C:\Users\Admin\AppData\Local\Temp\IEsw.exe

MD5 41b18b81e6b4fe09ae06314a5348ca01
SHA1 d94c00b722b8d52f922c880c84be7d5ccb2ee204
SHA256 6deb31de7643676157b488f6b35972a1222be2697046624533efe6a252f54303
SHA512 455d1f4216c9847db36fc626ea292add9d3c19c456d6b8fad144e866f604e5473fb45012ef188d8f37a34852240120f49b8f2169899ef653c18f1ecc40ba4367

C:\Users\Admin\AppData\Local\Temp\acEc.exe

MD5 a97cb9dfd2dfcfd6af988b77b273f13f
SHA1 084630a0ffbe34f26d08d0292827406e3e40e57e
SHA256 869615ee65e159401462dc0eb4114e933c55c33af4fc08c5ef394e98caa06bc0
SHA512 1b7138b1c755e468c4a419523566fb0c9decd5ca01c60ea5cae38b3819bbd5c1ca431840b1ce13261c19ef7b8a528f7d21a420bd63a9d3f8cd3f7fb1bf15c490

C:\Users\Admin\AppData\Local\Temp\kcsY.exe

MD5 ca6f37fdadebcc83999c35deab41200f
SHA1 8a73fbf47f30d34316647feffda5656e01be9220
SHA256 247046daf3dcb30675625360d93016d550e0460cf225ffd755a4b3e6c009a002
SHA512 02dcd5a4f4f346bf2158876d4c200bbcdabc39695411c0f1754525653a1551421e91e32663788aaf6dae8a166aa355896556a44ead7e9d01c86424213b163666

C:\Users\Admin\AppData\Local\Temp\Ykkw.exe

MD5 a7f6bc53ad5fd6da8cd3a9f89906ee9c
SHA1 827c7fa02dbbd5190eda092099e3a09e7b295fd8
SHA256 8d445bdefb78986ba2438781d6bb6ad4318206409f487c595f247cb6c0d5a3b8
SHA512 2d348ff5c4a2880e9a53fc40bc90110055ada82040f5b88d2d20bb0c88ca05a5fa38993587875a3dfa98a23eeea31af1485dc1ad0f35deae024a6980fbc43e1b

C:\Users\Admin\AppData\Local\Temp\wcYE.exe

MD5 41d2f29214f151097b6c667a006179b6
SHA1 14f41e172c43d1970f5b74850554a108750e4ec9
SHA256 86b4c536ab0b0971566f19a3bede1c4cadbb20da3552de57f3d7136db9752e23
SHA512 89ad40fadb7c4d8fb9908a1f752c6eb8120f0e70b15a34f8eac5135455cba7bc0a4d225ab52c502f2bf4d0c46d4ddfd33324b9a8adef69f74cad73dc1508a7ec

C:\Users\Admin\AppData\Local\Temp\GQsc.exe

MD5 511828843eee812201f475416e20e95c
SHA1 bff782a1dd78028bff98cb86454dd2c321b35e87
SHA256 1d452416905d9b4315235a3dcd95bac0696eace6ab12ff801c0723db954ca9ca
SHA512 951b95a0894c75a7f7d0bd242f40d93363c176011c3e7d68ffd1b9c3798b9a20936608c38ff5748a9d69c9e8734f1dad757c3d3e7cdb36eaa367d23ef84b1c38

C:\Users\Admin\AppData\Local\Temp\uIwu.exe

MD5 dc83afe9a1d09249ae473e0538003928
SHA1 dc2cd16d716b6a4a9b5c92dd70b3a566185596c3
SHA256 038d7643770b8e596f4f20613082fc00c95ef262e5b24298bc5ee73cacbf770f
SHA512 977f081de34855fa4061331337a17d6a4c416e4393303d636e577ebf605fc2dabe572a7dd5f55308b153f51af446c3a94d5370a086f0e07dca875021cd28321d

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 0439972ca6504b1b74152e1f3289e14d
SHA1 3dfd82766979613634a98490bc1f5cf1f09c8276
SHA256 be90b9e7cd72fad989670d7bd8808c27edd898b31e43f462d19ab0228f3ff765
SHA512 06cf3761f72cb2ad33e22f93326018d834ce54dd9235e2ac2b48fdff8f858f6cfa421eb833c95a98c6f39e1d273934d7e71bd36d76b157687b3eb0892f772b40

C:\Users\Admin\AppData\Local\Temp\Mccg.exe

MD5 0c9fba6c3a5e997cc83fc67de3b17d47
SHA1 3b321a20924eac2960aa0082ea121acf14b10ad8
SHA256 641f4208d6c5f8cb038b572e3ca3edcbcf47937ba03d05498fdc68557063f20e
SHA512 c1a285afc62f83197041091a9729d67da6a380ad74911e1c2a57cb755785dad6dfb84c94da695ad8aa14b10949323cd96066f0b5f521b4b90b9dfbdfcae73ac8

C:\Users\Admin\AppData\Local\Temp\QoMQ.exe

MD5 3c5769e1e4794b731a262e40a63d1e14
SHA1 7ddb1c173b9087542f8e9c4234ce9dcc4afb1d60
SHA256 c766f82ac8b30004823c47fc795c3949b2c495f1579af5413424e966f250a7bf
SHA512 1dbef2876b7367deef2067ca18a8b041bff6066aa6dd9cde482cd8f0cf83ddfff1e64cc379e224ecc719552bc8e71886b77eb5ff794c14793824327612c1b2f5

C:\Users\Admin\AppData\Local\Temp\QQso.exe

MD5 1186ce244ca50edb8fb744c6e83d297a
SHA1 18f30e72d6b693322d16c2fe608e816c9e85ab40
SHA256 476bc431cb7dcd4861c0d6cf8ff49795fb58d4e1466c14827ce8752986e0dd36
SHA512 46ad9281abaaeb7d96ef76fbbfaf4fbc49d7b2dfe356e2804d9d272a612259b82d3e13b6e60782ec9591d9f3acee469bdf0ac3ee2a2de5769be4d0d90c94f176

C:\Users\Admin\AppData\Local\Temp\Ocgs.exe

MD5 32d3c7f802a13c97d464a7525e79ff54
SHA1 f66befbbda382677feb1b6d203ed3ddea6ab0fb6
SHA256 f4743940f7dc6c361c4b2dbbe6c983538c894f8788aa6215b998b8e8dd478e42
SHA512 11d5aec8e45c66c056d274154bbbba2c1892d4320baba1fefaba8d7124a947597bbdf929e550e94752537eae6deb6c79c401a98bdc3dc741bb84741d43a72b17

C:\Users\Admin\AppData\Local\Temp\QcMO.exe

MD5 c7f6038445b49ca2115a70f36497c26b
SHA1 e498e249c06623c222b9ba17cfda56b986f6d055
SHA256 b78a03955699f67f5b62b0408c8d191275df671ba490f1966dc5c648a9184d0b
SHA512 8bb1ac56bc3d92b5c9b8ed4af28d583e83b5fc7d8a960dbee1727be4bea79135a8a4c9c7fc49e01855ca8552bf7c55f8f6c30868eee5db20cfd6e8ddcd32f156

C:\Users\Admin\AppData\Local\Temp\MgQY.exe

MD5 58e24fc3d481cac896ca1d44a1f74528
SHA1 347d5ebd791ba84a442e5daef955137c2cc8dc8b
SHA256 a03908ce1fa3d59cc4f6855cc12543fc624c33cb50a229e9e4519d65a0d2055f
SHA512 baa1506441f76a04f612023a109ac2d729c04e15ac08a6172d3db6d339edc9c11833435cdad3e181b8096316a93280b12319816f23c1092615e82b348d31440c

C:\Users\Admin\AppData\Local\Temp\oYAk.exe

MD5 136e82401bf8c325c8f33202452cf4b4
SHA1 367cbb5389c28707d95d0955492c967bc936d258
SHA256 69b37b76b85f114a192588104efe7b64010939ce3bc3fcd415e23f94184d2c78
SHA512 da22dadedce2ac65cc77906ce23efae4c35545991108613a1ffdd6a2a560fe7a56e21ce4ea626637dcd92e6491fc1d5a286a5349b83cd72e0c2add264e9258d1

C:\Users\Admin\AppData\Local\Temp\cIoc.exe

MD5 f9470e5998f801ae146afb264080aa82
SHA1 cf19c79044e98e1b30f24739526f39947e139b18
SHA256 3affd99bb2302f66e9563dc3c3e4f157835afa0c96af0a3524a4a541216edf2e
SHA512 9ae30def9599bba50c8119744b77281c0b3e34514c328d7faeb1382a3b032791a202806fda98d0497c40874f51951991b62ec6ce854bdb8602d9024ef261bed3

C:\Users\Admin\AppData\Local\Temp\nWAgEcwM.bat

MD5 5a0c33798f9a3f400f908461fe455cc2
SHA1 3a7f8725f72efd7821e9e807c1c2ca6e0cc609d1
SHA256 7dccfd2ba60f8220e17a8ca171fd3f7c4a59c5dd70da5ea74c9de9da150e4ec2
SHA512 523e46cd9cd8dc037e054e5c90a5d9f10a5470a54a12fbed38617dba091515afa1abf5d8e7c44ddd0a268774dc31a6fd5ad3c9055387365d1bf5ecaf01d44251

C:\Users\Admin\AppData\Local\Temp\laQQMwok.bat

MD5 612ece5821d3812193836f07b84cf8b9
SHA1 b680854230e7199b18e9e20f665de5452042f3f0
SHA256 1ef54af84ece4d5d7550514566776741f7c5ca0ad364d1b1337da7fc5bdb8457
SHA512 30eb717ea2427f27a90641a4288b6abb29029a20548ac6436e29c23c40ac775fda6c4c7d196ae3ff528e37300fcf4f250a906e79081da92bda6808a82ef56477

C:\Users\Admin\AppData\Local\Temp\KMIkkMgo.bat

MD5 a2052ed1542dfa10949e66170a73fdd9
SHA1 d4b3035d4bcfd23a00b88297ba3562418a6aa99b
SHA256 0a396d41460cde0c8143418ae61d1af420783b4c5b73a47889f83bdd0e6510db
SHA512 952d9508673bcb8d709cb566d92cb780b87eb7e4fa9fcc6c77de15533cacaa937bc365bd56f6d4d7344f2e191d9a85c58b21465f5801e473f6a75c897bd4a526

C:\Users\Admin\AppData\Local\Temp\gQUK.exe

MD5 969d2ade0679dbaa34116e6fd81ba28e
SHA1 49eb2b14e7bdea0bc7cb26cd05b1c64f364b1649
SHA256 4d00aef2f01cd7bf0514ad9d827709012f4817cf4ea49e111fbd66537b544a29
SHA512 f3b23ac11934d9c23757c755778e8b3b4e973c8b138bf4c58e64a66f69428fb7a9afab6116ffc94cb52ae8d97442fc8ef103b45886d671540370b16fd168a181

C:\Users\Admin\AppData\Local\Temp\yEoW.exe

MD5 a87d4f369b984c10770d04e9b9b9b0fc
SHA1 17698ff414900d9b26798faff5ad88840ad6fe0f
SHA256 c9530cb01ab50cfae2afba293b70c1e09bdbef03970e0f3ddbdd12e87bdc7303
SHA512 805a8802a9af3e6d9795cb37922dd5d0aaa0b623008f59f836735cfb31c1e7ad90dbf34e5cbc12938de4d40c04be19533fae32411a69abde9559d3fe45b1ee69

C:\Users\Admin\AppData\Local\Temp\kAIw.exe

MD5 75af85ddc3606566f0a09af2c7f2b314
SHA1 1c2d6e38d85d322123ca0e3208a349f33c30172c
SHA256 cc39ab816b397b8a1bb875a61d67ac26736d73d25dfb27409ab6815f3efef09b
SHA512 259c25e3a14ade2dcfe5a692c1d3973c865d365abdfa1a94aa18dfa3871def734e253cb34cf3f88e9f90cee9e22e453905a019365c948c4fb51414836e2c7b17

C:\Users\Admin\AppData\Local\Temp\yYAU.exe

MD5 7fde54fa90da6d60481999e218e2b1d5
SHA1 dca80a30b880ec2f4b8d660320e9d40e88a146f1
SHA256 448207e1b3161d70a7c522921e37c016724b411d8de5a3adbf010f4a8c6827e0
SHA512 1054bdec7ecb4c1e11e79abadda62e08dddb1ca713e2ce57f47843a9f7abb1fd4c10279af4f3a8bfc3ef226f6add6a3c49e2440bc6dd70b1b99b6a7a0947e038

C:\Users\Admin\AppData\Local\Temp\eQMW.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\Kokkgksw.bat

MD5 d7009f7a01d26c59b135e6b16fb99808
SHA1 7bc634f20ceff2359ff9d6aeb9db3c49f67abd2e
SHA256 8de7a7ef6ab30c7484c42f37266c75ea13fd3278916162c721f813b322cf4c7d
SHA512 0f3bc608dbceb865559461ef8d14c660dce9890151d4e468ff5083f65102ba5639e2e851f02178ef056c08cf0cc978757d2984a06b252aa41208de0cb42f69c8

C:\Users\Admin\AppData\Local\Temp\sQYQ.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\yUES.exe

MD5 a77732476e92e2c688d957bae1894b10
SHA1 5b18d09eac6529ffad680c6b6832ec6800f34b54
SHA256 468cff961a7e1658453273a4fc9c9eabb03a9857f895954d55d1064f161f406e
SHA512 7e57265b2d368fd6a2ba67ad1f4ea8918310e181aa6af7b5c674e05637be5e0d273917679e97728e7bae913b66f77da7abfda78c2fec089975a60b4912516b53

C:\Users\Admin\AppData\Local\Temp\gQAS.exe

MD5 4493ec490dfea77a06ba92b96ef9a6b6
SHA1 ba46f504482c187dcace793b74c17a219127fabd
SHA256 85d7408de9fb265fd68a2c45b3c1b5dbf20f9af924e40b0d691e75ab332280d2
SHA512 623c481bdbb3e48d22cfdf335bb89da5d520d5e9352f16b38d3686ba04bb46bf7fc1856d470b5a61159feb8312d1b148c73c03316341ffaf7da0562de70e1afb

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 e77ab5169c0f45f8539564d23530a4e0
SHA1 6ebe8c3b620cac3ee46790014a37ed91a82bb421
SHA256 74edcc9b49f11de6ace8cad6211a6f414ceb4e863ef91a0a15f0993b48dc5f15
SHA512 8b17431a0f12d3b2b9d562b9d43585fc735fbe4cbc3c088726bf1c91b672142e8619b37a270211ef251088366caa406ac023a4bd606a7f4c10ee708481163abe

C:\Users\Admin\AppData\Local\Temp\HKQYQkkE.bat

MD5 5a4600dbac1f80175dd8383cdc15a878
SHA1 29705d5194a7bf58fcfa6005064a471dc6319ed6
SHA256 a2e14ea7a16f2695f10a2042bb0dec1360ab30db413162ba058394ec23cebddc
SHA512 058eac8d36c2a936744f5b954fc79b7dd0f60ca4bc8646a806019d317156f8e2626d9c2edcfbe5958db22e54ffa4966cfe1e5b073a35e58b9f2b9f3a75da32ba

C:\Users\Admin\AppData\Local\Temp\swAm.exe

MD5 ebf0721e035c3fda09e2320d408d759b
SHA1 c1f2dd824ac0a5037fb8dec0b49bb68fa5b1d940
SHA256 537f243845c1d972d6fbee89b1beaf321df2560f851839183409eb45e8900012
SHA512 2e97fc51395045bb174ff0ed40f84ce7111efec2db34d509d60a3c8f0668ccd4afaec97b01de65d049cec99d731824339b40413b11f53d8bfdd52a442a61b78b

C:\Users\Admin\AppData\Local\Temp\AEAe.exe

MD5 2de636b48051e2e0ed3801ad1ddaec77
SHA1 b084085d96055103283ac63ed45872fa3ae0c28d
SHA256 d3cd79882aa73145dc96f3591d5cf7b0e5aaadb058b14fb64d3554553c796deb
SHA512 8d9f42da12e2239771cd68e3fdc442323f91b8aab8ce912909b8dea530397a7922b0162af20f60cf7a97aa9ccc8a8196e8709a212f8dd532eaf4a33691e0fe42

C:\Users\Admin\AppData\Local\Temp\tQkIMcAQ.bat

MD5 08cdbeb1044ccd0e7cba1e5e93fa2b4d
SHA1 74c658b3df7178bd6825138b8837b7812d2409e0
SHA256 24e22d99b62142c98aec2dda6f874035e51a06600a75e70f76678e509e296913
SHA512 867280f69c6391009b52ac41e6a27aeec15039b9304247c96773c3dc4c2a285b24db0bbaf11b1d622d8e54b8729b0b5f7d155751d5c7018c0aff1b6816f27059

C:\Users\Admin\AppData\Local\Temp\soYS.exe

MD5 555fc2bd261c549b29820c3ac97a067f
SHA1 8578001d8e8e68a10b172b4a57f4f79757cb0f23
SHA256 3956d0be1744f4d3589388c1d8fc137f05fea69b017445cec59ad827bfa7f965
SHA512 d22636b5cde253f9993901cae9df78360deda1f2826bb6f898c77ff3764ac951a473f60ce8cef0b88aac3e9696ca241211fbca14eb4e95bd86794f97764554a0

C:\Users\Admin\AppData\Local\Temp\sMku.exe

MD5 4e366d2bd3d9f254380de5c918979d6e
SHA1 c650ab728ee972fbefe222132621ca432e1d370d
SHA256 822ebb84b237e890d9209e668bb8b5d82be13f2ad39aeeb29ea7b11cd0922b03
SHA512 3f38bc8872e381c62a523ddc6ac1e3c46900c716fe8e17c7aa35fa57f8711e528db8eeca262832934238a04d042450be1d57fe9cdbd20eabd41055bc20f344a3

C:\Users\Admin\AppData\Local\Temp\CUEu.exe

MD5 70470690e7e13081b95d75e0ef4b4319
SHA1 21047eec5112d323b3ad037b67986bad303df1ef
SHA256 815e0185b84f59b95977e3de05175d56a29e73a1f82adbe7041f70d8819c763f
SHA512 a177908e37d2a5dbbf74c9b80890cb38305c86ed68d34ea1b60c0e97d19de05dd96a308bfa755cf9e35cbecd01a73cc7e6d79c4087269ddf60233ea60164f77a

C:\Users\Admin\AppData\Local\Temp\YEEE.exe

MD5 02e7d66d09a6b80e77884131157d9e97
SHA1 cdfbcf0aec82bf24803d2c501a836bbfafea63f8
SHA256 d88168c069cb969222fd313c5dbc56ac54b86c9a42f1cc89428ee26b99397092
SHA512 95d3b60ebce4a19347403e008c3c5e9404ed3fd253f2fbfcef15fed53f7091fa06c478b45460b7ea18f48233805dd8c1089a926e7e8ce6ec43fe992a6fd87f85

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

MD5 a436a5fd70e346215f85554998525fbf
SHA1 8738211c1b3ca0b78a09175ea1ea915eaf4cd5f2
SHA256 08e183c5586b5a26a572fb76e2853f388226e92bf02e0c5756c61068fbe330bc
SHA512 f2e73bca20dd8cc80207fdd8e0828bfbe421b044c8e9ee4c66b50ef05f0f3c0b40c2c5fc64e71734c79a78cf3ead8da377ef4d6be9009a2a6cb98cae4a09f56e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

MD5 75cb75dda8816098ba776771017adf8e
SHA1 0d53f93cd476fca77f9871bb7f356b0f1890a3b0
SHA256 177cb5ee1f858c75bbebe7d576554d2c8b3d3ea8312f076d34c8afd566c09de5
SHA512 8327a95c4f0e263294ee28e8f88b6208ec62294fbca7c5fae1dc867eb29670ef948bc11ce8c6dd735a9cf0bb960126247d5ecca7650274181dbdb882fb4b4345

C:\Users\Admin\AppData\Local\Temp\QUAY.exe

MD5 d09216e6a8c2518a629986a582488c71
SHA1 eee51f35359a2644682dd9c3bd4063599d61d2d6
SHA256 1fdf86c54210e7f97474273a4775e6d81567592e13b7eed1a85091129d4a75b7
SHA512 4d71e1ee9fd98fba5ec4af6ba0a0c0487aa8c1482659a047ee803759b481866f868f7abde3a9114fb35cbd9d5c264acd0c265d6fd06cbe61f98526ecb8273ebb

C:\Users\Admin\AppData\Local\Temp\sMos.exe

MD5 beb429b03bf82d3c50d2335266f4ff07
SHA1 af534166f81810c867f39772c1226e9156dadf21
SHA256 a7ee0e1ffd62fa3817b35aa830b803d661b819cd654944c47e1461c3ca7489fa
SHA512 e600aa541bacdbd9063872984ab845fafe74a1f6d8bbf8a1c5b4e6dfb1b21c05cdad0854ec424e58d9190abc6288ea6472650897647fee24f3d13d210aad438b

C:\Users\Admin\AppData\Local\Temp\mwUK.exe

MD5 01d90d86acccf05252c791d04b1a5574
SHA1 6d4d9ce45b77d581a6aa7e7ce306f151e898cf37
SHA256 3234dec20a2bd96deca9b5aa152ff9d617b72fa5bf455d3706b347deb1f2fd3c
SHA512 4082c30d3bc5d96acaf05b66ab5698779e00b3f9ddf08e36f9f0ba623fa6c68f2b92919722b1a105eff0585c43849810a1b4284090d0bebb77ace380ecc144a1

C:\Users\Admin\AppData\Local\Temp\aewcEUcM.bat

MD5 37ed79c0415e7edd894d0f6c0b2dfe37
SHA1 2bd485a088e9dfc89ddbb988cd3715fd7637a983
SHA256 84ef3a9899ecaae619f6c7e80153ce283000a4b2884dc50e9d0dfe63191aff9f
SHA512 5414d9c09a18a500e00a4b8daa62c5a8bc45a388ec6a3e973ddbfbfba953781871f07b6aa43868281eaeca5b47bd5d08de904e353fa47a6ba421aa9175d2cfbd

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

MD5 8b816c57361daa1b20016af6aebd665e
SHA1 ba15ef9198aa1b78550a639f89dc9d8173fe7a3c
SHA256 374250a00923bb05512b1736a6d639f2da70651a56f4c138dd0dcca85e93756d
SHA512 17f24219cbf13f3cc33541a64a7b7fbdd76dcae4c594c2a696bc1dc862fa1c5101da4bb46fabba008c3ad13f7873b4292dada7dbdeb8d6fb673cc825164c224f

C:\Users\Admin\AppData\Local\Temp\OMou.exe

MD5 1117ccdc38b88c6a34def3a7238b7de9
SHA1 f8eeaf3ff547b33b74a3fdb155dda9d8c3289c41
SHA256 cfea6f169f45be4e6b8386b6f6101cc081f2aabee54117fab1830ece681a75e0
SHA512 53711371e1d6b91ce462d21f4916a52b45f6c2ec424161650ec0bb93e387c2342dd7f3e418ae18f0d17c7f0d10433072bffb373e2297d1888637e3f589981156

memory/2280-3161-0x0000000077600000-0x00000000776FA000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

MD5 ae648665028abb9b5a807ad74803c29d
SHA1 032e8cc164f77258f7caf5e9e7c7497718778c1c
SHA256 5a18ac9fdaec9e3193e8f683c719707db02fe53f189178590057947330ef6cae
SHA512 24008f219c6cbb3afb38494ac83140e0d2b37ecf5a6ff8dc86d0cd4e32414a1cf16d928900073a86d2d2de05bbb6af64a5ea8bb3d2319b8fb7eec1e4546c59af

C:\Users\Admin\AppData\Local\Temp\SAUU.exe

MD5 a27d1e80d239e4b9a830b0c22f8c6dd5
SHA1 b7f365b842acbfdeac34ac566e9000322e10609d
SHA256 c6463373041925bcb913381f538223f4b2b5ad88641d1e3a801354d047604df6
SHA512 e125a400ac658df48d696018ce01406089eb992d67340199c62c0314278722db24bbe94024685458ccb5f77b38e2ba2dfdc3e781e9acf77bb9ecaeffce1345f6

C:\Users\Admin\AppData\Local\Temp\sMki.exe

MD5 8d2a94c303edd4d96d794ccc4a806aa3
SHA1 91f2c2b58a269232808c72cd87739f14bc96ad82
SHA256 61fca948b527107e3f4c6e9f3b3124e0b0f16c1aa5e402fd4ec26e7b8f15d426
SHA512 80f84146e418d92073e70a662379988b0a8728361e9ed34198e0b58571fcdb3edfe6c3cc764fc40234bd8ed7ff1b5b5f56d41015b8a7c6bbe7ffe7a227cdb5b7

C:\Users\Admin\AppData\Local\Temp\mMQq.exe

MD5 1b5acc4375076ee4dc545b84a9b7affd
SHA1 64374e1cf525921bc5dd291c6474e2eb8b94147e
SHA256 1ac48596bb3f909d915f7e32c7f4de31e32de8ee3e092a6c46bc736904960c4a
SHA512 499014c0ae640dda7597bf9069de8a02ae8f19daae006d7940899afe7fdbb945a149053ca5be6df2a08a32a916c0956934985a163e3d4d3bd6dc128f020e0b2a

C:\Users\Admin\AppData\Local\Temp\Kcsk.exe

MD5 b1acf8cab2401a650b8caf7658abf761
SHA1 bc3d7582b40fdf349a94c60dea3175f736ca82cd
SHA256 2a26ac710a290745392317bdef62059c139e3498c390e41a0dd68d17ec15a7eb
SHA512 c00e21340817bc3ee3b430df600fea6c0e0a064d082169f516332f01c30cc08a10bb59e402674d0fd5c0a655ce6318f5acb4a4992ba39350d74b34a4024f80d1

C:\Users\Admin\AppData\Local\Temp\MUMk.exe

MD5 39d5ccf3ca45d26a1162a2f5a1b39db4
SHA1 7ddb721f14549361190e98e4be20470ddd9c1f71
SHA256 406808cfa806e079ed6ef19dcf0f4d924238d31089494d86eaa72452bb4fbb28
SHA512 914181bffcf26157629d9340dac2785593f5402ab1b058c0bae10d022483102708cd7e14e233bf2df6b9668d3e8c37408748f947e56073f864068ae5d303492c

C:\Users\Admin\AppData\Local\Temp\fWIgwwEE.bat

MD5 07b9600d79618717d0fc4bcc3a10685d
SHA1 fbf84d24d2e9ae3ba8294c3f908ef7479b931191
SHA256 dcd6c69261075ab1532eeef6e2b17565fd86c0782fe3b4aa7fd178cef9ceb3a7
SHA512 d871829c4be3443386b1098a91bcc8fbcc40f94f61292ad764eca645df19a117c0114595ca992bef7c9eb578bbcbfecbb9f40ff419511648cf97e9109d57c9f7

C:\Users\Admin\AppData\Local\Temp\osgm.exe

MD5 387038f79bfac872c249fa18c34e9a50
SHA1 d865910d085573f9029b2e952f6a54d62d74364d
SHA256 c939b72d0b9d1199555abdf6886aeceeebcad49dafac311da9b27d32438e9b0a
SHA512 e7560a60547684ba4dc4dc6b092946aa3c8abeed8048d4d00055fd2e2ae2e255adccb13b370f1ab80e6d2327c8574689960fe453fb034c291cad657abd29f120

C:\Users\Admin\AppData\Local\Temp\MkwA.exe

MD5 dccff277cd751c732bbfc8c4fd8a5eda
SHA1 d9cf705d69ec04a9705ddbc6c89df87c28ff74a9
SHA256 a6af5bed054b03b7ff6a53161cfd24326f4163a891128f5abbdca53a6c263f0c
SHA512 a1fc021a73386a525f7b885b32f1dec6724c65306f92531729f63001b51f8f17ce76df5cc41be54879c18696d3188795c6d8090f022cc4eefbb75cb1824341eb

C:\Users\Admin\AppData\Local\Temp\EsQW.exe

MD5 2077268bf4462662e150f964945fabb5
SHA1 3ca3244572fbf1421fe23af1e469fe2c4b63296e
SHA256 4f9d47400184f4965200043d5b3b65db16b89744efb7db1bef820147799a72b3
SHA512 ced59595e879aad253616b6954b9ea8c7eda11ce49395e81e8d65aab5f52f345c0f9ce6b2f13dd0785f0c006d38098cea5f033b9f9cf081e681fcdd5e19117ab

C:\Users\Admin\AppData\Local\Temp\MGAMkwYo.bat

MD5 f1a2fe46f0974d791b1ca795eca2c812
SHA1 b0bdd0fc5d4b0f1226107096dc900f2b9778a02f
SHA256 03a27c2d2ca0d7f955e3a9296af2700a23f4d04978a55f7dfc6a9c5677907b92
SHA512 68e38de0e28ef88645edf43db1f50906801d3712ab6f8718dce4b1a9826f70a58fc7e74a9ac325927a578657417f6581a922afbfd212c02218d7daa6a11afbfc

C:\Users\Admin\AppData\Local\Temp\uwcIcgsA.bat

MD5 bf761360545d5f57776d44c8281d9d3a
SHA1 7d2a63524122a0b243d7b27dcfcfd56a550d6cd6
SHA256 2ab280be437a6f9e18be6f7e6e49d646e5559f2c51494f71dc73c95bcedc2b4b
SHA512 525d652ced7938eba22b64d08d6e39ce1c95d87a300f031f6d587cce4ee71309d1e697afea6e75ed16bf5dd6e065ea8c4f310df3f6a34058b516f29c84833555

C:\Users\Admin\AppData\Local\Temp\BSQYEoEw.bat

MD5 cdf80906e712b4f869ba681dab05a706
SHA1 5c86affb6ab7ef869454ba55ec26d6bbf2300f37
SHA256 e27241c8f7556db3817a64945d4c9b474a40ebfc0f9fec902634cf1033598919
SHA512 c0a1c4799fe66bd9dcdd2521c1fa27fb4d1098b1eda05776c2c296d7be5a1eb57cd17cf3a082ee2294c3f64d809ce5af223fbe5d02261701010b69af1d23ed7a

C:\Users\Admin\AppData\Local\Temp\hSsQoogY.bat

MD5 4439d6e5ff28ff293b67612d91fdfe8c
SHA1 a3c03543e6c58bc8d8de259f5b975b4f2a98ae29
SHA256 40ee4c9bbe48e59a810195e023fb00c1bb0416632e65fc244ba00b1c7bc95fe8
SHA512 8cf38b4f86cb5727905b529326fc0f2b0598254ef9d83a09911dc2264828d6a1e4a0a8d30232306062f3244421a032874e34568fba9154268df34b7ff3bcd56c

C:\Users\Admin\AppData\Local\Temp\laYMAIAo.bat

MD5 40c659510dfdab4541d1a511a0c74476
SHA1 4531ab7437f5997e42a34d10b0fa565f9068efdd
SHA256 2fa1dec7f0750bb2aee7704df538daeb402f78d7a35aeb4948e23c77e6e234ed
SHA512 2bbc43fd08bf4e10f0a6446521858f8e9b2032a7c4e3920e7a8d45a7cb45beb146bf57a12aa7f111c96277c3a7391e3d85960e6ff0cf2936f32569c011581138

C:\Users\Admin\AppData\Local\Temp\nOsEwQYI.bat

MD5 5c16a5ce4b1c456bd610140fcb82ee10
SHA1 2aa6a68e6884e53119b7ac237e1ccfbef4919129
SHA256 432926d1a31905456ac71c268024b03b58563a15370e8ce6732a39146efddce6
SHA512 069261bb8e070b84bdaae0be5fbe5b4e61ec39f33796a39ed26dd4b7e6f7a200a83fa4c466a44ced1293457e7c84812f7cd246b57a6180623f9ab3a5ac6c8f16

C:\Users\Admin\AppData\Local\Temp\mkEkwkME.bat

MD5 a028f038aee5f385a1bd23b4e8715e5f
SHA1 34c1bdabdfaefcb25d1c7c4132b70ba1564a0871
SHA256 e40bdeae86d213f25caddcc736eeaec622acc9ad3d630a594182251fbb9d12da
SHA512 e9398a71e542440e1a0bbd922835e87b1cbb9838ed21f498793340574b68866ba4975139aa820345220dd91d14a9ca487da84f5d6b16d2570b9bab39dc4de698

C:\Users\Admin\AppData\Local\Temp\weEsUcII.bat

MD5 d805756feeec4f57155afd65dd809680
SHA1 154bd68ab2fda46c1d281c90626e5e2d256e85f3
SHA256 1376b240c9493656fe693e77b9cc4ead25fcfc4c428c62d5f54d1a8e74bc8693
SHA512 af9194db01a9d4de0f0b1a44f643b826e70ab8015792ce7760568ef7d0c5679fc69fa1a2cd153e62f201c3f1fadb053124aed7ff0082e61336bc1bacbc29738a

C:\Users\Admin\AppData\Local\Temp\Qiscococ.bat

MD5 666111c171cbb9795e3adec6bdc24a32
SHA1 1225ff3dad47864870325492386f36e5b64c2a94
SHA256 6502259fae9103e2fdae67f32b32ea4a7caf7f9df35468afc4f590126a19fab9
SHA512 71595d8ba23f77a2fa4f82541a686d894d707b5c507897d7a2d2c77ac8cbbce3c97cd111e75d1b70a05bbc736134d11522b910e9ae2d90880c8388c65341feee

C:\Users\Admin\AppData\Local\Temp\aWooggcY.bat

MD5 1a4c75822d96c75018572f554055044f
SHA1 0cf0353d3331821d663636c7639349fecafd632d
SHA256 e908efbf3220745db84156a09c06cf2b922675763be1e4664d7b070264028162
SHA512 cff029d5c56147232a4b00c3384fbb11db6a1af314af17bf20a795a80eb561042a2eee1945263514af25c0692857de99256fbda2ea0c304fc6c242fd7d8f5ec8

C:\Users\Admin\AppData\Local\Temp\OOoccwEs.bat

MD5 6cef1f286271923d4e4852e87514d11a
SHA1 271559b3182533480e5cb79005f9b5c80b20b332
SHA256 010f6ca01e3c1be499fb8ee6dcf04116501f8caf3c6b6cca3e7e877204d4cb72
SHA512 0e37f7104fa0d189323beb6a488ec16f5238b8ddfdf2380d78a0d28e5b842e735d1c59986037384ef14d0fdf2409530406bff150a9bebda3fe079cbca3f54d0d

C:\Users\Admin\AppData\Local\Temp\QuYwwYoo.bat

MD5 399398bf79801cd2199f932e416c1d43
SHA1 4fcf7098e7af772f121c64475b3bf396702ead60
SHA256 404e7d949e516f79e2a18a22c258ad3b63a0a90ed6c3c39229bda40a84817a13
SHA512 ef152b9501bed48d312aecd842e996fd669e64323649b26b905883ecd836e9e4f1e34bf1cb4b0537cbf824262b3c82c326a07a131693b0ad68e2f575fb85449d

C:\Users\Admin\AppData\Local\Temp\FQAIQYIg.bat

MD5 076ecb7dbf375f4233585c1eb1a840ef
SHA1 378f0e696ae99fefa462f496d0d28370969d6e09
SHA256 93540c99e551a0e28f7fee4ca6be8b7396f5168a118bdd87ca1d974254cd77af
SHA512 fdb7dcaa98aea85d7f415bec3bb0f27397352302cc831b23760aaa2cda7e572380b97438b8bcdb5c55aac883fce25d22b6032df82ba5a67787f94eacf6d769e7

C:\Users\Admin\AppData\Local\Temp\lMAUEIME.bat

MD5 de201ea54df61f208ebf55c983df2824
SHA1 46dd0ac0071f447a0276e6c6d42bb05507bbdea8
SHA256 270a942623349771ca2ac67948b386aa5c284b16a49412f90e98f1c5659dbc34
SHA512 22adae4afc6f60be1057eebfa228c4952706622011e9656333d36ce46f92062e72ade6ad997b5923ca057d411d52857a26a35c6b8bbdf134c9b6a737ef24cc80

C:\Users\Admin\AppData\Local\Temp\BIIMEUcU.bat

MD5 35f56ea43c9452641a42e4bcb6825a7a
SHA1 1fd3d8eda39112104adc23c7ee4f00ed256b3144
SHA256 10992dcdffd4f49bfeacb8867bc34c9ce316663474d4c3028ca71a4bbc7a2b2b
SHA512 724b7d17a6da439cf5942a6c50c4a98cb526e61d4a0b055cf238ce34eedef2502fc85cdf759552411f8cde1e759e89c596dc69b8fd0aadfd42427fb724a9fe40

C:\Users\Admin\AppData\Local\Temp\lsMUgoMg.bat

MD5 47804439a3e1094baab9a133c93c046b
SHA1 6b305ed9ed059a16f5d1f82fe36e3213b1cac5ad
SHA256 311204954b4c2621025e531e7f55247e903371446b81a72d8472ae519e0e251e
SHA512 4c34b66c002f2d83b85a3266432a344bf47fecbb44fdbb73c13b526fd9e57c62752c22ff90221134e351b27717bdeea7fe2faf4dff05d842f03f5db9d46a370b

C:\Users\Admin\AppData\Local\Temp\tGEQcEss.bat

MD5 fea9472a54f8cd9bc7ee5e696d5c2f5f
SHA1 03e82d5d633e217f7f2d4126081fc60d1e70d3fc
SHA256 c9f077a8cfff945ae87de5ee78f131b3e8966b38dd92e81c6c36a5c2795732f2
SHA512 d4126a4de26f8a9f43df2e609efc745b86eed22e4ce89385dfa1c845c3f38c9238d00a1f49662a1390eb00a3074a0da510480a527c7ef54c8138f7a334946805

C:\Users\Admin\AppData\Local\Temp\TooYUMYk.bat

MD5 b825f5f5e10a6ea88e751994488fbddf
SHA1 5be28c34e73ece7a277f34b62d9370e89839edaf
SHA256 a20f9dbd1084556162d712204e2385a26ed8cd1d54dd7e9bb3431da79a75c8fb
SHA512 2ebef5eb32fc67c1feafcd8783f81ec610d37f7260ab5d73420c951a699f182b6cc3ff91ada7d7866cc4bb35d60778a1811364479dc807845974827577170b6c

C:\Users\Admin\AppData\Local\Temp\WSQUMQAc.bat

MD5 9df37d3c4055fd0c2952b459446666ee
SHA1 03e945dcf7784bb911ccb63f0f7690761c4ed36a
SHA256 0efc1f1bf8a659f3fd99cc82f066f1d665dcce9234279605dc4c3aecdba3efcf
SHA512 b9b5277dd6b0edb6836f01eb9f7cf1007ecee0c4450c8c3d8ea60ffc4313c7f4f7ca05269073c8a3a8109a3fa6b31650a72ebb17a17d63b49aa59bd0cf3e3626

C:\Users\Admin\AppData\Local\Temp\cOIMQsUg.bat

MD5 cd626d3c873ed29241e8ec073adcf899
SHA1 f1a8c7bc8f15b0a00dbbd5b80f46af588beb27d9
SHA256 40608f52ac4dcbd8b41757a1405cef73046b4e59077e9671e8fb46e90af60b21
SHA512 7ca3491c6cb8d427ed96edb331d9add530f67e372535fc62c0b50d632c523d37d7bcf3a9c6973e425698cfaa819dae7a2545ca6d0ddacd73d91380414cce724e

C:\Users\Admin\AppData\Local\Temp\GOIAUwUI.bat

MD5 78e3d055d9b60fa2d19efd0c86de6bf5
SHA1 d591e1ba59d74dd6f6cead2725b544b53c5375f6
SHA256 2a8beff32b5720d3e0f2133bdcc1ddff3a5cabea6e6d8980a427dd812d0cdc4d
SHA512 dd229e46d00c3755109d8a0dd788598e369015e61066439697e3620240511c60796f00cd83d9162eaf0fda4b9305309b2ac0e7642fbff455ee31c4d6b61ce09a

C:\Users\Admin\AppData\Local\Temp\DiwgowIU.bat

MD5 5619f772544332c285b52b082646759f
SHA1 ae94fcacc8bacabdeb840218efab53b56fd069d0
SHA256 50a8770927f83991aae51f215ff3e9bf62fbc71cd9c3b264b37b4d79a7343401
SHA512 62301f21ea43919b279867f52140c104f826619b8b096035a3d3e0ff5ac5fe1cb4c38e9ee6249199e8f5901de6956dbcda5a636ecbce37a17575b466dc7c88be

C:\Users\Admin\AppData\Local\Temp\LowMsIws.bat

MD5 46e29dc0fd196772c85fbef1590e0d5e
SHA1 048e6e4ae58c83ba436e0a2cb3dd8df0c75cb3ed
SHA256 5329582d613439a189a77b293883bde4c1e2154f012782340580690974f736a4
SHA512 9a5ac40e116a014f7f1b8d1b06fdcbbc27c8c12e01b3b9209a323f28a7c5481f4ed318418c49f11b7af02d824a55140f4a66456ea68457dc87ff510e232cecfe

C:\Users\Admin\AppData\Local\Temp\rcwUUEQU.bat

MD5 9fc0123990598c4eb632d5071386d931
SHA1 ce478bb620dd2f16828af5a0b0d17163415f1a9e
SHA256 1d5bc31177554b50327815a584f9515f7c2377ca0459c976fd01a87cc7aab538
SHA512 e95ae50d2f845aded4826fffed823a845328b39dd6d58655467aa2d824c8a8b258f7a5be0d7cebf4305cd648467f2d7f80214bc834041f1889debbcd5e2e0ec1

C:\Users\Admin\AppData\Local\Temp\HKQUggkE.bat

MD5 2b986aa7ef5019005cab95268d303722
SHA1 7925bf0732bc109bfceb946bae6e135d008124e9
SHA256 d590ecec83eee9fe7f70a6879e66bb4b95c3af43a2636df3f2c6ed719216b660
SHA512 201b4e7933460e0f9ad6dcc300ef5e5a1dd83480d16cd3ffa81d4f6811f09f7a469174afd9a8f78f94a9044dd6aa973afe3ac9b44e57dadede8682221809a84a

C:\Users\Admin\AppData\Local\Temp\EUkIIIIk.bat

MD5 08434a83dd35f253d476ad933a77265a
SHA1 38eb4d57ca8f602d452c743fd226058cd9fb5953
SHA256 94d54cb48451e86906826f73f4204c16b3ad40219737995349ffb45be0fc842e
SHA512 eda5d8aa1c32e10e9512f019f9fd06d59d924f0ce2cc0b0780b982bdce59b9b86a5a1bd4c17ae019c061a4d74bed6405b83456eec8a57d80c06634023465b95b

C:\Users\Admin\AppData\Local\Temp\MMMS.exe

MD5 9741b74cd40d47475550d1db84f23b22
SHA1 732fe40aa528d32666843eb2a9794ef637156c24
SHA256 b54ede4539c81e555e9bd71329cf2121e10daeeb306d89cdb93a14999729cf7c
SHA512 144cddda4b7a1d9fc779216d1fdb3fe3e9fef964ecac44da609f49bcb2a3bd9480d02d39954191c235e4905df3cbc2643a08c711dab5d206ae98d29030a57ce5

C:\Users\Admin\AppData\Local\Temp\gOcEwkQk.bat

MD5 9111b3e048986b78de195623e42a072b
SHA1 7a138cf9a1d9f231e5d53203db8eb961f9955508
SHA256 23e6be7163b8ebd1f8e46e145785578b4f8532d31e6c67c9f9a58fafd955b20f
SHA512 ca3243f99a9c0c5cc9b05a84a0b3beec11f588a547926f0e0a02f7a7ea1935a650a6fa2b989348568fa5808631d765e5583dff519893dd2f94349d4fbc9beee4

C:\Users\Admin\AppData\Local\Temp\gowe.exe

MD5 a8d258f9c9c71e749381363501f9d053
SHA1 6e4834b996dfc750328e09d515a4a3a8811eaeb6
SHA256 19fce8bda557828bdc73ad2d659a387ce0e3a92200bd1b3094e780d4d99360d3
SHA512 829bf17a238a5536440e5a58273fc2a667c0c6db9320bc7b18060cc2f4405bc915a8b650b9d8ec72c860e4c9a48d7c4b6ec560947c0726a0378cde94ee1ed191

C:\Users\Admin\AppData\Local\Temp\Oggo.exe

MD5 9c57ce235af0ff86bd1ee6f6bb6be8ac
SHA1 bb08d5395c0ffa2750a017aa8fb7ed7257acca86
SHA256 08096ac0e4a4ac0ccefe465670d2315ab0f7c0bc04b0da9aea1b22c110a3f8ce
SHA512 605701d41f249d320a610ebbbc9db3ed6eb4fd10411d67c9ecdf9c787ebf8b87bdcb96eeaf00e4406ca0f220355abc875e53dd8b4072437c4680ba5cb92d8070

C:\Users\Admin\AppData\Local\Temp\kAYYkocg.bat

MD5 f311aeb377c75b98fe24d9b4ca72f5f8
SHA1 b9fadcd5d045981d942a0128bfef2e73c2e2a690
SHA256 a5ef954890b8c404bf8f2e4c13cbbf184f166657d8edfd157899becf737f08bb
SHA512 4ac5e4bd22cf20075cdd329aeaf2178549b5f37293d74b0fe1d8ffb3e5047315ea911310f809ef7af2336d3a1c5fa39a4db69d3f45680866fcd7b923be60241c

C:\Users\Admin\AppData\Local\Temp\sEoe.exe

MD5 732b0783f23e949617690afde96374d5
SHA1 0d4fdad1624014523627b1e722aa791ac864787f
SHA256 14d66034f3750ccd27b86967e2b938b117215ba999123eea971a486ea5fa8811
SHA512 611472e3831f2e432eb4f1f8ec3bcf3f958e780e203c5bf5e3e0d97e9eb556f8fab8aa9b7a0d89758a38bbfc5279c6a7419c502763b0159f8b574587170da1b6

C:\Users\Admin\AppData\Local\Temp\MYQY.exe

MD5 5671a788708f5cf35ba32cb0d83a456c
SHA1 f3ff60a178195b0747586888e4cad9ca2daa27b3
SHA256 e18f772596cc63313a496fe30d7cb81eee804138e2201bc3e4f7e7a73fd6c29a
SHA512 d15cdab211da9da307b05588a9f13c23e66b0d80c17ae784ba1aeb1d83b47919be8774a97ef89002e456b1cb9760365c780a3714c0c93a4ceb83bce7949fc423

C:\Users\Admin\AppData\Local\Temp\QIcE.exe

MD5 ff2461d7774861eee4921c09f2cfb9b2
SHA1 dee8389de9b0b78d8a056f8ebe680e9c07b725bb
SHA256 2f75803beb825b87329d05acbadfc61aab517a438cc1f32f162b43081dab382a
SHA512 3edbe65365c005ee3c1fc5f360b17a9a630ab1d248ca3572061885bd4affe28246052fa879bf022be239d492c53c898a47abd68e720dfc7437da5acaefc941ba

C:\Users\Admin\AppData\Local\Temp\csgsoAko.bat

MD5 9b20e7d621ffa4efef5def9e49ec5fbc
SHA1 6d388ffe07ccc4d5fc4964e28d2b4eb7ec967ae6
SHA256 33af3bea4fb4021f1488f418c3e91543d2b42a890a36eb5c8e131af318b1d1c6
SHA512 cfa54fc9d100414c530aaa6c9cbe3aa22c3050a8768e68b8bf8741ad2b06972930274bf546c999c86aae5a15a050d96e0daba94b7cccfefbcff6b779dbfcaa57

C:\Users\Admin\AppData\Local\Temp\WMcG.exe

MD5 b5173ee33f62ddf9effd072921372aad
SHA1 d0a23e05f97550d615ae49d6ef4868cada0da013
SHA256 7915124a682c2a3e366e30d8721c6cbb75c064d80e47abac0b99e0c201cff832
SHA512 a3c2ba1ecc10196010f4e773ad96044db8fe8dc981419f0494837dbb0380176fe930cb3b859e379cb269187983a82c6488c71e38205c0e37120bcb836fec8685

C:\Users\Admin\AppData\Local\Temp\fYggoEkI.bat

MD5 97af462297fac9ae1388ad382ffb660c
SHA1 ab8a83a6a7d6583dfafbc88b4f33068ae9c3755b
SHA256 6a232f5466e6c8ac3c0e6f85dba96655d6b3746e8ad19d938f1aa98893f3d181
SHA512 0c454d13eb5528b0b15dc10caabc299d56d031be6134df9890c723366151341301b9216297054090f0d2b752994df710603874929a4d628e5c85ab74cdbb9ec8

C:\Users\Admin\AppData\Local\Temp\beMsIYkU.bat

MD5 389da6a644cfbb2a91c5d2c450be69ed
SHA1 d360595bd5066e348203af75485b7b0be20c7782
SHA256 c98f48dd7903f313439df95aee05a6a6a868127102b3b011e9723b0573ddc1fb
SHA512 84229ddc55d53da3718b55c6e74a6fd98fd79e181e77f33f0a651583949b2e52dd2754c03f49df88a2a4b54385d9e432c8087745e958b7ebb8125becd3156195

C:\Users\Admin\AppData\Local\Temp\DckMYUkE.bat

MD5 945e91e2ca5554ee41f81f08dc6de4a4
SHA1 771e7ce5ec1f2b826baa81eb8e00e4567f63b33c
SHA256 77afc6f5b947db0f3f6bde72e27f64f885fdda144b9a9048869981bde9b373d0
SHA512 c52e9241bf6344b842b462446e08b0a98235c8e7eee91617a57270102386def45060be4174b9948fa26c9ad1da370625b1e422136d78981b9ddfcb803279ab8a

C:\Users\Admin\AppData\Local\Temp\lUMYEoYs.bat

MD5 95188c862c84aa2e79c40046b59a1274
SHA1 bec9ae39826dda6303608f8d526423660fe67dd8
SHA256 f39f0a384934954544f3da737a73caac160b88a7299a5720e22696ad24111dc1
SHA512 ef4169b74f7979ebf2a8f66a1332fa2cf6623f80c0effbd41e9c35ca9147376d4052684df73f00dcf88112a25e6fffcc7ba582b9e75f069dd624d575df2429e0

C:\Users\Admin\AppData\Local\Temp\cUUI.exe

MD5 b1a3567b621a02cd7cb36bfdf31754d4
SHA1 20b56d6e90a73a7f7d6567ab058781fa77260d9c
SHA256 073ea46ef0f74742da6250a1896a1fbf98dbc450f0a84364579f69fd8334a6ff
SHA512 f9b4297f4f9e58ba61f661fe772a8cb46e99700300ca28dc909ac533ef8ebaea6bb7d3d34dfbab5f8bcd65ab590009423a527ab14f29e78b657d179b1f8910f8

C:\Users\Admin\AppData\Local\Temp\msoa.exe

MD5 2abd5071d6f2eddf544140e8c7e4467c
SHA1 2998626d6cbf5d7d42dcaed46e76e36a1515e894
SHA256 4db45072aad12058f9233f5369dd3576a5ba6a6ed06b604671169a30eed86ce4
SHA512 51b16cd4873ce2e09e8ab22fd49079b3af13a83d54085beb715977c7c44d4af99bf4297e610083504cb2c05fdf45f7316429253062fece4280aeaafc81cce3c4

C:\Users\Admin\AppData\Local\Temp\HIMoQwQw.bat

MD5 3535de303c6883541b203ec6f729f62d
SHA1 4cbf7f93a5a5dd40a47e45c63c0b0e52531eacad
SHA256 bffb86a23f07b586398ca556c20176b8e100dc1eea59503d9effbaea8302e776
SHA512 56f07b9c458a35f05b7d84c1d05db9cedd3d66c1ae8deba4b6be0f230dd44951007a643bf890327bba952b1c374f8fa46ed7279ac9660a5693b3e58bb679a225

C:\Users\Admin\AppData\Local\Temp\YMQm.exe

MD5 6359b00346528325ee6351cf2937435e
SHA1 bf7ba1bda4d6e3cc89423f409a045c65262db151
SHA256 da42fc36290374d266bbb31aff0cf798eb14ef61139c447ddf2ff9d9c6237f94
SHA512 1c7ac4be9a6fc8c332089398940cbe11fe1e603a824f753c3660b795fe8873e5c8bbbc927bca58c93ddb9341641535e469baf008bed301f15144d1f02025385b

C:\Users\Admin\AppData\Local\Temp\oIEY.exe

MD5 d7f17d26d4e74dcde68ed50c1273350e
SHA1 b5c4df4f4f0817187dd631ab94cb51ed65c180e3
SHA256 6e9d119dd8c83787b3a067590026dcb95cd2d2f4e3a2db5ded16e6305b621fac
SHA512 ec7900df716f3cadfb7c29e3b04f9ac71669f48cc625397368b6f733001a3f9830d4d30c042cdf2a98c68af1bee41169d4757c6b9e4a3d8086958a6185d812b0

C:\Users\Admin\AppData\Local\Temp\gQcMgEog.bat

MD5 cbec945d38c4ffe51e6b56fc136ff5f6
SHA1 79e2b762ff335f1c9ded3501b9dbe46d1b5d3990
SHA256 4ac7ebac2a4b2376ad1b1561b1bc2a0ce3fd568b3237cc7a1a6b9fc3d4fd530a
SHA512 cf83ff79040cfce17733c1924b5b0c90fe37ffbe584598cc0819861fd2e09c189857584589d2b3b7831350992ee9cf32019745aed93d54e979adeba39a108a93

memory/2280-3160-0x0000000077700000-0x000000007781F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oOcsEAQw.bat

MD5 eaff2f27ffdd02ef59d55878aea7aa80
SHA1 aa24f6fe873e0b8a94ad70e4f60996c645a78678
SHA256 c9f484a30b520cee19bf7f64b3e5e0956ab4846bd5fabd59cdf05d533bb7bfd4
SHA512 e504a54deaad9cd4ee65dd75da72cf507657956897199139788d0d3b715b36e266faa8e7289ebe7c7f805213016bab28ae016ce230bd0cc27f8a8d2eec1568e9

C:\Users\Admin\AppData\Local\Temp\eksQ.exe

MD5 4f378128b2a4a55c33f789b741f71b4a
SHA1 6b45eb26a5e23ede317439731c1b89da02d04ff9
SHA256 db471c3a133d55ab079e03a358cbf060a65714ba8d6eb671d968af894ef1c827
SHA512 dd73207048b21ed11e69158caf2ad7bba8c712d63e18dc78e81683ab33c656c48d784a7d8e0627b2789cd4affe7bacacf2b3b3ce37e5a8c8625c22f922c7e177

C:\Users\Admin\AppData\Local\Temp\mwYO.exe

MD5 24483eebe8ba425d433a8fc19767ecfc
SHA1 f02053f87a50d4f7a25881eda4f9545646a50b4f
SHA256 cd1614761d35436d375d0a1e4d66e3c4d0c1cacfea2f3f8baf0dc1758371356d
SHA512 cb6a259177714c1cc27f83ce17a81afeb09749da7253a73c733c2b03cadea5b81cc648f628d58dea38828cbc189e98182262ba3be4ee86571400d83e3cbf8f40

C:\Users\Admin\AppData\Local\Temp\AKoAYgkI.bat

MD5 6b860c66e8c31b0d12acf0cf5f69115e
SHA1 c8f595d24d25e8418c06467533b31794d922206f
SHA256 22b85a14b44bbd1292e742449810f95c74457992f46fdf5a7b86576f6b154c53
SHA512 26418cd0fb98f3aa607151bc5c03882de9b73bd8edc6285227dc8b309244746afa9a8c88c3d2363674b6b8fdf54172748f0f2c39fb22434c4b728800f36c789c

C:\Users\Admin\AppData\Local\Temp\uwUq.exe

MD5 ec8cc6151416723ca27f3c8669ea4231
SHA1 a3c74dbbf646bf6501e67dd409da52f26d053eb4
SHA256 952c6e2b9b78e5dc421c0925e29e697574c6042fd3c183195d563882120fc6f0
SHA512 6bfc833bfbaf0fd11259f8c75ad288c949632c8e424569989f08999173eed86474f85d8850df5cf71cddacf3a4e19fdca5ddf04fed466246c59664ec9cd406bb

C:\Users\Admin\AppData\Local\Temp\WgEwUwQo.bat

MD5 410891afd81bb9604d58e2fa5e338a91
SHA1 f4bcf0b8cae798f7e846b8d11e8de24156683004
SHA256 cc6c7b74705bb96eb93a55521790b8a1c54954bcb37a0fb6a69c0f4e32797eec
SHA512 7114d31b58a9b7b54e4e2ca45ce6206af749292ce185912ad67d59e7d5cd9e9e8fb8cbd87f4eea7d248149e3dccbee0ff4697bac875a610c254422fc984af364

C:\Users\Admin\AppData\Local\Temp\ygMu.exe

MD5 ff2499ede227b06d07164709c64baf64
SHA1 a4304aff124e5d4ad902c59c5f1e9c43674cd65d
SHA256 fc9ce5c23113806bed997b847817982a2b121549f82f97e933171f6ac17817e6
SHA512 b390cc763234117ff5aa523e0a3ea7b92c9e2a8518a80346908d4a6fb7809f164f58145a383696e7544aef91cbadee5083d94977af76a654fede09f6b16f87a7

C:\Users\Admin\AppData\Local\Temp\CUwA.exe

MD5 6ed857f060622874e0aeb6d3586f7dbb
SHA1 1120e62393df04f1103f9631d9ff391592f35065
SHA256 1f9e757c6a188afc66c13734b2ef464a0a47bfc7b8daf294bdc819d168b9e4a5
SHA512 219b4f165d7ef933367933e48227294c9171d6f928b7e853c2901b664db986b6bf70682ca16a771f1cd07b3f2c091e8fa563195f0923db0fcd0a4e67a24061cf

C:\Users\Admin\AppData\Local\Temp\Ecka.exe

MD5 56a3f257da89de368f55f9b790ebc038
SHA1 f7a54327d097b6b3b50ca4a003eb17a7e285dadf
SHA256 bcc61a276bb2f97a5073b80e8c0f2f2799bd26f47dd74263ac0b2860ca7e29b1
SHA512 4f34e4d0b15bbc4223fa183f35bd21d623b42abdc3423cc0174e2a506b43885360654943b0cda9e71107b349518a7f029fc45b6307b4cb472e4df2b59b97ba0d

C:\Users\Admin\AppData\Local\Temp\quQAAQwc.bat

MD5 53facb99fa730cf16e3d55a3fde90cae
SHA1 869cec17d3f7152bb651d6983cc9f964634de11c
SHA256 81cea0e05b78f768f9b07f41135206b799bbe22d02e199c9c02499eb1d18e56a
SHA512 bf3b95421ad59b7adcafeee8bd82b0ef1b05125a36d6c3c94da23b404892c962e4fd4ad5a698cee0fcddf9def9a124b0dbd6130f558839aae745f150bd1cd786

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

MD5 bdb1fae2ad86ee2ce311b578dc472f57
SHA1 06c42ea239711bc79d710a1ab7bf4af9037a14dd
SHA256 491f062461b90d2dee936b244dfe041b4955985c50b542bce222156ada6aa9b2
SHA512 d9a793d1374b690f40595332dac77b48b0bf2e44caa67db3385913fe266286cf0be3c0c0334793ac1e18891cd631799b5e1a30acc0ee266e85f05f4335b18988

C:\Users\Admin\AppData\Local\Temp\SsYy.exe

MD5 c15d36f8961edb7157f18f56671b7a27
SHA1 b4f2f64bb952a2df2b839bc1eb2414a6cf0aa3d3
SHA256 19dbbd97d3b66248f96c71ba304a4a8de1789333c7c1d46f5080c856543331c2
SHA512 e25b735aeb83787a3dd6d724d8b3411850cea750de7ed43ff694faa19442177c5e89c1775c0cb845e7a0e7a789b250d18e30f201554f88cb79f599dac27a31c0

C:\Users\Admin\AppData\Local\Temp\XEgEcgow.bat

MD5 0db8ba1efb6e2573c7fd5d9d591b2d9a
SHA1 823d5656ce50ea7a58dd34f8e76236802e00cc63
SHA256 e1f8518bfc73a61155b6aab2c19a7cc9eb383c1ee127974bcac3d0a930721305
SHA512 afb13deae619a2cde10f2f154c71ac4bc78f2a0fc68678d658208a2a63b7d5e4a1bea3ade5d8a465e1e1e258b1b7b98bc2c055ba42ca517bfde596a5fee522bc

C:\Users\Admin\AppData\Local\Temp\Agcm.exe

MD5 b1e9c29dea658be30cb0a5c848049bbe
SHA1 0fe547bd259474ad48034003e51237f848dc2007
SHA256 6df090f777279677d6b4d6559e6918a6a28ecdcbb31344c24cea7f64b24157ab
SHA512 d7b5fb31551cdff782cc7d384249a57c265f531283569c32ac699421d272bf935106c4ffd8ce12ec5c2586629355a9199283594c903d3cd715bc6f6b24d2944c

C:\Users\Admin\AppData\Local\Temp\oAcY.exe

MD5 5982b18f9f53e696638afa011401a0c9
SHA1 72df3a2d4fa3fdff14eeb6e632f649430382b106
SHA256 4689232f51d2d7d54a374ba4d0376254e5ad057ddd3578735e62ca11c209a2c1
SHA512 8c38121ef4afcf75fa49401b12bfd7211d768dfa1ade8f9cc9992ff4ba096b9835591ebc8007475526ec2f974703ded151c5b1b02ebab0e496067269884119b0

C:\Users\Admin\AppData\Local\Temp\LCsowwUo.bat

MD5 560ff313edc587110e096e95b9667a7b
SHA1 27711365cb700e4160109651a7ff7b7a9b42e43b
SHA256 d0fc9fe10b064cba4abb9ca2cd9cd349c802b30101d3f8daac008a06789fc0de
SHA512 a8d196909b16c2179be5c69634bc1681391227d8dd23499b1c25e533b31c754c0cc0e632ad2dd0ef083264048ac856bb4e70d25ccfd10e40883ef733c4a793f5

C:\Users\Admin\AppData\Local\Temp\KgsK.exe

MD5 d96d713be376da044c6784a877e093e5
SHA1 b01f2b28f9dfe81f825c427bea0cd4ad7996e56e
SHA256 94f8f6fe9ae53aac04215d18cf50f0456768ed99121ff8afece2f65f296d7e95
SHA512 10039647ff902e76395e90484c449eaf20187a097704126e281ce6797c7bb14e8779d08a484b1ce54bae34c677281fc7c7adb6bbfaf963a6e392606615f23c87

C:\Users\Admin\AppData\Local\Temp\MQgK.exe

MD5 98e9c24d533ec9190ebc77e349e5894a
SHA1 56d8878d88f690ae9d5c3cf85a4ee148a666fe1e
SHA256 f6bb456aaa74fa0f7123dee935dbd3dde548933276c56d5a73d087b0024c9acb
SHA512 7c3e637b57bc153f828a45165d67e4f9bae6bbf61da84d184889f4171985e8d49fc27137cb9c7d36174ebca48c518a5f3be9c1e9a692afdd28e663158c80ae29

C:\Users\Admin\AppData\Local\Temp\hoMkUcgY.bat

MD5 166bb28c5b28d1ee6df1110172237d41
SHA1 4f8988b05e6a775fc559cfd40e5ef55d79188be5
SHA256 cd80c26a8e1b6c73ab5929166f19a5b2161890fcaf2efc6eb950df7bcacbab68
SHA512 14459bee6be62d4ace7ed9cdf2cf66b35f3bc38441ebf99fab1c3a6322c757199f834b86e317eafe325d3953431e9768adc9ca8665a7850ca3b256a32460d20c

C:\Users\Admin\AppData\Local\Temp\ygUY.exe

MD5 d80495684f7a93c855c4f3bac5b7b6cd
SHA1 5e3f9042383950f313b4d7b5476dd10eff087725
SHA256 788af2f0c68d56915100a21d6117edde71650480f10cb8095c745014adc8d93c
SHA512 27b39196ac7a084c65aa16acbdfef3728a35b6b76a1963461786d7c9247399a8b863bcb107330cef48151aac550c387f9509930af5b296ee10cfce656ffec32e

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 9d88f3fb395042a9e39955a6a612e9f9
SHA1 51fa33f24f3f620497b02a05f6e816e07d783fea
SHA256 6bc7f99172606843bf8d2c27f632e84c4afe2bb5b9f7495b51c6b1d82b14a19a
SHA512 f0faf7e2df1ab4e1ed5abf35a1b4ba702f04a9e870b8e62f692139fd1a4999dfbe6b77e8c370fae534d650e147493bc5d293ac9d44c5fbe284e5f6bef76dd2db

C:\Users\Admin\AppData\Local\Temp\OoMM.exe

MD5 360b80131824b1f235790017b1796b35
SHA1 53d3d7b88e0fcf160e4a55a89119d40d4329a9b1
SHA256 09ab2bddd1cfaa7aa594b62091d28972362e6baf2ef89044b6ed78b0acfd3425
SHA512 6489d1571e1602843a6c7c0be18b0f6e7ad4dc34476f8768e76d3f8ac0ef0c89edde14c07d3acd8db5ebabff907aa259e1d6c5492e93b0bf02ef2009af6cb4fd

C:\Users\Admin\AppData\Local\Temp\acoE.exe

MD5 65b8d3caa2aae88d810fd912a686bf0f
SHA1 cec48449f417fc9fd4f71fba152cdfad24232d63
SHA256 35e91b0695e00faafe05c03e130d0246e0083b1d59b09847e87b686d30d8ef8a
SHA512 1f538b2e31938f2f87b8c854aa7437e26e0887b3c7612693b3983900b350d95b39f5d5990ecfffab07e7d37202aff865bf4cda00c03ad3b0f573bab66556c60a

C:\Users\Admin\AppData\Local\Temp\tMAsIksY.bat

MD5 b26dc0a5ba536d2cf2c4253f17081f50
SHA1 eda190855f2ec1dbd816d90e32ae73c11adde344
SHA256 cb9e5cb3e24680e58a15cf9a4ff994baa79bfd93fe49d7b0454aaa2c19d4ef26
SHA512 c2cee2f31cb7a87a75d804c1e243f592fef7ffd412ce7b1c5a98f0a421ba1ce6c7af76eb215cad0fa4bb26f54dda1167e31e431bd62b79a88af432e2f5eaa7ab

C:\Users\Admin\AppData\Local\Temp\Gwcc.exe

MD5 b6fd2b0a4b88e6b930fe4ceeac32bd05
SHA1 037c71b8cd1f362fa2608e3860eb5dfda661f20c
SHA256 223f1b4714a6cd2b19bbfac15e39a2794d9cfd1cf5e11f32306851298b6580fc
SHA512 9d43b42a3fa6cb2185025ae2fa030c705d6ffbe437cb7240606a7ae79440c5f7e3af92357b573488ed94407317468bb09364b10ad133144ffeee750b8a0a0280

C:\Users\Admin\AppData\Local\Temp\kgMg.exe

MD5 96aab7118e6f65428f794c72c641e2d8
SHA1 3c082a5f23496d738d74cfb5978da57ca586f9e7
SHA256 cd491b8e8f93d509b01ff5a6ffae59d377842247eb85ae03f96793fe408b3f63
SHA512 eb6d7db224c9337fc64061e94fac95925eb1a5b7e4e908a7700bf99037f6d5e29d64390d9ba06dc8b6431dbb28e5733b7783ef3269f2c8bc13f60a0b83f9ac15

C:\Users\Admin\AppData\Local\Temp\YUcM.exe

MD5 cb0a228e7bbd6bd3ee37b6f9ce56b24f
SHA1 f420cda7545ae6ec2979712da0af9adbd7b0fcdd
SHA256 816780a6ec5b54c4166b952d8b10127e44a3c57c31fc51384fcf7e9da7a09a93
SHA512 4531424b7b708991ade7e93f29d7ef382a756fb511f06d17d02ef6614661305f801a7a8a0e6c0bfd7a642ab5013926840f3bd4a47cd97ea6013dfb1880d1ebe6

C:\Users\Admin\AppData\Local\Temp\emsYkcYI.bat

MD5 5ad9a4251bee4c4c28165b06c12aff39
SHA1 acc194c2c659f92a2905bcdb91041cb9e71df03f
SHA256 57ee87c808a3464dda8f1550328a30730dc26e9e4b0db59304d26dfc30d38d70
SHA512 6548c9a8527806735d9cdfc1645a74deb33f17a82911a2812d872a4908d3692dcb06ac63b79ecf3b5eccc359823489fed6f3f85f1736fd3c5059055de5fde913

C:\Users\Admin\AppData\Local\Temp\oUEC.exe

MD5 bb69f278ba2db6c63b01df8e886c3d8f
SHA1 ccc89e31e7c6ba1a5ca2726c6befc00ed99e8562
SHA256 45f3c7aeba35526a13ef9401867d1afca4510a32f481a34fd75557963bac9325
SHA512 3da1df77d4f2605178830b5a09e8e7c54fcf299e06e9adc4e0bcdc9da732d11a2f34a2b7b9ae07764a7db250a85242d5582360c9a63d9581dd796dd7dc5b6657

C:\Users\Admin\AppData\Local\Temp\MAUg.exe

MD5 7dea70f010e1c3eb2756990a395582d5
SHA1 548f461ca1a9f4e8aa44397bf8d194fdaf916910
SHA256 99946f8aa7797cd5d3abdd256d6b72863d7fdb00bf0d85783708e0a8aa3ed670
SHA512 d1aedd2428432ff34de4b5e143adec88201823bccd0c25ecd45091652d7071ae4f01929a440cc41760448ee40e3509c3e3ba2b269c0e580913532e0545b83692

C:\Users\Admin\AppData\Local\Temp\GCAgAEEY.bat

MD5 1573f75b0e273238f6c1834c35e3f1ff
SHA1 a226aa80074508698a2c01d037464f1a8537b885
SHA256 5742fa916348a79c46bd7e4a011cf027dc6a95da2950f6832028ac7d427ab6c9
SHA512 51c42a60132d06ec8147f41928552359284133f01ffcf52d46d84d999b42c27c7c40e34ae2b01bdfd9bd44bd4945ad0ae101f09d607973c9dfe2a0dcaf079455

C:\Users\Admin\Desktop\LockDeny.rar.exe

MD5 aada4c4c5c322b0d958f38d86060f76f
SHA1 238146976591f7032e4aee8a6baeba30d2cc5818
SHA256 6a2e670864bf245e80eb23a09510301c45adbc827934ebb49f4a61dbf702a1ff
SHA512 fd664187ba4ffda56322057feb930ca872f7620492fc41f1b0b89517676469cdce5029e29f10050e7d570984717c9d4987ace9ae32817bddcb1e2d11d3abdb38

C:\Users\Admin\AppData\Local\Temp\wAQO.exe

MD5 5166cff28761821d48663554b2227dfc
SHA1 4af7fa55c5653fbb3d9c71966ed6b9016f861ae2
SHA256 9124b9623e84e4a13ef8ba01367ad71071f5459f2f0b73adb31e7743d962e8f9
SHA512 47bb73ac5482bdc1f44e384c75658a0034009f4a279edd2a82f2b895c40d969869aeb187f3879318420c910ef89aafbd11689649e41f40061de93ceccad85963

C:\Users\Admin\AppData\Local\Temp\UOIQQIko.bat

MD5 fc46fa65dc7cc87b1f74a13efc7bf990
SHA1 278c9021deb4530e68c6394ca048117d53cacf33
SHA256 419ffdd441920cfb01120414d5eb9ad800549dd1ca2ff589654159d7e69867d4
SHA512 f309f5429eed192280f7b76c2d36288c8dfc8b42307c6b8e4ccbb97179e205a80cb37081185574068c4cd87c363c77a3da485a49c6bc6c8fe17f3754922ffec2

C:\Users\Admin\AppData\Local\Temp\cYEYckEw.bat

MD5 1bcd971939de50313bbb511abb01982c
SHA1 b1dc1de44902d6e692acc85778d9b255f2d7b071
SHA256 5705dbd7a94a441d29ff3c6d3398516588ec9778bf7e1b101c41b5e57504930e
SHA512 98d862cbcf9a009189c5603ec326f7c52c765712cf6e4a4758e81d09b4ac83d1bcda2001b2a5678d424650f0498033ceb2d133e3c14f935d3d5a988c9a7f265c

C:\Users\Admin\AppData\Local\Temp\KmYEoIko.bat

MD5 7c1c45f6ee94b91490835efeb14188d5
SHA1 6c1099d80712b04637af356bdf80e102c88216b7
SHA256 d61ebefbba42688648598b3f9b918626508a8e46e0acdc1fe5ffa9c045f688c3
SHA512 a91517038cf4d4c3fbfccc9ddc93461798fbebb7681a50df6443ca8f661c0c1d2cae5d279a96dfb76f867827661e4489994035ea3c9fc1ed20fe41a3c795c45c

C:\Users\Admin\AppData\Local\Temp\HcUMoYso.bat

MD5 69156a653c26e141a3ca997fa80d8d41
SHA1 c4fd02c3f16e0f00c6fd145bbb121859b7acc9cf
SHA256 f11f21c04922b4be9365083cf0e070920d859d312f1e183a1eb393b28deee9d1
SHA512 ad133c90007dd98bf3c23a0008f529de5016a5a91eaf141473665c5ab4bcef3c2c7f50ed2a44721702539bc8a3330c8d87d1f9694954cd7126f98af08c304abc

C:\Users\Admin\AppData\Local\Temp\vIskwAAE.bat

MD5 587f6054008002d83de1f7109a017d69
SHA1 12c72ade8d4503e1634ff2982bbd4731631ca14d
SHA256 02767bf3054e5194c6bd6b4268593fe852ade28ea5ab1383c367e5a8b2d14130
SHA512 420c5f21c9f70c55d78dce64f82d25664e7f3cd64617ce38862fb35c02b58a286646e0f3e4696f07a93cac86c508ce1296d9d3afb6882781558fc7d2e0e15e33

C:\Users\Admin\AppData\Local\Temp\HGAoUwIM.bat

MD5 abda01f14dda11194dde64d26984d9a8
SHA1 7657ec5a1988e6b76c5296c3874a311a2d83a49c
SHA256 fc433c9eda935f6d435b466a3185d739284ebf5b5211518cf0551f457bf61590
SHA512 3bb9ef3b6e1088e43fcca72dd2d8ba84dbaf2f18c87081636f2108c3ac2a350ae4754390093511ad04b1d09dc8354a2526d0d0d1c442982ca612e9b997afc445

C:\Users\Admin\AppData\Local\Temp\nyoIMgYw.bat

MD5 f2304d488844e64cc8303a3603d9d3f3
SHA1 8dd6312321dfcae27f6cfe0ac5cabc3d25ded93e
SHA256 c97513e1f3b408b7214bcc8382d4789afa43e0342eb6df7b4a23fcadf7c28cc7
SHA512 295133cd4679b98283daa23311be12e7c322e102da1d95b0421c98b793565d61e71e8b11f780e91e1461e797a1b812672d92dda21308d40f87b21eecf5d1406c

C:\Users\Admin\AppData\Local\Temp\zwYkAEYA.bat

MD5 99f4a260d5395cf7b7910b2a2a506f6d
SHA1 8000b44be5f396ff21eb4c43c51d515283dec61e
SHA256 ebe76d246fa9971df6c6aae69c85cda096ff37fe8165196aa467ac96f279dbd0
SHA512 6f9a44366969a24f5e1b130e2a3994926c7bea54692738ed2340b78a71f010acedda762afbcf360b64006ac88732396707136164f5b99ec5e46fcc762f777a5f

C:\Users\Admin\AppData\Local\Temp\pAMgAwIY.bat

MD5 3bae971a55134534e01900d36a6dffd2
SHA1 8a5a12787880e3bba1d04903a8470adefc3a719a
SHA256 3ac6dca9576c3505f674b1e9b95cd4b9e64f3f1bd2da775d9c3e6f09f1e88aaa
SHA512 dc9abee3e550a102182c363ff4189ae23fdf9e21362103867b3b12b896f261f412233be3768ed4cbe2138cb45f00889887efb055a6ce20dc211983bfff5a5722

C:\Users\Admin\AppData\Local\Temp\FyUowQoY.bat

MD5 f70dfd1a413d9c5b2b1839186d183bfe
SHA1 8e481ab09d3002b2c05cf920aa01feaf3f60ce79
SHA256 9735b3c3a2f3d35045a7f8a035660c3011fc06141bdc2c2492cd5e70b5fcca10
SHA512 cf89682bdc88002747a30277af4e3d53b30b9d6ce732fb53b1157c4a1170f2d0707c59910f2b1da963e5277f302848a20b61071252f65bc8274d4a79c45f479b

C:\Users\Admin\AppData\Local\Temp\mQEMUwAM.bat

MD5 32905b37a65c1f581c274fefdbd09896
SHA1 7383e944daabcdd66aad6987723b11b651f1db3e
SHA256 9843d9a4a516ed1bd72754e7e04e06225b2a5b96c5326634586b4c25c73da483
SHA512 4b25d7f409e6058b6d4266506a40971b96b46cae039346a6879ca43b8ec7d98a83cf5b79ebeee3602630eb3310f18df031647fa5ce6bd9ddb092c28f5d28246f

C:\Users\Admin\AppData\Local\Temp\aoUw.exe

MD5 9397e18bfd99e880bbf3311036964f19
SHA1 01192ccdf70bb048fdca2d28547d75d14633ba08
SHA256 a981e22020059d6cf05ec10d8d27df2712e784b3b9021a6b72b267881cf221e8
SHA512 eee061f851ddbc5ec9038d1352d29fc10701aa475162f5ebd8bc7853b3e75561bb40809afd7100192523e684ea0e2f44ecb60962499a53a3c93d22ee78944f6c

C:\Users\Admin\AppData\Local\Temp\WOYskgMk.bat

MD5 b2599a00da5d512a7f3722ad4b8f3bb1
SHA1 2e01eb754b2dae281bf40fec716c2da6ef134e4b
SHA256 579ad3c66fec92779120a979c6d4dc6814e2a1aa8d248e3e2c6f9829cfff0a90
SHA512 14440916832d6e06bc4442d4ebcdb995cb3f1a285b79aba7220ca5c90bd5cf1deb3c9eedde7d1a8b733a1103320865464b52c251599efec139b5813f1c08fd24

C:\Users\Admin\AppData\Local\Temp\uIgYcssc.bat

MD5 2262d041a9a8321d0be4a6469b3da801
SHA1 c2c16268065fc77668baeaf161e59c958120494b
SHA256 358fe81e9dd3b8a4077d9511fef6f4694451ce50cc0977706ba4d0efc1bb07b2
SHA512 2931c3c3e7d12741fe3c644f50ab1ad4a436a9dfed3bdec7d410103aacb0c2aafd6a07a0543faf59988e806f936f9184ecf07390e9cd56e0214e29b7c6af7c07

C:\Users\Admin\AppData\Local\Temp\mIQs.exe

MD5 c31a7ff256c855627783eba9719bf164
SHA1 7555a8ebdbb95879d67f7de15fb7e18514635a8c
SHA256 219e6be0f2bed61b03b13b62fc7ddb392a708da86de3b04e9a4e8a11f4a55f6c
SHA512 7289f9af9d0f270651012a963bd5d5674e222887651b1ca9a6d1a7673c666148f093d5178ad101ce9887363dc6c8ab45bf1fa25cb36b62600061450af59d2c4f

C:\Users\Admin\AppData\Local\Temp\akUy.exe

MD5 4fa48feb8e05819c9fcea177ca577572
SHA1 bdbc710037d522e2208c1aacaf9d1c3dfec9442b
SHA256 3669ff84365a101435ff01afc3be09093e4c91a2a99591a6907d6ad4a2ec2ee8
SHA512 97c1dd7c534657e238507d2c199844c874aea4094b819384d932fcd90fcdf46616d20b962f3b98acde425e512823d970852cb80f8d634e5e30657622464f2368

C:\Users\Admin\AppData\Local\Temp\gkMO.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\WYUAQokk.bat

MD5 79190f7af754090f7b2d860057ebd6db
SHA1 7dbcb2309c7a6036d39c9ed3e88b853cc9aa273b
SHA256 4833fbe08ecc3bf2bd58586f0542370ebb555822b018f5f226626da7fcf66823
SHA512 aaee62e4e311fe58cc08cd3f16bbb67975ec72d2f9f59fbf8f69b26191a46733d63c17bf9af5364fb53321d89c723181471bd8dfbcbf8fce2f56589b5fa1854d

C:\Users\Admin\AppData\Local\Temp\MgAu.exe

MD5 4ce74d660298ac09640218e1a747ab70
SHA1 3f30b787633cd6710e20c07cb0a46fdbdaff9715
SHA256 43e59474e079b269a4f3c4db714390b91d69cc95be921e5c74cd88c34b921613
SHA512 70bd3561e8048c2b2c2ecc7b2dc6fbc32d4fcc2213242045c7a292cfdfa5404fa169fcc5dae88fbe1fe85e00a0570e0df80b42448918bc0fcddbff70bd9fbce8

C:\Users\Admin\AppData\Local\Temp\uIYS.exe

MD5 6a671eaccb66610cd3a539d8a55820fe
SHA1 91ca7d5a3cb819fe62f2db306835fa024bf06126
SHA256 6919ce11f07911ec6725567532bb1a42f0762a89c30ba41e0e0ec586349ed9b6
SHA512 e0f424bb257db832bace50ee49263ce39abd655aa397ea346aa58213f9e93598f85b6be0a39b5230d4db5ed673d5b7a8eaa72dc0071a35f65518c057d8d57e21

C:\Users\Admin\AppData\Local\Temp\yAQm.exe

MD5 43e14a8c12e112c038bf1237720e86f9
SHA1 e4e24e884bfb7caf96f85157169367c1e509ee9e
SHA256 47ad29abebd19bb4d46f341e518b532b967b179d055da351778d2ebfd37590fe
SHA512 68cbeee9d4c239bfe93d3384447da4a0fc64951de92f96b9600049be2c0d0ba29fbdffefd37cab25533dc241aa59da095bb7a33f5be848d2ca3dc14d03bd0d8a

C:\Users\Admin\AppData\Local\Temp\uiosAAYM.bat

MD5 2259ae56c55776a109eae31a6cf4fedc
SHA1 6faa9663df6e6138a84204a9d9a6245e01e05db1
SHA256 39e15270e8fafdb8b9a285938e7dd2d54419e0ad5b18d93051b972563c2a91c9
SHA512 d48412ca3dd838826101b53c9fb5215e40fc27e4e7420589af6816533b130bb3bf2c52285715df33d64db6454ce9ff78e5a5169f5b7fc1d5b6cc9cb9d3852d1d

C:\Users\Admin\AppData\Local\Temp\sIgQ.exe

MD5 1f405a7a665f88637924340ba9acbdb2
SHA1 b09b67e59c0fd581fdba8022475974b17280c34f
SHA256 24d2c871e41b77a578a983af6d48c2e6e124c38bc9348846ff804b6b280e9dbc
SHA512 83b3bce5f5fdf2dd62a055c041303f319de1379850af60f7c56260bb90898985c3adcabf4966682145bf55795ab47f8307ef6143b5418b71b217e953c388e69e

C:\Users\Admin\AppData\Local\Temp\iIwu.exe

MD5 8f9cfd836d80c66c69621d8765ccbb53
SHA1 114f1aeeee5691f52b6dd5e1d725997ec7d94d12
SHA256 9c15d25169b35d29e63684e5880b4c5a4d7bd432ed10f9160d2eb4e5c0049d1c
SHA512 141be8d335c99a3450fb65b63e9b33044e2391c7abe065c6fae155b45dc75e4974dfcd053a5ae87b47a773562f788df1f09ae3bce5f5d1f8f8e5723842c4cc62

C:\Users\Admin\AppData\Local\Temp\CEUW.exe

MD5 9fd39958c0668a7e57df0c713baaeac0
SHA1 5391549223d29374a2a81b92a26dce85b8e86f19
SHA256 a705c2151f9316650aedb163ec76b615015d6125d6ee2347706d14b81e4bfaf0
SHA512 9a20f668e84af27e6d4419e064b05dee525d0b5214122919af6f5614a15bcb76773eb97e730045edd34c6517ce9508424e5d1d5f3019c95ae538c43b40e769ca

C:\Users\Admin\AppData\Local\Temp\MuAYIokA.bat

MD5 cef801266d0c54973dc146c8e71824a4
SHA1 87ca0dbcf5c0b6d5d6f24816933d61ed26261a16
SHA256 bd31f01f65118564ce20eb30c05ae6dd3d5d55f30a5567a17f55297677cdcf73
SHA512 97c6e4e1ac65c9245d43ac8d1ec240a622c316a5a509da6b7415245dd5e4f7dbcf3e442bcfda6ab6378655813179b873f9d3fd5b2a9c1984208aa1f10ead18d7

C:\Users\Admin\AppData\Local\Temp\wMcu.exe

MD5 1d46d3aa593bbb406f9520647d3907f2
SHA1 efdaa17c836406b105fe8e4d4d13de87fa0152c2
SHA256 93a4d8268ef49f281cbc045b37a8b9c0c9c027a171751b5db6a7ce2b14708951
SHA512 0ffea1d831175f9b08bd277585802d014f5baf9fd663e3361fceac9cd8c44de706a67df5267ed1567147a72d28e0de0dbc883715a62a66db4db173fcd44b3889

C:\Users\Admin\AppData\Local\Temp\mAEo.exe

MD5 dee25bcd1f12433541f99d0dff2b2dbf
SHA1 45aed4f7e0f50a24981d0941e88fa3b0df0620db
SHA256 08bfc5f5f4749d70d9a0881058af9621e2a3c6cc97301cf1d507cd4ae3c72286
SHA512 a6df7d9a51ec4b85b1a4337daa10144f487ca806f9f3a11e2d60a17a016c4de8fa6fa6c6cea8c9efc102ba94cb3d2be5b509259a555bf9b0f19286ee83c669b1

C:\Users\Admin\AppData\Local\Temp\EoYs.exe

MD5 a5a2f7c76906abea9663b41b139a8984
SHA1 b7b952427535b922c8de329dea10d226ff96df27
SHA256 e3edb1fe248f60c0df7f0445b408ac0dc194966c17d5a9d1e69f43c88fe532ac
SHA512 a7b0e6e6aaf064ca42ccf317872f121d4a67085ab90da905092f744c3cbf22c0790e6cf65ca8d567f0f5ace50904e674def91a53a5c26b42505aae5ec0709308

C:\Users\Admin\AppData\Local\Temp\QKwIgAUQ.bat

MD5 94e62b5877348acd9b502914367e706a
SHA1 9cc877160f7a96d2dd1254ad29aeb1d2ef75ad86
SHA256 0bae6ec5b3dc903b3a9755e272e7c04258a3dbbe9291ade9eba5de9989fb4735
SHA512 263d2dd9cacbe5e73b9b0a5277e02df266045c60af78a96dd33422cf96a0e2c81faa8db52f654a625e4ba26f875d629faa88bd0f6bff84cebd44374a3f5315ad

C:\Users\Admin\AppData\Local\Temp\kEMO.exe

MD5 d8267bb05635e7ac803906fa30a19a9a
SHA1 194ed6303aadf3132215fd9613cb03941a9acc4d
SHA256 3df22e9536969f6afabe7bf111c737bf697c35c71817d43ab374f1aa5d739fca
SHA512 2ce771b20820db68e4648167dc9fd77f52d42be6c51632482eddd63660d8c7d5457f5d6ff7215e2a9cbcdc21ee0684ea26ece394c0f3d5e9b1ba3fde3c093361

C:\Users\Admin\AppData\Local\Temp\MoEw.exe

MD5 614a63109d7f71df0e187148f49048bb
SHA1 8fa60c48bf88fb1303103369c5de993bed0da77e
SHA256 0ccf12e8019664047b1da966db37de094e49476375729bef37064197d37e94cc
SHA512 6acab22df6adf9fa8d407e3db6974e6bed6c253412fd4be1168a65dd447f9d0aecc51e86dafb8e04d1774e247b5f3926f7b67cacddf0cf68c82f6304809d3ff5

C:\Users\Admin\AppData\Local\Temp\FUocIAUo.bat

MD5 f8613224d1ee56e68350c3f933ed482f
SHA1 2dbc42166c57fea06cbadc688d91b1af76f5b1ba
SHA256 6227c376a2d29cc0c2992084e97e60f66f5cd88193eb4f56d8650a831070994f
SHA512 726a4121c27fcfa1f39ea0900e1a54b85332fba3a59e264d1ec9a5fecf2e45f43c307d03aab71a598f24d95df89bd103d1a34cf9705e988ed95730176c94144a

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 a8691b2425ef23b514fe014cd8ae6a73
SHA1 ed376baaa3cf57a3f676a609b168babcfb427269
SHA256 10cb63574d02dfbaeff55792a2f1bc06d6435b10783abca27793d47fbb76deed
SHA512 5b486c5aa6a067bc25eeadfa5d92ea6c968023e45dcb69ea7ffffc89e50460d9270ca490f9e8dba2003df360791ddd682792b285531bd816b7df7a347b0dec09

C:\Users\Admin\AppData\Local\Temp\qgoq.exe

MD5 57c6d02e7ac790e3414385bf6705bc1e
SHA1 957cea3f6afda6338b96efb5a835862f67825eda
SHA256 4731574fd2527f79d54a69ddcc97665608dab807df49ed0af29339171b7ad130
SHA512 f689098be68d985f3f9031725c7b9c1c26a36b2276c51252a3386c3428637e62a1b04defe3bb69a3a07eeaaa71d7555fb4d4b58507db9b7dc866569a4cb6659c

C:\Users\Admin\AppData\Local\Temp\kUUg.exe

MD5 29d37efa826725f80178f7a4b444fba4
SHA1 984efedce6d3a8df3093b92362f4101ad866aed4
SHA256 d264c8541d1822a9488b11534753d7a87525272305ba63f8f905be1db9cf68c7
SHA512 8ab4bd7e64ec2b0189553beebec0d543a4b6bdec47734e937f64e21e0a8cf9b9e274732354b2608e9dfcd3e1092cbfbd3941883d0a57005221d18f86ea601794

C:\Users\Admin\AppData\Local\Temp\FswUYIcU.bat

MD5 5fc88b99072727502777c4f59e677aa9
SHA1 80d9dce392eaf732761eeb09f22aad0aacfd72b5
SHA256 15a05f95d9ec8c9896e2b03604ec708d73e938c3b36e666a11a35addc149856b
SHA512 77f86f838237cc49fd8ef1376b5ec48dbf2f4303075a2760e045902ee26e99bb386dbb32ab1114ee681f7b673e856ec9eade15be846f101dc9107d0554c07586

C:\Users\Admin\AppData\Local\Temp\TwAYAoIc.bat

MD5 11a34c0ef1892f1e882de861af71d5f8
SHA1 a07e7769f1b8be34d546c15a3fc9515441426cbb
SHA256 dbbe41eae02f4f3de54ce5fdac94eca47316c3ee923ad2d20f963cd6b2a8403b
SHA512 5b657f1a056617eb9bb2d7394197b9581d7f3aa4cc94bc1bd1a9bdac03f63ed9dc68cfd76eec4cce24aa9f102d54a27c16642bbbf0f2b0435158b314d4e4777e

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 1b5e24fb0714e8ad524f2ff6620ab90a
SHA1 5eebbf64c2c17c88d61b3890fc6b79c502775213
SHA256 30197b3622f5b65cb756ec80ea75969ce574e8362fef8bc32a8a31518d33183b
SHA512 d53eda5567d1713b1cae208db14737ba039d5075d396512c15cc5ca76ebca4f0fa8fc3d43a2284fa3b8dcd5401553a1b16f2aa3f3d3bc9d7c3e331e91d02d103

C:\Users\Admin\AppData\Local\Temp\ecAs.exe

MD5 119478caeac45a77b9abd6d5c06018a4
SHA1 004495962d54ea9732f59782b37e51f6de1cd722
SHA256 132bf6fdb11a6e8d34aa2d97ebce19d5efe0545b308578e11acca892d55a34b1
SHA512 75bc0561ea9683d8ad8bb4cb0564599e1213d968e86659ef3e9df19938fe10d810f5bfc438a93f92798005688a8d4f9974f49032990697bb1200bb190ad1864f

C:\Users\Admin\AppData\Local\Temp\zyMoQIgo.bat

MD5 ad725f76bfc5265d28648b1416ef73b8
SHA1 5b7b5ac29329cb312c7cc46de313418dc56cee2d
SHA256 4ed08b01cde64c5b3f59b4891306c99ca89161861372f149641d7f378c28c0b1
SHA512 94ddfe2a5546b521688903caf7805d4fc7b3ffd22fcf91f7853ac891378d81980b86a16c70341f467c2ec9f335d76952e89003cea328f090e1861d50a98514d9

C:\Users\Admin\AppData\Local\Temp\Ocwo.exe

MD5 50a3a8a9b684893f6b5aaad80ec11d97
SHA1 721a5ab95d4c97e5cd3123293a7c8b2e9885ff7a
SHA256 37538fe466833f3b6d464a2a37edef2063b95dfae3e6ebf4b043228d277f9605
SHA512 4cf8b5ba4d19c8df0c0db614f8fd23fd29e1dd60f01e1940fee32251d6461872c30ba183d2f6e70eb2235b552943ce76bcd58e4dde1ce0cc864e565fc5c3b2fb

C:\Users\Admin\AppData\Local\Temp\rAEckkwM.bat

MD5 0d17d231bd2cbcf99d8b640fd16b7e53
SHA1 0376c2a6629440e1c78414a6fe9f1ac04dde2663
SHA256 1707c55b3506727ebfa876e11266275f63454593d442fa37406159f11c337aff
SHA512 577ce9637edf6ab0b20c95e01c159818a7ea6cbc8dbf42fce8f70cc275384437c3b4b8bb43d832b742832e97f086cd144f1ecab3cd557be1beda5b0eb80d08ab

C:\Users\Admin\AppData\Local\Temp\qsEW.exe

MD5 7be3b1129c6fb4d0c167db2e8030a298
SHA1 8459b32794189f705514e79ffdeb597bac4cfb96
SHA256 c9d42ef744dd3d4220f8fe2ba34d175c929bbd77d864d289fb4f44c4eecf01e3
SHA512 c2a3669ff73830e3fd8c55f9221a09106f8d2837b7a2f73c798c2f6afebc0c5010c2a0fc14509af676bfb97fcc146b7d43ca7d28b444dabfed338775129bd212

C:\Users\Admin\AppData\Local\Temp\WQoO.exe

MD5 3443e67dcc212ac7152065562567fc26
SHA1 5d28ca3c9df71ef4987c61539ce741e442dae21a
SHA256 b5fb289c9fea419d6b8427ce951ba7b179996b3b4243e0c1e3d41a0f10079278
SHA512 7fbc9dc504def4b91d8af2db14e7f77fe06bccb14d6fc5512ddc42fdf7ce66fc187cfb1bb45bc5391f78416cf2570dd6867f131496f77928979018483bb61793

C:\Users\Admin\AppData\Local\Temp\MEIY.exe

MD5 09b1c6741e9c75b1f7ec9d0465dcda5a
SHA1 15ac4c12b5526832564da71b4e0542013d68872e
SHA256 89174da6e59e118076fd93f305ffd45b81793b4eef999ac26824f4f3d4e29401
SHA512 fa75c336dde8f6a29f1bc57b275e6149456475c59f094065f4917afee399f18cc5965dd481ae72eb73c7be926e5dfff2945eb516c57399e29e6f67ae65c66473

C:\Users\Admin\AppData\Local\Temp\vQUIUYAE.bat

MD5 3a3a7538e5b9ab1cfe3d8c084770ad20
SHA1 fb6f82118aed353dfb38fe22a488aea46c85a172
SHA256 bf0839cdc726fae7dae37575496ce883506921c0e9320b5929b74443433f8902
SHA512 bf65634d9a493c7d45c1b457d4af4c4424bdfe7c9e97c41f9b76a9daa7a28bf695f2f9453119bb7d0eea5f261b1785ba90bfe409add615280200950b324575b4

C:\Users\Admin\AppData\Local\Temp\Mkwq.exe

MD5 a54d45e99c99bda11ac9250bce204074
SHA1 c76adf85e5b1bb503d63f6224bee696fab6753fc
SHA256 99ae2a02f8f72aa6bdcf4f6769b95924cbdc224e87625c9d67c4704f4bf73166
SHA512 134235470de52696870572cc87a3d90936b1f21ff12e38dd05d2480716483fe2e1688da83ae2ad7784f57f9d363c0e0a1167a93352ae3ecdfccc96c44b6bfc4f

C:\Users\Admin\AppData\Local\Temp\MQQc.exe

MD5 826295dd85b01be25fb3b6ab95fb6989
SHA1 e34dd4a4994af786e9c7eb8c9f5030a545f7db20
SHA256 065cb5fdc84ad84b8c1b87ed30047cd1b916c5418353f7c98540adf5017f3772
SHA512 6b14e3f6c5db159bea426551ff0a91ea3dab5abeeb411b41b726129eddd1abdf44d6ea79bc9795d7fb532164dd2f28474593468028fbe6d1575b06bde16b3472

C:\Users\Admin\AppData\Local\Temp\KsAowIoA.bat

MD5 540486151b989f5dc9670342bf54b6b2
SHA1 47e4a53e8df8fdd351a7e4f0d0d4a4e216a7f53e
SHA256 b06b59419a7cc1ad23e41ee70de74ee6389bf45888d99faf2862679c5adedb20
SHA512 b92701c739b9c85f0636359a675c145dbfca095ded44d3a71cb2b6a9339ced62a3c9c2e8fdf6a57291228b545c7b608e1e234f5d1fcc1cf0407097417a839889

C:\Users\Admin\AppData\Local\Temp\AIcY.exe

MD5 79f3d28a9d5349d6a6b4c91fbee0bf27
SHA1 be99b0d9ad04e3127bb487d7ed3033a7dd55f720
SHA256 0efcda8e17f9450e8e9536e8e5992e80b891ce7ec72956af1cf94e4cfd7d44a7
SHA512 d75eaaff1dccd2bcba819ef10b33c96244696a3bc932141985b13c4b7fd62f61c7183ad14bd2ebfb8c85b989bc0c2f82e9d4d8ffe342de19c477e86e0e61070a

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 f97df07494dd333d2aa982ed0205e552
SHA1 39183fe9d4e024f2d96325350055eed2e5772798
SHA256 5c9ae4bab3ee3e4b416057829667027d6bbc2e23c7867229dad8c5c5929433cd
SHA512 aa6d528a0052727b23ac09fc388adc8a58a88edfececd4058d784436cc7623c4780deb4f156a0456e22a0c1baa198c15a552470f395766d0c3ee2a96fd864867

C:\Users\Admin\AppData\Local\Temp\ooUU.exe

MD5 2db63c08461bf99f277d5a617e1ced89
SHA1 b489a3d7d0838f53fb78ea5038a18cf00d60250f
SHA256 7ab1a88dad5bdc3dc7058dcd8370d0ade1bf1e4c7f834a568702b338810ac759
SHA512 2704331c5277139b0fb6e09ef8b2784a254eecfcf7bbb31cebaf5bdb4e478456ced2aea56f0263584bab3ba49026c7fce87a844e0bf6187b3480ec9ce5ea706a

C:\Users\Admin\AppData\Local\Temp\aoca.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\IMww.exe

MD5 73065aad056b31ea83a72cf65b37b8e1
SHA1 28226b4a1e12910e8adc4dc28dac4e4f9c17416a
SHA256 9d9ea6a9eb6a8526758a3476c151f4737fddcdb2baa4164a4f0b6853d84375bc
SHA512 3f6e9db2ce7723dc453d5f0855af192d9290651e5592f9220768188c9feb285963c1bc152e77635719002ac8b7ceae2005095738ae3f831cf7391abbbfd5ae15

C:\Users\Admin\AppData\Local\Temp\WogAsUQM.bat

MD5 383b4eba748c215dc04e8e10a05e51a3
SHA1 396548e92bb526947bac4b7089783284f58efedc
SHA256 5411942aa91789d12bc0131f91f7ef16b6d3a1b508e95e9734004b45e223e96c
SHA512 e6dcd1def55c6f9b4ab4c37a8750213497979e9f93e10936d22090467d4238ac81d9e29c548b3069fcf766a1c72b63341213ccf34503871a8ba7d329ae386766

C:\Users\Admin\AppData\Local\Temp\sEMAwwck.bat

MD5 4fcd4cf6493ba09fb0de15c688f4f83b
SHA1 b93cea12b943e7f00e7bb63cea0b1e71071bb72a
SHA256 01def70f472d199c8755d68c4fd59b4af077c3748b54e009d240dec28bb6e218
SHA512 635f4ad1ca90207819274fb99eda882771088889648ca64f9d403191e0ab1a49be306ed9b0ffaaf6e8cbea9168006ccc0482985ce07ed95550b1abbb5fa5d6d0

C:\Users\Admin\AppData\Local\Temp\oycsYUks.bat

MD5 d289477b84285bddf81591e2823bbde2
SHA1 85bdf68bfe719f0247a687587b5ad96c328d331d
SHA256 73378d79c442b03962ff34ca213765505f6d8f488095cba94211c35527c14258
SHA512 e1ae79a00e3fb18429820d1f197cc4ab47a2ef9bde9775b78bfd30d35acfc94df98221e550845d3799a9c31c54032477adc89d13491de98bf42ab6a43e54cb0a

C:\Users\Admin\AppData\Local\Temp\GckQYAQE.bat

MD5 9d827be2f4246eed16b75518cbd1315a
SHA1 85acf639abdea6f77756b1a23194523f6ca9bc5b
SHA256 5e79d45e18f52ac956a68ed2a40369061805eaa20c05181db463409dcf99c633
SHA512 8157d48e376d248e4b5d0ed3ba426be74bf931f6d758a262fa571943395f64cbf32a9787d2edff72c685a2b01d8a7c8507743121953e285dce98d2c0bd47cc44

C:\Users\Admin\AppData\Local\Temp\JoAokgss.bat

MD5 ba1c8bd722789d6f83eef2f638c5dda3
SHA1 568b71c1faef2bf38d3ed87ca6f81fc16fbf5089
SHA256 9c801c9d3cb63f094e1ceb31e626c32e7f944879d57c8e090823f2894f647748
SHA512 4803dabf9fdf79336542eabcc54c95c5ed30fb2c6f3dfc0808125ab53f13f08f71fc6342fe2bf95eb9d55950cf3d77fd349900aebe8564ab341e6ec8a3ff63d8

C:\Users\Admin\AppData\Local\Temp\ZuEEckok.bat

MD5 143fc62e349586ab8d7c838e757fb3e5
SHA1 ba7a5b2eabfb6716a2e329c59e026edc8ca5032d
SHA256 518fcb1a23dac9ae20316b85cef95fc629190d122719daec3ecc318d61fac676
SHA512 dddc69f22b65f4fbfc779abe37c916d464a7c2be6f9ae65b28fc25d7b6d3bb4b34c4d019696b7427e68e3e8cc8635b815ac7c7de12deb2bcd2911e163f9dfa48

C:\Users\Admin\AppData\Local\Temp\FeYgQoAk.bat

MD5 5bdd846fab12eb0dda72ac59313ae5ac
SHA1 c0d46a7ea36a571a94cb7f76f23d6468c6a60f39
SHA256 d2377512bbac73d5a3639a9ea9011ccc77633038a9bf63b2fe8e9fac344f4096
SHA512 17828ea0a3997b7d6b08eff595a1ff6f127cb1fd4d883c5741bb21ca309e30f27edaefb554344b803987a601e4ac7b8dd45c55c5e0da267918c17a2c385fe6a0

memory/2560-831-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1692-822-0x0000000000160000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ROoAoIUU.bat

MD5 360ec5f3ee1b026db47ce975ae64dba3
SHA1 fec066f52f2d75019668e3cb843dda8c13471a60
SHA256 3d447160764c7023c6cad8ca8f90ad5be8b28c07ac45b4df8669d9f81e47dda6
SHA512 f3464dc3acc2dc243082da39a7b631a0f4b6b22f32dad5add6246354932bb62b9056fb3050ad75a350141933b7625c4be727bdeb07b782a3069e6968026208e3

memory/2124-812-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2560-804-0x0000000000400000-0x000000000043B000-memory.dmp

memory/936-792-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2124-783-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TOMcsskQ.bat

MD5 b576b0d0fbf03e0a7615587a69a899bd
SHA1 6153d3269cf47864466f165f1f6a506170c6e3a8
SHA256 a8470db8a2e094dbb9fc5906234483d44f21746e4dc3b7b634de6fda4ce2c3b7
SHA512 e65bfd99b45003d9d5a8115e2fa5a83030a13590c20fa0a5e392cb8db5435100e70c5aea67e4f7fb9b5b2afcf0389c26f1943a2fbcb758347fd5323fd3486cd9

memory/1744-773-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LCcEgwso.bat

MD5 3b6852844b129438c8b9d6cb66ba845f
SHA1 50bb797e2eafcc746e3494c4de23c45e093a88e1
SHA256 b8e6f3e6f3ba3e6e18953fce761ea9346dfaeb854c7176b28e74dd7f918338db
SHA512 fd08293642288d032876e20e0bdbc11520bbb853eca97b06603a18876534a9a41ef1ccd8a8132f331425e815810b753eb17f9abc8a5f51dca173f26f9bc26804

memory/1352-753-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaEMcccU.bat

MD5 e99df6e97f598aba5fc648ed4540e935
SHA1 aca9dd717cf5766e0d7c4cb659cf5fea9d8e981a
SHA256 109eab7466bfce6d6f50eabc6c4c38bb758f9d90ca63001fa8c30d831c03bf86
SHA512 925f5034f2b9baa881568ba972c4477edbf83a3b0bcc90103c125f9e811e6e4c218d268fb14ac3fd27de48f7129c5d389f049f1704be2c6be514c58b640f0ffb

memory/1700-734-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1268-716-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1388-707-0x0000000000180000-0x00000000001BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ocoUkoIE.bat

MD5 0a03a7f65b83fc050b549d7e93c18583
SHA1 180b2e6f5bf45bc09db7efb2dfe7098cc4d9c7dd
SHA256 ef5bec06ee1b2687a86805e194106dde27f9532b82fec9843df0272ad996b8a2
SHA512 fdc26595693e4fedc3fc8044f1dcb0093d934ada5d14f9288ed12f72c58528cb9c3ba92822415faa589b40cbceb3e64b09e6b4bcab278cd9b0083a6c536bb6c6

memory/2836-697-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1268-696-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1636-695-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YykIcIgY.bat

MD5 bb6c49c6cceb1a0960b17777a69cb2cf
SHA1 41d8e6094a617f4ee57851546a5ef8773ac92daf
SHA256 dc7f7e6696cb650dbac4f0dda5e5132fc36663c2d0270287df8d8421d5c8068d
SHA512 503e84b5ca569d821802dd29c94238027c2be00b874d04027b5ca8f18d5b0747feb505866d3fdca0d0195db91999933ce8cbd3c7be967661b748b2c64cc247f7

memory/1836-675-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2836-666-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2488-665-0x0000000000300000-0x000000000033B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UIgQosgM.bat

MD5 c03f964af055be53273f7396fc455093
SHA1 f20657e9acaacd3dcad02f51f1a60ea77e676e9c
SHA256 dd4c5049ae4f7ff972dabd0a6929fda092bc224c582d3340cfa3299a3a217dcc
SHA512 cd4630d95b00ed6403acfb3c5fbc1e5c5d04d0507cc57cc8f8c3186f897f044d6df00072c7c06a1dcab0f6b89fa1658a89a8bcdc83767f756049633a38e61005

memory/2040-655-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1300-646-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2600-645-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1836-644-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2852-643-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2380-642-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1948-632-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OYss.exe

MD5 b191860cce25f382c066aec0f7ab25f6
SHA1 4f88f275abaa5c2b5a60e708d30a0fcfc0b09904
SHA256 b82abc57e0f1d81704c69dc187a3794d2dc7783f282649b31901961d7d346d3b
SHA512 5ef52edb389b996e5e59dfdfb25fd870f764af80f2528aba4a741d00a29c587ef6578f6d94a0950bd924fd6d086f59df9a44708f658102262d383dbd2077f364

memory/2664-614-0x0000000000360000-0x000000000039B000-memory.dmp

memory/2928-598-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2840-590-0x0000000000260000-0x000000000029B000-memory.dmp

memory/684-578-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2652-568-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nAoIoUkw.bat

MD5 5859008d52e6340a423c2791f68fc05d
SHA1 bfe768a81473d60b2e91e28bfe0721e688d3e975
SHA256 de3cfa233c9a0d6f52ad5041129948622d2119d8d6a7360eecb15f3f08a47748
SHA512 5b92dd6d4a8eaa4a95be86c024b5035cf2e4ec7eecae0250047fb1e4e8d0e64d2039f1df8371ffbb299c1983f8f7b1dc3f7dd80ebdd551c60deb09615af108a3

memory/820-558-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\peEwkoog.bat

MD5 f932d696015fc1f25e350de4a7393f14
SHA1 a29e6a4974a8812c50222b66201eff807db29c5b
SHA256 014f1175e48170aec17d005b3d52c79695759e338decd6f8f9924d00ffc6c451
SHA512 a0990359e2df81b1c35fc7c1169b63f173752a03342674da1adc5c2eee12e445b36bb619f1e7b21d13c7865640805c1b1e57f1cff2ff13c3a52db890e997ab6f

memory/1528-539-0x0000000000400000-0x000000000043B000-memory.dmp

memory/820-530-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2316-529-0x0000000000180000-0x00000000001BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vusUMEoM.bat

MD5 35cc8da365c92e237978c45a9a4d0f0c
SHA1 734a85acc847553c8e5385195a4f61d1f98c5272
SHA256 585912aad0dbf155e6f753685592942b3c5fb6fdeb73cfd007c9041168564870
SHA512 e5ffac9badada4ab0b10c51ec876ce318fd818fffda5ce37273a9b43cceb040cd77eb336a5adfb44220ad01f352a499034719bfbacd57bf5df9edfb842d6f6bc

memory/1860-517-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2412-508-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tAAUMsIE.bat

MD5 17af6fd66dc53b3b4f48175f85678bf8
SHA1 e2d06ff168d627cf77e1923d0a4cf35ab7169f88
SHA256 9c5d26e7f7d060f2de47615e23b5cb8dd424ca0746bf7033d7a1d01591b8edad
SHA512 f94bb7147abe138358d6ab6a9f30e72017219ed4cf9f89f2311a4f6b5e1218ffcb7207fc186443004086f6ce31c2472a751e59a2f97b2ff60da6cf3e5309d8e9

memory/1140-498-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2296-489-0x0000000000170000-0x00000000001AB000-memory.dmp

memory/556-479-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1140-470-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PygIYkUo.bat

MD5 cc0fa48be24d6ef890aff0b7df684561
SHA1 f3541ff3ead313509c3105508bb230d959ba04d8
SHA256 eb620ff74811c39fdf278e7fa220c0fdc793baf06083806f03a71af76f48702a
SHA512 9367769b109042752520e0cebe852b1a52c19a5095fa5ea6c6fef61ab7c9e20ab7d4ae3e79fd77ab47afec6e64089c64771e9ef2aaa4b2daf7225286ec194d4a

memory/2564-457-0x0000000000400000-0x000000000043B000-memory.dmp

memory/556-448-0x0000000000400000-0x000000000043B000-memory.dmp

memory/768-447-0x00000000001F0000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MmgsUwoM.bat

MD5 a5cc0f2bbc9058a6dd11904273a3eab5
SHA1 a9a31746709701b35aaff576060739b538688575
SHA256 bf85c4004450570d36c84f629dd836a756e32b659d9f4e16ff5254ad4862405e
SHA512 d50f8f83370e31200369813e26fa5b2d5319009783e42e4674ebc4eee9f1eb59cfcc300f634c050bbc6fb51b69f4034f61769403892dfcc29c350035f9e09d3e

memory/544-431-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2508-423-0x0000000000160000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uSEQMAsI.bat

MD5 549d4d696ce56bdcfa1d9595fa26b44a
SHA1 e7d66110a63562e4cdfb134b8c5a38cee8e59b21
SHA256 60a39fb56975e64c79b88dd903e33c2e7f979d23f89865f72e4e65274f80f600
SHA512 16e72eb0947fbed2f3d67758d9b2475969c34f3a02aa8afec46ee4099c81f3bb8dab9e67d9d1c4b05dd8f7679ad4a327c566898c36daa72e422cb7cd1dcc4f28

memory/684-400-0x0000000000440000-0x000000000047B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wQUkkcAc.bat

MD5 229b02de018748cfa8a6ae964097eb07
SHA1 9bc80365a096df1620fb9e7526ee44e9fe7ce4ab
SHA256 56e85e3a6f5134c3f62fbe64ead25045881c4f80564e643698059d135e11318c
SHA512 d36c287bdff31c03df7336139a7ea79ee79afcd297e4b2aa8383c389a34a777ed897395a4afa07247217e1d868c325ebaf247ae6f3879e1fc08b95a4558df16f

memory/1772-378-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3008-377-0x0000000000120000-0x000000000015B000-memory.dmp

memory/2144-353-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2816-352-0x00000000001F0000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIAMgAsw.bat

MD5 a87444e96364386118c08c31f87809b6
SHA1 f31457730890500cc3d8dcb448a5120b0e964e62
SHA256 2865bb14a0ccd11dd11b1100677724e1e16dbac1a23068593847fa9d59ffd2b9
SHA512 7442616b1ecce62834ddc3e3106a20eab00516e5d05935153db35282d9a0491ca55445b8f58164b62782843ee24664cb133bf71ee9a1b2f61693218e1d34623d

memory/2700-339-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2096-330-0x0000000000430000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WsocMkco.bat

MD5 ac7d1a1ba64ed34f1413bd026bfdff64
SHA1 f2e4f8c09f7927eb8574e8dd568ca7d0c09d1af3
SHA256 a47f9b8efcb61baf9d808dee2f319578caa5a8be249ff7dd7d2b9745cacc56ef
SHA512 535d96f9ffc8b492a70c6f5adcc473fe28f509c938873b505a94c045cbee4f9761fdaf454e9208145a055ed0f152cad1d2626cf6508122b36db809d9c544b778

memory/2700-309-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2128-308-0x0000000000120000-0x000000000015B000-memory.dmp

memory/316-292-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1688-283-0x0000000000400000-0x000000000043B000-memory.dmp

memory/888-282-0x00000000001A0000-0x00000000001DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bAwskwYA.bat

MD5 e9f2534c8b491be418c641ed37e488b7
SHA1 e07838a6340c9a9acb3ee0dbab5457ac30d68a7d
SHA256 17e3ba860677f718eb2b32546c44711e4f1271d719503d520d1e32c54ead91e1
SHA512 5b5eb15f97afcc40e8a2f2b206cfda6ad745ca291404a3dc5c859a0e0f9eac4d3222c7da1633e4a5734144d40b2a1b8bf8aa076db7a06d8c91738841b6c06a20

memory/684-269-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1476-259-0x0000000000310000-0x000000000034B000-memory.dmp

memory/3044-246-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VicIEYwA.bat

MD5 3e257108514a7129f1062d2afb5eb1ff
SHA1 e8f04eb58ca2c836e9ac64db44bf357d5b46a37a
SHA256 0813defcc2a5fd028d6a5e68070cace0c0813586c3c9b70dedfed3879d551dc8
SHA512 f23b552279679f127dd9d06c665242bf621512b78cca7b42f50f2ce610c2dd57b352cc39784db9026bb69fe395ac3dcf218bdb3237c38614403786beacf2f2c2

memory/2808-223-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vQkIIQoY.bat

MD5 01031e7ea0e13e3a5835351c1656c29c
SHA1 8794474f9da2c9616e7fe9759dbcaf8b19cfa69d
SHA256 35a46429a7ad6884c171abb9c8661e94394ba104be66130816a5f4630e2f1643
SHA512 3d7b8bd0d0e0e70ff5a50fd059ea3a02093712d1b1a10c083f5a98a4035c7ac5e3c5963f61ccafa9399b6d5153f7b93a014295819c2247ae3ae66a5272e595c6

memory/2904-201-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2092-193-0x0000000000160000-0x000000000019B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\deEMwEgY.bat

MD5 f0d54334406e8617873869a6b5011eb2
SHA1 e82f676c7b9a1c35c668fe4392ea69d68d72e3da
SHA256 5069e6530447a590432dda92968735a78a6fae89b7f60d239601e1b51dcef64c
SHA512 fdaae4f6413d121405315417b902d66ef061ca9694844b847018fa14d07eb6578fc8e09ac373a16727822fc41a335c123338b823d00fabaacffff5225df36697

memory/2268-179-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lawMYYgs.bat

MD5 7d8dfcc14eb5721b515de81b8c9dc38c
SHA1 982c48732b1dcfc658a0c8f50f8dbce3876916d5
SHA256 fbee475f6614c445d312f8422df25cd617afef50f2e6595d82e50aed507279dc
SHA512 fbb21c51b053f48e13580dcf70a5c4db0eed79361fb76bbfd5fa08ed17cea7b293ba33b14f41057f1da0644fd8d86a86edd24090fa623c92a9c4b661a85389c9

memory/888-157-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2268-148-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IoYsUkQU.bat

MD5 462127b6a24cd15c864d82450d4d0666
SHA1 093a5dab81cdeef55a17c9ed9d1fb7ccc3f896cf
SHA256 567c489beff1ff13a4b0ec23feb28eb51f797bbd049c892b0cebc3db940f8bea
SHA512 d59e05c62fea48ed3c8f14cbc661b643d0344c937471433aa2dfd7f751f2160751546ebbd3a301ca4698978a19274d980567ff4cf03f24d83daa9ae0bd26ecf3

memory/1708-134-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgAcsYIU.bat

MD5 324161356b5dc57c371913f77c802de1
SHA1 6f17a3f0157f59841fb8820c6f298a56d8a7026d
SHA256 27c0a8e129825b80d107c7963bd76b5d82d93fff784e7f3d6ebd51ded249b30e
SHA512 277ef33e229cc43f5c1091feda46d1560089ce1161d76fab7a4b745c9ede745fd39d676801a7ba891a197b5788d84a7fc79042b7b172f0437173af58a0f52c0d

memory/1964-111-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sYYgkUIM.bat

MD5 7c2edf74b1d704fa47b2750c711d7191
SHA1 0cd2489b7f9a15ca0dbffe68eca5101806bf442f
SHA256 c7863abfc9b92bc55bedd206bc84abe5ecd099675a549297d3744a2a011ddb67
SHA512 6fd21acad183f2d04bdb80045f13e7d927e25bf6d491aa3eb1b8579dbeb7ed25231eb7ad49dda63b681045b90158097dd2491e1bc6eab7ad7227d76dc9eda07d

memory/2992-89-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yuoIMMAw.bat

MD5 a85808a7e1355e62bf97c512541ff547
SHA1 a4d339c98de91cfc1ad7f89a95a801e61a497914
SHA256 ff66d5c8e8907eed76b8cc11fcf8620f3f096ae4268e8a45201ef468c4791108
SHA512 c5c7f869581042af8238bd2b9d1ec93007ce6ba756d3cc3349c1b70472f7bff04576a0de41527213f7b0df0dca189c9510477edc2045d9c49680da42ae4b8e2a

memory/2440-67-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2992-58-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2648-57-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/2648-56-0x0000000000390000-0x00000000003CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eecMwAYc.bat

MD5 76ed3dac7ac22b5577446edf4783ecdd
SHA1 774c735c89aa45a53de3f8edaf8e48284d10f4d9
SHA256 b3c9761603ea2e229db932ab8112e4ba2a7358e73741feb1f0332cca31799002
SHA512 a8e2909d4591ff35672b18c4f8559df3ae26e6294ef483348961e0fe25c2f98487c89c6e009a0e7b7c8f0c6cd668315e80b831245fe4fe27511127171b01a92d

memory/2016-39-0x0000000000140000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UKAcsAUQ.bat

MD5 2e041a42549e39372df84c936d9fdc25
SHA1 5812b6185ab8a20c426f073e20537d24f44c0c5b
SHA256 b01dabb897ded32e4d62640680e3605f6515e0d2fb509c1caad9c74cc087d8d4
SHA512 0ea97521f087ae312ca0d89de7ac7cc935a3dfa208dbbd7bc4a0fbff741aac54827edd61ddd4fb8d60839c6874b3ab24376a69161259e44a9e1c0e047e63280c

memory/2380-21-0x0000000000460000-0x0000000000492000-memory.dmp

memory/2380-16-0x0000000000460000-0x0000000000492000-memory.dmp

memory/2380-10-0x0000000000460000-0x0000000000491000-memory.dmp

memory/2380-5-0x0000000000460000-0x0000000000491000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:47

Reported

2024-10-20 01:49

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (78) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\vysAIMoE\xsgQoUEE.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgQoUEE.exe = "C:\\Users\\Admin\\vysAIMoE\\xsgQoUEE.exe" C:\Users\Admin\vysAIMoE\xsgQoUEE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgQoUEE.exe = "C:\\Users\\Admin\\vysAIMoE\\xsgQoUEE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aaEkAYcg.exe = "C:\\ProgramData\\tUAIgIYI\\aaEkAYcg.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aaEkAYcg.exe = "C:\\ProgramData\\tUAIgIYI\\aaEkAYcg.exe" C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A
N/A N/A C:\ProgramData\tUAIgIYI\aaEkAYcg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\vysAIMoE\xsgQoUEE.exe
PID 4552 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\vysAIMoE\xsgQoUEE.exe
PID 4552 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Users\Admin\vysAIMoE\xsgQoUEE.exe
PID 4552 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\tUAIgIYI\aaEkAYcg.exe
PID 4552 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\tUAIgIYI\aaEkAYcg.exe
PID 4552 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\ProgramData\tUAIgIYI\aaEkAYcg.exe
PID 4552 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 1672 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 1672 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 2116 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2116 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2116 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3524 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 5060 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 5060 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
PID 3524 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3524 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1072 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1072 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1636 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 5012 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe"

C:\Users\Admin\vysAIMoE\xsgQoUEE.exe

"C:\Users\Admin\vysAIMoE\xsgQoUEE.exe"

C:\ProgramData\tUAIgIYI\aaEkAYcg.exe

"C:\ProgramData\tUAIgIYI\aaEkAYcg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyAgUIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiEUkkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKUsMgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIAsMEQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAwQkcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGMYEQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcYAcwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fesYYAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XggIMYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgAUIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKYcQwAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYscYEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oowwYkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwkYEgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWkAIEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsEkcAMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsQgkwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSoYwMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuUEsYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYAgQMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEsQEQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUcgwQIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkcYYwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsgIkgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkAowEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqoMkYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEwsIwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEswsksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwckYQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMMIYYEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luwoIkYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMMYkAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiwsEUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGosIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOcUYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAYUsYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKgwgUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSoowIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoEEYEwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUMoMUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQAwcQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKMsYwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQIkYgcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icQAEYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAAUwYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leMksssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCEcEwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQoogYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcoYcMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcMEIcsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siMYgwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKwgcwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAcYMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XqYwwYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWsogAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQwMUcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeUgcYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoMMgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccYkAkUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKgUskkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsYIsYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoIMQQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGEYUQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAoYUwME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWAQUEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAggIIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgUUEQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYUMoEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGQAQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMAAMswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAEgsIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWUIAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQgcQwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAEcUoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAUgcMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowgcwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUYcMoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUQYsgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKwcUowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqQYUQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWAwwoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKkkYMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkkYAUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niMEMwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgIMsQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyEkUMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWEgQwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eooEcUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xccAIIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqgIUoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQQEIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmIIIIoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOAogQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mggssogU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyUkQUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyAIkYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYwoEMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYMwYowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSsUwIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAsMUMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kckgIsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIksIscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkoMQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGMEoAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKIgIUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rScAcMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkIYEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKsQIwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYoIcgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awookwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DacIIAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pugQQAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryYcsQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmsUgwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsUEkQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEIwEoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEswwAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWAkoQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQkoIMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKQgIccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQockosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewIEAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekUEUYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyUAAgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYUsEQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hosYAocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMkMcUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUgAosgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuIAYQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeIYYkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeoEkEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMkEQcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOQscQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwQQscEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKMcYIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMgksAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKUMskYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsUcoEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOgQUAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSocIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4552-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\vysAIMoE\xsgQoUEE.exe

MD5 4345475e356fbfa2bc4346940d1a75cb
SHA1 e62bf444099a6ba66bbe2997bb469fe8312a57e5
SHA256 c97d3c6d442b1806fdb5c3b32348166292c106cc7e8b5447697036a283d027e2
SHA512 51f41aecdd1c137d04554bd049e324b1be0e61e68288d14f655bac3955c5e4ae7c5e7ab64369de47514775ef4eb4b7ad1f2bb55830ee10c209db450af46d520b

memory/4536-10-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1772-15-0x0000000000400000-0x0000000000432000-memory.dmp

C:\ProgramData\tUAIgIYI\aaEkAYcg.exe

MD5 a265c608605495df9265b8c7892911bf
SHA1 8b7351bdd95b06817488d69a2c4b0e25393e7ba6
SHA256 ed11ad92822b26f7355a12890b95a2e922447f34b1fa2bd09ba9ea9812b4fa66
SHA512 424520177b7b97705fb9f76fc4945891f5a4bd7bad66a0574d3ab7a23edc9188a6ef9a31f77c5e80eebd41366c8c256ed663576767aac79014f6db043a1b4ee5

memory/4552-19-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3524-20-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AyAgUIQk.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock

MD5 8069e690a23c6c533e7209fc672f9b23
SHA1 7c4c896dd84d8cf02eac5f74282a18323a0304e3
SHA256 e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0
SHA512 6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

memory/1636-30-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3524-34-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1636-45-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4824-48-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4824-57-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2020-70-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4704-81-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1628-92-0x0000000000400000-0x000000000043B000-memory.dmp

memory/408-105-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4016-116-0x0000000000400000-0x000000000043B000-memory.dmp

memory/844-127-0x0000000000400000-0x000000000043B000-memory.dmp

memory/180-140-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1212-151-0x0000000000400000-0x000000000043B000-memory.dmp

memory/776-162-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3856-170-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2140-183-0x0000000000400000-0x000000000043B000-memory.dmp

memory/760-194-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4652-195-0x0000000000400000-0x000000000043B000-memory.dmp

memory/760-206-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\vysAIMoE\xsgQoUEE.inf

MD5 e58b3009a373c25359b8d86c4367a5cf
SHA1 7b71de036d8ab5d7766469aeb2a5d2033034dfc7
SHA256 c5294712fb9eafef52a45a4c3e4966e7a91e63f2ff3ef828c157c37175245171
SHA512 cce0168fc0015cca879af623c4a8efed26c256781c7b145f466e109842942624f2f20929e46ed5195300f167757d60111c4405579b363f36a180f0fb9e697650

memory/2528-221-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3256-232-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4964-243-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4556-254-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3960-264-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1852-272-0x0000000000400000-0x000000000043B000-memory.dmp

memory/180-280-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1008-288-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5084-298-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2668-306-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3492-314-0x0000000000400000-0x000000000043B000-memory.dmp

memory/372-322-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3132-332-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4788-333-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4788-342-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4888-341-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4888-350-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3476-360-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2472-368-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3132-376-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1692-381-0x0000000000400000-0x000000000043B000-memory.dmp

memory/60-385-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1692-395-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2496-397-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2496-404-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3576-412-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4768-420-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3524-430-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2160-438-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2328-446-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5068-456-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3160-464-0x0000000000400000-0x000000000043B000-memory.dmp

memory/60-472-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1520-480-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1148-490-0x0000000000400000-0x000000000043B000-memory.dmp

memory/976-498-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4884-506-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1068-514-0x0000000000400000-0x000000000043B000-memory.dmp

memory/468-515-0x0000000000400000-0x000000000043B000-memory.dmp

memory/468-525-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5028-533-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1932-541-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1140-551-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1388-559-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4580-567-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1280-575-0x0000000000400000-0x000000000043B000-memory.dmp

memory/788-584-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3900-593-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4664-601-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2116-609-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4896-619-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1300-627-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1944-635-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1712-641-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4692-644-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1712-654-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1904-662-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3016-670-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1076-678-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ugQc.exe

MD5 f29943412fac83aebdf9f14589448f2d
SHA1 f3d57fdd0f911272ee9929124c998c1432d681c7
SHA256 642a2a850ff7f9172e40a7399146f08c456583ad11a827c72023e85ace5c1f3c
SHA512 73853b385c5bad772547ba5ee9bfeae51b5b5444908b8f564931a146e6499d0f40848f95b3ee3f046c8a9e2e3659a8ecf2e2b69de2a14e094f086384b93b31d9

memory/4976-702-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssMo.exe

MD5 e6550e4141f439febad1305fc9abec6b
SHA1 e7344546556fbfc1be3ea6dbd03736bb7e00a8b9
SHA256 38a0192dbe65d9bcb58e0a68f5e61dd8033a4adcbd68544a77d48f70acda9988
SHA512 3f9273c28c50857a6e507fd0abf69069128a53ecc9f14c00c77236e674cd2616acc7ee627e491d3ae325619db8137bc4b5965caaf12b5990ac93be58914cf618

C:\Users\Admin\AppData\Local\Temp\kgIa.exe

MD5 b22e9f51b4b450c01edae8cd84856668
SHA1 71f1c1f6918f4d7b9ce9a5ae41f45729f50d0f28
SHA256 1f5729023fb39024bcb67af56fbb2c06cf4ac1be65b0975978360e71575e07a9
SHA512 640fdfe2e6e49415f655d17594d702163c818f3cf2e751a0dfaedfb501bb9460856c6bd666d8d12538d1893b98a3a96127a4370873beb06fb4dc1dd2cbb5915b

C:\Users\Admin\AppData\Local\Temp\yoIk.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\gMwW.exe

MD5 c538d4029b471af7a6a0ca49aa4a1568
SHA1 50bd9b6e0e0300daca2c1bb1387919e62ad6875b
SHA256 6d8175f0e4bac16d94315a4d2614e528167b4991698a4607ed6eea079192877b
SHA512 f77d0e866f4566ca3186369abbf53979cc46327dfa835cfa310c22ab3757c164021deac9823bb3d222d246be2d56c20ad07f4eb029eeb2288e1008cd48f70a4d

memory/4996-762-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uYEM.exe

MD5 de288968a0a891cfa56c89c29f6ab601
SHA1 2745218ceab474db2a8a69a2354366642e6e9843
SHA256 fef6fa75b55f1bf82267e24a2497037b541696a5f84810b2dc227f9cb3b88dd6
SHA512 30188faaff61205323f3d560d6f386bbe41f0f93ac237c33c98beeedf75cf5aec4fce65c510f7a6a1ff55436dfcb7e38130d1e049bdb175cbac5ebbc526437bf

C:\Users\Admin\AppData\Local\Temp\swgM.exe

MD5 602058b6479ca2dba8e5afd403ccaac4
SHA1 270d6e6811dd4541dec52e0c51877161f190d499
SHA256 580c6a7c9f4e3e9ba6ecb4542755a90c175f5e919065a8ca77c776fded69e0a4
SHA512 b45f4b744631f1e9d25bf6f1e7b718e317d26061f81ddbbf4244e4227c54f770cd7fedbf22b2097aa79ac7774fde5ac84e531e150a2cd2f7b212d2d4eb1e3ef9

C:\Users\Admin\AppData\Local\Temp\WUsw.exe

MD5 1b450356803a7fc9186b0f7d2e17e079
SHA1 b136b4ecddfc45f9fc2fb517ce89d34a5cdaa4a3
SHA256 9ee7064a8f78073661ddd77eef6d5ca61e781896efe5c3e161106b52ffa9f454
SHA512 b5e5f17ff28afb4bd2c7a4d6987db131bc4422bf239b2d3310594e07be115838c55266eaf54db6c09d9f2abdfe705934b4aa39b7fad8d61c10e0a480fbb7b591

C:\Users\Admin\AppData\Local\Temp\YEIM.exe

MD5 ad892f8828318720cdd884df7d030d27
SHA1 9302cf16312a3ab8b9e49bcdb4b0b060ec342d77
SHA256 8e64775fd358be352c0d826f866d265e8a92094f969dd05c46d48360408e592d
SHA512 f7496b00e64d4a7a662be4c342344c8d01e9bfade851b153900f8079e106623d650ccdf25b48a478da2345883152100d6e3243008daeeeb547f234a7287098c1

C:\Users\Admin\AppData\Local\Temp\aAYw.exe

MD5 bf86b114b7981b2081336c1974da3de0
SHA1 cae9817b10983378c6bb36e47d1b816e963f02f5
SHA256 41f6ab4a05e94115b29ec4680309d41fc18e4a932ac8aed5ffa0209ba2a11fb7
SHA512 e31b2c73abdc2645496cfe8c56d01766d46c9e61b8cad79555df130518533677c58117c034b0e70519632d71467a3173226f5dc32dda3054c5118030e01a08f7

memory/3356-818-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3260-831-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ykws.exe

MD5 1237aa43f1b83458ce11de9943bcbd41
SHA1 986d1525deb3d16d981c389ce0e5827cd2a418a7
SHA256 ebc02dc3eafc5a6ba6a606702117aada81e997a4cbd3bc1a7b6e53dbf91a4699
SHA512 8ee6c370e8c4bcdcf5367827b8b702c32af8861d26aa6984956116ab5d71ad430db2fd10bf9b95bef9903d5824cead80c621e1717f489e63212dfb631c3fa35c

memory/3356-853-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sEgg.exe

MD5 02d8efab711f9e63fb639d4fcf97aeb0
SHA1 17d1586e6b180d297f78b5262b3a4df24037f8ec
SHA256 0a8e4af611ac6616cf1189e71811c06acc200e69073f286ae0002969ff296b5e
SHA512 e7a9ab1d35af053484cd55c05d83b81f498a2e858e489c61f6937702613b48ba982882e692c85121126b6a05bc358d6489a46f94b259860139d0ec74704ac321

memory/4940-870-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ksYi.exe

MD5 408a89fa80155730b8a08d273fa60c17
SHA1 ac248de793c01ad65fe2300a84bd56da474669b8
SHA256 55ff94f6b16bcbf7ac7113da1d69283d1b61114e736c9ad46dd70d7bc8daef17
SHA512 ca4f4ae9f227a725b0300f92a2bea2e6eb3d2a8b616aa99a3b74f5d48c73088c30b7dcdc4db108f8f170723ee37db88b30400dc511c078e52fb27844f4406458

C:\Users\Admin\AppData\Local\Temp\MgQc.exe

MD5 e6b15f81f562930a072bed9c4095188c
SHA1 0acd364432a2ba9931786cc704028907ac66c89b
SHA256 3b5eebfce71d5f1ed5d4ea9ef0e16a80aea21044664528c81fca9cbe7e63c23c
SHA512 b26cfdbef4843fa2bff68f2ab79986934e706a9fea400792620207aea875125548d4a074f84d24b71d48658d7f3d59d81ba364721164bd42841ce537b07fe0a8

C:\Users\Admin\AppData\Local\Temp\acAk.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\WsAE.exe

MD5 ae9cca76d47313f2f2dc19488530388f
SHA1 2461f7ea6f75bc998dc9cf9bde7659695bc673fc
SHA256 5d3db48d797e236b0f4f8993251d946cf001e47c79ba72eb2e0f074c411dd4a5
SHA512 e6f90b15b3ea491a2d4f23cf2a4693c1de0eeb513856639f6c50edc5ba12c4ac441b6d87c20bed225f193d71b98d239c6d90ca269c161a3efd128dd4d5ec10f0

memory/4940-934-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iEYw.exe

MD5 4135ca2cf3c5535d00fd97ae5449764c
SHA1 06c1c05f89b220f552992734476d57b11ceecebd
SHA256 7a6bb6456cf72f1fe60b1409af0281adfd464cae298e171abce26f1b4b164f1c
SHA512 e48b671a2d7590d07a3cd89f8632658b3f2d5d95397f067b9084698d495e399b44b560794ea29f11890136c48e79bc9d7cfadf32bc0912f60d0c41039335d312

C:\Users\Admin\AppData\Local\Temp\gEAO.exe

MD5 cf8614485a890b584712e561cf59a08e
SHA1 dda0216836ab1465356de3834aa762249c25c13d
SHA256 0730d7162a808932ccc7384cd3e93485809a98712687b83b132b245fa058fb2f
SHA512 50f5a605e61c09dbe2900b001e743c4a54fdd3ce736e0ea9d191d5aa3ac945a6c98b7069375c7943fbceef523fc462d10227957f7e9cd53987820fdf22240f6a

C:\Users\Admin\AppData\Local\Temp\MIIk.exe

MD5 9307a4e93bdc47f4bfdfaae896529f2b
SHA1 52f453f62054c10764bd82dec18f4a27aa0edaf7
SHA256 fc43fba5b359b272ea99914dd913206739d57bec090ee1ac8169057159939160
SHA512 48da59f415f1d1e32753144aa826b12dd9d41ba9578f755ae4215ddde8efc72f032bac54882c6108c4510fd72f0042f378fc24764bfab0eaf9501484ceb22b69

C:\Users\Admin\AppData\Local\Temp\egcG.exe

MD5 3f447fb955a0d4efaee85beb9767c70e
SHA1 95998ff91f521c1ca122b9df15babbf893e8943d
SHA256 3c9f98d5c0a96f7246e65ac8fb7653c3cff91f59112d8fe71a733d4e2b93b2cb
SHA512 164c76b851578c2bc5b41b2bec93640e84fac1b3ae4c42e76653a6ccf51bdfbfd86041783ad6554daa30d0c13688d1b472ce3fb463fd5b40896febd509eac98a

C:\Users\Admin\AppData\Local\Temp\YAMU.exe

MD5 8f51cb77c0b275c824135813476370e3
SHA1 f049d2936ee2b78f0ac76317dcd4e0d58dc84e9d
SHA256 9e8cc360db13c972c750fa390e82fa2a3e9cc75b5051b253df835e189a969621
SHA512 e276f2fd2294028bb6137fe54cf9a311afa06a8f5748f28cfdd08041a1ead334b7e0290933c4f61c11737e0d96e22b478b4f6fb06e15fb7012279f6b6863ff09

memory/4696-989-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4196-998-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEcI.exe

MD5 ac6bf3518a1fccd4b263560879b44eb3
SHA1 5166192a3a7d8cf69a97ae95e284655d470897c3
SHA256 5b19e41e5f5079eb51f398323e4a6dcf81320d7498942d4e070ffdb3b2e0b851
SHA512 1576847ec94dcf419e019a768e60724e94590e44fc65cb147efafd31460d5d7ec1f808ce3577b9c696472b3ebd9c891bbb405717f49b331a6684c859a60a144f

C:\Users\Admin\AppData\Local\Temp\MkIc.exe

MD5 951fe6b3e6ab999d66fbf8334da89014
SHA1 d9ece62226c3928cd298721c9ea5e66226d25479
SHA256 0ad2c8573d844d87d817d0c67b3f05a18e445e82a2e15f678d5b96ad986cee66
SHA512 31cec02a5bbabb5f20eb5df5987a1b861a3ed953505bfd19b4712f226921cd5d0367562b1e3eafe368d3eeb5124598f5d776fae24170d19bf32c01cf2801ca3b

memory/4196-1034-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4740-1044-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4536-1049-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1984-1053-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agQU.exe

MD5 603a658be244f79b8f3e893faedf1677
SHA1 8e26d24ba416f4cab0a392281b34b79506f3c74a
SHA256 ae64df2e797571125fed3dd0ac15e7e8b55b61ec8599cc15e0b1f4296d10892e
SHA512 6bd7f08086ee77a032dcb785a454930cc75bba6d856f1ef0949085e2bb6fcd8a97eb79e08ac813080c0bdc98df31cf03075756d93961c0765297c1fad9eea206

C:\Users\Admin\AppData\Local\Temp\akIG.exe

MD5 3ab1313801fb6d4e462c36660477ba20
SHA1 0bd55ccbc0f2a7e7ae4b728ea6914c15a7e74210
SHA256 9ebb962c9f7db0e1a2c20dd7ef2b5b462bceb382b48637397a0e1135db43536f
SHA512 f9a66950df1ed4474ecfb14ab839f59a799284d44fc2fcbdfa44662a67ba70e28a2272249dc7952830b31ff198e0173a1d4fbd01a525915f292cb41cad2fa9cb

C:\Users\Admin\AppData\Local\Temp\WogK.exe

MD5 19c8f3876e2a6f411bfa1e8d5adfca28
SHA1 b325d9eaac6e8cdc6ba494810f84e8bb65549724
SHA256 e17be5233f7e079e5a94fd2e9452d3e1b84bf60a0745003b2fc81c423a1269cc
SHA512 8ddd1b69b770ff76e5345b4a6e3ca18b81f978d6473fe4b04199cb8e438b4914def4e9547b9dbc41fa2fdc823b724a103b7b39c9fc054757ac1d83132aa9a989

C:\Users\Admin\AppData\Local\Temp\WYQg.exe

MD5 e809c729e7103abdfcaf228ec8bb499a
SHA1 c96520625bd689d40ae0bd6cbd3b386710eb776c
SHA256 7512dd839f68e6370e6e1aea04f3cd765f0ec4f29c76d7ca640095feab7276c6
SHA512 dd41df1f5b7dd4ddebd60ec780b454094b5173d13649b855998400b18d2146a69396082c8e85b9de1f75e8b2dbf23e5cfae279622e0c908463ea9b46c2054298

C:\Users\Admin\AppData\Local\Temp\sgwa.exe

MD5 9f8efbf58066debdb2ea1e8ef54eaf92
SHA1 ebc8f7f2ae8a10e052d481526b1b01d54ba30bd5
SHA256 7f0fa257336e82ef51ac10601c60d7743639ab2ce58ea6a4e8762aff358b4060
SHA512 91efd4bd50e4d0a4414c45768cf07902be60d079e8b7212ba87f62ebdb9cf9e20e810df27cd576a5bee03742a181ff230a4877060f5a3dd71ef187f6abb71116

C:\Users\Admin\AppData\Local\Temp\Kckc.exe

MD5 10ddafb1532e821ab5d7cabe53ac4c8e
SHA1 369dba7b627cc035973ef4079b9169a74d0c036f
SHA256 eb2b4d148dad35cc384fd9161310901ca5e898f612c4f45cf188b3e56793b8ec
SHA512 16a89537650908545c512605f07b14c2d8ff4ea729e575861bc6a942297c2f204561d74bb5db34569ea8618ec8dc9a769bc21b142678e9e6a76df3c19ed64679

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 e99f09f3155a843bfb31ca5b09b4fc7d
SHA1 ef6000d9ec73d262cf5b2786704cb6e1877490cb
SHA256 182e25dd88cc7c70f7f12cffe922e9fed8c839a0595694ae4d9f3a596922f64a
SHA512 cfa0ce6b4dfbad4061dd2b33f575e20c822b293b3089512a05e064473ecde748bfbc9df52b0beaccd154aa44a6cf1f580593d3ada175b5f0c5e41df3c626a7c3

C:\Users\Admin\AppData\Local\Temp\aAAy.exe

MD5 7f43d02fb4dce146de10921b62f36d04
SHA1 ff7f5a89ac4e51cd3ab830dcf4d2b2e7e0bfa7e2
SHA256 7caa6ec1f62f3eb905c95a68475902ebad8d35b2cdb2a9fc199017657066a52a
SHA512 2cdde2df9cd747d3c11b169402473b8d1a13536b622c7d534b0496c22e4139115856cf28a779786810d5afc9354b3267ac62e88b1dfc343304628ce41800b8e9

C:\Users\Admin\AppData\Local\Temp\UMIG.exe

MD5 c158b43b352a4dbe19608054f31af68e
SHA1 6548594b97c418b042bc2ceaa036bc77458e2228
SHA256 dd271c0163cee27b980be089ca5ec84e2fde13b8f2a4bfe5c877b16410dd1242
SHA512 e80d6e1eaf4f15defaba359efe386ddf04b6afe1cafa47789ad63c07184654a43e6068f47cf1a497627715f274d5b169c7338f393b7343d70764a92c5e8fdf82

C:\Users\Admin\AppData\Local\Temp\MMgs.exe

MD5 77057532f4e02c51ce14a5dc8d6889f8
SHA1 935ba53d808086e72c0a56ee26eaab337510f575
SHA256 fdf5e4aa820eb30026b7a0c183dc79ddd253ce8f2c4d84d7a8371c5c836f3049
SHA512 4ace8534af761f1042d5a432d512b3aea98f9f947d856efb69bd14c7f90747a41f0dccd04a0b5103c1c87f85e307b4d0b7e507925f4f4fb67e6fd6aba04d1e79

C:\Users\Admin\AppData\Local\Temp\gwAC.exe

MD5 e268fee10e769e1ad844ea7a30bcfea8
SHA1 3a09769f30f0f4538af2d60dfb8a1fdb1868cbf5
SHA256 2bbaf537cc939c9b54881092812e2370bb74634cb02c00e9da5684fa0c1f57b3
SHA512 a09cbf7f6dcdf5d28e642b6d6cabdc9441d3194c6984b8c93e145f5c8a0ce053b3626201bfebd5ed64f109f038596cfa7f3fbbe60e55a7607534f3f3f38ca7d7

C:\Users\Admin\AppData\Local\Temp\gUQW.exe

MD5 3ddb10161c7e2846b6b66ec242e9b715
SHA1 a0da3c4ab5dbc1c6b7cd0bce6593fb8f82b96c69
SHA256 008cbdf7ddfccf3e3dd122607f912bbb3cc5ebf1006d3f206b58a638b03e2a41
SHA512 3a3096a907b1bf14830a4f4f80d75acc9abec85b6a36b00add78a31695b157924e971ff3edd0171fd5138328a6be23f90102d8567e76d2fb57e28d6b9bcab046

C:\Users\Admin\AppData\Local\Temp\egQQ.exe

MD5 78e389933047fea95c8a49ec17cdbc6b
SHA1 905adefa58fb0c013760fa0622b57cda3f4e451f
SHA256 9fd045683c3d5e80b3ae0e3da0aa49ea41053c89be759617bc39f52d39fc45dc
SHA512 810674b09d095d1c568526add4dde59392c2a3397ce77197985e2c9d3d32ad545aa47cc66ca442167b9bf9bda2ef626a98b4f63727c7e5e1635d955688b52e69

C:\Users\Admin\AppData\Local\Temp\kwAC.exe

MD5 8c2d764ef7a63c1b2ffb468216f76e1c
SHA1 41c6372bafa66ffa872a8da25a6475894f340ebc
SHA256 d6bd096af405942126d5caf0316ec8142d7ce93360f3be130a35751a9749f899
SHA512 c3ab8396007ff95e697261271367e9def5d2ed06a8e0601ede4775f87926ab18436d915023e231213828c63a104e5da9861702238785383471f678a2a927e7b6

C:\Users\Admin\AppData\Local\Temp\GoIK.exe

MD5 03fef2d1262519355d4d525ad702f071
SHA1 aea71b52e5ca0efec9a34da66d5156c57404465d
SHA256 85394a5f308ee8fbf84566a9729edc7c45707d0eb7cdc930eadc330ebb6d52c3
SHA512 00d745dc209dc527b074d26a154263ce98ee341ddca39f0902b646918c6c8f027c3f886793762e720eb68450bbc178d174f61e50c4fd2d5d1ca624991c2ea1cd

C:\Users\Admin\AppData\Local\Temp\UQMW.exe

MD5 a43b7473a525e899304a7d0831eebada
SHA1 2bbaecf970389f7a6fe823c83c312edfe49fc6d8
SHA256 e5085bcc53897683f4a6156e645d35630291c6ae4ed375337285ec92bba9d277
SHA512 d5cf20cd884849ddf44d50b46e4e8c46a9285593fe038477c7f41815cdb4ee23711d845b6e16ca846ed48f373c9a3627c3283d6083b7eaa5cbea8ba6f9333124

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 5fc862be46ce302eb01189ec44630ccf
SHA1 791b920cc120dd33a835f4efa3501304de85852b
SHA256 fb8d8018818b42f28821963f2702ce3e03519d9e0621f0b252cc8a29ace5f7ae
SHA512 d0de12ad713ff11a0fa791d916919786e8db120e5e64f621d8d1ca44a51554472af1f139d420764336d1a277897a86453ab740768217fe97aea2e1ab88ad3be5

C:\Users\Admin\AppData\Local\Temp\IEsK.exe

MD5 cfdc812aa5f8e79d226f8d92143858f3
SHA1 57bceb4a9066f11fe2c3c19971588ef34216d619
SHA256 bef79a0f55dba3293edd2a32724ca94947b3db2bac32b1bd5d6c62d61a6459cb
SHA512 fb30189d9eddba4cb491ed783ca3e7f995ba0d6664c008525a8469c96941f29dda263b72ba12da67b82a5289cb6eda87bf45ffb81248d78229ec0bea1a9ab8fe

C:\Users\Admin\AppData\Local\Temp\WIUK.exe

MD5 4b68772e495f4761babcd23cf3d0f97f
SHA1 46f89488fc96e633aa8c3252c3b3838cbf1577f1
SHA256 6eb85b6c9f39f24f925c922d69716936f2a641db357d78d9df0db6a3fb2cb5f0
SHA512 9ae7a812437af07d67da0ab4a4e647b2e1d7216b578a8ba7c29fa9d2c5acfd9e635ab9c5f7bbe88f279b3e5e80a6dc1e1d482525920b7447dfe2bf1984308eb2

C:\Users\Admin\AppData\Local\Temp\EksU.exe

MD5 c0bc7990b0de1c1fd2897e43e57c42bc
SHA1 5c7d0963294e1af934577453e3bec4999885ff61
SHA256 77e979ae7ddf81b55fa9f11db403aa838b91b71a7f1746fa8384e9aa2331613c
SHA512 d659e40f493ce6b56770306c181b9ded9bb8d385fc65f2fd7451ef4da24adb3d5653ead7d3e86d92b73a2bffdb9eb3f30ec8d6cf4c4c5e3202006fafb7fbc602

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

MD5 323aef5f86a0e3f2fddfabece095f604
SHA1 c6e73c1b2842de5e5592f03950f0f9251f0f694d
SHA256 c04fcd98542c87202e9d33f4b6b95428cdd90e01fb1fb2b0f45b9a1937c605ca
SHA512 ca77ef3ffd744ba0732d7e84439e2b59189763fde65df3502a9df9f5dcee5e038583d89ebce8117db42e41dfdfdd8405fd669334db4d1629c3e148ddb61cc65c

C:\Users\Admin\AppData\Local\Temp\MYkM.exe

MD5 42f86e74f370e1b145b27553a5a11924
SHA1 5051d12e6096e4885da7fb5ec8e355f293b2d2fd
SHA256 c5ac3da180dd4f69248357e62e7b82ee9785471c4e46906dbc55244055487475
SHA512 f8e30cfc68df57a2bcd8fd76f97e1d59d541ad16b4567db20af4cb19d115a3659c1bafcac760355b3d38f21b7b50c36eb60fc8dea8a711ecfc6973cb7fc66009

C:\Users\Admin\AppData\Local\Temp\cYIW.exe

MD5 160d86e2bc63aefe9a50768de41c2d3f
SHA1 1e4684b9af3e8caae7db9306f42506cb9030e335
SHA256 ddf2f3e9fdbffbdce6f6b95482e5672a7ce9fe028dc4e7e90f3eebac2b880862
SHA512 4202f4a46fcdeda11286bb9eb184e48ba533b193d32259d3e835e130bddecef3743a71e039f784aca3ed394ec90c4ec01561c7d98fdc36a633fe157b42fe6f4b

C:\Users\Admin\AppData\Local\Temp\KUcU.exe

MD5 7d6f49f1c76b7911f56cfc62f1442988
SHA1 2f95b6514dfbf85a447b9ff70acf45434010c5ab
SHA256 6d2ebd0e49f32b5fca7b03d2a8993dd8a425b26e2568f1af45ba2839925e1495
SHA512 f852f5e4735b9d99bf7162ce2ea4a2a5c184b8b68f114d6d695ada83331754f68e31007a9e937ee259e0daff3234fd4a0097d49d1f51ce67ce86a6aaeac61786

C:\Users\Admin\AppData\Local\Temp\SMwO.exe

MD5 8cd10bf42a3a428ee908f27a1d9dc94f
SHA1 bccb4ced3379054b46453e3b744b82efa0dc7d25
SHA256 206026ab4be30870fc935b72fd3183f88b881fb99305de01292bdad019e2dd13
SHA512 2e876196b5daaba3a18afa331e93cc4fb9a398760d23d36cbcabbf1f71c1d103868999a28cc9eb204c24b76c35d76fdc7c9073f36804a68c37e9a31a755b4cfd

C:\Users\Admin\AppData\Local\Temp\UcwM.exe

MD5 e5790a5be329c73fc9ef4dc5edf84095
SHA1 6c417f32959616f302cb93be81bba82968c31faf
SHA256 9d66c3a9b7264f5fc7d1662b854a3b29a54feca6c734e175831e6ae89c8db27e
SHA512 0172c8fda9f6457fdedaade705ef08878327264bffde35eca5b66b6e0501b26c83dacd6909774ff39ef134a6ab9c6e665ee9b3b845c18550dba38909baf591e0

C:\Users\Admin\AppData\Local\Temp\eQAu.exe

MD5 bd0a93b3da0726e7150351dad6a382fc
SHA1 8772c80d94f55703aa9df1d1d5c993cef7ca1504
SHA256 85686cf87d9bb7e39a1dd4f7d6e7f217ff603ef3cfead47492e7cb6c94694c96
SHA512 cd1357455b6c074fe90ce22fa07377fd637cf3e845705ea4494b6c3c830eb2d88eb02334eee60b0708392bf4225a563565129eb46c975e7daa63c206d45a8803

C:\Users\Admin\AppData\Local\Temp\mcIe.exe

MD5 69c3618769e7aef37512b4b1cfaad26f
SHA1 b65af4d724373957dfd2428eb699602c8314e822
SHA256 4e66078fe92a6d00d7861f0326a31ab337f82bd0d35c144f1e52ce5eb8f112ce
SHA512 59ebbefb90a77033c9c715f587e4fd55ad46707ff28e2fae2f3bd9e85153b528df400ac706295b616e4277592d2ed39468bd229e3a28bf113f4c3e6a3f47a5e9

C:\Users\Admin\AppData\Local\Temp\qYky.exe

MD5 a57bbd6c062e84e5309f1fd43a8d001c
SHA1 8c942c45e10a7b769326d48f1844c4dc2447e0b5
SHA256 7bdd5d9ff79e65b2df569a8f1167283198e47216a460a3bfa053002b2f90e4a5
SHA512 aac4dd1837bc00b23392ff4464391fa51cc3143bcbabfa7ec7bc8b5b3045f12aee30468f3eca8a3e6545ff33a4dc141e243ff90d34d5317a915b1529bbcc4738

C:\Users\Admin\AppData\Local\Temp\eEYA.exe

MD5 56a7ea1169e59138f7aa539c76391ec4
SHA1 660168f379e2d429c3c17b05e3c12aa3d0b067c1
SHA256 11518183a9c5b0e55bfdd9256b20a22cf33e5474220aefb4b8b7e0ebfa400fb8
SHA512 ef3ffdf92250ccde0766d3663fdaea9b9927976519a992195731648b51a3d021c4e8f86b796e7f3097da796203065e648c621bc5ac6a5767fba951e151d518ed

C:\Users\Admin\AppData\Local\Temp\iAQM.exe

MD5 c8ff07fd57b510d7687c8bd8044087f7
SHA1 03cf5998c55a7761c805c0b1b0e0d71b1c5e296d
SHA256 df8f7916c813e7a19f749a70bc123cba252634aef3cc6f2cc2488f076b5fd5f0
SHA512 3ffa78f39f0970b326d89fa901b2131fb11cab94de01739cabb97297c3c8a8b7897f1e0cc61fb27503befeb53f9b1be91a04491e6807d2f2847ef66797b22c8c

C:\Users\Admin\AppData\Local\Temp\aQES.exe

MD5 24357e3f5a32b513ada2806b000b8f77
SHA1 057465659ded33c9a705e6b307e4c18b360ddfb5
SHA256 0d6c160e6cc30513e2f559b02e8b5fdabce158e79bb2c9e4378606ad90f4d89d
SHA512 b017a5a701bdc3270afbaa7fe826b15e6744e8e470ceb579462f01a705f5f74a8f652a5cfcf5e85e30d3a6afe2d14ff58d46ed7d6ee484304aa98c8bdaf6c27a

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

MD5 e5cfcdeb15262a703cf2c3d40283e748
SHA1 01d7bd4d21c6f9ce2c85f4e7544080a2dde64b33
SHA256 176b5377f4f1b38a2920725e5c2f892c5f6663843d55fa0c085382d928f11a3b
SHA512 c07e6c2d06933badc6971f345a88360fb86c23e96cab5092386e079f7b48f1154668cc9c26e0395f354bc77c2dcd6de043f5275b5a070270a6c2b3749ece185e

C:\Users\Admin\AppData\Local\Temp\eIck.exe

MD5 80f3919c9119ff03d82ac5feebc02033
SHA1 4703c4838869efc33470edc84f6ef4184233d46e
SHA256 20b393a85c156623f7ca1cbb0a607422249f13df7b47bf92bb690d9990f4df32
SHA512 f8080cafe67d62ee1eb4f1020e21f35c87f66ddf09febb40fa07a2b707ab5a11197a21cf42a1fa39d603770aac9f20d4ca0cd2fdacf9a2d5bc8abc60a3964067

C:\Users\Admin\AppData\Local\Temp\WowI.exe

MD5 6480fb2f03110f86fee42558f0c48f82
SHA1 fbeb515e9eee9a688ba67b558f6b5db20df3ee06
SHA256 22d2c911a70ca077ff4b85186ddde416fd4601a2a6568f1330a21475eac6c0d2
SHA512 4871b0aba296cb2f62a5df8af2df815370450bb5b3b805d34c4e7b81898941c4708c7c0e2fd2e7507c2200a004242ea2cd8a0ae99b4b11e587c3de78170f6996

C:\Users\Admin\AppData\Local\Temp\iccq.exe

MD5 075c5d4b27b6ffb61eec63f10bfda82c
SHA1 1fa14dc84a1b0db3a799697c2b61641a89deaef7
SHA256 12508cf1157cd6b6c5e345680b9e78a82a4c058e90179513f818eedfe1442356
SHA512 aec02c2309d08158985c374b18c636e30c7ca67d6d0827436294b4e75f064c795fca9fc38e73b9a9900ce32b25fad34d594acc0e76cef88c693d2a0897bf7987

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

MD5 d8cc130430c30f5450c44acd0b17453b
SHA1 726fc5379b1877338a7750adc2f2ec0252e13b34
SHA256 f9c4cf5351d133370d30e917428fe2dc55746a16e28ac347df3c086438b5fe9f
SHA512 4af2c08dc83aacfe79569f629b294ac4ef6aa42aaa3bc5d56ee48c41df247d11ecba70692e6bc543082a80c660acc557475252752083eb193effcf54361e2ff1

C:\Users\Admin\AppData\Local\Temp\cgUk.exe

MD5 e1a0671dbcaafde12c25dfa44889ce1e
SHA1 80fd8d1002cd45b28b85e67a039c84cf385fe1fe
SHA256 aac9b9e5a5abd7446c4f4848c704b5925ef0e7abd880ce3a57799f5563df87fe
SHA512 35d6662f4614637f315ed33cc758f06ae5fb4d19d7bd67582c19557ea8ed38de410c7489c26edf27e21e7ac19ba8a224dfb9dcef8d880ca0726dedaaa5a149be

C:\Users\Admin\AppData\Local\Temp\AwgE.exe

MD5 8dc5b2445b93254065676de664052a14
SHA1 a767e26926eac71875a6a516fbe087d2f6b17466
SHA256 c78ff77dcd1e076e5062cc86f237d42c03f3543e51aa071d9e8c95acc4a8fa48
SHA512 9c00bcfe3337d4cf55b1f35d51b34a8bbbfb407b59370b4a0943d74ac2dea3013ac725bd1cfea456fb8c18f1460c159af22e4ee6bd834266604539f4e68b3365

C:\Users\Admin\AppData\Local\Temp\EAwQ.exe

MD5 80d4513b5179de1412343fd07d9ed58f
SHA1 2a0e2136ed49958183032c66d76e454516e578c0
SHA256 55fe291a9f6836eb94a565649e9685cd5948a0e68070024ad22edbddaa00912a
SHA512 b4c657cea9d0268cf02b437c345511ab4b3928f3d470c4673fb591f3062dce514ea8be80fbe7fa0a8813228887d1be66eee3146f4543f7b51531ecf331397fb6

C:\Users\Admin\AppData\Local\Temp\gkcC.exe

MD5 f9c785acb1a4bc77fafa61ede6c5a6de
SHA1 480749b713f4d6847886d32b372d31a57a0cadf1
SHA256 61b0d4b02aa2f1878fcf99678011679ffa32bd5694e686719b6716c9dc1bac69
SHA512 44eee127f097479b79cdd4407a8cf9399f46e64bfee881d455c0da5eeab5689d86567b79933242868a538f0f34271d25f6c5ed72376158e4e6e5663ae7811727

C:\Users\Admin\AppData\Local\Temp\wEci.exe

MD5 0cbfe4df0917d4a4a32588a5be39d23e
SHA1 ce4877cfd5fa9bc8105e89ada275f4bff8fb4d75
SHA256 b953124af2651dbd0c71db689aa9df8946cdc84b795adce6b2b834f5e338531d
SHA512 d66aaa5574854c2224215754f9569eb15d5cc32b1f9d9fec332cef629c03c4a2343b2e0dffd7a9c1510f7b52bb0f010c29ff309f186eaf4998662518b7c2cd88

C:\Users\Admin\AppData\Local\Temp\IoQS.exe

MD5 3c96dd903bac05b4a7423d0e4e8dd25a
SHA1 0d519157457ef573b3aff2fc59788c511c5ddc42
SHA256 cd9ea54035e635c2c3f1c6168ee1a3b36307b054d59e44ef25162110727aac06
SHA512 ecc00c6b60a432c2750aaf1b8fca25e2f399d10e66cb9c75b42f596ec67acfc96790565ab3a20cd8dd1deafdaf4e61deb0d6df69daf3c7bf85aca1adae2d6d14

C:\Users\Admin\AppData\Local\Temp\GQAq.exe

MD5 5f978042dfa223ca3602403788767bbb
SHA1 d7df4a06836a7e0a5ba05f43d84b36e3975329f3
SHA256 a54d17f2cea0ecd11c10ada9e2899abf83f898d4a8631f8e6fdd06a089f04f6d
SHA512 10f37983fa2e38a17bff8656e2fba3096dc1d426bbdbdd6b8545aa8965f151adf17f6e67ff725e1de45d02072fd9f31b7ae955995f8913479f17e5a32fe0ff2d

C:\Users\Admin\AppData\Local\Temp\wwgy.exe

MD5 b82cddd4606e3d13b305eb7faf352306
SHA1 71148a376f86a25060db2ddb4c6b78a2470bd923
SHA256 ee5031ad3a3bcde2750ca815f62d1e91ebccae3ffb079879d66687028d3a495c
SHA512 ed1015b60ca6206c4ba94004847288664eee01144fb7c3d12902d326b82e6c6890ca64a7d885e5695c1162edf2e5a5d8978d2ffe985bfc2fabe63db68b2bd0be

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 2588ef553bd7e4cef937fb478b245cbd
SHA1 f6e6388a45d1087f52c5f1e97cd0a014134aacb8
SHA256 7278c5c6bce9608d450b42d3cc410c4a1e8ae2983586e1703e728df16ab8e427
SHA512 47bf09d0860de7a14defe5b74948602a873a5b38c6e8e7223963c8ff3afb77d97aed163da5a02700fe2287de2f27e3cb9d605e40d0a99618a4359417117630e9

C:\Users\Admin\AppData\Local\Temp\wcgu.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\qEwK.exe

MD5 ec184c48ab32c39312f70352be027aeb
SHA1 cb3436232d21326b7c8be89deba4f8ff7c07cd67
SHA256 271b6a7585affb4cf7bcfc18da5175ab82675d3335ed78c82e49e8f5e521430e
SHA512 0c96e3e69e1cca2049e69c234cfea91690fb25112944ed00062e5f0321d7c621fb342b32ef11e854d48997fdbee35d700b51f5132e60613421ced3b5f56f2f59

C:\Users\Admin\AppData\Local\Temp\osoo.exe

MD5 c0103cafffb74707b7a2307c966cd42c
SHA1 7eae601c76f3260eba6c798a53b2d98ea095587c
SHA256 9f313fa5da8b2924854967d9a3538524224d64673c6cb5b63fd98af5e953a14b
SHA512 c9fef15c1f8602eb3a0fe9a998c3345fab921fddd57f73b3a8ef720c7165694b665d24c0398ce7fd28dcf41e0aceb3d609676115a5ce253ebad7f4839dac1b0b

C:\Users\Admin\AppData\Local\Temp\qsQE.exe

MD5 d306b004850ba12acd0155b36684505b
SHA1 42de6f243a51551f8baa3220069859d244996706
SHA256 ed510712bae6865557069cc2f125328f3c610d4118e5f8d4322475d091148fe5
SHA512 f4a18f2f0ce160a5de12ad153fd780b7fb0ade608a673bd68a4a31d69c9cc2b7d7402531771c029f5dbf61960803761486d11fa01aa06f00d9868e628e86260f

C:\Users\Admin\AppData\Local\Temp\GYck.exe

MD5 c637e4776ef74c8280df69612221d3b9
SHA1 fd309b19b511cefeb27c4cba47c8cd2f1ae2a786
SHA256 8db4356e0817df6fa2af06ab3878357274996063762e7e4d4f5a3c0485d653cd
SHA512 74678989714f1c012711e84362f42e46f3ac0893088ed9df19f1840d5d92ede4114d7dda9772d2dd8a807b0a1b7e67def8016c83cd7a9f46c5cc648be61f8169

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 10b021d5f8d2e7a0ad87f9ab3d8f9853
SHA1 cfcae27bb38fc883c4d75db3d80ed93181aeed04
SHA256 47bf2d5c3f3d31b21b6d4fc4ea636b346c8995af5a10e44972843019db2c6ed1
SHA512 32fd5269443fd1ef27ddccd562f116fc538b575f606a69a5a114f30db219aede946dc81d1e9518c1181d1c12086f5933e3960873dbf67cbf37b95628b9cc7923

C:\Users\Admin\AppData\Local\Temp\yAYy.exe

MD5 143dbd27e794bbd5f93e83095d624020
SHA1 345ab50320f8b476def921834362061211d221d2
SHA256 9f3a6ab7dbb409068fe7ca8524184fb399323cc410d6b2fde911d4ac9e0e271f
SHA512 1260d7fd93d4b8eb9b20f98a8fba3c8a82d29badfe81adaf9e34186d3a7aa32c5c35576a988a80d31cfd78743c2d5b46be615780565793987d7af4baeb9bf706

C:\Users\Admin\AppData\Local\Temp\YAQO.exe

MD5 777611a2162b83949f411e6bd5486f33
SHA1 5748c366a73fd6f58b565eacbe55f20098ff7da9
SHA256 722240a19030af0c4e44fc06c589c87d0700df13ba0a961910672e2a44a23257
SHA512 1afa0f59db6c46df721a0161838ba46fa40ba05f869179cbf3374a3f82b21d9cc90311193e533767be5ec71d43fc5ebd4d73b11d8d993cc89e49ccb259bbc6f3

C:\Users\Admin\AppData\Local\Temp\kIYw.exe

MD5 86a864e68b180683a12926c273570c98
SHA1 414535763965eadd9ff6d86b6cf9223192bb4123
SHA256 9336bc316708a320e2f7078117364463d3fec7cd097efed4f6e637a40bef60f2
SHA512 ddc8dd46270fcf7b59b5a55c5e2168e35ad93d50b1954f495f989a343b6478b1a63ff00622584ec93dc92ccdd833a23aa5315fafcdb5a6933e6fcea5a62a8aae

C:\Users\Admin\AppData\Local\Temp\wAws.exe

MD5 42b75633603940b506f3c41678a7a7d6
SHA1 e81ffe1b8bade3fb67413fbafa0dbaddaf238fcf
SHA256 bd232c938818b65cc95ea7719698a08aee95fb61952cde49fe20fef8849402c3
SHA512 5839683fa2e206aa23f9291e9dd4ff163def5284d501fd4baeca41a9523f2304c7ecfe184a11829602e280a3d374220a7ca1a4cd83156df66ce3c8b47f211ffc

C:\Users\Admin\AppData\Local\Temp\SEca.exe

MD5 0db8709e192c6b89e8abd5f8d659f2b1
SHA1 831cc1716a30c28472d3d851f9ded4e84812c5e8
SHA256 54a6a1cdd5c22443651c43994045173d3ab2976243a7a9717896695e02268f24
SHA512 dff33a93078f069d6d11ecd18a472753885ae8f6e4ea8d217ec27b6cba89930b0ef1209b0f25bfb1ff6b5c35512f024c3ab5bb722b27e6d181c04cc0d1bee444

C:\Users\Admin\AppData\Local\Temp\GYoI.exe

MD5 23d407e47bd82bb03a1f7c34ad073866
SHA1 0149996e8ca487bb740ce8efc89ea272042bb72d
SHA256 b424df4dffac265de2ef9f0fe718f6952bfd3d5313b1d09ff2ab8312b19dcfe3
SHA512 26e86624e7e231c8a5b68af1cb82ef4e583c09a3f152a55848dba1ef43812aa80df23d431889445d90b0d24ae54225e588af122a196e79ffc38c18141ae52510

C:\Users\Admin\AppData\Local\Temp\QAcW.exe

MD5 c1f5b799668439a5cfc27b4b0296a6cc
SHA1 013075ba2ba5ab85dcc3884eda2678fc09d8986d
SHA256 eabaa36bb583f8f69e5a67bc66900fcd78ad504e7e2c56ae3c102681ecf5e6f9
SHA512 ef5e0a4c27bd4d70cb28f405be24d966ef860ecfcaa70c15ea4680c0ddddd1a890f6cea7a65066e969f44ce754cb74774111bf292ca8c7e1b6678adafde0bca3

C:\Users\Admin\AppData\Local\Temp\iMUm.exe

MD5 dcea40688a5e4e1948bd8beb4045115a
SHA1 e1e9e689e8c5e06adde7dc2b412aaf5bc1f13c26
SHA256 11df1956efa06a928935914a8c5dacc2058227ed293f5455dc95c57a35c6c078
SHA512 a97b98554d46cac1957ed562d0cc092aca2cbdb7cb3a17cc4909ffea18a1f55a18b0add98e4bfc5465a3433f92a69fbe66186f125a10fbf289f8dfde353f46fd

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 9edc838ce66f8993f31199699bf395d1
SHA1 4522159b44f551b9f66d6e5195e35aac325041d9
SHA256 3954dc15606580913c26cfd8ceb3bbf51c7a3d26d2e7bc4c365ad06b47bffdcb
SHA512 9c660dc295fc759a66674f2e6a2825b78e783d91d1d9bb26b1980aecec7c291ae8cb9d5a29b83b2ba6f9aeffa79b163bef0fb6466d546aa3b2337e2fe619365b

C:\Users\Admin\AppData\Local\Temp\kUck.exe

MD5 8c89a9fd71da4decd4804fd0f949addf
SHA1 41034f769c631337579bb893244449958225f0a8
SHA256 acca28d910e4f4a550d373d9ca716a7c90452da9f65dffa401d82aaaa4424db7
SHA512 d8f7f0e83ccbe42a80a840f6e9368b1a9775dd1997df1f1bb7ff0b91be80c2f1405d9a6edb06c5e22a65b1663ae0edbb537ce6ace9588f07c0384f8d795df1ce

C:\Users\Admin\AppData\Local\Temp\gYYe.exe

MD5 de7838ca3f6d40fdd31f2d21cfb2e86a
SHA1 1c724cd68d0dd8763d150d00df87a6527e7b5dc7
SHA256 eeaf7a64d7642b93401a54109f111802ba082ccba3419d25eb71e3a3fe7aaceb
SHA512 1b22cc30db1ce1ff6774d42046b47de9d15813a84d681712c423763c2bed315555058b292f27fe49fed37afff2d59440be4899f7a25004c686c7b92a2bebf39c

C:\Users\Admin\AppData\Local\Temp\eYEw.exe

MD5 4908867e91061d17879fd304d159aa9a
SHA1 b1a29bda9f0e9f4b3f279bf8ccd004c41ae95a04
SHA256 8d71a72604c52a82fe7ac4550676bbb9bc2371ce9a969c9441c7af36c2417a5a
SHA512 4dbfc14ee4d16f00571a734da17fbf5b9adc4b6217e83d1da1777afe8214e86901cbc3a2031d82a5351fceafa6ed34c0d4a6750bd63758d3f79bea9035db74ad

C:\Users\Admin\AppData\Local\Temp\EAEC.exe

MD5 0f9f2f18b83088c3e1b7199af6cb70a6
SHA1 8f54da175de4b35037e461e77f1b745b7c9943fb
SHA256 5e9c14ee1831ae74e28625e19853c45e3d3f6a048cbee99c9def47975613b9e6
SHA512 ba304e806dd1c8d7fb96343cfb356b53620112e12e7ed2c37e5d643dd638b4fb819599b645f748fae6bb5c3738433c5fb142b380f1fe9a033c01b5b44b036ef6

C:\Users\Admin\AppData\Local\Temp\awck.exe

MD5 0a9379ee825733b2e492c55af2bb29e7
SHA1 a2c6a92bae8bab4b87e19fb374f6d6fb9a0ffcca
SHA256 c5c5c1e2b1ea4752b3bcd04c419b5a76a6ef051a3bb4e7ef26674a269fc9cac2
SHA512 60001374ccc970bc6295a9063f3b9a5a38c001e58251c275615e4bc890435388fc740c29d933e9c73ec427980baf17ceedfc12a267c98ea73e69ec231c233daf

C:\Users\Admin\AppData\Local\Temp\sMcg.exe

MD5 ff05ba766adbb51efa802b51f54ea3de
SHA1 2dfd0480591148e9eda1e230e5816351226222a4
SHA256 54b449817f98f9a8300db9b79e445fc00123c7fed73e5cf1b88abac42a8f2c74
SHA512 249ed5c9e34e506cc2ceee03b8d71893536e07501dc28a50ee159eb6f53b04f58b2ed01df21706bc1d74f112f919106bef48bb4cdb07724f89b9c7198eadf212

C:\Users\Admin\AppData\Local\Temp\eMwy.exe

MD5 b26f51c9b49d6c83fcddb1e4336afbd2
SHA1 ce3a41ef2a529e318ff312509b04b399f556def1
SHA256 e6d8389143ef70b468690e24984de0ff6de09570bb291cdd1129db0a58e99291
SHA512 25f5c999e8ed414c5930dddaa67c7b8faa5c548c04fd89ae11313a1602e89d9392657a6075367d8308ffab3946b355fc76d38132412d06e9672219a9e9ac602b

C:\Users\Admin\AppData\Local\Temp\kwoS.exe

MD5 9161b2fbd013fea15bbc281361c5e370
SHA1 a0c00167bf68b86059def998e9da61191da42b7e
SHA256 ab9419630b885a0b7dd3c88c8f4ab28cd21bc76e765ff2d1ae0614dcc8c51bd6
SHA512 be08f998b8a458ddb3ae9c9d19ff8cb62652e6238719bc026075be2b0e4fff6ea1ae75a8f24f8b9e8236851cc335fef2a4fe6a8f5a105066a70a852f40b7caba

C:\Users\Admin\AppData\Local\Temp\GoYA.exe

MD5 413e919bb15acfc4b3c4e9884ea9ea1f
SHA1 a891e2f6aad73cae57adccae8959fdf8a1de15a0
SHA256 e4f7edd4f413253c0fc5d4da94cb5115e6c9dd3c0a361cd336dca5e2b44a77ef
SHA512 92f19f3f247f850f0ff446c429904d0eb276315ad4879de11852fc1142bd7f860c72fd017a5adab835365cc4084004976ef615e58ef7a1932fbf1c3ac99ce7dd

C:\Users\Admin\AppData\Local\Temp\isco.exe

MD5 cff818d721a34251086c941d6ba1f5c4
SHA1 8d1786c789dc8c933960b9119d68c0470e25dcb1
SHA256 7e982e2c4bba2b70e19e328d2110df174218ed6ae59a6ef84be89bf4fedde5a0
SHA512 ffe2cdb1a12c3516762c2cb67850a5157a063df671c336b1529ef09fd17f0b25c1b43592dde1f8a7a79ceb99fc3d7a138f08eb10b00e02a5dcf15c6e4ab0da5e

C:\Users\Admin\AppData\Local\Temp\SMIO.exe

MD5 cd7f426eb47e0c8538ad0bb78b6ed268
SHA1 391d216302fdc7849f0bfa0d4044a9bfb1216fc1
SHA256 14f9a3dfaa15f692be2a73dfcc6bb8fe016a3ed0b01917b28ad6e8c8404eb1f7
SHA512 bb290140d54bcbb2a0991f03f0d0e0336f5fce918debf2b7197baa73d9491b96f18910304293a9bbdc85d423cd4b45a5cf4f86cd7df96cd06e7b3f3cbd5848ba

C:\Users\Admin\AppData\Local\Temp\wEAu.exe

MD5 54e571c8194a9e3a25b029dc4e02dfd7
SHA1 69a8064019ccc981c6f653436a53606304f583d1
SHA256 72e53732162cda97f406c197796a286f37c3dfa286e454c448205217fafdc4a2
SHA512 ed295685107b566955cbe2816b5d0490a011888011f5d0c34ad158590170e7a07b9303c6bfd14e01a833024b61d2d8cdde5f4fb7608893e08b9c55617fad4c60

C:\Users\Admin\AppData\Local\Temp\kwwi.exe

MD5 5d5c91774b9cd623ff7ad0e30d7d0189
SHA1 2e1d43c6caba8530f7b311c3f3e7718d3129c653
SHA256 f69af9f0b951b2f3ae39ba18fd731166e600aff99d95b0225a41ee5e1d6dbdb9
SHA512 b847b785b68d35bed11c87647e44ab0234ab51a07b053c672dc4dcce89fefac2556a346b575d672b044a192d037a520d4eae9b899a2861463ceef1f0bd63ae5a

C:\Users\Admin\AppData\Local\Temp\AYEe.exe

MD5 e2d07002a2aa56d1190b428141235dff
SHA1 982ec9151aefc8f753f4c6d3cc1cbd2471bfb623
SHA256 70fd04a9c3821a7b564d9e48e30bfc7098ed85187b50420da4bb0d0ff6a0d315
SHA512 a5fbe7574ff056102bc43b6a76785bff6cd03b9288f72a46b108ecbce5b61e48d41d9f41e8bc567ad071d67279ef60a0f3c9a57639c1e16d7858badb3cada665

C:\Users\Admin\AppData\Local\Temp\kYEe.exe

MD5 6e3f301d027e190ed058be785cf2215c
SHA1 335d8b489063f42322da140a2c3fedfb92cae45b
SHA256 c9c4cf8bbd3695ffa2f1e00f7066eaa1e1c4d44600aeb54461eba588706b0892
SHA512 96dd48bd7ff6be1906119c7ee47d371affa25080ae3cff44559b9acc31bee394cce2a19feab615ca60dacec3365fb6b9285cebd3dd9a10ca4260bf6cc910acd1

C:\Users\Admin\Pictures\WriteUse.bmp.exe

MD5 a8b0523daccdd691594d118d9ec491de
SHA1 c2b09a09a2a7174618d08b6dd99788c7fe4d435d
SHA256 dbdb52d746f35c6873422b349befcf198cb0051ba653ba6d47bf7b085341b345
SHA512 34f077df6f25ee43e699f6ff16fcaa4e0c123e6d6ab8df333fcf20ca758286e9261d942b2dcf73e16c92f61c58f6e69b84bc59a9f93005050fa220c406742ce9

C:\Users\Admin\AppData\Local\Temp\IoUe.exe

MD5 4e41568abd01fb6d396898cf0f5e9d3e
SHA1 848f3b61b87661678e12c16bceeeccce2ded7264
SHA256 18897c96fca555ae2a0cfb7cf1fbf27b9bafa126c31ac7865e00e2aaed0865ce
SHA512 0390c4a9caa902caba667facf10f1e231a93a25f185fa2efcbbab26136a1db35c2cd08d8dc720db1cb31b325426b18c2fc5df811b33fdb6dc809512927ec0710

C:\Users\Admin\AppData\Local\Temp\mEwy.exe

MD5 c614478131c33bcb08872b232f8900ff
SHA1 adf05e520ea251c8e7ab16a3ddf0edcdb772071e
SHA256 906674d6b9cc3b8df6028badcb50f957fdfe1e7cc5c46453870df29cf9655c42
SHA512 53acfe1f082e4d5abbf83b1ff04c6f4906ea15251d437375a65a1421a5761e068cd711f429a7de22ca9a3712e41d9e86603d54bebf43f4933360e2b13bf0a663

C:\Users\Admin\AppData\Local\Temp\eUMK.exe

MD5 f5290ee42d52acbdd1332f27d51f6a67
SHA1 0882eccb3ac92694ac528110de0dee90b1d686d1
SHA256 7a71abce49de896b626d2d1409b565841944d1a13615aa497fe332c7410d3524
SHA512 77a5a401be93e6028a97cb644e60c1a6078b5ff9cbb56aafbdce4a02fd1c89ad0dee9a4c4bcd0510fdd68272135a077295ee44a7d1c432f3e5f05832846aa1d9

C:\Users\Admin\AppData\Local\Temp\WQcO.exe

MD5 dd4b24c06af63e17dda60c47248dad6d
SHA1 0c7af4815967d530c099c5fe4902774941fa16db
SHA256 7f2fce291094d820687902158d071ddf368d0389765a6e7cbd2b5073052e0275
SHA512 a96df1ffc5ed1baea298cf5b467807346b83b5c831f13ac79b5baaedf1dde035e1fa5fcdab77009c7e41dce6ea74278b6dae52aa7e3d57641dc50e3b9ce88c1e

C:\Users\Admin\AppData\Local\Temp\sgQo.exe

MD5 c2721629c49a0a9e84329d7f3a759b7d
SHA1 e285ebd5283a54823d9161817741a931d850091b
SHA256 01a4f46f26354f9d70d6ec589ea5ad261bb6c62cf6fce8676439d06444bb5db5
SHA512 3b193ac143f81bd6885ce48dc84eaf8b9264a119c01797f310bb6380c9ba1a5abdc1e1d4d5b3a70891a5a8945353831110dc31b4eddd41373124b7259abf55e3

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 2ff37e2b82685349a300a0eea41a4729
SHA1 78dae3eba96e7961716589d517ca9ff8f9bb7cb5
SHA256 de01244a281983b37dc59e275b2377ad79b28368e2a8ac89e6a7bc4912414406
SHA512 77aef14a7de11b9dc7b7f35d7d073cccb01fc23148fa7019f06a6f14ca9d02e3bec81fa6278d27f7ea157d7b5d00edaa775e7c4374a3c0d674c5e0cdf46853eb