Malware Analysis Report

2025-01-22 08:17

Sample ID 241026-e23s5azdjg
Target 2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock
SHA256 e7fc2a1ff4d393351b8bee27b7f7a342e4871422ca14f23ca6caf9730929470f
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7fc2a1ff4d393351b8bee27b7f7a342e4871422ca14f23ca6caf9730929470f

Threat Level: Known bad

The file 2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (60) files with added filename extension

Renames multiple (82) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:29

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (60) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kUkUgEUQ.exe = "C:\\Users\\Admin\\VCAQsAIc\\kUkUgEUQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rQcsAYkc.exe = "C:\\ProgramData\\bCwYgIoA\\rQcsAYkc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rQcsAYkc.exe = "C:\\ProgramData\\bCwYgIoA\\rQcsAYkc.exe" C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\kUkUgEUQ.exe = "C:\\Users\\Admin\\VCAQsAIc\\kUkUgEUQ.exe" C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A
N/A N/A C:\ProgramData\bCwYgIoA\rQcsAYkc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe
PID 2112 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe
PID 2112 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe
PID 2112 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\bCwYgIoA\rQcsAYkc.exe
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\bCwYgIoA\rQcsAYkc.exe
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\bCwYgIoA\rQcsAYkc.exe
PID 2112 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\bCwYgIoA\rQcsAYkc.exe
PID 2112 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2892 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2892 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2892 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2604 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2604 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3028 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 2044 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 3028 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3028 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2620 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2620 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2620 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"

C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe

"C:\Users\Admin\VCAQsAIc\kUkUgEUQ.exe"

C:\ProgramData\bCwYgIoA\rQcsAYkc.exe

"C:\ProgramData\bCwYgIoA\rQcsAYkc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\towsMUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQcMoMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dUwQkcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqEEQosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsQcIAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MAwsIwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOsMoQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EmMAsMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BagsQAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEMAokwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkUUUQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWgYAkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqUMcYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uCgMYgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwMsUMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwIEsUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dGwcYMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIwYUEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwcAsEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwUswkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIEUgcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmIMgAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYkMYYQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UksIQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYoQgksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOkAYssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUgwMMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSowcEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GgsoMkMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KwYUAkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaUAcMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\akIQUAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCQcYMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgkEgQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyUQEgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcIAgMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uqIcMMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ISAMsYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOsYAQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\asIsQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYEooYcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZcAQgkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOoYsMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcscQAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUYsEYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MqEMMwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuoooMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEQcMwoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsAcgkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKsEMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKokYIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWkIEIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGcssoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKAoYMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkoQcoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIIAgIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VogkUEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LSAMwkkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dmggYIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoMMAkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WeIocsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KQQkkQYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYcgkYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMsQgYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCosMEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsMwEsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\togEcoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAoIcIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSUQAoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UkUgQgEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uuEEcYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\smAcEwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAgUEkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAgAocIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQMEAQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zygEwcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOoEQkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qYowQsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aYsMEosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\koUgAUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LGkooowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lksAkokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HykMgEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEMMAgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cykwscgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MEoAsYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUAoEgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ggUgMYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGEwcgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BekUQQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\juUQAIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGAAsQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmQkYIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mKAcssUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMIYIwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecMcgkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkcoMoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tCIgskoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWoYggAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgYQAEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAUUoYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wWkYYcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWAIoMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cikYMooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaoQksks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZwAUsAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwwYIsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DwYgQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyYskkIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyQUsUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWgMAcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsAkYkEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWoAgQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wsAcYEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2112-0-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\VCAQsAIc\kUkUgEUQ.exe

MD5 941458b96cfadd90d38168928eb3db16
SHA1 d9b63aa58be97590aeecc64ac688b8a2186cf0cb
SHA256 ef7efeee9a88e6be78ab88d7bf020e94d9d3a463fbb834ff3ac63beec5621805
SHA512 efc7316a1c5cb4d203a5c35bebc08f81422af1161e57568329dd20d6333d00f332b21dc340cfedebb7209a5af53ba6ca65882e7833457cc9075f6cd489a160c0

C:\Users\Admin\AppData\Local\Temp\NGocUccs.bat

MD5 4dbc41d186593e5bb73fd590636ca6f1
SHA1 f21fcde9a8e31f6fa7e2ce90c94dfa73ba677eb9
SHA256 b1e3701dbc6fc3ccc4a81ec4b7f7046cefcee41d91bc76ebab9069041888c44e
SHA512 5630d13b44caa11b6ac38e60398b9042359c371ea0fb78ea6588d9b4f5e1aaf9388870bbfe707837ba84d6778bc62962234bf273dea6f152f7bea007d96809cf

\ProgramData\bCwYgIoA\rQcsAYkc.exe

MD5 23c79b865628f300c6d6e436faab206f
SHA1 49446e8d31d69bed76138b616f592966d636e994
SHA256 bddf868c44d2a10a19d068b5637842114c9c06a36894356a81aceb796e511f6d
SHA512 b422260db55258f371f229e0a0886a030850a337b4fb50acd2559beb305c4e46382c0e235a1eb4a29851b11fd126a2a3c2e297e75c5db367c9b1324064562a48

memory/2068-30-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2808-29-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2112-12-0x0000000000460000-0x0000000000493000-memory.dmp

memory/2112-11-0x0000000000460000-0x0000000000493000-memory.dmp

memory/2112-39-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\towsMUYs.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2892-41-0x0000000000370000-0x00000000003AF000-memory.dmp

memory/3028-44-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2892-42-0x0000000000370000-0x00000000003AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

MD5 5861d4e6983be2b92122bcfb7d239eb5
SHA1 892a1af54e23a9960f63eae6369c526ef325b77c
SHA256 b3de971f88cdd8219cd9bf4a1212107b4052f468caac1f196d756ddf095acb48
SHA512 af3ce9a9c4a7be34e1d75bd9e25b483cfadc18e50cdb3229c5bc70bf965f6c478a707711154066c446f84ae5b6216917dd34935ee69772c305a00bc6d5040178

C:\Users\Admin\AppData\Local\Temp\NSAoMwQI.bat

MD5 f14841f88f82a656667ab87bd06747d0
SHA1 6c66a3d6eccc3f55bff3f21d65f3ea32efe94aa8
SHA256 826c4a722f25430c4791ade4047d7e5f4af541276fd62164a7e11ec1e6d7259b
SHA512 691c894118af038b34dd63fa968389663844529e6b22eb143d46b1069dacc0705cb87ed841ca2cd13dde4b10494a70b10856ec63f4ee820eadf844bd4c8edfbf

memory/3028-65-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rUsQwwUU.bat

MD5 485bce8a1625bf2129dfef4ea2ebc6e9
SHA1 3fa8f33f214b474d44138acebd75e79658658fe9
SHA256 405861a4be8da1846b281a98beee645b8c8b3859b39ae17a37fb785e6e1e82b3
SHA512 9815be44495726d67f12483c9dc4eb308b20f047b2eebef4994a386c36fdb52b6ed15827e8f845a5d09532e8da82031b6ecc3183d7ddba9439331e2b54aa4384

memory/328-78-0x0000000000400000-0x000000000043F000-memory.dmp

memory/320-80-0x0000000000400000-0x000000000043F000-memory.dmp

memory/328-79-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2796-89-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lIwMwEYA.bat

MD5 a5b2ffa945de721b9947db526421c679
SHA1 0ef309cfb3afcec7369931e6dbd395913b9b3c6b
SHA256 2b13074d0fb1d198a972234d3894a8c4aedfa206a075e4d23d1fe77771a2d4da
SHA512 14c6eaf540e84f48c480e1c1b08fd54cccb221e08963dc6d23cb7486d9ee265e48fa38db6e8609440213eeafb9c947fe55028f608f32333c2222545e325749d9

memory/2628-102-0x0000000000120000-0x000000000015F000-memory.dmp

memory/320-111-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WMUYosAo.bat

MD5 1ae814d56b7b5e6a6dd717e3df411cb2
SHA1 429c881fdd12836dc42e940996a923a8d10ec1b9
SHA256 21a510096b11b8271915da8e2adabddb0c868717a9d03df6c6b2639c110e728b
SHA512 b649c90aec4ac40ae4e7533ab19250a2e82b5a2601c72dd3e22e4e5137560e9cbcee5076c9fc97823f96220483f81f112a039344e58602a18689acbcdece0594

memory/1672-126-0x0000000000400000-0x000000000043F000-memory.dmp

memory/580-125-0x0000000000400000-0x000000000043F000-memory.dmp

memory/580-124-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2404-135-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sGYEIMgg.bat

MD5 9680544a7ca3a2dd6d6eb0ae2bc88ffa
SHA1 39f77a83b740672ff46ec99e016987835c8e7802
SHA256 1756dd2aac65e45cd48734c06a2be9fc2336f13c712232860751a8c0f0b9370d
SHA512 b80936ba8d0f8bdb0bebdfa18f804d321bd04a48389188eaa5613bf7779b543f88bfe00d9b457fcb111895b68d7f9bfc65bf8045afed5ca487a1d63100e4dcfb

memory/2728-150-0x0000000000200000-0x000000000023F000-memory.dmp

memory/1672-159-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WaEEEwEE.bat

MD5 13a4a4909b553e226747103ba9722ee6
SHA1 d3d9d148a5db1147c066795e6ac61070a041c8d2
SHA256 83a0ec6ba0cc8a1501bdbad5cb7e717f9646a2215b9f952182885748e38d6bef
SHA512 ffb979574e4d9c135211636ec0dc6279e9354cb7d1e949876b77e5a09a02e4140a0c0ea87e4bbb741b3c2a34a31f44debdb41960ce37629e2987563ed2dc727e

memory/2832-180-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mSQQIIoc.bat

MD5 55106fb5a0a8234f63314d26419fdc50
SHA1 ce30b0efad26006dff02ec99a6ff90af7e09897c
SHA256 2c99612c0a05dfd049b78a1484c69730418fb45829f0a037895dbe103d1ff7dc
SHA512 27e3d697ed8d746ed078946e8227f3d2361feedc31406170264f2d7a3c85687a61ec2be8797b1e122d5a28728b3c9c443617f1d22f09ee347acd72810595efda

memory/1960-193-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2884-202-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lcMQooAo.bat

MD5 6e414bde8145473d639af21891b2f930
SHA1 12b3f3f4c0360000dd9a453b4719fc4b6f6c821c
SHA256 862a17fa3df06096b90d3574292d1dec2766f039c26642f54e87d666e8ccc209
SHA512 49d366d4e0cc616ca9d0a8cfa7b1547c137a7f8aa16f5cd5e449f17bb39f3bdee40f35463a32e534aedc8b26ce4c37566fab4e419439ca3c99b5c7bf2c6a4fdd

memory/2332-215-0x00000000001D0000-0x000000000020F000-memory.dmp

memory/1960-224-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LMgUQoQE.bat

MD5 2d39ec67f691dea3e3c3729ee2ec00c4
SHA1 84e4bdb0e7e815fce9ee39d9b1f64218fa2837f6
SHA256 93bb9f2fe9c5d413cc2a103972b31d5a26076df007c4d75e55472070add4dec9
SHA512 d34095a1459eee7d8af0f9ce1a3b07cb3c10520d8e885e88d8e290ce2dc1ae3ec8e2f8c8e4f3fe637bbd1c24e30e971d7460c9be356ecb6296b654d9fe53f055

memory/2356-239-0x0000000000160000-0x000000000019F000-memory.dmp

memory/924-248-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZOogEwYE.bat

MD5 7056a437d692b53c42e8a93ddc8abac3
SHA1 cc2c0ed504736a7bfaf915fee3f29bbacadad41f
SHA256 799c27e3b09cc160238fd690f207edd46fa5beffd43cbf8fd76f542d55df9968
SHA512 a89d209766a360dbde7d0f929466662ab21e8f1be37dfc999df21ac0015e4ae8692b4eab7aa7f783136083338ce467774413d47bec768f9cd9412617729d8175

memory/1740-262-0x0000000000180000-0x00000000001BF000-memory.dmp

memory/1632-263-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1740-261-0x0000000000180000-0x00000000001BF000-memory.dmp

memory/1640-272-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LkAgIUgo.bat

MD5 4822410bfbf9bb61af768d5432adc746
SHA1 9eca433f1fe0cf0b21e2809fe2f96bf355fb6dbb
SHA256 fe731ab864c2a1f9983bad793e58503fabd05232f83c9da5b26ccb2db6c1b874
SHA512 74057ee0f960ccb62e7b50d77c16bb1d1b0f1677614a047a31ec73f87aba11959f2137859e906574414b4258a3cc8515431d5dadde62907a64ea213bcc6c8c28

memory/2928-285-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/1632-294-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uuUAMIYo.bat

MD5 0462c1712fb3409b554679cb49aa86e0
SHA1 e558034872bd250a8990f1524c046eee526f5834
SHA256 b23e258b9bdf7aee0d56cf48d01cd3a3175d6667a0631700977dcf8149c68d5f
SHA512 a79ec1d9e7ac81fa94afc2df9a30d90dac1e9f4e6ac0aa2900b349d8a78119146bd927e45a9c9c139575a448bdcbc750af5f1ee0685b62edbb799b59f55acd37

memory/1660-308-0x0000000000160000-0x000000000019F000-memory.dmp

memory/1660-307-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2584-317-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYQAsgUo.bat

MD5 aa04b7b14284d2ee4c9ca4c2fcb0ebf0
SHA1 2a4871c792184766b4508115fa20ca6e46ed68d9
SHA256 5d682a8cc9fd3fc948b9028888ccc9a8506f111248b07837208b21e3fe15632b
SHA512 ff98a8063d05e5bf8ff2c5f08575d9f139e0cdf624dee39dfb67aacef0f18fc972e15cbf1ac19b50972e45d84ffb4f89388e12145697f9feb2457a0312dbefa9

memory/1852-340-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GSYgscQM.bat

MD5 699ccf41064452f696c5920da603cfc4
SHA1 fd0558fd56e6295a5b0a464330193c82a5d09840
SHA256 a32755f87c5fa707dfbfd1916b01db719d8cde2afec9d551dd5ea1ae5b8c868f
SHA512 11160fcd5610cd86854e86e415e180f06b32f2add0206f00b5ff661360b831fe17817f6c9ab1a00e09bd3cd796addfd6b36e88425577f601632bc9adafd08de7

memory/688-354-0x0000000000570000-0x00000000005AF000-memory.dmp

memory/688-353-0x0000000000570000-0x00000000005AF000-memory.dmp

memory/2396-363-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sUEQkwIA.bat

MD5 0fb5ccd5647d959aa60a4d051b991a4d
SHA1 9128fa56e9b61d24b549c146aabfebe1454134ac
SHA256 a7724e52c0230848f91731e7a7fca2212e2e2caa7bc0daa581d22ba7036ec566
SHA512 c08e9f92ad6b5fcf70ad1e297d825e652e7ff6280a1a9707967da2c999ec1cc0f9ba8771fd8efd45a0cdc372f0ad04b37c27c87df72a7b50366a6732fc0e1d6a

memory/888-384-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Vegsosss.bat

MD5 64df8c6e7227dd66bca49f9d3f10c48f
SHA1 48f7eb2d359e0b6062e01d1e2be49b55ca350b3c
SHA256 742e07890974a860f582103b261678c193f02e7febef1b081cbd2becca7862b6
SHA512 a021b69590a66c10398f23e06b11485ef1ef7344b2efe488a2392ca599141d36cac459caf1e7fcda303c2c659b5a54a9bdadf1741dfd94b76342d6b8e0775868

memory/2244-397-0x0000000000160000-0x000000000019F000-memory.dmp

memory/2980-406-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dOYIEkcs.bat

MD5 7322d73f4a915fd0c332bf1e288a6dc3
SHA1 7caaa4b75e9b474fa1973ba102e81945fa0e7ee7
SHA256 f666466614a364da78ac38d30a94b6997e80b8aee37bdf8265d5b53a98e3fc02
SHA512 6ce5207948d9af2593b9321fc03a0a9377b81c6ed0721b041c2a3c1ce3071d6023d4e7a55df5fbcd4f91ba66e4b8208ff5110a2141a30e0d83077b6ddd914a61

memory/2700-429-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RaAUYYwM.bat

MD5 1c9e6b22d74d07462137d5ec017aa40a
SHA1 ceeab96c7a3f8c015a6c2296f4395262a9d3371e
SHA256 2e32cf8cbc540028e835cb89a83abd9c759748737e4a24493324d1fcdd003c02
SHA512 96df61fd20b372e2ec64592f6fe712ca55af42984a9e2846c7a1018450fc85dec3ed3a9f71805d56900e18a5ea2d1b525aed8bde86ea411f9a87c336b1f9aee5

memory/2784-450-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rWMAUIog.bat

MD5 db5031eb3eaa70a82a4dfb2ca953c6ca
SHA1 d4f4a6229bcd577e1e2edcbd51d40732b566ac1d
SHA256 3d2595d9b11ef3813211c55e7957455724d227f8740b5fc2de25ec13443e21bc
SHA512 02e2fa45a7fee8358dc00689b21c7abb52f6ef6dde159858e6135f8237583e9cb16ead335f0a1d7a8b045cc3c761e03e72ff41922f09e6c935836e55534a0f2b

memory/2212-463-0x0000000000170000-0x00000000001AF000-memory.dmp

memory/2224-472-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYUokQMc.bat

MD5 377c14c34f93e7def3b87a90edc4988a
SHA1 e4db739cf847db264c0a1ffebfb614247471dfd4
SHA256 d79bf8b8d837c08a0361653089130550f4b5a4bc3c6b8385792c141929682930
SHA512 3cf54139dbdf04644e9e7fc58c5ef5baddb48347ced1533db803dd82c3372059b357c9c9b04845f6cbd912c9809f0a5694ac0bc6b24799b93282ddce17583ed3

memory/1420-491-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SSkQgYAU.bat

MD5 9956659c392be397e85509af6fa4ca5a
SHA1 242ec3725662f352fd93187f36dea907ce503ddf
SHA256 0806d56665ab4ccf1018158e95566fa3008de407b95f14d0910bc1bf47b3f1d3
SHA512 c034902fb5e7d9c9a79aaf532add04abdce8168ab718515ca996c0f7f92fe0202697a61e12908553f0c99878f6011c41e95c311497e306d11d0b84f0338c717c

memory/2824-502-0x0000000000120000-0x000000000015F000-memory.dmp

memory/920-512-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YuAQgsEI.bat

MD5 90e18e40f779f5957c62972d0a8d746d
SHA1 bae62ed8a8b4ba2f9313bb43b7ff39854d78e1eb
SHA256 4bb2c8b510451c1a3cb0978d264353bade4bbe538be6b9c43852852e25311baa
SHA512 4f97c0085255a5142f9c50e61c21049fd0acee8284fd7eccfd02acb9a12f04c1a85b58542f48654fa2fccfe978e1c0baf41746c3ffa57d78202ddb4e900659f8

memory/2268-530-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csgsAIkg.bat

MD5 9b20e7d621ffa4efef5def9e49ec5fbc
SHA1 6d388ffe07ccc4d5fc4964e28d2b4eb7ec967ae6
SHA256 33af3bea4fb4021f1488f418c3e91543d2b42a890a36eb5c8e131af318b1d1c6
SHA512 cfa54fc9d100414c530aaa6c9cbe3aa22c3050a8768e68b8bf8741ad2b06972930274bf546c999c86aae5a15a050d96e0daba94b7cccfefbcff6b779dbfcaa57

memory/2656-540-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2544-549-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lKAAUoEM.bat

MD5 807a2255fd967f4caef2a3466e3526e7
SHA1 c459df8f00dc140f0a71ead3dfddb3217150616e
SHA256 968c1d33ba18e89ca48f49ca03b3674415c51da8527bd05e46f1bcd32f0e60d8
SHA512 94492bf96ac1dceb8d0eaecdf9a8bf270757e19a17fe04542a3383d796ba556e51d988d769982fa6a3958ca04233e66e114f3b821f18532b9846bd022ba5fbd9

memory/2164-559-0x0000000000400000-0x000000000043F000-memory.dmp

memory/592-568-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zgcAMsMo.bat

MD5 0cfb85a80ffdd45762bdc6f7b7fc3408
SHA1 995a1ee2c3f5433b94fe33ff9df5997acc1e3461
SHA256 64b8979d502ca67691f0f34117a959e7f634a914dc1eb255c6c21139580d2965
SHA512 89999e7a414879b4519368ee6285017481cc10d68c2ed53960b7bd040583648f7ac9f89e23126b5fdd218880c832a29704e9b5365a8801a7d985783f87b0b780

memory/2164-588-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vkwAwAoU.bat

MD5 f1cfaa6bd74aefe9d655a966697503f1
SHA1 95d2c242b409e9edeee751bedae9531292d51680
SHA256 03d8bb1c80f2c09a50cd97a484ca770bed37d59f1431e5d64701da1c734aa0b6
SHA512 f9576725ac1dc470d1f72007641caac381b6e7722ca0dd04ae8a70274ad2e7dab711a96f121b45a147167a416062ba770ad9f41b638c3d27bdb4441ed919a942

memory/620-598-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1464-607-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FyYUIEUI.bat

MD5 3512142e311706a0a3e6a3bcf3c98635
SHA1 f8a0d280e961cadbb4a95e7e605f9c238cc47aae
SHA256 0683dab85b03684ffbdfcdea372021bff894fb5a301017a643921fbaf9fecf3b
SHA512 8d580d1fbe83c8747eb4c74cc6978091c72418c0ef2c827b9056eea044482b77fcc731b79b64b2104fc56447d72b451c8a4ae4dae8e742996f2578fac1fe480a

memory/2808-621-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2840-620-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1864-619-0x0000000000140000-0x000000000017F000-memory.dmp

memory/2068-618-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1864-617-0x0000000000140000-0x000000000017F000-memory.dmp

memory/620-630-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QkkYcMgA.bat

MD5 a8c8adee3faa8ae5e6d517caadb569e0
SHA1 a13e138456bb243ef0470bac0af94de199cd980a
SHA256 60ccbe071a54c9cf9b4feac90aa104e62db38b48c0b6f4120065f89cee840ad0
SHA512 c9dd00e15a42c281277176c3a80a0c49d70c3ca7e03c3cb8b2de0784404f8353fbb2c4fa15eea3e39c0ee96e44f11f19c6a7f2ab3cc6bd11f19d619176bfd124

memory/2840-648-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iQQC.exe

MD5 c2249b89d912de3177691414a24d1570
SHA1 53c6a35df2e74c22407d182c1953a491f99f5968
SHA256 2a4501c62282f60b5f64cabd9f9994e3bb55da5ce89d25bd78ffff8c348cafc5
SHA512 51f09ef21ce7bb44cd4373a8354d63ae60bc509bda4144c3188de9b31d9b39effac7209802260130a564d8dc3b1a12a21619fc89a841459971da2dd412e3e696

C:\Users\Admin\AppData\Local\Temp\cGgsUsgg.bat

MD5 708be9c690332ad11b25bcc02e7645cd
SHA1 1c99dd3debea91a5663e7ccaa16fd01fe4557b23
SHA256 a7c5b6f6e36f7f2e390776805026249beb7098e0427f752e9d8cf73c765c10ae
SHA512 0b7997a745b08969177785351ec8de2a301ec2ac59486ece338ec38d09482b4361d0483ad8f5f45e42fe8bb684dace57b677307088476d4885c0483f6e84aa49

memory/2792-674-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2124-683-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yoYkgEkA.bat

MD5 3b193c7e1b79dea134b084534288158e
SHA1 00c9a429ac658ed13c78b483009821dbb4fbf545
SHA256 2585352ad1e884ed1bc6eb4fae8b88bf7d519df0403905607c119a7eaa31fd4c
SHA512 61809be626c24a4b3c32ce5261a41f7f37a59b29eabade10536dc1d64b7878c6d7a764c81d0e041cd542d8151f289fab3b23286347bb800b1dc0c940934c7755

memory/988-693-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2792-702-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ieEQUUkg.bat

MD5 ba8256c93adcdcf60ea3fa5c9a7d42c3
SHA1 4e9a9c931da2f345c048df6975d4827070a3a711
SHA256 bee5dfa580719ad0c1e38090691a3099fc6277b208c7422acb50569c9be562a7
SHA512 2db9c5dcd649f6a6e8e5460a596dc1cb9c65540d804be229dd565d12ac93630dabbf958596a66941f83f310674288842b8e1727a31ada8da9f87b974adce817c

memory/2628-712-0x0000000000400000-0x000000000043F000-memory.dmp

memory/988-721-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\boIYUoMU.bat

MD5 975f9cf5da438f501888e4a5d5f48833
SHA1 80ceb52d27eefcc1d831e2c768b214e01176367f
SHA256 0a9e14138dc75eae9f3edc73d6c6bbc83a15e723208f47e9e9e586d9bc504ae1
SHA512 b2a7035bd1f45eca33a8a38f1cde4e52e1f5743e72e06f2411b7b332588b0a296ae4838187dde7b46629b9be7bd64d261ff6130d3fe8e5630338daa853b69227

memory/2628-739-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XgMkcQIs.bat

MD5 097f33d73dfa18555841c047e561e9ac
SHA1 eb162a293f880718e0d8596eda776c765dd1ad0d
SHA256 4049727c512fe6001ce10494a64bfdb0281d1f1dfbd3deceb0b956f020390c8a
SHA512 80ea3240cf4fd58a58c65dc3aba4de4d855b5d7496e68e0aeabcc5b3b48338ceae0dd1ca541fba7f311e7692bcb5ce1e5dd36fecc05c59dbeb37ba6417faed45

memory/2580-751-0x0000000000120000-0x000000000015F000-memory.dmp

memory/2432-760-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZiMEccAk.bat

MD5 3482a6d6d37a55dad68538b665e1ea67
SHA1 95de113e9af222f6937aca582b469ee3d14a1d9d
SHA256 85ab41f67a4ff41af60798dbe6c875066817523813dade81e2ed67618c228206
SHA512 d43511afae09814dd54477c09c100322be93c170d993d8fd5f0e937f13a7c7114bbae65fe6e8be4c3924c026422c39989f740d5a1c6d8b75ed3839be344c8aad

memory/3040-770-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2268-779-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lQYYUcgg.bat

MD5 fb517d8e5e92714634f17b502996de1d
SHA1 670e2b26591ca9812e3a13f0fceccb7613836097
SHA256 c879e5921bb1fac750f1a269f942b8a5030f985d6d44c1e9ace17666551fbac2
SHA512 213b4844d7a160c03ccfecf355536650407c2f1d999294a8371a59bac56037d42655380957d8445fa1c91253576b0ab41437fdd65d7359a7e8d1652c4fae7fb8

memory/2128-789-0x0000000000280000-0x00000000002BF000-memory.dmp

memory/2696-798-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uSQkoMME.bat

MD5 305e8bab827a5e6ce9f92b30e62350c3
SHA1 86fce135fc9ad7231eb2bd0d98669c19c75e1771
SHA256 6ad778af255e09bed2644a3d7b59feee8eb4d6ed332eb4f794d2ebca8ef8d57b
SHA512 86e1d0a5df12d15a91f58c0e7ff23ea65b1b53cc2f49b9bf7098b2f845402fe8ab21baf1343e9528b95f90ea757b055d71d80af79a4c4c0d30150e4b5ea037e7

memory/1656-808-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2656-817-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kCwIQoQo.bat

MD5 ed9659b833bfd8b871ef3ea7ccca7a73
SHA1 186ba69c01c61cc5743b8268e354c7c6bf3ee364
SHA256 1f6aae4a70c98128f4fca6c8d1fd0267d82bb5cadcb4b3102e72897740f010ce
SHA512 ad59d7112e2fd6eb124160123d3667881e3995f173d8e5a64b2363b2a749ae67c03d790599c342b1d834742a157114c8b18057e6e69895866d2c333ab7cc61fa

memory/1420-829-0x00000000001E0000-0x000000000021F000-memory.dmp

memory/1980-838-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CgYoEsYE.bat

MD5 5ed42c9baf7977b1d41f996f9dc43628
SHA1 fb14e599995928395e0cc54b40e1759fb14e342a
SHA256 2ab76213bb94bad20bc09e617a68156457fe9807ecaf9207f87b077a7bbbf95f
SHA512 de11b4fe0107981d77e1f7f063f0ef8cd2fbe08596485aa7972e306b15fdf6367277100b67070410a7b59640ab4afbaa35404fcd72ab8e47cea00dfaec47f848

memory/580-849-0x0000000000170000-0x00000000001AF000-memory.dmp

memory/580-848-0x0000000000170000-0x00000000001AF000-memory.dmp

memory/1460-858-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yMUAQoUg.bat

MD5 bd2ebd12b0fafa14177386207bf38725
SHA1 2220b0276d71bf824e4178d093899c602c29fed8
SHA256 be374f7739951067a32ed97e7842bed32682b645827c64f58c9cdd2f93e52032
SHA512 8b669f4464e117a6ce487e1b86934ad05793611fed3ba32750b4ed12d0e308c7d1f17b18f181e924e5c531a9c7b8252965ff0c6db684abda11a201e3601d668e

memory/2740-868-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2648-877-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zKwYMgMI.bat

MD5 afe9719cd02d66c7f83860fef70a9b20
SHA1 29fe49a54395c4c938820f6fa5c6471d4c8af47b
SHA256 888cb20e7aadd8eab2ab7299fab3bef37c1a403d32996b5b44a1d5ebeab22e8d
SHA512 72b0cb8008173a827def80e3b5728aa28f50446fe7783f5dd837ba2dd3b797de1ee42fa3de8c73e2373303d302ff49e9e2f25d2fc1b85ad6ab8c43324fe1c10a

memory/2692-887-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2960-896-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BigEwksc.bat

MD5 8d72ec5c38e3829747f48d99010088a1
SHA1 f41057baee436532d2d4bd007b5ebf8a93cbd901
SHA256 9dcec633ebdd6b08f802575c377d7627ffa009384ea71eac89a14cb4082a6075
SHA512 dfe1d985bd75e8416a42228d4c74d0d7508d3c9f56823a6bc9b0ffa0bc9b4f2d69a512294e0c2b86c87f9e1b86ec9bb4a8b48ca2acadcf30590f713470f0646b

memory/592-908-0x0000000000270000-0x00000000002AF000-memory.dmp

memory/2700-917-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zkoYUEAA.bat

MD5 5557df1cf037ed79b53d54457c40a972
SHA1 bff78b0889d66c14231d8a3b2dcd7d1f63fdced1
SHA256 069c945d954e88f4c40696de365df399b8221e9ccf475f035a9c391b9bce99c8
SHA512 ff8d9719d0c7812427579b2fea315e26f5e6fbbef545ede28b23f54ae6bb5dcee50feec6689caed4c748b89d8049e17de8bd93c2e9c0079456148ca7cb9334c6

memory/2488-927-0x0000000000200000-0x000000000023F000-memory.dmp

memory/272-936-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XmAsQckY.bat

MD5 2a1d738791a832e0aefec199200d9339
SHA1 c4995ca7d7064e10a534eb544dc1f53714d17f92
SHA256 93152d5045a1e1a1b50892c4d96c6f0768d64a68ccc52a089c5b44ea6a50f609
SHA512 22584f38b45e06ef88b0bad7d642757c59b1a954cdf91051585ba919a20019224616530d1e17e80208b0d55697575593fcb5cb4a3205d849457da050dfe52ac4

memory/1928-946-0x00000000001C0000-0x00000000001FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IMUMscow.bat

MD5 7ede7391e0e1ce6d120e0c98a71666dc
SHA1 d66f7813adf7d205c1b9b4215699a2a4a2a54ce7
SHA256 37ff2f7c62e7a66b549e73d33bf970cfcffd4b16e7fa4561f63ba135ec08a87e
SHA512 01e1bb8787f512113b48d7a7738f1e56561d516ee90cd4ebee3ddcd95376bf71e1e08eb0e3ad3f7434d5be56ff0a6576c4e5a3ac220d14658207b181c15b6867

C:\Users\Admin\AppData\Local\Temp\iekAgAMU.bat

MD5 6881ac500ffed62c95338a8cfbea6ccb
SHA1 4592800b7e5bc528b0bf25df688564a97f7ed25f
SHA256 6885008de33aaec9e9b8ab101168425cb6c6468d03441411835c46f376ebef89
SHA512 174cf3e5cf9df9b2460bb0b8332084e3d81dd2d86044df2834f37ca33b21641749aa0c8e7549b5d8c040edb8cc3106a29b1ee3993b9b128b6b647a4236ec0b55

C:\Users\Admin\AppData\Local\Temp\yoME.exe

MD5 c01ec81dd403a9bc36ca4fd66f628cba
SHA1 77177119710c461c7bc739c835cad6cae8905bc4
SHA256 f41bd0b9af601dbcfbce4a9f225ecd35539ff6d980068325ce30c437d2202c19
SHA512 2afa7897e0d8b6f32323ab49a2800ba926f46028c556dabe7ac67fdfb4a27f46933d74e08f40cab07850b5f171a052b62ef70527c9bccc3e1271633a754d6a06

C:\Users\Admin\AppData\Local\Temp\GIcM.exe

MD5 61dffc80c27ade23a58d011cd60c0a29
SHA1 8c113fc8d81c87149db3abf72e5e7f734f007d13
SHA256 dda3316cfe546e27c93249de41242621d84018e53e30a09bbb3d9afb2bf69a03
SHA512 f84258e0d2fd06c3247a8cd4dc03ded7a149218344e44df85a4d7532c89353fe0119e5aa75fc0deaaec48d0af6c8cba5355cee72e29083133235ce71b04eea7b

C:\Users\Admin\AppData\Local\Temp\MAsm.exe

MD5 0fb0211e56bd7a0dd5ab8eb6bf1bab77
SHA1 a443d7f1383cc90f0c530f3e21499e56ccd6c413
SHA256 44cc63a4e3992203a155f983172bb27b86dbe0dbe07630a6ea90cb8bb02772dd
SHA512 968fa5ee869eeb942af17166acd97d49189a7b58c544d89aa4151fb246c4f3ff34cb2fe19b3185cf04420161e6451906a01780c2bb0c8cb58b4325558cfb7a10

C:\Users\Admin\AppData\Local\Temp\qskW.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\OsQoIgAs.bat

MD5 397dfb940b8763834795b273d3ed9ed7
SHA1 5902aacb653cf828bd43d7dc2f06508d23f99c13
SHA256 74f00fa92fc69f1b6dee1dbec6f94cea6d930332fbca4e95a7ea16b2ce3f4091
SHA512 5e39edbe71b369f37a0f566ad5a169d511432612023277d57a9d1eaa3569a4c632e485621c03faed6f898e17cd53e7de24e6633489c7e9a63c3e1b44be1fd8fe

C:\Users\Admin\AppData\Local\Temp\sIgi.exe

MD5 2a304fbb87a4b22ded959b81b5266b4c
SHA1 e15b7bdcae2a667e8ebae68033335318ef2f13fb
SHA256 897f527c5aeb09cabe0cfb907c24b02229bb53e895a0a5ab02907048e45b3570
SHA512 5feecc3d809b24e158d58ecadcd311cd2d6baf029b06b00351d6cb73a21dd7851e3508fdc89fbe6824517a485689ecc128ef4343e50ec9385b3761899eeee732

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 b0d4e371f6e731928cc0780998050c1a
SHA1 8e0a808b140a5e18a33285e05847d46b02bc3e7b
SHA256 6b2b60969691d10be4db0df4878b80d19ee49ebfadfb2a974f78b10da96c786d
SHA512 574aaccf7129c0dc8dff6fa4f350e67bc90f59c191ff0d3be6ebaaddc39f3830a8c227e4eebd88dbefb5f3f88b44a5aa68b549f1689338926a1450bb9e512d9c

C:\Users\Admin\AppData\Local\Temp\ogIg.exe

MD5 9980bb651e4011d5352a1cb5edbc8e1a
SHA1 4854d94f424d3f99f06fdb8b6a1cddba1940a68b
SHA256 60bed871aee70df694276eaedb17405f995a0c201a71d054f93b879ed5a47478
SHA512 e602277d336d35628865055bab8ab6ba632dcd96f323fc0e1789fbd3120f8eef2f05786371804e9663ef461198b0b9ae44b48c6b33dd82acc1272a080db1cccf

C:\Users\Admin\AppData\Local\Temp\MIcA.exe

MD5 6a2e8c1465d994d311e069ce77969ace
SHA1 71cbd221efc0743d259fc00f0d5ffb14f47bd953
SHA256 de1df078be4b02f1cc083c39c7ecb42981b42880e535ad13888d089bc1cb6b0f
SHA512 b14d0530aac50e5c90c7178b7a973cad03af31767198e768caaed3c104316087f9d04df682c12511473320eb9b52e232a8e2fc5b3bdee67c78434da47f024a8b

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 29670677dc106c27e2878f699a951461
SHA1 45ccdc49490071684af764faf5079e898149adee
SHA256 4d5e5e9f48eb2bf4c36c09247d4a6897cea61c7b88b44214e1fab2a2775dd40d
SHA512 67a30d627966285a280a0135cef188bc0c7f8d9d9e46df8e0e2cc28c0aa3e002bcad8f62fcdc03729048aab31dd60bc95d383b205969855b3b347ae5d5da95f9

C:\Users\Admin\AppData\Local\Temp\kaEIUkoc.bat

MD5 6fb6fd8fe7b2e49199caadbf0d92995f
SHA1 823cb364ff579874f8fc1ba4eeb3a7f6aaca5050
SHA256 5964b6b5a9dcf03ef4b1989f12f471b4c607a918d7f845d363aa3a823dd94dfe
SHA512 40d528e4cbd74352c37ca1b9c41a0b93cf44edfe3fb7fafb43683f045e581af971b4a7a93d9179b766cdaf4d57a19167e316ef279419736e780b6ec7bda51bfe

C:\Users\Admin\AppData\Local\Temp\IgIm.exe

MD5 1cdebc2dbeb417a37f51baaebec1a888
SHA1 9a86f654f2cdcc592b901c384d97c430167a05c1
SHA256 06618c302187fc20d9e904c7c9cd61953dd6c779825adc5eb2b5f59aa88f04ea
SHA512 dc0758df46a880c1824798db590ff9b80f7dc810264b3140a6bb3f41655aaae9d6df2ef9368aac0b5b31149e94a0bfada4750578d0bcc57964a6a6110a385c1a

C:\Users\Admin\AppData\Local\Temp\okIq.exe

MD5 3fb49732eabb3c924d7987096c7c69c3
SHA1 7806f2ebe9ca988e1d0cdd7cd8f0dc940716d3e3
SHA256 d116f07b4ba075fcb9908e351bb30e2f6a8ef422c272cf9a80151f2f07beed07
SHA512 fa61ebce71b280c28a44315d674fe6717429f038b01e567d5abab1878b5f3307458ec8b6ab96e0d34e35949032305a173931fd6bd194079d956d7c6c2bc98afc

C:\Users\Admin\AppData\Local\Temp\QAQu.exe

MD5 82c840a3d35a055e42fb476db63fed92
SHA1 30692b74eba0375bf222a11e076b587c8f3942ca
SHA256 410f55a2d82cc3600392088fa0b18111bb207c4f01b195ff2c1fddb62fa79c24
SHA512 09301b1a4f29cdb9ae55fa62a941f128832adb5abe730340d464db46b81970963c904d8347cac5ea277489311b13e51d452dcfa2fc8564842797c2a14ea08684

C:\Users\Admin\AppData\Local\Temp\YMkm.exe

MD5 60a12eda0044cbe7e3f5a6151b6c6f40
SHA1 02f60c90e96074f9cc1bc422ade85861ae15d066
SHA256 9b176dd43764e76d862eebe5090d6b8ff528656dd39167cf70863517a95e61a0
SHA512 15ceacc3446fd874e6fafd7ecf1f6a08a9fbc7e6cd317ebf4b9ae6232be693a6276cf5613e753b0468a83b1558df347d8154044192f4240930e5641e13f88050

C:\Users\Admin\AppData\Local\Temp\cMEE.exe

MD5 fcc1a3e1aa15acdf3d78fe29804d6cba
SHA1 0e4b5f256793515f19683cd2a5cf94a51d478e60
SHA256 f1de9b9774eaf4cdd0fe1bd444f85be8db0d98629b5e71aeaef42ceea3b5117a
SHA512 36909c9fcdf7ff0a73e6c67852f75f20e8bb56b8c59627b483018ec3398781d0069404d413fbd4776773897eb50757edc9877df17a167f4bcabbb1aa1525cfca

C:\Users\Admin\AppData\Local\Temp\omYskUsU.bat

MD5 aff519241d939063b0e604ec19c924a3
SHA1 2f209f6360f5e61eddf35a57902ed68abf103c3d
SHA256 699fbb47b22eb930e0113abe629ee2fecd3aa156ffbcd8592ed03d7e1602f35a
SHA512 53b2982c72bef08bed470f2ae4293cc5579df7aff9da5001b7b643b661c588dfe4e9df45fe02f2178e32b4acae44663d208c4729be25d3bf854479c6b764702a

C:\Users\Admin\AppData\Local\Temp\KwAc.exe

MD5 80a8df64e844cc6b3bcd303aa72d9e33
SHA1 53a6fa83ba852d07163b7c7dfd77204f32e1cf0e
SHA256 382c0fe2f02438ca5286731454f188bb0b1daba255fb06cf863efa46b282faf5
SHA512 29eec8993b995a93a8db3190f595d49d5dc3d88f15b1d3e816caa1ea9bd77206ec18fa1a45211761a5f010b594252a08c3d95aba12e3a586a927a4b4679f5155

C:\Users\Admin\AppData\Local\Temp\iEcw.exe

MD5 13a8ccc07e895ef42a37129b4dc90222
SHA1 b5b3ef5c8928a800e3d62de0e16bbbeaabaa686d
SHA256 e8ae85d05c354eaea609940f1dd219859025ce441bac743eb55a3e1d57385046
SHA512 8b1ab57a32d8cee068d28e067b07d9be94e3a6e880b712ddb06996b762fbb76bf2e2ff9c7f2cf3fd22c3943633022bbae197a506f10746f9232aec728a19a429

C:\Users\Admin\AppData\Local\Temp\mkku.exe

MD5 af3000873912db65599f7d61abed4d3a
SHA1 38da0cfcba5fd39beb63b9366a505b06c60b8050
SHA256 7e5c3483dee3918e9dc3b40fb706ae5ada354f59023ad3516b9f218763bafc74
SHA512 a8a203ae8bda1cdb323f7d5e43176a160127daf125ea1d2ac044f3aa09a164590d17bed4b8b62cfb82f01d348753301c7668ff613e422ac972498ad75d2c3a40

C:\Users\Admin\AppData\Local\Temp\CIcM.exe

MD5 6c87232d071e7551be89b985f4156e40
SHA1 94294cce4ff870701867b84170d9485273ce5e22
SHA256 eda82309271c855bd56e940294d5c53d058588c1d04770231d968d6e10ac9ed7
SHA512 745539ce469dbd1d18e442521a50ceab8ddb830c370e5da6d168893d99e54bab7151a98ca1385c8c183178a8c8081951b93a808bef15d73ad34194bf7e09cbea

C:\Users\Admin\AppData\Local\Temp\Uwoc.exe

MD5 6c11c4145c472c7a0597980097a03c9e
SHA1 edad2698ef1923168d47f2e4c1dc2ac4ceca1992
SHA256 ca3e1cc07d47a0e511d0a07ab4b62e0137217a85c79671084e838d49c07f00c6
SHA512 271e9e1f524f8295a55b87f826bdbaf6582f02f2ea610a98d0c80ce1abaaa8f2fb2f91f75ff701a9cd98a7481ed95fe2f00659bfaf621454b9fef2af393565b3

C:\Users\Admin\AppData\Local\Temp\occK.exe

MD5 3d9e81c16beac56edfdf41f82fcf4e25
SHA1 d473ff51fe66f83d0bf42a15d951e6799c0a8d60
SHA256 0d54c3d94b8a0496453694ae983a35a6422f52b61ba669d57483f5137e8c30f1
SHA512 f76f478b2044b81a7f420fa5baf639ad4dd525417c1cc330f009e279f97cfe98cf55f99f8d9cc8a75a3291c951f1d600cc743570acea4243d6a28b080c223ab0

C:\Users\Admin\AppData\Local\Temp\OEoi.exe

MD5 720ec5912db0b1f579b076be475a2115
SHA1 0ee37b752abc97abf5520dfad285f48e196b5070
SHA256 dc7a23f0320649ebc3f82f5519d2242c2f0f3ee79b8ff2c01c74aebbb7f22fe7
SHA512 ef605a9bef9060a774ea553524c67c8823634e154239f7b545c00759ee4c8685fa0d7e4e48d3d68ef2e556b7a6a71bee19cc9d549ca7da809f33f3dc75c3d378

C:\Users\Admin\AppData\Local\Temp\ZEQYoccE.bat

MD5 bf48123435f71af6dc567287295081ea
SHA1 55809f40efb2eb5198709b8194e06133a1554b9c
SHA256 7e92381d52f0503981bc76583b2d37a84c3ceb24203e49da312441398cdcfb4a
SHA512 5ef7a152f1932ae1c7a4c0441e09dfa3f934e5b6229787e04950ba85b9cd1d9a76dc11e6e4a8921bcd5692b3be28c49220573712698f9d8094425652454fa479

C:\Users\Admin\AppData\Local\Temp\ecQI.exe

MD5 4927f2e0f8f6685f963b8b02bf9c9803
SHA1 cda55ea98c559e72bffb636818eea436b30f3654
SHA256 04c7bfe219d204bef6fdb8ce39ba7e551bbbce8954533985bedd789fd4ee1d49
SHA512 c4b266f0ecf66553f1e2223d784c621f5b4c2e0c96a7499e04bc162095f4ee6cea1518c3ca9696e6caf00677e232fdaec3534d9f9cb3a31d2b84cede1fc8ded5

C:\Users\Admin\AppData\Local\Temp\KYom.exe

MD5 17e2d1c21a4ae0c5bc2fe445fbf85d1a
SHA1 9a50bc01ea98404a3ffb8404c269e9a550a2ce67
SHA256 d6d449fa058cb3d996ce214d5578761945335a422dafe1fd90e90feb70771c18
SHA512 49b3d036b38ecd0f1f51cc2f535ec23540c36cb5ebacd7fc81000a673e6ee3cb30ded478bf88c34c976e8b267e1ece68000b36dd1b5011085c9eaf68aeacc6d4

C:\Users\Admin\AppData\Local\Temp\qEII.exe

MD5 0d4b3793dd352857694a7165e259daa9
SHA1 e6adc868b717c816ca3523683601512edc133094
SHA256 0de10de37af6dd99f468fb181497e41ff39dfb745babc93e1ae35da1bd04ba18
SHA512 ff47ca68b18ac85924c5c455a147cb7da8f77e6794955595ea35e45e97a7c033ed8dc1f4e3a6d92c1eb9f8079a0ce8c8687d0e51c18137ea42c380a766289d66

C:\Users\Admin\AppData\Local\Temp\qcUU.exe

MD5 693b891a719367422eef0a6f27ca7ce9
SHA1 a07f508a89c10767fba5ac611846be9396df3e64
SHA256 f60acdd6b828a90ed3f48675ff2fe12274311d3020d92bff78fe79d739ef7c24
SHA512 bf80f0605a2d74f889318e6c2e4fe21f8b48742237ae808001017da75288a97fa33e96578831e9d145bfa23d98927a3665806261f42e43df979ea6b1b8b4388d

C:\Users\Admin\AppData\Local\Temp\bQUUMUYE.bat

MD5 cd5454334368dcae6bfe20bfbc250883
SHA1 d2679d967058c9792928511e59e3db5ecaf2e113
SHA256 747e4342c3b5105253e52911191e47c4e02b4dbda9547181bc5f45c3cffe6dd8
SHA512 72cea16518dbe91adedf9793a3fd79f62e7c587e232c19be3c55a84cf0732ae722c4828b3c482053817a35f698c299b5236906b51d7981a6fd8cd9f700eecccd

C:\Users\Admin\AppData\Local\Temp\yYgM.exe

MD5 fb59cbee2bafd79a263594415c82f61a
SHA1 0f5aff57b6a530cccbf7e0e8ba85e7cd540ef049
SHA256 8934aebc2a1e543a57133a584ca9356cecef0e32ba030daef5dc4c4b7019d4f7
SHA512 488b24214c43b2e98fbba19d77374a056212b19f52c6bca7bb5dd7b4addf539fe8e0a02d101043684dc2d9043b7e06cf2b0bcd66faaf67546945b70cff401d88

C:\Users\Admin\AppData\Local\Temp\YsQm.exe

MD5 33dd9b8e9f0a1c2f8495db1b0a58847a
SHA1 a526a14e9f28360b7155b1a03d725adfc8253231
SHA256 73f3e9be4d8a512b9edd3f0b3746fe2e1cca784c5b7fdbf60c1b032764384484
SHA512 f47f413e93eeb0fb82fcf4b1e4b023748f12604520a605d3e140007fc7a3b49b7dd029a02151df2a606ee3db61caeb31c640adcc9b357dbccbeb0232c9f7c11c

C:\Users\Admin\AppData\Local\Temp\CQAM.exe

MD5 0ce76826fc73a0ff20bfd67cbc520010
SHA1 201dec861528ef4f675b9053728acd19117efced
SHA256 65f79670ea937c8893d50662b2d82253069022def1c9c35819c995af31ff2eb9
SHA512 2df88715f9f06259bf0c1888e165c3ddc787363ba54e4d22d0ef752e204518f8f8cbad379a11cca9b3d12835a9cf2c08d76ae4b35e58f2dac5f0b982cd6bf723

C:\Users\Admin\AppData\Local\Temp\yEsY.exe

MD5 f7b41f948fef8f13620c1189afed51ca
SHA1 d81ee8c5e468608626b686b363bde23b71ee5f83
SHA256 242b0d8f1c9f894ebfe1128422b4f179ac54576c10b9a14dec7328b8ced1551d
SHA512 cfd60306c774c8ee9e646c653461c28f77be8999ecaf29f93487271db8d38801acab0d1cd2bd3b9c052602663a21070eb22cd66852acd07e1a43c2490891eb50

C:\Users\Admin\AppData\Local\Temp\WIYA.exe

MD5 35afd99759fd108d6d2937b7d5d07272
SHA1 a84c88c89407a4e0d86ddeb83d55967aa63e09c8
SHA256 81a5ae0db09328cf3a100c7a5f2c8c65932ffc5bb76bac10d7abe6ed2e81de3e
SHA512 69abb9a821e996b77f3fa283e1e459175c3e59305ada47cf661016d164c6577a8a7011661909cd179c2c27ee95b001710db82756c881b0660a3f6e6c91da853f

C:\Users\Admin\AppData\Local\Temp\BucYcMkY.bat

MD5 9637791b9a0b7cc4f019aacd8890ee46
SHA1 4f0ae20ac3dc79b658d83a126552f73c7c217ad1
SHA256 82d9c2d37afee636e0757a37b6c30efa17d6a7948cafd10d3b6b6eed0e8c80fe
SHA512 3d0148adaefa2d50495a1686679043320d9b3a65bc99976eabbb335b1e9044f3f27466a9b7a1e8125f99a22f21861a291b398e95b53d247b1107671c57102182

C:\Users\Admin\AppData\Local\Temp\GssY.exe

MD5 d04cc1d1465ccd838941a50d3c7c944c
SHA1 9d2dd56af8449ee6634869407341d8b46826496a
SHA256 d6051fbed446b7c18b528e7f3686a082103fa26a1c8fce566a9db9b734af7bb6
SHA512 8ee4bfbad88519ad283bc6d299b1ad4045ca207cadfa3a09f75f9c545e2a74929131ba1c045c8df515276ea766cbd7469d2e6fb189baf6eb4658dc40b38e144d

C:\Users\Admin\AppData\Local\Temp\esgG.exe

MD5 1de9888b28ada21da4b59f1578de603b
SHA1 316991c884aece9c319705e6c8e9b69fa1a6c2be
SHA256 4300e436c50089989582de8670d9084a34b192cd83cf9ec8a1ed753b35941cb8
SHA512 2eb9fee806756012c1966d6d750ffe51d208517880a9002997cf0e85d414588eaa047c197aa3311e3d0fcea66349c48ddda9b0b9cf4978c5c71072117b75fa12

C:\Users\Admin\AppData\Local\Temp\mIMa.exe

MD5 69b910c1b4c733731053fda1886bad61
SHA1 f1d031ccceea9e487d1f5917e0d5795e02859e41
SHA256 4aa0ad817c5339d6c9e8441494f46cf0195597dfcae82f8bf7a4c96f90b74667
SHA512 278afb21fdbe1c0546b531fa0f2f2d94c430ccb4f055f8b0dd8415b8d1c3a5f8e49d1d4af53d00b7a1614ac7af3fb66cdc7448e72fbec70c6700f16ab2faaaf1

C:\Users\Admin\AppData\Local\Temp\eIAS.exe

MD5 42bd9280e9c5bb6f154c437486c88720
SHA1 8f06a3aba5a2547cbbe72df9a97549ad9bf87c0e
SHA256 4c0a15e35115d162b9e3d68728ade3b0b09251045c60670ed7446ac88eaa9649
SHA512 8506b2504fb6d87a4acdde0f373bc49e64fe3a0613fcad989bff55b18c23cf2f55d185e0cd3cd7379dcfb4dc41d824dfbcef1a957c354454f2cd9faf78f03ea1

C:\Users\Admin\AppData\Local\Temp\SQYO.exe

MD5 86eea30664c9c9563bfaa4239bfb2c4c
SHA1 1a9d44d0d55523ccd8e9ca5bdd8526891f7338ae
SHA256 357754b3ab181aba533288eab928774cafd4b7ccc29e0993fa39b1318c8cf02c
SHA512 48a2a95173836e65e77cdedbcb73294981da2cd066d92cdc85e6a2bca861a46612b2d28d9e08655873dbe586f08752a3a88d682bb5c6039e315ce979a8be650d

C:\Users\Admin\AppData\Local\Temp\GYAe.exe

MD5 f3dbeb2f8d678d5ee9257492294de252
SHA1 18f7df1e63e8e85c0610031116a14112b2c375dc
SHA256 b948d312e70f703512722d0c203e75c1770487b1beba72681e73ab80ecf2035d
SHA512 2acc2e3ccb16343c05dd2085d67ca236827095a69085296fbce64caeb10552bbfd87b2506c7f2fb757b68acf3ef490dccbac6b281a27253677abaced50e85181

C:\Users\Admin\AppData\Local\Temp\gokO.exe

MD5 51cc358d7d3b9dada805f68f4bd3470d
SHA1 8c920bad8f8ec7a7e5f6e3662b0d1ed522c4241b
SHA256 4e09f2c90114bda8dae9866b98e4f55adb5c6158b1b3908ff536b0e778d2b1dc
SHA512 9bf27de502152d4f4a3b59f13a5953a53e5ae4a2f2c1dd1557ea3d7fb7d4a2984028f506fa877dd58cdd5278dd8f2423f185a61bbaa95e1036050378df5c6097

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

MD5 33d3802106855a56d3c7d5450448ebad
SHA1 c0f9f5912a4d849dccdba94c2790f6080631c5d2
SHA256 a5d9e14803e41ded42717226ba10a0aba4fa10ba1d7bc2ba29f74f9b4a70035e
SHA512 a0bb5455f359e3ad3c21ff8756df513675b2a6092ad181fda142a535f0d59d9d6d1c61adaca2f50d10285a7d04f27befc6c4c1e7e3fd2d68b543dab761b80b06

C:\Users\Admin\AppData\Local\Temp\wccMoQgI.bat

MD5 4d934e85202c3a65c0b7212cea6faee1
SHA1 f4ba0186a4e4232840255a66e00b9db575629585
SHA256 ac781cdaf064fc99057af2f748e1339573adfd08f8d50a9f203b3764e984151e
SHA512 8520a3aefb2152550f4a2e5d8736a5e49dc031de1de38d626e6c20a8c9cd162e810eae30140f44c988127bdfb82f45bdbd5fb2876b95ea145a595cf3f29ce7ac

C:\Users\Admin\AppData\Local\Temp\McUA.exe

MD5 bf4debb054197eaa26ee637822c98852
SHA1 6ed7c189109b9d8aaedd2157476ff1e7374da920
SHA256 74126eb76b2a0d631ebf4aa315e31cc5a5b814de26db28fb6bdb08c22754268f
SHA512 fe00d1d610f586b9302b856ed4c04a62467241d6bb52c8e2a174b9fb4e4664e34d77fc2854d8c489e86278fce0c23b656e5b91543d8b8fb5b5732345030e89f0

C:\Users\Admin\AppData\Local\Temp\SsAk.exe

MD5 ec0eaadbce2a85097c93fd45869844a5
SHA1 a074b71dbddbb81b521732c9e23830a4d17e0029
SHA256 bc38b32039712c3d1badcad7e67827ec8029259ae7e9579391a3c9d6137ba9a1
SHA512 6dfa1bf74dbd5d8c4d6b7a8fe8afd9ba07c57b9be80ad437f31698965b9af16c5f091b58c29f2bd2f684077eb2878d0a940253473094dda35c044dc8b7893c83

C:\Users\Admin\AppData\Local\Temp\EEgy.exe

MD5 09e94d414ba9b7efc44aa31fa3ec6413
SHA1 27320bc0d42a175ededeaaeffa8d7b24a6d8c93c
SHA256 618ae29da514744d86d4f91e4e33ca460eb552908859439a4f680e1dcfd0a513
SHA512 312b01370860ce35d0cb23316bc2c45fafc3222bdbbf7dc82d3894dd0f8688199307a4450f2d92c1beb090e2638564c79efa3c997c40b8007f0aa30348007372

C:\Users\Admin\AppData\Local\Temp\WQYq.exe

MD5 511f8af1826f9f81c890f330e05e8130
SHA1 1d396b568fcd89faaffc7583f38195311c65e92a
SHA256 e9b86ea4c4e32e4e9d1b95a9c41e7f47cfa901c3d2eb5d918e5b4f2b281730cc
SHA512 501296242d975e8453b61369fbd38eac2987b02d3756f23296a6f07446ed87a12a23fd0057357ac47082c1870bdd9711bee1fe52188d37ff5b91be11e7fa1075

C:\Users\Admin\AppData\Local\Temp\UgwQcAQw.bat

MD5 004c2a85881f8639fe53d3fc5a40852f
SHA1 73e5734830e8b5c43c47ba9a31beb6a63a7eb80b
SHA256 27147d8312d6dd4e81efd7de08bc7aee52132f396ccb872e848bffb93dba0381
SHA512 33af48f36e4b2eb4516e24822409c063d5f185aaf9ea0c08fe3b88f6cf7a0babb2007aa7a9289a2faf002992681a18383a1271874bcf160bcd580266db062da5

C:\Users\Admin\AppData\Local\Temp\Ekgs.exe

MD5 9ea381fad5f2fb53fd8719ffa900e104
SHA1 aa2c63e1d03f540c411d5dc719e7efe9d9427adf
SHA256 82a8901384eb52f71472b8914fa8f70bbbfcdad11982bccf13644550ec665dd3
SHA512 99261ef713fb7c88f4fdf3c6c6f6904f10b4160e32351d5dfc84a02f4bbbd08cb8a27dc2d35463a25ef90bf7539e721108ab05303afae0e7df507edbc1d5a278

C:\Users\Admin\AppData\Local\Temp\sAIO.exe

MD5 8ba2122f6056c19af11cdd9c903d3fa2
SHA1 886e313d392483dcbd4b1f6709aec3c3d5ffe58e
SHA256 d19ea32d951f25136460933974b0f1799e172af73183573cc0e92cb56263e6cb
SHA512 5dad282bc795c17cd68e7164fabc7f2cbb67c930e38752f4c772c32c24913621dd3af1a9efb2b5aca0a213603d88c38ce960c6d4e8901da1c82cead3e82e64ea

C:\Users\Admin\AppData\Local\Temp\WIgy.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\SMEe.exe

MD5 7ac103a8ebc5c166ab2799bb1f38576e
SHA1 d75e7007f8742ad9cabdd1a608d476e0d3cb4367
SHA256 7f680ed6bf165a6f5608e339ae025391584b22ac657bfdefa4152e6ea41b27da
SHA512 9c5bcfbd4c476ccd62b3939bef43c2dd3260630eac8a22b21cfd4cc8cd2c7df166f3bb58e99f995c76bd58615275d4f5a9f12c77178f031d4fb3f6f60a28306a

C:\Users\Admin\AppData\Local\Temp\aYgA.exe

MD5 254cb4ae8214db2397130d3776375d75
SHA1 ae875b1f8b22fe0d4203f35a549c767b6d790d81
SHA256 a50674729b8b4f545e4bf108108af9df88f5be943ea3868d35ce4dbcdce7dbeb
SHA512 56ae3ac3416584bda0c105af81323f8745a0fef72a282dc21665ecd8a18bf60a9ef2c144c1dc09b44ea41b06a9b4ff33f00651c12f336d140913bb11880c10f7

C:\Users\Admin\AppData\Local\Temp\qgUAkMQU.bat

MD5 f8230ca155a16c0015d1755f5d81bee2
SHA1 a07c91d524e16ae8f743dd64e947137fa03dcfb2
SHA256 f41e9e509d617b0609c653e840f4e89d4755173bf3082fe89515355558f29e6f
SHA512 26a60c2a221b1ad6f7e0acb87611e86fbdf57c131497a0ec661ec1cb4f2ecbd0f4afc0a82c3695450d938478503e6d3106acc6d93ed7002afc439a8a3e372ec5

C:\Users\Admin\AppData\Local\Temp\YccckYsI.bat

MD5 b772dab17741c6dc0eda29303e1f6a03
SHA1 e17d4dd13c97bb2995bd052daef9c6806312ae0d
SHA256 82e3c489a3af3276279c3260e0f2a5f88a72f2a05c5fe2e432e91d97a029531b
SHA512 8d94fd2df9ec4b721b8afbc8d67b89b9e9a85edd41aeee83fbf38c697b991ef622ecafb08523e39d4777750108d4e67d839a0d3c0b996eaaddb8e6bf15d5bb90

C:\Users\Admin\AppData\Local\Temp\LIogcYcU.bat

MD5 c75fbb5d92da5e8cddd14e656dc21586
SHA1 69c53e26157a4a7674e709aee5030b83a27f1403
SHA256 0d1a42d83218a82da79f8b7695f96c6967e4ada3ea39ee8b8ce19b9dac90990b
SHA512 eb0bb1a5ec0f4a857f3da28077961d57ab2c1f985e88d9cf8662d9fd07dc1757618e16b90fc40c1e953eb46c05d790e7eab20d6a4ac6e1ab28e4ab021d8e5e48

C:\Users\Admin\AppData\Local\Temp\BqogsEMs.bat

MD5 9a95c442627829f8e31509f09320180a
SHA1 bb6eb320e150a3ffe2d585c6bc3c4799ece557b6
SHA256 8a542ec781cad5b0e4af8f37152c87cb89181768dc1329f84ebe865552305ee0
SHA512 a7e5b29c976759612e9c76f6c7854614eb696c64b3d1734d2e7a1b6d52420e62d3819e0f433d293a134c3ca09eb8f418f3f801a45ed5df2cec8cc502c42f1df1

C:\Users\Admin\AppData\Local\Temp\pKAgcYgM.bat

MD5 dd78ed9d9a213e633715c6937bce8cf4
SHA1 a066881323ddd3227ae17b5e4b45ea506f4478a9
SHA256 19201c628df915027610db19eb217cb0c7b818252099e91d0a316a689bfc0ebd
SHA512 fd50486c169e3c554c378cea89e418e36d3ea0116f6be37e1f90632fc46e460f102b49de28b24034ab5635a7dc11470903de8cdb24a1b3594dd2e8f838ad3762

C:\Users\Admin\AppData\Local\Temp\hMIIgIAk.bat

MD5 c591f34106f0be2e502b64b4778610b5
SHA1 a16bb2094eb60d07faa7029f3a7c3154e131e549
SHA256 1353deefb6929d4265574cac19f73489b616e1fdd8dda683e1c37d513929aaf9
SHA512 877d0f88e7eaeb958bcde4d61c430a6960683025b22e53921d69bfbdebd30dce00bab11ca15f01fef4becff44de9a53033d1d0908bb5b96b237ba3547a447969

C:\Users\Admin\AppData\Local\Temp\aiIkIUEk.bat

MD5 dcc6c08ba46f4bd136ee0a0bb5dd5db0
SHA1 cfb47c237fced0ccdb616256d3f3bd61f9df1f96
SHA256 9439f775a3298f501d629ed9f2b794eebc76a24c4d4d343145c717e103188230
SHA512 750c5077844601c08f2e4805fcd264e1d4b85f5ba6c5f61fbcbac693813d8b371983219be439027c036ec4753835315942e5fcb438c8e44a4e47d0888658ae11

C:\Users\Admin\AppData\Local\Temp\IqwgkgEo.bat

MD5 82037709f594e7b79a05dc698be54012
SHA1 20533113caca6682a282f53bdfaadad7137cb1a3
SHA256 9109e537a9e823f3fa6337d56a5bbbd883b7b6dd75f82a9fb4f4415ba2a3f2fc
SHA512 f71d393ce15c47530cf12ae74e16ec8f013f79fac74fb77177d04bdb0b561362a4b0db3da96c3254280f448d3af5c1fc873a38431d184b15ab7969f2c09c9dab

C:\Users\Admin\AppData\Local\Temp\oaUEEcsQ.bat

MD5 1cf468df97f7085fee1589beb637454f
SHA1 13975f24c9a7cecb59b74abc9d51dde0b91c633a
SHA256 e7c326eed62a8143f185d0c595ec5bb2fc4b85330dd7f99a2a74cd571eb2cf09
SHA512 9692c63379989074b160f4ca97ffc2b5d4fc30ecbdd48813bdfd4c944ab37ad5711662f6aefd941e18c23be64695a8e37dccc5cb76fb78a176ff807689a6e1c4

C:\Users\Admin\AppData\Local\Temp\eqIYcQck.bat

MD5 2e15d1e0f85c75b3ca3c0d6d8d6e5012
SHA1 c7405070a5fbd374c1b4c772ebab1f0c892d28e6
SHA256 298e38168b29d3e65439138d5a715d5c2f72047e0c235e8cd4873c2ca8f2b52a
SHA512 8b41afe4aae07ded4cd038db239f8b8c653e07ad2e76cbecd611be8c86447e652f805620f1835ef0aa8ecef6ed4018550ef00708bf3ffbcd749616072914badc

C:\Users\Admin\AppData\Local\Temp\vsogcAsI.bat

MD5 0be51d3636061de4485d9e219a80f578
SHA1 3ed1ab6771492b73954901704b9bbbbffe469331
SHA256 a79de65814275941a3e6ea17ca8827e04402eb553e38b7987c4c95f5c3634e52
SHA512 a403575b0c124f0c568603fe4aafc8b86a4b27fbd2f657916035ed9cc386b07f8fbd132411fb7d7d1bc62bed451bb8d3586c69ea0bacbe9eb609712808c26a15

C:\Users\Admin\AppData\Local\Temp\tSUgkQIo.bat

MD5 b3473107134bcc340a96c82977994d91
SHA1 8b86338898aa76524c63e74ee47a42da3bf36a05
SHA256 e8ce4f1ee4dc0a1de9f42db52495f9af280a774c96b8a0b70437472e6a6066ff
SHA512 21aabdbac44068d6f1a1bc9f7c90893db6a90002bfce4a631327f3156c13308e45b93f65854b4838282c5ac76b55c7e95910997338eb6225146734f966af5e59

C:\Users\Admin\AppData\Local\Temp\JgAYIAco.bat

MD5 c8c81865c510043e698af76253016be0
SHA1 6ed53bcc4fc4d8dfa4d02b0d20f5eadab266ff2a
SHA256 76630e07a8799ff35e259e05a370fb9b3a13aa22270fc879342cf688e9c718fc
SHA512 fe519e76b862495a06ca77c061a1019b6a9efcd98425f73e0371c9bb313a72295b2a435eea03ebd91f4ec84c8883aa1e6eb519c26f432972afa99d8a1fc98d25

C:\Users\Admin\AppData\Local\Temp\ocQU.exe

MD5 dff5618b4e8f29eac6c7265dcd9a42ab
SHA1 265b4d7725f17f2c2e667d844a85459eeb49af0e
SHA256 a44e8d5e53195ab157c0d523627a0459623f9316d946a3b9865e1ebc0e5ee9ef
SHA512 c544d65d142f49d480a7a2fe5f7f13ee1ac364f2e7e71765891ee5142e51dd4b8333f9883611cf8ffe0c10e2166d802787f431113fa227fe129c272d3e5ed505

C:\Users\Admin\AppData\Local\Temp\owwK.exe

MD5 b0e768e001ea4911c177c3bdb9cf4e52
SHA1 ac1eec53ef1bbddd719bcf25084e6b49a0a5f986
SHA256 33d4e21d1d70df5bb95ba9d5864bea44b7d2c4cbc37be14225b703578e42e2d2
SHA512 6d67502e3dcd863d0a6823e5405a522f3c00e85c0640a9328bd845d2c582ab87bf2839391bac828b10857b40191a6dcd29590496409fcffed412c25385649f54

C:\Users\Admin\AppData\Local\Temp\SgUS.exe

MD5 fee95b2eb1f6f6ff9eb094b12e89086f
SHA1 7ca7af311030f215ae671736a176a30a0ecd773c
SHA256 00e50174298d7b98f98ddcf2000eefa8ce6539584eddb44f8444ee11d8f6df00
SHA512 05ff21f41fe3e03c1d4b25a7da9492ada10e4973660ff0e0e2f221a35908eb6f522e1cd798051d28ec4f8dafef05316ea32ff016c0f279139bc9b2695c6b1295

C:\Users\Admin\AppData\Local\Temp\fwQwYoUs.bat

MD5 be416a4de17a2422f6cda5fb6cc9077b
SHA1 ee75fdb098593d3b95d25d4b68ccc0a854c2032c
SHA256 aa9cc264efc670eb6ace53328db01277522140f7a2ab1940bc4f3634176244be
SHA512 d639cd6d39e5e77687f7b29b837905543822c8141a0bb2ea9b530eeecd724accfe324951bcfeb22623fecbcaa1bc34f6133e34aee8b3a5024d4fc58c733c4a48

C:\Users\Admin\AppData\Local\Temp\assq.exe

MD5 fbd93c3d0206f69aeb5ec7b9ec62dbf3
SHA1 8acbc4f8bbf1dda831cd831780e389102c8b377b
SHA256 357e7caea329ad41a290df01436e4073e5f478095029f6ad330a98dd0f922e43
SHA512 f77d97b54ed667e10b2cf0dbb766ca0d2370cad21999569d40f57a5ea142d72c17ecccb5528c4062191edeaa372923595879a23f411e4ee04d8721e43fa53d4a

C:\Users\Admin\AppData\Local\Temp\cEca.exe

MD5 78d5709cedd7aeed97444a4b3a8b8c1a
SHA1 6a714e4601e1628f4c9f0f0bb11eb517fc83c931
SHA256 1cead494ffba6d5511b4e5d91b0576464de49ef48250e6de8841d4116264b714
SHA512 c6b8bfbde1533a1317c0e308365b8a631b3c9e625b2f963b70d3de0eee7b5c2906ad61393e6189763b4bfb6712342348de121ac76af1e5a07790bae5f29b7dd6

C:\Users\Admin\AppData\Local\Temp\aMUi.exe

MD5 f5d5d9a42e67a38e6807d92f29e22c4a
SHA1 5e14191172c3f0535736e83cb0d073889af70071
SHA256 bca64702742c3e6a6ddce75512b8d06109348a9627800400e033efb75e72728f
SHA512 288611d33008249dadd0c69d3a4acc1f3676cc238b46a6e438be99f0511af7126f70fca5374e19a80767a0aa26ac1bf10622db9da7e5902fd1bb83476a6c3829

C:\Users\Admin\AppData\Local\Temp\KgEC.exe

MD5 09cce4c0a6df088d80d00ab39ed68c5f
SHA1 10bc820cc007be27b8da38dc6a88f0a5f19be3ea
SHA256 dd2a998a82b843f12d1704ba6c3bd8c6f17af2bf910a5cb901074a427a87d21e
SHA512 17861adda380d2e8afd5ee4cfc75cbda6fb2ffad72b54cd904c2c53fd03861f6f93e0aa9e84dbc63adf86fe8f828510b7984475ace144a0a84f862ed669495d7

C:\Users\Admin\AppData\Local\Temp\kQgo.exe

MD5 bf3af0c899c35135f17a62dab51186f2
SHA1 e72524a7185858a893dbefdbb8756490737b7846
SHA256 87675ec75c254eb9dae457d1edd5fad9aa28fd39c4fbf5d73ff1b7349270568b
SHA512 17bd6b6dd4af639ce1dc76066247f16d30405103f53b9f2f100c733851d48b0c88fb8ab78d5f277fefb61386ff5fbe042d71df92edf199f5323f4a812b4d7a33

C:\Users\Admin\AppData\Local\Temp\IgQi.exe

MD5 2aa2459ad49cb26d6ca68f5d351c4738
SHA1 14ee6c3600aceec4c73d50c8ade42881b64cc75b
SHA256 08564d2545e1aa21db947b4298632c3590cd88184eb79acbed5b5a0b4a236ddd
SHA512 0838d5155eb53531e636c1ee56d55bf0909d1434c1fb3a124e83f88f84dc6e7d04b0803ae667ef171ef3c00cda120c14a1b9d025ac827e0a317bd65c0f807e93

C:\Users\Admin\AppData\Local\Temp\OYsW.exe

MD5 c809fa09660d7b19f049d7d9ba443c51
SHA1 e4215958d3823f469bb672f46eb46b5dbb408fbf
SHA256 607290024a33f11cfb146f21e2a7b351b97f509d34243afd77fbf82481688e43
SHA512 7a1ce71a6d2d3d172211978784a3f6d67e9f5b032c2c542228645e6e9e96b33742d566e31ec58366ea4ab7d0865bf323a42a67c8da190d65956110e97f7be66e

C:\Users\Admin\AppData\Local\Temp\rSwUcUko.bat

MD5 35f43b8ec25ad229e5a8d1a46e06c70a
SHA1 3462c35276a473e831f5b45368a5d87e7da2e3c4
SHA256 4032acbe4538320e54b34751f162bb82259d3d4934cfac15bdd2e5c70fa9798b
SHA512 cedacbc2f382d5b6842e3415ed12bbefd9b4e823c5b79dae9a48297d72643eaa8b05e2c6d9c39f3a8c10b333e3ec87b8286291bb9ea2542b3bdc4b04e1400b57

C:\Users\Admin\AppData\Local\Temp\SAkc.exe

MD5 f0cd0e48b94c01e8b1494a2e6a40ddb1
SHA1 5a8547a901c040a8d065eabe544349aa9eea62b0
SHA256 f4f93b1a6313e672b24bde530b3f971e23da1dbe09195b05e9e5bf04dfa69bb9
SHA512 a901b99b4edbf92423ecd71f61fed1a7b5e6eae0e9d0a479813558c9f6160eab0cfec78d36f2e645702eb9a76a18d15abf5ce93c23fef863eb976697fd927aae

C:\Users\Admin\AppData\Local\Temp\UgMg.exe

MD5 94c3798bdd9eb0503e72f9d48ca0dab8
SHA1 21871c118e43ad77d059b6bd57fd8d217875232e
SHA256 0a1b4b0abad9e45662787374703ce8988497f8c9527ac22f9bb3b14230663b50
SHA512 a1fb7287e80027740cbfc5e2d5df5056ea440b18b36fee012de3b4081ce8504a70f44ff6db6a1302afd8e14f0767d6834264cd7bbc06cbd7369324a6927294a8

C:\Users\Admin\AppData\Local\Temp\qEAe.exe

MD5 fe677c5a00925ff3ae200012ec484425
SHA1 1a5834da5e82535179a6a1e201ee3ae28ce68d5a
SHA256 3c0ae6afffce3d05fba5147d45c8cbc52992c70a563c51a7c7fcc6a6ae25db49
SHA512 d476cdba97cc0233930cc5ea5b025c1ee3c0486099e6551a8774fafd5982bb50f15cea63931379ea87958503763c5301eace7ed9bfc7137dde6137e199220224

C:\Users\Admin\AppData\Local\Temp\eEsm.exe

MD5 5ca322f9c5c959f8be822cd5b47b3fa2
SHA1 b4dc60729804d5d790c9f583e854c71f9f6ba8ad
SHA256 aecb7ca843e3b11ed023b0070608c31302806344b04ec540eaf5a38d7093aad3
SHA512 6a026f1ffb5c43fc69d5cc27f93b895f4617d366d1b280ef1bce1bb26436320ea342cc97cd72e03685bfc1c7b5c22cf191248ba9d40f3161ebba75a590c75662

C:\Users\Admin\AppData\Local\Temp\wuYMUsAc.bat

MD5 31c2e91826eb0a975e61e917fd324626
SHA1 b53110f19f8a1f6563e676b99230eb2ad1e2e9e0
SHA256 9489c7950650e4fc25fdd8ba3d272907c8d5ff517703efa272efb91c651d79e8
SHA512 84838056f0f01453dc189221aa283558348638e0abf8f665bbe6e8d130610039f952bdac5ff3940b809a0c348a28d483793d20b21591cb16c1a82f1fffdc98b9

C:\Users\Admin\AppData\Local\Temp\IUkw.exe

MD5 7f39af80705b5ec731d976b9eeb946d9
SHA1 16feda95bd14cc912622e32a45405a5a572aa845
SHA256 c8d9cdfac4e8eac6cf1e4a49ded187704862c969912f4ea931e33d03a693a347
SHA512 467c391f1901f47bea60fb22d49248d8601b5591fe53bd28910460ce028e51ce0af2266996d6ff5d458b2592ef2324f5250b69ae431f024bd2e57f46c6ddf512

C:\Users\Admin\AppData\Local\Temp\cooo.exe

MD5 f683472c711ea61e8eb4c5ef8430ee14
SHA1 f6f4f4140a3e82235405d612e9d28706e96516d1
SHA256 e81d88223c6b5851259301d0d6399f3f4ed7434c73ae3ffa1c8725e67636bcd0
SHA512 1ba8c7747671e9c5d94563b6d222644814bf050b130fe986ff1be40003a419dac5fb7d9ffd44ae39e0a0d2ed622c79fba1b5661eb1840cffea011ce6ec0e95d3

C:\Users\Admin\AppData\Local\Temp\awkA.exe

MD5 cb5695ccfc144447eddadcd21c989346
SHA1 77796d11dd3682666000b955fa3e9ca74158f481
SHA256 4d2a8d4b0e8c3bc9757f9229d7ccb9bbba33d232e76fe0c2a4bcca636045cb43
SHA512 fc24b9a2d30ae0e5b2caf2c8cc533b8e473111d574fc03d3f14e7786cf72383b045ac02e7af8e51668dc6859495022691f7ee3838899a3b2e9d9155bd923474c

C:\Users\Admin\AppData\Local\Temp\KUIc.exe

MD5 391a63821688cc7d22fac1ebef068662
SHA1 1ac47d820e0b42817018a748e8fc48dd52a2b9f4
SHA256 d0916ae432ae4ae036de16dca07d8b569b936b513f45c7befd5445bcc17ce83a
SHA512 a318bca1a7a3da3b498761bc80984ce78401106f28fc07cf7281dc171f392b431f725d2041ec6cbd9ce172481d8d49162b992f7e6ecafe27a22384dc6d62069d

C:\Users\Admin\AppData\Local\Temp\QMYC.exe

MD5 8d573dd1a33bc051c860e44b9327b755
SHA1 835a5ad4f193f5f0648c40a6dab569b64437b5f2
SHA256 0800187efe32f6c5104bda1cbb824b00006e2fe5abb74e68be2bc77da8830d75
SHA512 19714df4ce691a0763f481850efc20ed3d88ea17fed06413fa68c02a05516e47446e74a882d65f750abae206d95bc896b3a7ceb7bf01ffdeaac6763c81d7b910

C:\Users\Admin\AppData\Local\Temp\imYcYkgY.bat

MD5 8adb01692abd88e23ee1f42b077552c0
SHA1 4d31162d93f027a946d0edff9667d6763ed9ea98
SHA256 3d23ae0001d6ef3f30d509f1499d7f2367b27ec92ee866a1f143df25853874e0
SHA512 2de76bfa306df4ac7dc6dc45861830d05a33cafc15abc530105c121376856e868afb52d9b2800582d89584a971c8589c84ea2f6bc205ec2f2f358c664c85a15c

C:\Users\Admin\AppData\Local\Temp\wMkm.exe

MD5 e19bec2f75748fd9d84f5f7aaa447727
SHA1 a5df1af29edda915250db8a5391ba5811485c72b
SHA256 f23a7c43fee5ea15ba09fcf23f345e87f8a089f36a80c306247b2df833ade0cb
SHA512 b45afb1b56e155ef2c663ce34ec1aed51844acc1981600a63ee1631d55794d8dfd70f07b9467bb0efdda1a2e8c05c33213eca07070058365c7ba9c211781efdf

C:\Users\Admin\AppData\Local\Temp\wwIM.exe

MD5 1335d0f8599e2b2162745c87f731bb17
SHA1 b04973ea69ea371e3f912b0b5454b44dc2c5047c
SHA256 2a0592d7e99d9530079175a84b0636cc97c2fb8b04d1e9f927d4686b7e83299f
SHA512 bc0743a3c8488caed46dceb4ef9f632007c82f45dff4a48e1f2609250753baf47e28b7edd1b438dddb5bd2ca3040e4713a459fd7b0b04b7b69aaa6aa8ea5c32b

C:\Users\Admin\AppData\Local\Temp\EUAK.exe

MD5 985da6d0fefa98b9299107749ea9e893
SHA1 f829f8d75ef715a1679b3e86749d0e6c76115e1d
SHA256 7939d89570e1b396d11cc64f165e900bb6937ad46a204fa8045ba47b17b13e93
SHA512 bdbaac0cc5452a3440039303e24c6746b9fe59c0f322514905fb8792a518b0621082ea4e897dbe7197f95efac98002c2dc6bf0ba7384ecd0b542127c41b44a43

C:\Users\Admin\AppData\Local\Temp\yUIw.exe

MD5 2725e67df6d281b024bccbc3abf6e6a4
SHA1 b658d7030b3913bfddbe219296906080f68266c0
SHA256 74434f4ec65d70800788a48209c110a531ce91a5fce7e0ceea46665aaa3fb27f
SHA512 ce94542b964ad32d618131124f8aea051773889f947827f1a67661df8590e56b836893934969a2fda2d657f2a6fb3248154df8f3ef43a631c2b4f75c64f76cb1

C:\Users\Admin\AppData\Local\Temp\SwoE.exe

MD5 d8f46a5348032f495537d855cc31d7f2
SHA1 18c870ba1f72d66e694af0ae7937e3637c350f55
SHA256 3f75949c4ac20561f9bf223e5c86c3e74d3fe7fc291c54488b151908ded30a92
SHA512 eb8bea6c5ad907f65e09383c6266a65be08490085c2192fe9b46cc121e29a6a01161ba275bda5f913d64243e4be8a028b7eace02cb2a2b5b2c91148ac6283e5c

C:\Users\Admin\AppData\Local\Temp\kekAkAUg.bat

MD5 efe0df10db597d9a73fbf89e9947a6fa
SHA1 50562f79fae9f4a286a362495a8297f849b7b033
SHA256 edaac78f11896e492c26ba33c789a356f9dcbc7ffb699b7db11d7d535a5dc99f
SHA512 5d63a53c547ae7663cd070d5bae376110e365a1175e49b81f51ad17785d3a1654e3152ea625271869de70cf59144fe9d355d7d0ed445c3698c8af2db209f611d

C:\Users\Admin\AppData\Local\Temp\YcgM.exe

MD5 aea8114898cceb7ad24796c4c4651453
SHA1 3ba3742ba33f8cdeeaa063f2bdaa52b9e0be0f91
SHA256 37318276585cf748761fe9b36004e6c00f9edba398eb4ddb46a41425bec2e292
SHA512 e51bdb354e7ea5126ab7e6c55bd82333a47b14d961797eaa657bc292f94dbe23cc20f338dd04e05e4698b63e06165bb37c8967885b40ca0440143b71a57adaff

C:\Users\Admin\AppData\Local\Temp\qYsa.exe

MD5 504c5a96d55be1cfc970d2a463681204
SHA1 759d7b2a08fa60357cc7f6fd2a8001239590fc73
SHA256 e5c1d906da8e7aa5e7ef920392742ee6d02b9871fe9785ba58a33c422b861a33
SHA512 7bff1de001ebc76565201e56810916d0683af0af4b2e515d1f3e80ffee0099bea900891eb6b61f3130515612e5345be54ec2392616f613e478643c5b03256fd0

C:\Users\Admin\AppData\Local\Temp\MQUQQYQk.bat

MD5 c18a03c2b92c58dd65251d7e0a37f481
SHA1 3651b48531cc768e2542d05217b36286a082a5ff
SHA256 4c82b2347e85748997a2c25aaf6b64462498561ac75a83ad57d4641d0aac3119
SHA512 ce88687c83204de890cb8fbb57d079dc778b132c5264261d63b8f43e59eeea98b6d41bca661cb29e178ce1b29ec40bccbba164b98dfbbef200a85880fb12cd14

C:\Users\Admin\AppData\Local\Temp\KIoo.exe

MD5 f48968b399f79e9534fc9541ae040949
SHA1 a1ad6ecb41774e9e715432aab2abbc9d5fd76073
SHA256 782f83fc5ea64a76bf5a090cfc8d054083b6ffe249c98c0c217561eea773b379
SHA512 a47547787650e63bcff2f024b6711d688e66e1db5912a9dbc501dcb3cf02959173b806ddfc520b547c6cb8eaaec33bd07addb074888c9cacae39426389542ce6

C:\Users\Admin\AppData\Local\Temp\iEEk.exe

MD5 c3f2c0cdf02fc2c419bf3d4a2bc69aa2
SHA1 a66d6fb40cc735a497fb003879a65dfadc9fbdd9
SHA256 d5360030a953f1e69eb766974510d5ba3511f6dbbc76a6165a167c366b61eba3
SHA512 3320630526a13ce799e38535f72825350edc01329ddfef6a63680df20ca523d435e00b1623d17ab047fe013d0c80f05ac8650faf8b88da91d0fe431fc1d317ba

C:\Users\Admin\AppData\Local\Temp\yoYu.exe

MD5 39b43abf338af18da8686eab9ba41e52
SHA1 f87394cc6be50984459c7660b3dfc430a2eca8ed
SHA256 c0e8d45fc41cd4586d7af2029a9cdeb77ee1dcc769fbee0452e006ded0f72433
SHA512 ea035dafd94b28b6f43a587ef54e7f9c948a1cec65d4a3ea699c8775c7f4aaab53e0482a19aea9f43cf3483b2b0efb9f22837caf7f40234fe1043a12d1819a1a

C:\Users\Admin\AppData\Local\Temp\yQsg.exe

MD5 3b59faf9bf45e6fadca9ce9f17dbe639
SHA1 1a96c6dc65c31d5904fda73e90d7ed88cc036a9f
SHA256 7a76856ebb398860eaaf23ffec9d310241a8750d68babba970a0aaed08b8c8af
SHA512 18675bc92f70713836389743f78b871a53047afbcdd37b799f26fec974ab748708c0fc7766dff30b79d3c958f6be7b74d6386934d1519fdf7e1166ec85e3d0ea

C:\Users\Admin\AppData\Local\Temp\dgwgkQQc.bat

MD5 17f755d673b79f1adce02e049a78cf6e
SHA1 6b56a51d5690492bf787c200070b8b3e33c1a1b5
SHA256 7f41d8df610880f34112c15fc30cd94ee5c92a926408c5a794d51f489ae2861b
SHA512 8a5ee6fee96a8128d738a6796492d5d10eeb6f2507c9c71fe8aea0ed205d200680567323c989b0d2254f8d7b6ccd02d1cdb40e19794797cbfa5a3fb14bb428b5

C:\Users\Admin\AppData\Local\Temp\oEMK.exe

MD5 fe645dad93828db64fd745e33e89559b
SHA1 0944b3817a0225665091278a10b27991b5f77af4
SHA256 9eb6cfbdd3bdd989fe16ea6eb1b7fedae44c1807a95e356a07b4ae0b61a22762
SHA512 a4bf002848abb14b36672c41de2e84ca99ff69af1da0f0085b9dcb4ea7fd4f7b652219d5bc969e4e242231ed6801622481b01fcde7ebad12395cca5e4d835648

C:\Users\Admin\AppData\Local\Temp\kkgK.exe

MD5 997b99988d4d08981b92570bd988352d
SHA1 28a1ee91b9b762d86e5f585a0d27988aa378b3dc
SHA256 026f13ea588ca39302fe71b83904e33b9d56a357b090775c57076386d287ff30
SHA512 ee53d78fcf4a89d8115bdab0499787be84f1e1a757808b45abd58ef3742573af49826e06198736bc0fd02fa63ff7b43675724e56f46b7f5df9a8dfe36756bd1c

C:\Users\Admin\Documents\RenameUnpublish.ppt.exe

MD5 ffd7b2c48e013f57cc054b0b7e263afc
SHA1 3d44915ebaba0c80ff4ba5d7f6b0a3cc52816473
SHA256 e1efdfa537baf5b27587ff97c7b70f8b4a14985e73f6afc99ac0e23922f74571
SHA512 0528e33228171450242bc3fc76b63a494be3a50c496ef02371174041a486ea1e3ff6605ee2b8a02b0c88a9eb9fd605110e782d38e1cc6b8036e0b81575f0be7a

C:\Users\Admin\AppData\Local\Temp\uEQa.exe

MD5 f7ca35170d4ec3134aa5e996b798d175
SHA1 be778ed893f173b14e5497016ea930f5e3042cb6
SHA256 e3d0a2dc1b7f6ebb62097f8a11afa8f72587565b7bcbeea1cfe72f0bd79e1d3d
SHA512 106c3e4ca9ade0c081e4071609062dcc8379b5bb6129a0aecfad34aea5f477d373205be97afbbf849193c3241c5df280a4da410fa3f3d46c60170ec3bb9de6c1

C:\Users\Admin\AppData\Local\Temp\sUYG.exe

MD5 c83f6dfca3a673a60dd2b0820fe1ba79
SHA1 6f0ee40e39dc8ca9bb098dcd7d499c881003e9da
SHA256 8169a64e4952053500237f0fcfccc8c58f60a5fd3edc35e87c1c00b56c80fe8e
SHA512 5ee3dbffc507de2b5a119544b84c6b5646fc82074b2f8670d7675aee641636e42dd18e7d0e0a2be8f20d19bda54f2df6ec366cd1baa164cc231553a9386cb9b6

C:\Users\Admin\AppData\Local\Temp\cwUc.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\oAwC.exe

MD5 cf06d795cfc1a351ec511113ad7ba5f6
SHA1 3fac68198c05832e6063a54d3cd412f627d73966
SHA256 52e3b396dd89df0f12077e7e278241fc26f4fa8fa2403c1628eed1616a07d37b
SHA512 e16010da39637e5065cef6a050620b4767aa033336bfffdd2fc5069809ac23a6d25996d43309e286b482860c5c90702ac29fa064d5d864ac37b0d94686efea84

C:\Users\Admin\AppData\Local\Temp\kQUg.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\AppData\Local\Temp\SgEY.exe

MD5 5d0977bf876fe22dd7b15aa23fb9b104
SHA1 3648b3b085422de6642a07ed5b071c4f12262842
SHA256 49600789ad2038d6d143a1ca286fc61b18c4c0226391fe8ab9b809a631d6af9d
SHA512 7e7c8f17bd915ab6257dc49edb5db18bccb83eeeb920b002cccde026a53002b45fa34673251b1ebe1da4b080b3bae66ac8d5f5e2e1734eaa8d7e71d3169e8f60

C:\Users\Admin\AppData\Local\Temp\lMkIQMoc.bat

MD5 8b24e23f07a8afec3202a2d7e371ce54
SHA1 aec28ae033c725fc551d193fa1f5e5fef4a0b364
SHA256 f151b34f094bf913d0d9162220f98a16398b5e731f6b3c3e1090339de2d20935
SHA512 6dfe7b895656abc8e3d466f8df55a1adca5b864cb669db18a81eda9fc0f5d50ec0047fce77558d943235a13af01d466dbf674f9648792c153bcc5186e779c228

C:\Users\Admin\AppData\Local\Temp\GgEQ.exe

MD5 7b374ec9126ac85bf31bf51b46004f64
SHA1 3ba8bbefc8b645f6ced5ec978bc0656648fe87df
SHA256 c609c77889e1589d5e3b031acf08743ff0ba6fd1e7f286beb822f3c31c10ba46
SHA512 5d133038ff878fc3aa906319e861dfce3700e5d0d05a02458cd0f6f6a38f01b78a16a7a70e9de6cbb986263388908e258e3dc7fae8572ba6168bdcedae9b39d2

C:\Users\Admin\AppData\Local\Temp\UIoQ.exe

MD5 f39664782c4d031fafe61f70a384f3b9
SHA1 5139276aa695eca20eb3526f0b7a5a4d5a6432a3
SHA256 ea73eabcf266dd3cff8d136002586ae270ae4ca94167250cdeaec7ffaa95aaf1
SHA512 4a1376c57588390ab11fd56d09e0cd80500cf8b5fe31b55ccea23adb1a62a07523457c87224178145ae206bdfe60642529a3697be765683793a68b4924a46e93

C:\Users\Admin\AppData\Local\Temp\SowM.exe

MD5 a7d1c103e62484b85b3c5878145e962f
SHA1 99b82ebb2ab7f3e08723c4baca4bd2ba4d6ee07e
SHA256 2401d389f232d8dea4f2455503ecdef830276a037ec81dddd5ddc316857300b9
SHA512 4b91404a21283e8d65a6ba279885598d04082daa054ef5c0a4b091dffa4eaa2ca029f3dad81b941c4d23c80395812eab14bfd69617c74f102483c3a41aab96ac

C:\Users\Admin\AppData\Local\Temp\CQgq.exe

MD5 feef1bd170c7dd289014732216f33d35
SHA1 dcfab10c0db3802e8951827d7657b03f3b7e4353
SHA256 ebf00614c65dae93877759ec4ed9738fdddb40eb353c2518f46980a6efb9705e
SHA512 0ceef66bb4ca44fc622897d5589b3689add1620e5c37f2352ca0928a26a7a319828ce36fcfbf01e5c6b1b76d38b10c18d760a6f28e02a5e80812f1af6450a90f

C:\Users\Admin\AppData\Local\Temp\QQES.exe

MD5 a9a17d3fbceba80e05d5cc838fe25fa6
SHA1 6a470e98faba92bde19e83d3241097be8b67e608
SHA256 0115b6e36502cce1149732df3c7c4155e04535d9bbfb3630a71f32391dde58e9
SHA512 4f1ee85b847e53c0cebff48412b471a72097bef50d2a1d9edf3f57655bb21e7705819e771912eb06ebb0669515e592d687f6a45a132fab445a32486885cf3d1e

C:\Users\Admin\AppData\Local\Temp\SYUI.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\boIQUcAI.bat

MD5 7357f832e2397751ce42c27983b3c881
SHA1 a29d0f80fde3499b74d9a01ce0cd8870f1b88539
SHA256 8420763867fb5a033714176a493fb31d931dcb2a5c2469a416cf561f9e02af95
SHA512 31e56f6bdb4319c916adbaabba1e804baec33bfc976f617ca06016268f0f777225a7ede5ac292f1692d1150e3faf1ff47b1fc99cc9fe7a695e96a394ef901e0e

C:\Users\Admin\AppData\Local\Temp\AgkG.exe

MD5 ad00b1c41147f3199141e12bb923df36
SHA1 6a22420d86e4efa2a31018b97e28535c834f9414
SHA256 6d46a9eeea44b62772cd712c8ff2c080d9e7ea1f2c0217ccaeb16ea7a24e2b12
SHA512 e0328237dbd9b1450e531c70b2e526cee2778774361df83ba2298dd153f9c00f897582bb8db34d455ecbbe5ce83ec9299b380c2df7c76dec574ecdc754c0bd5d

C:\Users\Admin\AppData\Local\Temp\qAsM.exe

MD5 4b12d5704ab7ccf3d46b39dab5255275
SHA1 b7b3b295d131cd6a7b912f093b696466359704d7
SHA256 94700dd8ee6b97f42c17b4c35c5f7ed2ad6f73fb1ffabfdf596932f7bdec552d
SHA512 be3b207e5f797e38d07cf692379faefae7859a6dcdb3381786cd6307398f57427f47cb004021c845c39b32e3943ce2f0f62ac1f19be607850d875a4e7f4dcf5c

C:\Users\Admin\AppData\Local\Temp\eEcw.exe

MD5 1444345f9f84eac01c18da23695838f2
SHA1 5c29f36848be3d17da2d1203bde95aa8dc5f4c5f
SHA256 21e93fde01766c7694aaaf8737374efbe212ca14bec0ef2db259e2f6c7847655
SHA512 0c2061598101397c242f581af6b3ed42859ed2e8605aa002eddff6a0d3d8262ba68f7676ce79163aa1896be49d61dde9965bf10dde66b624937fb26a8d72c774

C:\Users\Admin\AppData\Local\Temp\cIwc.exe

MD5 17dc5d6bcfe6b061dea84f2f1128e12a
SHA1 30d8350c20ce63d16f870e7d8ea379ac2298d8f9
SHA256 cb766ee04dbee5eed88edbf897d0799943f9e69cea7440f579e4f7269c13399d
SHA512 0b1db58e6aaada90c9869b5ea1d091a0d7bafa153b4fda697569ac6d5b0743edf3cae99f638b2c5249f826775c01be161b7691b976ab00234b52679e72a35809

C:\Users\Admin\AppData\Local\Temp\OMUc.exe

MD5 8cb4de99eefaeede28563929fe36ab01
SHA1 e8670215b78422ef93bb19187773674ae9ea9d37
SHA256 c3a47d1594464c1ed12ff4b06a43bb1471515b517ff841a33aaea3e952f9402f
SHA512 7e406017516168681caff0d6a4b3775e509c0019dbbc5dd21ade8a51b9eceb138ae5c3335db0058dbc0261bd58f223e9f1dfd8dcc221f9804f054feda71dfba0

C:\Users\Admin\AppData\Local\Temp\ZCQYUMYQ.bat

MD5 ad82e5819dbf7609fa8986c941d195f7
SHA1 23be03c937c3c73617bea6adaa4d096e75fd3075
SHA256 ef9345d58c51d9c0935e2352af6864931b7970268b31091358a9ecae6f89eb60
SHA512 13a90ff13cb4e61725a1522c368391d3526249555aa97fb1938403f6d6c8fb1574461c4c2208cee71249501d60a40a2c35687b7731ea521098595111511f848c

C:\Users\Admin\AppData\Local\Temp\Kggu.exe

MD5 1de8d56f199a7af1a21f405f7fc2dfa3
SHA1 02cfd2d64704731f24145aee74cb7f319910850f
SHA256 8739caa4781fc3281a0e245a8a7775c362fb24412e9d62e8ffca8295611a0225
SHA512 612062ad1905031f4700b3da4b2ab31930b78fb432e5d886498e97b427a0ec514ec0c66180867e6a51f950b5e0acd634f691e8d4371af1af2f3e189030cc5e4b

C:\Users\Admin\AppData\Local\Temp\ccIs.exe

MD5 12097bfab5288850dfd18e1b13dc713b
SHA1 fed4a8eec1d102f2d016bc282a0741841fff7a49
SHA256 34028a07458c2fa32079e6b37fe9783ad6b6930a2321e86e53873e893ccb65be
SHA512 6564b6431055b0129862df997b2c314bef3089cc61800d934359c60be7a809e49c108dcc03915ac2837e74f5b141692f8c00e930a0ee98bce47da409208bdbc0

C:\Users\Admin\AppData\Local\Temp\cUgE.exe

MD5 431ce787395b1bcc2ab410f6ac26f13a
SHA1 e832258e84bb9c1e2885c1646f8f2e6158752217
SHA256 c1b25b9ef6c528daaa046dfb52c16c094c4bf2cb7b00f715ef1810b4405baf4c
SHA512 fe599233c0f968859afc2522bb37a6680516b72e4b9723739d1808ed111adfb0aa9c1c920df3025d198faaa2ffa5c1257977502f307ab2ecf47e3435d89d09fe

C:\Users\Admin\AppData\Local\Temp\IEMC.exe

MD5 f61a1985fc6df80befe6c7a2647787a6
SHA1 224bb83806dd88599cb306babfd736d45aeaf10c
SHA256 0a617a129815e07ef3500efe63393633b0bf721637883eb42929bd784c301dca
SHA512 cdef4f4abbfaa34a3a8b4ff7858f0936434a5c24ef5b890dc9adf5e8f1a4637b081d77c7abe7877fb88920c86f89fd03835e7b1381efe368cf8a5b6ef88a1ca8

C:\Users\Admin\AppData\Local\Temp\mkcI.exe

MD5 abd0b54f88284e7b6688d1bd32acf7ae
SHA1 ff94d3c36185e97e6e14f42bb59d8cd8acbf9358
SHA256 d594122e8b32bd557a2f828da108b850fc802a9b31b664c41fa413e73834e3ec
SHA512 c8e6857ff437b6d03c5ac6b1a77a8c0ef175fae3932e480ba7a2f4abe9bfb8e2c2664e13d29f740aa85892455e19425ba038988fd0d789ab61e5cacac3165188

C:\Users\Admin\AppData\Local\Temp\yeQYgYYY.bat

MD5 a438568df95612e71a30616733d2b905
SHA1 5fd29ee5692bceff8ae60724ded9685adf556b90
SHA256 6b48a6db0b2e1eab2e50ada013310548bfa7997a4203cd295369a5312bf3f909
SHA512 f5dfaf227e62d0a276f13159d6a99d224ea68a64197ef9dc42d095314beb664aa632036f40a99cf8b551f8f790a8f5cf58b04791d4a12bfa451e241e219cb284

C:\Users\Admin\AppData\Local\Temp\coIe.exe

MD5 9fe3c9b8b883ef84bcbac2414c37ab71
SHA1 49b9a1b8ffecb8643db142ec8760c42ee89dfbff
SHA256 078d33b4657fac9a0703ebf00a0a0f93663cd1f047a62f196b1b51b96876c785
SHA512 32ee0f8fac10bd23669cd8e838693941995b2fdc792bf0393211a2deb86a50a902004b3912233ce09bdca27836bb56a8ea391fbe091228e4e57427abc37c1037

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

MD5 232cf85bb79468c2154aa3a7b2e36e8d
SHA1 367fc00f621bef2bfc9d39f2d9a76373c434cf01
SHA256 933f6462afa10ffabd6c05b36420a184347da6393aa3f7519a90c8f83a917090
SHA512 8d0bed05dbe4446b33262dc27eac95a50f3a0af508b15f002c232a9a78e37f7f84d22748342409d1e5e172aed9ea16c51d22c9e45a876e3f4b11ecc939a43e7c

C:\Users\Admin\AppData\Local\Temp\EcoM.exe

MD5 1780c1ab5ca9469610e931c0796a0798
SHA1 c3e4370429b48a6e911f82cc88caa483a1ef1d4b
SHA256 57024891205e60321558f390f359114f8041daf8bbaf104b6e473e867e96f0c0
SHA512 69c875e1e8aff87d7bd5a1e7e4828ce9e2be92ac47d761061870dae19a0aa4c1090d06057c7558adc963369ae002859a4079db0f34a6cf52e1ec3d237ca9208b

C:\Users\Admin\AppData\Local\Temp\CgQQQgEE.bat

MD5 567d40048e92f99434bd2ae99fa38448
SHA1 a04bc4ec0c40cfd3715d49ac1da25ed6f90c1116
SHA256 9da7d6679b9e5ce11e2514a8a71a2dc3f94bfd81b7ff66cf0f520fbdc3003820
SHA512 7df8779c8dc7bede2ca576ad7a594bef58f9892b536bb328a7ada1feda1a3dc4ffad1ff9ed79b4acde927d07129106e7a3d2c20fe7e69ab463d62a5a4712a457

C:\Users\Admin\AppData\Local\Temp\oQMs.exe

MD5 0bbb942ee77437e63deaea944840eb91
SHA1 07ab0ddc955081f7c95a26c83a5f4f5dc4a31154
SHA256 7a664a72e436c51708122dcadcba8057555b4edb870cbb0399f92f537b4482b4
SHA512 bfa2c721c1bc293f209611b3cc52ee797e228506ec8d22c85e7ebaa1872696287f0064ab65ece0e6cf7898ac5e7de3978792d68625387cb01072b4e3adba31a1

C:\Users\Admin\AppData\Local\Temp\kgsG.exe

MD5 ce28d6f24db7f02fe71ca08fa35777c0
SHA1 b0a4791869943486ed09859b62e260360e1e2375
SHA256 f44bddb0b178b1921d5c4ce541ed2f2a78cf838209dd3f6da30f0fb0aed3ffd9
SHA512 f7e64e1817d4bb08ec450c6e21f2469845332ef4f69317ffd78008df32b7a40f016e9f4f08dc54bd5eb1a326f666a8691b2ffd0688df73290877058b2adff08f

C:\Users\Admin\AppData\Local\Temp\qAoA.exe

MD5 f3840dbc613cd8d84099f889d5075168
SHA1 d236ec78b9fa2ad9e22fd37ade5c46e63610b8e1
SHA256 5d66ea5398dd26633a4c018b0a03bcd8c2439ecd2fcc7f071d716db9c930267c
SHA512 7b049301e131eb6fe94deb030affbf75c3dd40b6baa5c7ee700715096c1ce4c25f9431061d92c58592597d04e86757cfa56e6371f3f979abd7ba5ef7a675d9a2

C:\Users\Admin\AppData\Local\Temp\qEce.exe

MD5 5dd4af1cde2956b15d070723873f3e98
SHA1 05e2c0d182622b87afb6539d7dd4ee45bcf76fe4
SHA256 1a554459eb3b603eeec64ff7881ae3fdf08b8d0d4f40232d37b5e67e1f3cf0a7
SHA512 5744ae37ac75607232b72a7eadc1d0f887d729a2463d322b79d6194e79867ffbd3255d6924a3f3e4b90095267b8cbfce410ef5c68c534fb03f7c8166b1dd769c

C:\Users\Admin\AppData\Local\Temp\kcQkcIIw.bat

MD5 989ef0f71bbad32928e78f05a1b3e8f1
SHA1 5ae4e8f9ca6401ac5cb76a54afa950a29c4259e5
SHA256 7c154edbaee9514bb518f3b5e3237189906986c0785129ea5c7879e4f3e18d9e
SHA512 1a73135e39fe9db65a5159be376441c08489fb52f788961b554cb375300bf81c9bdb4b7d55abe8a1f2724911a546a9f4a4a1038d1a43a6bce09703dc33f3385d

C:\Users\Admin\AppData\Local\Temp\MUgE.exe

MD5 0b2954b01896d79edb0d859c9a74369f
SHA1 1fa115f9c9abc184efcec3b788887a86f9c2f7eb
SHA256 fb6f7278138256743d687bf4029f4563a80882dc0a8decdb1453765684c1e020
SHA512 a06ec304bdce249ac86676e042506ef98104d30ce331750811e01eba21115ad9488d59de8b6f8676881c75d129f0738fa8309407bc52bd9da61fc939a2037d13

C:\Users\Admin\AppData\Local\Temp\GgsG.exe

MD5 26721137667db1eabd8758a00f1dc6fe
SHA1 b66ef7c001937cc445ef264410e3b1d9d5a5d6b4
SHA256 c35f14c1a16cacd07c38ed7a27989c17162043de4fcfc4565f42afded7962d55
SHA512 5116bf492f9462ce7bd5801c1b726b5e0b64361c42fd8f6f4de70467163ac4778d7edb68b0816ebe62cc839278e969504c9f04b30bd20f664742f0c514a3be3b

C:\Users\Admin\AppData\Local\Temp\CUUK.exe

MD5 b9087ae6477172aaf95bfd426b7c6cec
SHA1 550ba6238d565b77bd9190cb8c6c8bce560c165f
SHA256 7cd6ce93e7afa499221e491c6215b95bee28e8034079991454f186115d45dbfd
SHA512 e02f9f2f0e3f6ccbcb94184613e20df676088d2a44f6383dd5ba4112a98b0e3e96ec58c7cf74164dba8d275b030dc2db7f7a38c7215f6e434d62a01089eff2d0

C:\Users\Admin\AppData\Local\Temp\Ggok.exe

MD5 53dec319666447c5ca536f0debb0e71c
SHA1 9ca99f39be7b83efa7c89ed6fd88d3eaedad5894
SHA256 a4c9f0384c8f6f52454afb9770efc9258d7c220f4f4e3463165624202dbccee6
SHA512 a417710aee43593393f4b7193243ac9881e616283e2280e104c34e7cac50d181ed65f5d4cf66a7ffa822bcfc3f9eadee74df0fa04c1295f91b65072e568ae387

C:\Users\Admin\AppData\Local\Temp\FswwUEgo.bat

MD5 e620734d954c44b3121e6ae930d9a116
SHA1 de4239fd68a89907e1fd34d90fea16617ae4cf3c
SHA256 9a1237beab0d734109783f4b06da7d9998f58e5f5d9ca88a166a3a8f1ddba0ab
SHA512 219ae5aaab374e9bf427eb3105cb3b618c6ba68b801aa35202cc78aca132062496cbb1c4ad2e558d5577f175038f92e1c3f44f681b6f9860d98abf88de4123ab

C:\Users\Admin\AppData\Local\Temp\awYy.exe

MD5 455e7b65eece70aa82e40e2a8829590f
SHA1 cf5b84866aa8a48a3a101b6e2ab720b788f61de6
SHA256 a24bd2a5dc8f0c7a589d8d4e01833e78d66034728c76e05a53625666bb36a830
SHA512 a78dd5f09d84fde7045392f71cdf666d2010a46576ff862e19b3d4145d7c1412e9f787b1c80a7904e2490f9b87ed958cdde023a4f3c867f0e5099b3571313409

C:\Users\Admin\AppData\Local\Temp\AkwK.exe

MD5 d2478f0cd2a5b9fd4986deec90043498
SHA1 4f7b8ed9bbc634b6e8ac4effad73c26bfa0336ef
SHA256 32c85318140f9b952f55a83ad7c95bd43180ff9ad8ccf28d023a31987bb4192f
SHA512 173f9acc2bed1d08466c61a9ebc7c8763f3e1ccfb10af3a3fe7bed8e81ec508d7e66dd7301d86ae138ffccc77041eb61bd7739670ace95d905b9dd12c2887627

C:\Users\Admin\AppData\Local\Temp\EEMS.exe

MD5 4d05143c8ca8926447c1084b5324aab3
SHA1 adbee163ea8d0398922392cd22921e702243a375
SHA256 b484d7fec494ad86aaa87ff2eaa0fc13e75a93afac3c148471b75cc696055774
SHA512 382c748254d81bd296e9cf34105e9000732acc2192ce74e45ede594e1a864a4b1092818958d22c8bfc23e646deced8f59cf07f1a72e04931d1fe66ac5e3e0b52

C:\Users\Admin\AppData\Local\Temp\veIUowoE.bat

MD5 0481c98d79e750425d8677164211f403
SHA1 2117ade83d77f21346203dae0c30e44b5251df18
SHA256 e5c062ed119c046f9cacf90663e4f1d11f9ad638b039893ffcc173c6cd080799
SHA512 246379397c49e5adf2a5c7254e5e9327b4f8223cefc1ba594dac288567d5753759155ee0c1b39b31293ce389dbbd3364385e7cc3330cc4e8b956d0279024b0e0

C:\Users\Admin\AppData\Local\Temp\mwgG.exe

MD5 07f7e58fb5c51b7d84f0f6262c6b7483
SHA1 b711187cf546daf96d8210c6026802d1854c0f43
SHA256 e636cb37967384b002e8dd5c123cd45c8bddc894d2add4b02b9437be2e7c11ef
SHA512 7e77a5174f03c7c9cd9beaa5ffa689fba64111fb705b5783ccfe30ca05197dedaafe19a72b9016b86d7f8a8e17f1223c9a79d9a45e930a8db49d7fc63505dc18

C:\Users\Admin\AppData\Local\Temp\iYIo.exe

MD5 48acc55ca11c2c2a06001c02388f5e8f
SHA1 36599e914c4414539c7ba985c26b5b6d2b24f1ba
SHA256 e9d759fda3f9721efd62a45d08cebcce2440cd42cc948496d6132b85ec2a512d
SHA512 b7e04224eb4ff9c653c2fa16d2a9316f7a037a1489ab6aeb501f71d04721bc643d58447ba13a7e7af0b5a9fdb1ee1c769d88515b9f7647a63edeb7a17c65992f

C:\Users\Admin\AppData\Local\Temp\OIMU.exe

MD5 065be6c8f20719927530f046d43d07c1
SHA1 ea51800515cbb06ee7e1c2c5bd122a344c0350f6
SHA256 d46251b564d390f2ddbdaf7fca12ce79d0dc248fa8573cb25bf5962cfc20f126
SHA512 7923d600b14ba819892e1641e8371086ea9c4431835a7a8d69dbd92dee5921a551f3adedae97432cd0879bc41cb62e84bcb659a3497980f9b60446a244e1d6cb

C:\Users\Admin\AppData\Local\Temp\ryUEAUEQ.bat

MD5 f9569a58467a26ce7edf3b431fc23673
SHA1 5482b569940f2410b7f21c5e9b6089a583bee299
SHA256 53f98b1ee317604492c754061898479e241d1ec0d86976fd7b0f286b7557097e
SHA512 d7f794c7fbea7b63e59aacca214bdac6ce8035d27e015d2a748775100a224cdc80be095c714011b7d07712187fba4513c02872fbdd3af704012d7a9d375935cf

C:\Users\Admin\AppData\Local\Temp\ggAS.exe

MD5 a8a9dab952ac05b42584874f7d3cdcc7
SHA1 6fbeb0e85f7903a96757c75127620cb581e534f0
SHA256 78563717ae07b74214129787acd330ff0b366801deeb4d352e5f5d8d7a878ebb
SHA512 46c4c45e432c422791f32b310dd0456b200b32d482865f409a54bd9f6730f7e24024385ba3885e834a357ab359a49559e9cf34cc00300c7f6b4b0397e8d80bd8

C:\Users\Admin\AppData\Local\Temp\aocM.exe

MD5 b36924da217f3278d3681b9b7b13050b
SHA1 15d7bb6b91784c1433748096f915ab31351f58bf
SHA256 ca02e00c5220cfefa9eed5b4981b01b2013f60aad5ad8eb4c838669efd4435a1
SHA512 56e134b024facb9ac12f460f7228029423bbb44b4d0e4f2dfe71b2cd8e5f1272e9538b2124d0aae5527e223834778b6b6cf9a707f5549e01296eab6d91192d13

C:\Users\Admin\AppData\Local\Temp\IcIw.exe

MD5 f437c3ce715eb2625a085d335e4089c2
SHA1 0e522c8d51884b84f13cdd7abda9c4c9c3d4f9dd
SHA256 1c7bdb1926617b0e426bc068fdfdd7bedec7ccbfb6541a8aba860e2b09caa59c
SHA512 15e775a39d0ec32382157c9504f8add39836c8f7420c526776f3c8ff945653780fa303a540327bb51de5b6cf6c7934ab508903949bdc9c08c8948797530708af

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 530f94f7431cdaa5350bf0e7e0939cbb
SHA1 88c201a4ef8249abb9c6adad0fa95a358b9ecdde
SHA256 136d40f16cdc0ad22054616ca929f2656ade0856a1a28a2ed805b6006e3e2600
SHA512 26934163d17fc446c257e3dc5c3077954ae4c62e68be3e730fe9fe58b1fa6e72d766ce9ec181c960dc146515a35961c4d289904b7eb35cdf54e403baf91d6627

C:\Users\Admin\AppData\Local\Temp\XMkwIUco.bat

MD5 ec1faffe005e56230b33471c60d26ed4
SHA1 2be2525894cd564342221d6175644e3a5667046f
SHA256 de0c7e1af9bf831060607f1f768b5e85ba26ab83395580994a6ca580dd910ed9
SHA512 c205b41e99648f2ac78d0086e194d000750b6f7c145beeeed1e9a6b21ae661932b7e0918258081df5a10b56261dc76c0f93300d8dd40be50aa9bf3f26c691df9

C:\Users\Admin\AppData\Local\Temp\yEoi.exe

MD5 312f81fcfa0b8aa748f2816d927f6f58
SHA1 31313973a561e9fa70a4a83dbad334658337d966
SHA256 c16be53f532b33c8d6a0343741cc906b842b9a739d95b62505abae3a85fd12e3
SHA512 874ce13f306a899d79c067df761169e06d7a34dde372bd1c5275c44ff8a3c2b58d33c09face936ad900955c0d2d976a6229ce3535a8fefa14596bf07ef40f980

C:\Users\Admin\AppData\Local\Temp\MAYi.exe

MD5 9d549431a6114f1aab4d802d8810720a
SHA1 9516146f18cfe1a397ec73ff588bd33313cc39c0
SHA256 9b0d240bbde75a347911a2fd991403f4208780b905f723579729072e7662be76
SHA512 b8781bdc792ada35cc35761372d785731ec6813bc2c7d0af7e2f566d1e084c53893f44141096e0a0b9a757a60937e5e9b6d7f7df4201d0b2c2f8aaeb3fbc33db

C:\Users\Admin\AppData\Local\Temp\wsUY.exe

MD5 ad53df3c5356368d346c688ac7462398
SHA1 51e8c75251f5de08fadb45480938c98536511ec0
SHA256 aa8dad71c46b5fd021e568834841137ffe1353f350a21466e17a3ac2e6d8b876
SHA512 c262008999b70e4d6a095d746c8b39a7e38afa2852dc10e432f8e2918062da9fcf49378c2e858a7237bb185929d24c38b3d4ed9b97474f656d2a7cb9a83f9369

C:\Users\Admin\AppData\Local\Temp\uCsoQUUI.bat

MD5 f6c0bc4d80d38a253a89cc7c77ce909e
SHA1 214c1034105dc26ad0e79e9de13ae1b36655a92c
SHA256 04f9857ee476b201224dbab1670e951100f6e7351d7b87f1dad1bdee33f868bc
SHA512 791af30fe01c2f6b046b503e2206d14bda8293a9809251ea0bcc158e0acb1861193e0ebe8e682c8262d7e6f7abce871771201d6f6fd38555ee4a76f7f7fc58a3

C:\Users\Admin\AppData\Local\Temp\KUkG.exe

MD5 e6ac3bdc81b51b874f58748f13ae8220
SHA1 eeb34244ff970755a26e3ec1a6b345b6be8f1037
SHA256 e1684a87e64eebf80a8466f52488582a8581b1b5a4f5888bc3a1f8797201f73a
SHA512 22e601371c1bdb65cb37a045dcab63dc01204b13272a97604906577db9cb9e2800d9f73a9a55b6be114be35b84c13b7203e156843e1232c51abb7faec0a3565b

C:\Users\Admin\AppData\Local\Temp\WkQi.exe

MD5 f419ff7f487b1ecf4ac2d7c8883e57e1
SHA1 c08ae61d1b18a0990a3e9901ecad70d957a91c8d
SHA256 f27328937547ab8dbc95e1ec9a21858c540ee8fa79c4dded9bad3ba2dd201e23
SHA512 3a1e847a6ab586a5d3e41874d7cc9ef4484b0747515ae29f31ec119f530801bf313b595c41bc6b0d4587520f6ab2a8f20662a07d21bfdcc49788e76fbf1da9ad

C:\Users\Admin\AppData\Local\Temp\YkES.exe

MD5 b46c796d137cadbc797af6ef58cf3e36
SHA1 1458fc41ad13853657765c1e40cdda3b3bc1e896
SHA256 9ab7ec1d73bb36dfd3d3195e0bcaf9a672c240ce1f1349804917bb61a462d012
SHA512 b45bacf78d7f6ede5b46b724554f790014ab834e2e604cd083f6660b81708d72c1386c55056b03452802dfe509abb64cb7d291793e78cac825472dcc848cb102

C:\Users\Admin\AppData\Local\Temp\wkYMUEUc.bat

MD5 1519e6838c9f0a5e0329921956982e1c
SHA1 6b2d28e9bf37639f118a4b71c4432d8295c7a95a
SHA256 dd27da276aa504857fa857b6dc467250e1440e8fd015bde181402474ac8aa20d
SHA512 e31a2bad11e4ac3823e0ccfc995ca82d5b240f28f6bdc99bb26c60823ad8dfcd2abfee3ef6a5e47c36d87332955ed4f23bc7be268d27ebbfdebc44532c567822

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

MD5 a87225f045608e3746aee85778e3537d
SHA1 98f9f4f3379686b96728e0c36f0c077234ef9d5e
SHA256 db9bdbdf447f462b8d687d3c784beb9335bf7d9fed76c689d18648bf50ed0bc3
SHA512 6a402c9b32293c4781c1e9f0cff025c20397afb27092a6f22a5d96ba7470ab7c49cd1890802b7911a448ce17c723b6979eccf62bdea015f5af30c4b92dcdba42

C:\Users\Admin\AppData\Local\Temp\EAYU.exe

MD5 d616abf26cad9bdc95eb001e58a0410a
SHA1 175afce034b4fb16d44236d2037c8be354929608
SHA256 8c1368796224e34e28921040b31c9b15c7bd85402d32d725dbfe55ce0bbec55a
SHA512 65178a849617f40ed2f734742bc3d287c3d02b119c40344758a3c2a2c94c4584a78bebe0b71e51bd38bc10dc5985b769934822e0445c406403309a609bec45e2

C:\Users\Admin\AppData\Local\Temp\oAEa.exe

MD5 a1cf17955a77f36c3409674dafb5bfcf
SHA1 7c051738b22019894f488dca2670a1141f843683
SHA256 6c12172420e247422d3f856a41c31c2fc11bf41c8a8081ad430ef4e106f0bc3b
SHA512 b69e9389166eb4e936af8ab124d13e6232127b9f1a7ef51dd655ee29315c5d0eefb1bd5d1ece47110011f260a9d7dfeeb9b21be55df952fb6a80c03758d86792

C:\Users\Admin\AppData\Local\Temp\IQsA.exe

MD5 c9dbb2efe7c55b9757b1b732a0392a3e
SHA1 8579be6d269fc745b166732082f123c994d8e4cf
SHA256 ce5feca72a232b8ef23ffa5b14ee8a1a3f1e6564197bf073ad9454ca28e07f57
SHA512 dd285e92a5de075e0c19a84313dd9238e36860d941f10da7539e43b0a4ab8dc6118da123db597fdb69037cec557994aead09dcc7d48f97e0ac23d33c707bd10b

C:\Users\Admin\AppData\Local\Temp\oYUEcQEE.bat

MD5 a0aa389e13119812a92bf460f53141e2
SHA1 1f6e640307332d0886064e3dbb43c30c99544927
SHA256 43fd11cbaef9699555512cf5ba7a56b166a18c62a5d61ffd5621e3d4f3542441
SHA512 104bd44dbd105affe63dc08cf95e230550822b0b534fc88495c10a98335eba76b4dd4e63a616c5a2f6bbf0decb69520c5cbd43a63b10e37eaaa1864a70a1b369

C:\Users\Admin\AppData\Local\Temp\YUso.exe

MD5 aecfe1dd2e8cf93e5b994e2ff60a7eed
SHA1 c4b0f1086367741dd9a695c7a41b23b38396531a
SHA256 a5d13679d8926d0672fab54085243bd016e5f6345154218e385df55dc5187cd1
SHA512 17e9b62fd8296b08339ea76eaf3dcd92521f8e65b4da3f8211c7c4112a7e610c0a70c75ecc0b02852cbb416a4056f065a24d6abfb4c64bf7893a32019d8228df

C:\Users\Admin\AppData\Local\Temp\ooko.exe

MD5 765ebad4ee88dcab441b60f99235a9f3
SHA1 58c2390081cd0c0495b6828b80fe3f58832120e7
SHA256 7c4fcf3b23d6d3d2146bfbefa3a241f27eb215f66f2376b2e4011591972f596e
SHA512 c2376f3715e838bf2350789db949f784e4604a8405dad926ec871ae1edcaf4b0083cec5f798cdb83be3ecd0e37df41a9855b356bcff02d08ff6c429477040b11

C:\Users\Admin\AppData\Local\Temp\msUK.exe

MD5 8640a5fb1d5f39f01672a3876b1ca973
SHA1 05c17b0af77df3639f40f2f8fc4543d5a59fdf05
SHA256 39a79b8ab19959ff1a98c15983800f3520b0d0e7a579e86f364387a110c75460
SHA512 e2fda9566f6434c11a34bf26c2fb81e0790a246f68addfed577f67461f03b80e95685728ff057e98fd99a22e00018bf495997dd3f48da83e468992cfc1bb315a

C:\Users\Admin\AppData\Local\Temp\sEoY.exe

MD5 d9231945a7fabd4c1556fbde919a5ac6
SHA1 766d3fd610a4c0758b3239848af443b96ee54ae3
SHA256 9f586697eca60f414aaeb3b8970b3ad49a7b516013373e3b3bedbf26f3ce8f4a
SHA512 74086060b9586e34ca4dc9020c50598b42041decfae01b9abcdd1ad97706ff3ba2ddbc2ebdd043eac8d4c9c9e99ead81c14e3b0740ebf88c1e1ee36b6b65b01b

C:\Users\Admin\AppData\Local\Temp\OYAwEkQI.bat

MD5 50ef3ef68c75e396a2356039518d0b71
SHA1 64554845e7a1fe3f8371679acca1b5c82066e0ad
SHA256 c3a510d963b1b6f45d64a7ad681d22bddc1aa7ef759385914facf4ba79fb5707
SHA512 4e131a92f17463b46d4178fe507f2b2299bf22d1c6a35e696794c652d7cf57673e89d1557cb8882ad6617b25c2903f609920aac89bec5613627cf11bdd94dd6f

C:\Users\Admin\AppData\Local\Temp\YWgokMEk.bat

MD5 2b4a42a5f60b13f0fda0fa1a68ce9eae
SHA1 d78d0f96d4eb1d5b5017c6e8e8eaf0e74f740f4d
SHA256 251600e51805f36f7b5adc967dfaa6e34e6e1f58587d2f43861a4b04135d9df8
SHA512 418381daec1e8224fcaac4caaa16543cb84458293ec1b55eeb3b92f6099fdacef60c78548a97f44057c774159ef55b064d587df89745ffddc88fcd6152aee450

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 e0ed6100bc8db7ae374180bdd2d4f6f2
SHA1 4e663331848acb909a6ccc2173071726a7abcbbc
SHA256 44c0d41745043f64af81fffbd24f783ccc4e2ff7fcc9197cf0c247cfb094861c
SHA512 e77459085cb5eed46065b058c8750feef047e7d7878523046a6db2aaf5f520096d6fde8dc67655c8e96815b5891d0eefd1a7cd156dc76b41e56c858cf2984bfe

C:\Users\Admin\AppData\Local\Temp\BCMEkccc.bat

MD5 640cdfeb28783f96c256e377d3ccedcd
SHA1 a03691f7574f093dabb6e8ec0e5f34ca48eb8ecf
SHA256 a7a11302aef09ebdfe458805203ddb1299b032dc3688e5a4554f3371695128e9
SHA512 66f030c9d85a85e4848a425be987df9736effaf73df41b22497eb1ff60c8893324975cf83bb13ad490e4fef51da2299a9c4ab93cb1636ec01dc91be4e5dd6b6d

C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe

MD5 125ab9309f64748726ac1c90ada09c4c
SHA1 e2d2cb267b1e7b8c4da5e4feb0c7820ab3c42d7e
SHA256 6ae5764afe9476ec29933c0260fa5a8a9d7c80a83c9f14fa4cf98b5527d97e87
SHA512 d261bdc1b6fe5b7b969899f07dac6b80ffdfdf8492ba915d2b9b2bd93d92e49155406cf0d306ec9b39203b354aa98fed3e499a873b500cac4e27e18796eedb09

C:\Users\Admin\AppData\Local\Temp\CUUA.exe

MD5 61bdedf81966333d42e46461c4ddcd01
SHA1 818181363647407fc301e278eb7c3c8f2eb389df
SHA256 2cc0e8f165fc9cc763d8cf84f7f13b697cfb4b28b398e4c2a0f0d6cdc4129048
SHA512 4922da50616138ca11742db6542a2102e7f0a2cfc16a94b2041350e9a752126a4606506ca01963a6a6681d2186e335109a8a21edf0da16412a74a258f6f594f6

C:\Users\Admin\AppData\Local\Temp\ucoQ.exe

MD5 6722e08a1567864d7f9896a08235174f
SHA1 ac7ef022365d54f974097db22004f65ec6b5c745
SHA256 6b544da3f5f4e1b39017cb5995c9603112e7e9f8c571a357495d952281c81b58
SHA512 06b1625b630692ddaedbb64734b2fc1ea7f6799a14331a30421a38f3772e132c6a2b5b16c910ec4396a2206260338360f985f4f13bc87209a8ccb08a3921be50

C:\Users\Admin\AppData\Local\Temp\isow.exe

MD5 134ae01b39f37cfdc5abfb14ed22c362
SHA1 bc3290c75877d65f638f7f22d11a5bd5da2b4752
SHA256 e89cab9af2dd193bc97759388d0f8e7706a82b3e0b409c59a2386ae1deccbbaf
SHA512 5eb4a002d54765bcd70b82ac22386e857431c838e4dd482331ee4660da744e6e09822419eb930004c2716121252b39d91e6323e0c020700e6d0642505c2c0eca

C:\Users\Admin\AppData\Local\Temp\BCAQAQQc.bat

MD5 9a8628ddb3c4f56c46dd3198b496dda6
SHA1 1dd7f505b565bb3135dd278af85dea1c5ebe7880
SHA256 4842ccf3f4496fc3bc56065dc646dfcae270a84c560104f1d1dad0147ba18874
SHA512 1d00ec5a20b94a5eb1c48dd4d91c65a0c02e8a1a0464b77ebb66a652f60c7aff4d7b490b1b477d2f9787d5a4e80b3d1db07b20a23b14fc1f39b4675635b24ed8

C:\Users\Admin\AppData\Local\Temp\hOEskYUs.bat

MD5 cfcfa5ff6114f176073bf3b87f53326c
SHA1 a08692efad20a03dc9fe10fe0fcd830468ea5681
SHA256 05b7758013c8b1d1418eae4dee46ab54c2e0574cacb3d065e9e59729453613e7
SHA512 7488ed38534eec0e2e2c1ca23c948cf9c08997b2131df7aa9e6e247c9bd492cf08510906eda3d6c85d2c23d725913a53e5ffddda1853887336dc3d5cb5a7efe9

C:\Users\Admin\AppData\Local\Temp\gEAA.exe

MD5 09148d6c7a90fe9d3333aa5edf5b71dd
SHA1 d9e8dff92de8c63745154605f86883c02986b450
SHA256 81f15376f53965e47f2d7cf2e1f44777dc5befd78d39de327b7c48deda5e33e5
SHA512 0c8efee3bb7cacb27e701e9b546ee7f1c220053b53ce305ad1989f7a3280d5abb123c2e77c31d74130757444fa088f1ee649d2e19721365d582e802b252b740c

C:\Users\Admin\AppData\Local\Temp\SAgy.exe

MD5 5b7ac256947503accc1137b81e5a791c
SHA1 5b6821ab83a84665e66753a6070d6e86ccc2c5ad
SHA256 c5c17ff233b3b63e9a964486d13a36a0f3fa4ebad3e4df41bb2f20cb630e2e5d
SHA512 5b2f7572aae830db14492781324638cc6ba1646e073fedaabac9ec64ff9f10b7d7ad87ee59f014507a4dc05b8097247cd6c2c9da2e169ccd74e7e35bfbd1f49e

C:\Users\Admin\AppData\Local\Temp\AEAm.exe

MD5 04b1125b9d6577ce190dc2af1aa7e868
SHA1 ee5a76b3c041cad5bbb0e632b5d5811162231395
SHA256 0ef4f1519b800b685ca46fb21e0f844a394515aa85c12990a939d607b3de1f0f
SHA512 daa06443a2268fc12ea3992931970a8e931a903c6416485aa82dba6e9c7cd70a9d32369985b21522df83218c1ceec3d99e119ae69359f001c5661ea99fa68d24

C:\Users\Admin\AppData\Local\Temp\cYIS.exe

MD5 1e5df6b0112678395f3708ce2f67cc6b
SHA1 a474330b36289a43984d1d9bc3d2bbd8d5b2ad07
SHA256 e3252897165f41c5e79f9b7ceb7833029e4d672e1a2a524daad16b13cb79280a
SHA512 7c232406a8066afb51f799c0365a73484efcc3299cec9fb062b0314a51cf780619e7f467276c543685b30b318aaa213b77e9f72a5cbc9ca6fd568b678ddbd8b6

C:\Users\Admin\AppData\Local\Temp\Gkws.exe

MD5 8f666252dad94dfa5799d9e0f9990892
SHA1 48807928796676b3158847d1363d226807bfd6e2
SHA256 0f00b67c6d98f9510bf7d09225af91ffa3bfea9ec0a54b54b213f82c2b175f50
SHA512 ee42aae382a55d5e7c987b8248c6bcbaab989cd07cda1880749e5a0467d574b6dc0b3e7606a1b9674d328e91c6712b3135d8bebfddb8fa707b6042c5f1039adc

C:\Users\Admin\AppData\Local\Temp\SMci.exe

MD5 da10b4bd57dd723b93128f3deb0dafaa
SHA1 614cce756a97e6f2656a31b822ceb6c9f260d991
SHA256 f4db3f33c0bdced0528553c7a0483227e69d99e5e2dc3e217fd74cd61aa3cd2b
SHA512 e98c35528bc446ba922c87ed6787e68e86ee6ef91dee686e7312dafa2a9f180902edf01edf49a1dfc5cfe4cdbff402854ea601b3be4ba6808e8b8a4cba9af758

C:\Users\Admin\AppData\Local\Temp\nugoMYsQ.bat

MD5 9da0131c22f8f971124053dac3d233bd
SHA1 74cb435ffa149c69c676ebf70dacf67c86088906
SHA256 5a67eb7ed2e0fcc837a5c18f88ccd120ad86a909aa648fdb7e1d3b66966d1556
SHA512 91c6a090b52b26214d6b96ece80579669eccc410267ea88dbe071c460648d2f7fac5070b5714269277b21fc85af0973857c53795bcfb96f7b1f00acedb114ded

C:\Users\Admin\AppData\Local\Temp\EAUa.exe

MD5 d00430e41f55ee2fa027f835820a0696
SHA1 c801257c0c30ee69f736da4f15cfa1991741934b
SHA256 3aea2e627288e50b29a4965c36ce2b7b22a6803977827d34ddf8ff9649630579
SHA512 9de4847a1f252aade79ee8a059954127a8827f5479fb8b368f136e8d3c1bec1657a9adbfdda1a343a1ef71781a43a560b9faf05b5643fbfcec76949478c7c794

C:\Users\Admin\AppData\Local\Temp\AqkIQQQU.bat

MD5 512dad5e0156ecdf654c32480a710f40
SHA1 18841576abf0150aba096506ba14fb00f1c00a7b
SHA256 fdf174e454ceaba3e8de12d6152ed069fa72e02cae25fe149c7eb913af236a1f
SHA512 b1f65d566629be6213f2be5e4ad4eaee73d329b4e4afad0a2f6d9156fba491bdca58aec1565e8a75954045f9e51537672f8489becd488f50713733e5dc8f849a

C:\Users\Admin\AppData\Local\Temp\SGMwEUQc.bat

MD5 ca53ecd5f5b10a0e38d9bc1244a2958d
SHA1 8598c0f57df23cc63367b0b115ffc9d941ad3723
SHA256 2153bb7ccefab074294e0a37155e25236e2352b269809c3c58130be87b5c7da9
SHA512 015cc4dc15ba16c7f1f621af08d325cbc14ed0a49be7dde330a26ac18d17578a99f3eaf574131ab6e8973e403e934db6e57061e74bdbb64801724c2ab42d6db6

C:\Users\Admin\AppData\Local\Temp\IoQcIMso.bat

MD5 9deaeec3ef176b17499d27b0732e512e
SHA1 713bb8500504db6f2b0bdca0f3a8272bde4fb7ab
SHA256 d472056e935c8b603ca9c38d0ccf9873be4ec664831d7fc31d0f051d2df14784
SHA512 8e0c9553ab33db8fe96d77db9b0eb0c27fd63bb57412b8fafcc8efafa912679f686347056dd10b5dfaf13708514f65aca07fac53cd625761824ac970c9388f5c

C:\Users\Admin\AppData\Local\Temp\WucMAQQE.bat

MD5 5e9ec14cc0fb23044fce779c6fee2e35
SHA1 097be815a98ea8f532619ca8032cb5c85198a248
SHA256 a4a60e34cd47ca45db768b7b24f4274b994a1dd735d8a7e01a7449e92f3f1a1b
SHA512 60a7ae57fe62e27d32f4bc72c1c339aae86b01b8495910321d5bc59d95e2e23a7bf69078ecf970aebeda104bfe3f26e0f6e8bbb705fa4f12a41fa9cb0e75ecf8

C:\Users\Admin\AppData\Local\Temp\vCQoEkQY.bat

MD5 2756f9f4ded120ab8d86b2070f1c8555
SHA1 90176ca4be579beef7d64884ed27ce35f3300d70
SHA256 333994e9b966b01c3bfa2d563908661339a9be5252c4612dd99539d9c859a7b0
SHA512 5804c4d92d111fef6c219856518854729bf501f49a448e99ba3d6bdc0428af15659b6a7fccc8fa948d39e9e160999c25ef3182e6136572e799bc78b40e909e20

C:\Users\Admin\AppData\Local\Temp\lykwkkgg.bat

MD5 7ee6f050d4af5e0ecab1c58210e0cc98
SHA1 4b7bd2f055d147afc1a08cfdeab0554fa5a6695e
SHA256 4d6fe1b827be79b33a7dab72b47ac526e98e06974071b58756de417c17b8cd24
SHA512 27b3dfd702ec2fa0359d8b4d4e746b9eadd14e6e8d4a7b87968450e6ed97d82697bea6e4fddba1b7c88b85e1ca124c5bbe71e7aa54790bc423fdb777fb2de9c8

C:\Users\Admin\AppData\Local\Temp\jkwosUgc.bat

MD5 3d737859f1a2b59e21357ec1a7dd837f
SHA1 d402dba9a03f1ae0de229c766f7481c8e350fce2
SHA256 0af60587b3c6198ab109e86e327da0ca22aecdced1170e9082b33e95d99745a7
SHA512 695cddb5415b990a20c267aa731d60fa9a02e8a00accbe8b9333268e591b15375645c0668335c5fa7e5d2aae1a90fe2fc5f4c22b5f77c0184dbf19e7cd8199c6

C:\Users\Admin\AppData\Local\Temp\JmEocMUI.bat

MD5 65e8daeb14a1e5a9bdc7785cfb16e4f3
SHA1 ad43c3ff2d2f175c4e0d03db1ca70657cada3741
SHA256 12aac0c92da6c49ed9f423bb408eb1164dca668b8d891d8aaf811305c73e3c90
SHA512 7b1e5edb13714ad8dd2a5a0f20045750f4198399ee5f4c9417a04f37e78d6fab0f03bbf0c37f504ac81a351ca59d3107cc142d98e72d040559d35b2bca741ceb

C:\Users\Admin\AppData\Local\Temp\GGIkEQok.bat

MD5 0a5562697ae64a38fb9c0af3a8ce9839
SHA1 3f07487ffd1d460ff518cdd61f602e314c32ad25
SHA256 8fc6eb537262a191d7d0402c9f083d3fafb69266238422c9ca45818354672ee8
SHA512 b8e39803d3803934ba7e1fbd6b63dd98bb62580e9a20546da5d8daa7acd2872ebf8507b5baf63070c8d07e53a0674070de9981f442d83e1668c269c541080ce7

C:\Users\Admin\AppData\Local\Temp\IaggEIAs.bat

MD5 0a95f036c50ef180b47f4c2b462c452f
SHA1 76dac59358a9524d8ccf68403dc7d696c7ed502c
SHA256 eb122f725edc49b50efeb39bd3793fca00a4ba0c188d2967e242d2beebcdcd6c
SHA512 07de3c7346c0217115417f4f096b6ce7d4b33b9c0ef4b24f60ecadc4289943cb5f88462fab9202c8581f144817ec2a7953ed40c0d87f0f9af9ea2bfe9bcc7628

C:\Users\Admin\AppData\Local\Temp\ewwQAoIc.bat

MD5 21206b7650ee2219922e7cd9e6b9fd72
SHA1 50bab9aef110a594803b8dbb66ff54f59032c26a
SHA256 98961c9fceaa89e52de1e16f2820340f2db0113df322b126819f3ae95455f89e
SHA512 5e1ebce423119cd19c64916badb44ddb03db0f85665cf0ab494d3f907d01ddb53c138808480d0f5fe8f83e0810046d5cc016f2609b5cdb8a8b4abd743acd59b1

C:\Users\Admin\AppData\Local\Temp\eSMUMAIM.bat

MD5 7deb966e8106d8202d4194b767ace454
SHA1 8b811c3f38d2ad826102249d9ac08746595afca7
SHA256 0409ca44f99008958eb31a887d505f2a4d1ad49b204248c3385a793634f12139
SHA512 29f6f52d17247ec82aa6d89ab4d028903e934c7155f0c40c49c4f087ac5898a1eedaf1173e47f134c32fa271e38e3bb526d4170d00f1a72396046645dbf2419c

C:\Users\Admin\AppData\Local\Temp\OeQwIUcU.bat

MD5 8bab3732238bc3eb081a29046f91d559
SHA1 2b87561ac3c320a7ea86ee4e405f922619778188
SHA256 ee304333780fa5a00b2b4d62ce82678d9ea1424b60b99902b791e3e60255527c
SHA512 ccc21e17c78bd6a01d80d588442e25e738956724638cbfa0b25c1d427483121698652ae127c42c3a064cdc09caca7842e1754b7002a13934f89bc7281fd2a2de

C:\Users\Admin\AppData\Local\Temp\pMsoAwco.bat

MD5 a02094d56bdf887936f5c74aa9f3cf7c
SHA1 262d2d5c4ee434263c9d9e7bc10ec2318240eb70
SHA256 c95a2586d784de98645f19062815722701fd2a8396b5222978f0a1d86363a749
SHA512 a78a450431773e1880c05f0d99d32185ca86c9f189f9de1e746662e3769b831a969660c89f662f7fbc1201ad7bab4fc9dc9e46f497575451df085be454a10098

C:\Users\Admin\AppData\Local\Temp\BCQYEEEs.bat

MD5 749ef55ed83f4a091d261079cb300e72
SHA1 f48c410ee6d76b85b6fccc618da27a642ae35502
SHA256 10388a3dcb9a6219bfe9d8f70a224d5798b836e1ac6fefeb969d74eb945f9f3a
SHA512 d5fab05009be15b2d8b1cc5628d025165b0e31eb40c43193014bbea0ad863ec6028f2402493ea2a1af598363b23b043b0bd3dca11dfdd65b7b3ab01c3be38b07

C:\Users\Admin\AppData\Local\Temp\RwgIQksE.bat

MD5 89291eb8675079829287d7f3e3fe6848
SHA1 4a04d5e91eaa3109c94bf8a9aa3258d8df4a131b
SHA256 ea0f9f8bc218f9f856c17a0a5457e2e34300faf06de1c265cab98fcfdde344c3
SHA512 cfbe321cf75e647d4598f7535b1db95c842ca43ade37de7d3777f25fd659682965f6e515cd407ce66d33e9bc688a9eb648e79ba7c6c0de9220a4c2ae31861c77

C:\Users\Admin\AppData\Local\Temp\bukQUkgU.bat

MD5 9bacdabf5d47a51e526b748ddb89485a
SHA1 cf4bd9631666cc2587f9f2b8511127bfef833e23
SHA256 7f7ea54734976d444d48229753488df119ce3b3fb41669dfe1a7accf233be27b
SHA512 211989b4fefa8da4a0811ee4d6edffcc640bc6b8356d732239c02585ce104cad1e001353a8e02acc93857c935406415e6f2589ed90f861a025c965fc15c8f0f6

C:\Users\Admin\AppData\Local\Temp\aEooUQcI.bat

MD5 ab6a5a8f341395ccfe7127b31df5a267
SHA1 5aed8feb7f6bcabc60049f03cff43377165cc8d5
SHA256 ef9a3803cf926631b93e9db6a9d2af05e980f3f33ccfe5357da7af301a147de6
SHA512 aca4f36d88ebb9163cbbe03a11525043e4c1758d244a424ca9833cedd58b639d3a0cf32cd4a921b6c1eec90ad2a0609b6d39dd89ee4f43cbebae205d700e5d33

C:\Users\Admin\AppData\Local\Temp\eUEccAkw.bat

MD5 e9d9d3cd8a9b83eb0521c007ac0e31cc
SHA1 25bfa8f6f6315e6703f1c1d55a861ea2a7dc5e7c
SHA256 4d40b2b8b23daa4fe0715d34531d12138b5a75a12cf4fca4c98fe811669c973d
SHA512 3c88713bcfdef0259d1db294eb39f7ef0d964e0aa1685dc51350476d64bc8cd768c95182219fe1ea613cf68871c438d54c71d1df0048b7bf24e93e0ff3e932b0

C:\Users\Admin\AppData\Local\Temp\oSwcsMUQ.bat

MD5 ed2063813850e3e2df96e2ca5623d91f
SHA1 8b44ec92c43139fcd1b8a643fa7fc07e54fcb438
SHA256 f775b9160092dfe4388a593d70d6a02f35057abd7dde946c97785e9af4a157ec
SHA512 90a8781ffc32c08083aa6e8f75cc57933c1e9d08aa3eb79797cddc130724c5e54870e943f733b2c229e643104dd6afa5a791e73edb9840823bd08b13cd3d8574

C:\Users\Admin\AppData\Local\Temp\YMQUkkYg.bat

MD5 bc27e17d33f5b1541063472b72a0dceb
SHA1 5fcd869be05403e83505f4d83ecf88c715aaef22
SHA256 3a9426b754c6bf4629f4df26dbbb672ca549996f304ee2eff9b93eb02acee48e
SHA512 96d82e874e076e93c64075c9c57cf5d3579cbd2311dafc1d8c9b44d51c595f0d6514747ce83fc3fb852eeca2b75b86a71bdeb0e1e2a8e66fb10c5408849cab78

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:27

Reported

2024-10-26 04:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (82) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\ProgramData\DSYIUAMk\bcwQUEwI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AKUwMUUs.exe = "C:\\Users\\Admin\\BgQMUgIg\\AKUwMUUs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bcwQUEwI.exe = "C:\\ProgramData\\DSYIUAMk\\bcwQUEwI.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AKUwMUUs.exe = "C:\\Users\\Admin\\BgQMUgIg\\AKUwMUUs.exe" C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bcwQUEwI.exe = "C:\\ProgramData\\DSYIUAMk\\bcwQUEwI.exe" C:\ProgramData\DSYIUAMk\bcwQUEwI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A
N/A N/A C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe
PID 624 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe
PID 624 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe
PID 624 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\DSYIUAMk\bcwQUEwI.exe
PID 624 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\DSYIUAMk\bcwQUEwI.exe
PID 624 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\ProgramData\DSYIUAMk\bcwQUEwI.exe
PID 624 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 4940 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 4940 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 624 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4232 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4232 wrote to memory of 4848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4700 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 228 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 228 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe
PID 4700 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2264 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2264 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1416 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe"

C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe

"C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe"

C:\ProgramData\DSYIUAMk\bcwQUEwI.exe

"C:\ProgramData\DSYIUAMk\bcwQUEwI.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCYUIUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiYYgMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSccYooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyEcwIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ricMwsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcoIcgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZakUEsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKwgwksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWggIMos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUcMsgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIYQkoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqcgAccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWwYgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWQgsQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiUAYgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CskMcAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icsIEAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgQowsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuAccMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEAwUYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEUgIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIwwAoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIEgAoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAsIgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YowMMkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WugowcMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UusEIUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgwAEMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSckAwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGIEMUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGYkIkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaQckEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyckMEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cikUcMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYIYkgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqIckAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\recwowIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOsQssQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGQkwEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKMAgUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waUwoAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEkcgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiowAQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DusgwAYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWAQQoUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuEEUEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsMEwYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emcAcwAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySkcckEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tswQAoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmwEAwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsUIoEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGIAsYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIQIsAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSsAkMUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIYwgwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmkYIAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYAoUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsckUwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAcwsEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiwkwoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYAwMAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EogswgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWYoMocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgcQsUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMAwkIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UekIIokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUYAgYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMskAQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuAsAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUUYwEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWYMYoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iakMgEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGAYkkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwQIAgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIEYEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiYQAYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEMEkMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMgMIYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zykQQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.87.164.69:9999 tcp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/624-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\BgQMUgIg\AKUwMUUs.exe

MD5 d62d0c423151cd3c39b1585eb1cb93dd
SHA1 f9b1a6d282a4f48c0af2023ca7e4f4e80b8ce177
SHA256 fe871e199202097d0c5b9010420f885c2b017b51fe54e01691441e344cf3387c
SHA512 be69b05bfbe71c07233192c4f56c57508f60e8db5545648e26b84ac729259fd51bdf43e631fb3590244df72507a55b2a10238143e00b7bf951dd215f328c618f

memory/2736-7-0x0000000000400000-0x0000000000433000-memory.dmp

C:\ProgramData\DSYIUAMk\bcwQUEwI.exe

MD5 2aa5b240b2497e4c6f893ecb252e20a7
SHA1 56b584efffe28e20b32f042d28cba4e9f34777a5
SHA256 18b160972bb5b69db179f40271ac4d5ca3592e17bad19bd6bcaaa32354cc3035
SHA512 19a8686217c30422ce894427f90b4d049eb41ecf91d574b68307dec9a8aa8414a1ec85d79bd2e609b64ac37d79a35cd1fecee5a5111dc00d062a9a209678efd6

memory/4692-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/624-19-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dCYUIUoM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_17d62c14f00cca5fbfdfac29cdbbcf5b_virlock

MD5 5861d4e6983be2b92122bcfb7d239eb5
SHA1 892a1af54e23a9960f63eae6369c526ef325b77c
SHA256 b3de971f88cdd8219cd9bf4a1212107b4052f468caac1f196d756ddf095acb48
SHA512 af3ce9a9c4a7be34e1d75bd9e25b483cfadc18e50cdb3229c5bc70bf965f6c478a707711154066c446f84ae5b6216917dd34935ee69772c305a00bc6d5040178

memory/4700-32-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1416-43-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3256-44-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3256-55-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4720-68-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2568-79-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4924-90-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3096-101-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-114-0x0000000000400000-0x000000000043F000-memory.dmp

memory/32-125-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4188-136-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3448-147-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2412-160-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5116-171-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4340-182-0x0000000000400000-0x000000000043F000-memory.dmp

memory/796-193-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3120-206-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1184-217-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4992-228-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1872-239-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\DSYIUAMk\bcwQUEwI.inf

MD5 e46efba4024e1bca517c8e01be5aa586
SHA1 2927bb925e045d41bbfb6f4bf52a87f735695924
SHA256 7f474a04f99c85f0b63e67287cd600223f4ed37669b3d6e4c9cab05b219c1b9c
SHA512 ef451de48ed65887351cf53fa5495ca620fbf4766309bfef4e4591070b6ee7d438de996bcaf69682152d7f56913be44a56e887ec74b2f3ad1371092c4fcdfac3

memory/1748-252-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4988-260-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1152-268-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4208-276-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4328-286-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4788-294-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3956-302-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2712-312-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2400-320-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3740-321-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3740-329-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2616-337-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4484-338-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4484-348-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1140-349-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1140-357-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4044-365-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2404-375-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1200-376-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1200-384-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3096-392-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1872-400-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4992-401-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4992-411-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4996-419-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1836-427-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5004-429-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5004-438-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2148-446-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4604-454-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3644-462-0x0000000000400000-0x000000000043F000-memory.dmp

memory/456-472-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3844-480-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3712-485-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2348-489-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3712-497-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2300-507-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4512-509-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4512-516-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1604-524-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3864-532-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1416-542-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5080-550-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2408-558-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4540-568-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1780-576-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5056-584-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1964-586-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1964-593-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2004-603-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3164-604-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3164-612-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4484-613-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4484-621-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4760-622-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4760-632-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4184-640-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2304-648-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2616-649-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2304-659-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3064-660-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3064-668-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4208-676-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3288-677-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3288-687-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4020-695-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4052-696-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4052-704-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3576-705-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3972-712-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3576-716-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mYMA.exe

MD5 66f1968780fd09dc7835d0f37a2e5264
SHA1 01f2b3771ee18e6a13abb967d21bdffe7d950881
SHA256 58a37b9411381781b0a96ea5b01cb37a61c7afc6747dce906ed07ae5b3d330c4
SHA512 9f8d97c199c1b7062a489808a7623400d218f62fff617c8b1382a28b6b81dd6677926c303128e1e05a469035eb10a763fa31c402fa36ef31820af4df15633520

memory/3972-739-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aEYo.exe

MD5 59efc6f6c58898d046c29b125b43d90f
SHA1 ffd9c9d5d02c622b55d21e2e194239afee81c315
SHA256 b2d74b0ca15424bf8e35491fb1efe0534e539622aace834fa24018d046c5237f
SHA512 366a1c4270304e122985e590a04d0321d3342362e1d971e96a2dd0a3fa24e52df889fffcc3a0377c70e2b29b37b05ff45764d9dea0f64631c45f08c3617b8860

C:\Users\Admin\AppData\Local\Temp\CMUE.exe

MD5 06a0ba6ba4460c081644eef528778430
SHA1 4b78b51e31e2ec7a138eec577cf1a52c6367e9bc
SHA256 5522a505c01dbf31d5b96fdc9505c2ad0ac9fb54a1930ecc7cbfa8b703fae79f
SHA512 e701d63384324f891d567d1822c7606a7ea60eafae589eb71f56f897635993de46951f25cb259a3ed908c2104268adc75e98c14024b0b55a466d9bd63a83dada

C:\Users\Admin\AppData\Local\Temp\kkAk.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\qIsG.exe

MD5 8fd601f64f1d5eaaed5d0a5102feb259
SHA1 4e1d5bdcd74f11939454452700bbc1b52a3a247a
SHA256 3d4813769a8ca3042597d35f4aeabd2e22d3646a91e789aa148ddff9fdfaf397
SHA512 fa2da9cff1f7cfd82cfd1d7ead340922e62c5e69f2ff059a8321f3eeda53cc93b32c14a3a0fc31a99ba341bc398b20c553a7a83f952a4f379fc7f5569622796b

C:\Users\Admin\AppData\Local\Temp\gosI.exe

MD5 ada3b1faa14c50fa5cb32e5d9b0d0a5f
SHA1 ba751934481d5793d069e942a8520801bd5ab3c5
SHA256 446d8fc08d61e2aedf9b072247264ab96e7e8e9ddc080d4db3c16164e82b6780
SHA512 352e40f141ab7b35cd4a7ba9a59090fcf7e2f36d83227bcb2ce4c6a4e1d50d3775f29ea3d419ae35fca5226090ab0054021cd065428328201605dcd371857fe0

C:\Users\Admin\AppData\Local\Temp\YsIk.exe

MD5 0cc22da2825645cb0ff1ea511fa4cca8
SHA1 7ab66b5ec52fb23cd465a7e10e1a3890174cb88e
SHA256 1cf6ddd13ae4d9aa178fcf9cec44acb81d82343a4fa4baeaef1c39e746e5d037
SHA512 891ef64e42a8c5ca57dea2830b1d3244b148c59ba7b428914d1cc76637a91478b4a5a20d9f81a5a024740ad67e041e73f1e58f8114ada334533a94b48b847ac2

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 a037193768e27d42a1acb41e5db2c713
SHA1 a87ac080a816fc2a2b662fdebd0fcc9006ee6294
SHA256 81a724cfba6b68d6750e93d80b1476021b83daa4bfc0c26b13ac99b58974474a
SHA512 16741b1eedae7a4a25800e2464f4e566eb80256a6809400e3354f0ebcd958be3494f6008f19a723cc5721f97c852c2ee1beca03d7d61577e66f5501e9367e306

C:\Users\Admin\AppData\Local\Temp\eogg.exe

MD5 aeffda32b6112286db773c9618a4564f
SHA1 4e42d3d9fbb18774bf2c52cf0d83cf16f0223148
SHA256 d0c6f1276c1aa892bf2c15dcf18c67eed0c5ae182a1f189508e20943425d15a8
SHA512 168a3c697496408f24fe317c478fe2da2aec131c4f2fae2dea07bde8f5b18e92123dbc36b7a674cf8357d16181e16bff6f0f6d4b7c131da41d5c6120774aa434

C:\Users\Admin\AppData\Local\Temp\KwMc.exe

MD5 a383db6418f25c6622e9b5d5f1daefe5
SHA1 1b5801d3859ae5158a66802fca039990155fbac4
SHA256 f3a33f5acfc1012e99b97a7adfc5e78316a9101e9b74112e9bb00ec6ca5022e0
SHA512 672723f89da63fa83944fdb30510a7d91e31a87fd27178819c0a5799177de0c062a0b19d9eec836c27dd58d21926440b3847d233dec0fd3a2057bdd82b4f31f2

C:\Users\Admin\AppData\Local\Temp\esMq.exe

MD5 d29cc0c595f6cf44b04ff1e2f9126fcd
SHA1 278a33ebfefd2897078f1d787dc35c598d84247e
SHA256 93a999ca0ce84681507837f757eed6ea12a9d49ba07fd22af8b4977273c184e8
SHA512 1eef8cc8c822c3d53bef21c52bef5685f6c645512026cd777342f9b8965d6057135a708217b99a4b6e8ff72dae55168cc89e4085bfcfc7c5c69348907d899481

C:\Users\Admin\AppData\Local\Temp\YoUo.exe

MD5 fdad38a714d012bf7843033c65a66bdc
SHA1 cee5917e1f027787bc841334badb18a57e1330ee
SHA256 d8bfdeef74d965a93dfd775dbb6bf9af57ec9f2b16317b5b819cae79c708fb18
SHA512 bfa25dda0fa1a4c29d44eacc856527994e78562769afeaddd6840e5ccdf4e982d872a34b70d1da153ab1fd1fb5194428b942f0dc9a16bc52139f42ffd49e7209

C:\Users\Admin\AppData\Local\Temp\ukMK.exe

MD5 9d808a6ead1a80d8aa59ccd8e238bedb
SHA1 671520ea7b35f42deceead843092a31f18e5ef37
SHA256 41d7419975605fc49e3c2632d30500785acd0bb632428cba5caebfb78a2557f7
SHA512 7882a12c84781c69095af6f6d09087186662fdadce8ff2e4d04843e091619c980d3511ec3d797518fc4c8c5619ea9b427720753119a44e92f3c6123cf092e942

C:\Users\Admin\AppData\Local\Temp\GAkU.exe

MD5 5844bf90c16225d401f79a852c653b47
SHA1 8ecc071788ac9e52c16e9de6e8ec9479a3e6f1b8
SHA256 1b5e8dfb82c85d3ea247c7fa8ea08ff91b0aabc372dd18f33e20041e482fff32
SHA512 404d12d2660160316ee8818d3853cda2ab2c379bfec2b8e99392893136f659ad974ba1c8a769dfeea235a793f7f450f0a14dcc865f6e9d60812ac2a293202f5d

C:\Users\Admin\AppData\Local\Temp\UYgI.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\YQEI.exe

MD5 ba43334ef1f29947fcc294d09f399812
SHA1 37caf00586a729722c658835e73c1fe44db6cb29
SHA256 e62b7af64447917997c43b3842a82babbcdcafb1e17ad1470450ceea91f2b88f
SHA512 f3c5493a6bf1c08d0397d2f637a804ad5c38c9a2209730e7c87b0eadcf8702ec8f3ecf79ef296efaefade1c3d43bf365482e8f3de1995777aae50a03ded1115b

C:\Users\Admin\AppData\Local\Temp\EUUk.exe

MD5 41445c60eb43872dcec5f0a39aa84d54
SHA1 b57f4b0308dcc1b9ddfb85f79ba994c97faa3a16
SHA256 6c5a41bf691e763cdf77ca469a7ee91fce210cf19b80361c8267deebdb56b17f
SHA512 27da557922df4092307275e9f71673a769c376d84afe506ffd891e036da5f0b7d29c23c405841bd55b7fb69aff343e8ac48dc9e08e64d8f71684463fd264b432

C:\Users\Admin\AppData\Local\Temp\ickO.exe

MD5 ada01a48048688595de8f2e03f223e02
SHA1 6b6c7a5a73a4a1e41f553813f1bb152e7b957a7c
SHA256 436dec969026d15eae875ae319d1539ab651935605753b7d7387db2dacdcd1ca
SHA512 b5c490ae55a08dc06b4859d25f32101485def1cdda30fb53a6907e6d049ef0d54c57b3c6d1e74bd85b39e064f28b621acb1d27937df2983f03fa277be303e078

C:\Users\Admin\AppData\Local\Temp\uogW.exe

MD5 f014e70a79f982ab249ce3b35e9d6adb
SHA1 b7c4aac2e4419e7ca8920a4dfa19556180b975ab
SHA256 0e23c56f8e80537e6cfd09304412814a5d7e6391deacacd8af8a5e84ea76796f
SHA512 3d7a69668e0b5db1bc6667b0dd9c226d57d2d2816a131a031bdf2b5474485becff8c1c50ec3d068ea3f36a28ea1e305664542bea84808a6744064e98d65ab3cb

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 b25d2dd76aac0957a8fc06fbf7cb4fce
SHA1 0e45758130cefd081be94e07ddc4f6e029f4e12e
SHA256 33af2a8a3a657563982c69057511c59598146c5db54e60ea5385574e5b508461
SHA512 ff8375aa407f8d5264735bb2785143871a4a5b3b04fc059fb183d80321f12a79f3793796c6ae888e7861befe54c188a9f2a7256f0305c095752c99e2489a4b59

C:\Users\Admin\AppData\Local\Temp\YUMg.exe

MD5 f1dfd90fc184d8202e12cfa07e12ac99
SHA1 990b87a95aa11f707a70a9a4bd8d548d541b78a3
SHA256 0e8a43dbc9a28a56a14d694576d05888aa0783be17b36274bdd36a9a726256a1
SHA512 12791c3d501b100897bf46e23eaf780b83680e8b38b7922670071043b4edbdec4487db9b50fa374f978907d5145033b0922d10c73faf62122ffa18dbe02f718d

C:\Users\Admin\AppData\Local\Temp\mMsw.exe

MD5 c89618ee879c24a62b2329f11b472a5b
SHA1 13b985def8cff972c5cfea48d9a8863dcf1c0ce6
SHA256 366a9c3f2e2f85de742ab1a53c036857b48e430e795e77626490d83390111267
SHA512 890b0d975d54be4cce05e1ed79bd8788b2c688fcc0e0722a44e04d86f858d95355820a5e8c63a9053ccac8ec4484bb9659b4961ba660911c0054f19c85d8d014

C:\Users\Admin\AppData\Local\Temp\CkcG.exe

MD5 cd6040b93e49659593380532172364f6
SHA1 1778a524684b8d5fffcf119ebcdc3dc728f5398d
SHA256 516483c92912672f669c342ab70d3ff8c6102feeea8d0693a80e9531235058b3
SHA512 93c93d3e1516e6f26a3bcbf237bbe37efd4e3c88c8989585bc6bad3d585ae33e3de8ff76ba135475553ed4d1ecdf2f09c4e85fd1373876e324b584904db8cf6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

MD5 49eae9eb0774464cdc3cf2756b649b5b
SHA1 506823a44213ac003588befa968c7e1280c35f6b
SHA256 0983c08d06002a5f1011fb340f39659a82122755e930657fa138b25cecc16082
SHA512 2387ef2a3b569b75a3b95405555ec145905f95c83ea8a8b2b52b64b99117f5dffb40abc1f3f96184bb148b05413be5808d8209cc2b813c60d728fcec36e9bebe

C:\Users\Admin\AppData\Local\Temp\mMYe.exe

MD5 0b4c0e064f03921d633c18e52a637e8b
SHA1 69c3c87659e144e2984604ca7c75de85993d181b
SHA256 0c9a0b584e9fd2787bcca7e0037eb5891b8e1adbb2197783eea2f3b2995d09fd
SHA512 7ea3a094ce1d1e45e295c1c60b424322ac9454423d4b7042f28f1e3e39a0370e6dc44bd6c491af68fd331a1c5c18d7f6ded8686c2d735d1cad4393c497bc938c

C:\Users\Admin\AppData\Local\Temp\kIUY.exe

MD5 d55d47eb7c51c67ce2fac71ffcb9b6c0
SHA1 c23274d052978696ceb8171ff604a8d2c611277e
SHA256 ee8c072117af10acb9fde6f45301120681b76590c89a0d185b082a8907b9038a
SHA512 43007e730c412c7ca72f78fa42dac0a56c7a93ea9bf7b8537716b587c48b237cd09e3bf8168f5d6ce3de401b7aec3ba12681b66715cdc41674413b742d237a4e

C:\Users\Admin\AppData\Local\Temp\EAYu.exe

MD5 fd4d82da14d3250a0c524c0498056045
SHA1 b8f35b311c3ffcde6794b95efdb443994dc3146e
SHA256 30d11134a3e15e323892eb4776ddcd1bed602e39890f3434664a1e78daf5c495
SHA512 dbe5fd4008bfe0a7c8f56d6a8428e02d56b0c60ab4b236256d3e3fb95ed7d4be2527ea9a1e440335755e9863c46d4e29f944ef03e06da91d90e561089323ce6c

C:\Users\Admin\AppData\Local\Temp\akYm.exe

MD5 af3f1283ff1378f1ab1b22270b9b5fd0
SHA1 42397eee1e61801ddf801aef3cf8dd59f444dacd
SHA256 6da57f80b77cfb1878381aa74c8b02dae5f88031b14752cc23b907ab46dd558b
SHA512 5ffa626707341e9b94d1c326eeb96da5a8d58f8499eb15b1f4db891a68ca8e8354dd7556c543ff4b490cbf8696c29db407ffd1ccf4496a5956103ccdb4a2f450

C:\Users\Admin\AppData\Local\Temp\iEYu.exe

MD5 d6966ce56b697bd90ec05c62a10006cb
SHA1 c339e2d911ba401e5b33175837f5ede76a91134a
SHA256 137144f68f0c54058d81c903b680a3e8c595c3248ed7ec5b0f52f57db51ad4ad
SHA512 6aeda1aa9146795c73361287e54a117b523b913061d9f72943e683c4067640749d831dc333142a97d540fd045d0ac388ad5ba3e023861274f152c8e945eab435

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

MD5 3e047d820335a16579b2302a1c0b4857
SHA1 18ab0d7d687cea67988953888d05b2e308ec7016
SHA256 520a51a247b92d013f84bb9a62b680e115cc6c6701cebb89621b7f1ef7bf4749
SHA512 535854fa89c910a9784819469607d570b496d566679758ebbf9f99a195f14e7923df040249ab707270e841693653972c7c7378f87951e8d00dd0206f748fea98

C:\Users\Admin\AppData\Local\Temp\wosA.exe

MD5 299dfcf3e580497eb5a5109aaea4517a
SHA1 90a36b86f38c158bb77b7ff62c22e11d9e584ba9
SHA256 5e00e946c8dbd33cbac623ca7974ac233a1b08b9a8083a46547e6db15e87ceab
SHA512 24b7ee4126b08835552112bb431420970baa336890de9fd8a612aef066a30d4544c36b32af00817bf176f9aa7020b07f853f43f0e350e2f35459903656d5c6c4

C:\Users\Admin\AppData\Local\Temp\wUgm.exe

MD5 2658a623fd1cb426869236047fbc98a9
SHA1 b99b73de6be290b9ac7cc528bddca1bb66e4d71c
SHA256 b65f2d19e934f2860c39ee678ea0c43de5f171f36c8034d3d637fbda268adc02
SHA512 53cfafde1c4ae6918e7114d4c4db5fe4755c5f3f8c625dbf416285c91b201aa452edc6041fa166c1879fe0a408a90e63645d1ae2721c743cd6776fb7e8e7f684

C:\Users\Admin\AppData\Local\Temp\yswM.exe

MD5 893f1e033e2fe5b1bd511372b10742ef
SHA1 209c1e88517608a244d09f8a58c27a6a9bc426e7
SHA256 4d68c684b12c3b314df59d56c818bea7e56a76f15268b3aaed1add232296b510
SHA512 66077d81eecc1aa8dd55648912ca4b6d10c78a103b000f75f54a274dbeedc00fefdf7bd4bc76756c913e6d3e78fb62c49f075fd8fa839ffdbbceba33ca22e9b5

C:\Users\Admin\AppData\Local\Temp\wsAu.exe

MD5 ecf1f5635af35498c9a95ed01444b91e
SHA1 3f97fea64d1a8330c3653ec67963d23781f62ba1
SHA256 772dc8c1b3b346fc4b739df11e7ebfb2419cf6e105cb272b58a85cd56fec22ad
SHA512 695ce5fe65700257f5690388601ce15c94f5861ff37abf222d164364e5b95d3cd39027c7851068a726efea7051fc6b8172f86eef18bd293434431262dd2948c9

C:\Users\Admin\AppData\Local\Temp\Sswy.exe

MD5 a2b169997a32d64ce929eca776cbd190
SHA1 545ec3c112d3cfadc2d0e44a2e9b9b2ea3b84d59
SHA256 eecdd5eb4795d05ae60e62c57f78c7b8a0065b6c8ccbc41245d4f2367b3e9eb2
SHA512 55ddde7c20c1463799a295ad0c0ce561bc77bd64f9a80b789bd99fa19a060bdb3b29c6bf950f0fe69ed291d1a09cf7d2d67f4ea7d6a2985aaf2b70eea3b17cb7

C:\Users\Admin\AppData\Local\Temp\OYIi.exe

MD5 7132f1fa4e799d7d8d0077a49cee898a
SHA1 be0dabba1a209546b88f5e34408c0cf7fccbf692
SHA256 19401b408140ff05f7b80f160a3a78ab9e2426ca8c4d3534209ad7c7a6f07530
SHA512 829123e50a3b0ab2335abfda07257a44ac902df3e4c45bbcece96056b86b10e49c699b4cdaf1b7fc9ba1f876813eac8ea8e65940db716aa2da62bb5960ad9cce

C:\Users\Admin\AppData\Local\Temp\YQAc.exe

MD5 452727c3972dbbc582f82894272f9460
SHA1 275803deca8fe4be60b58ee22151c44629e99394
SHA256 76f00f0dca68463f72a35cad12261b321e5b454f75478cc61b052bdf055df2d8
SHA512 8716251180004751735653c5460b8ed021e6c69eb16620fe5d9e5085d2cb62caa2ac76824b1bfa0a68c508746d14e1ea78c190ad91229ff5c88083c1d5d11143

C:\Users\Admin\AppData\Local\Temp\gYky.exe

MD5 5e01bff3e68ca9334d22157d1af66dce
SHA1 3b5554e355117c33cbe5fd16a23cf14fb655317a
SHA256 dcc8e099c6d2f955173c8528aa6e8f3a8bf7f01ae182c3944a32988a905166f3
SHA512 3f12d47f220bf79cf2ec78c4a4a4e6b022b4a0cf6cecf320b83e7edd71c82cd2aa1bd91a8af7b7b3044eada860317b2cf0aea8461de611a2100d15d83543d0a0

C:\Users\Admin\AppData\Local\Temp\iUoi.exe

MD5 c4653fabbe4e01655066b94a1b32d9c6
SHA1 3cca2210a47b810013b376bccf6ac3aa76f2878b
SHA256 812685754f0898eae51104d1befc5d03e582650fe9a011df1ca5aac5f1cb5711
SHA512 ccd35cd3e9adf61f4ac08b311fe1dcf16825af418c3c6b94141a87864c9557bc4ac771d0a2e6d68c9852eaeeb6176125c1623689fef6efe8cb6ae7468bc2cc7f

C:\Users\Admin\AppData\Local\Temp\AMcA.exe

MD5 17760be5149b367cb7d10c5f96f63f7a
SHA1 888e2fc4ed948cca0bb7577b6ad00f7b6fefade7
SHA256 612b3d3637fdf60fc69167aa641f2526b13a5eddc705e9cbe62febe55183cac5
SHA512 e4252a72fde6f8156c2471db9a09c9756b347418ead17242e5223e7a2a3547eb1d583958fb6cc822cb666ccfc3eb3845ea15bebbeeeafa79d448fdd6d9f2e6fc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

MD5 089c27a59879785fba72ff49206432b0
SHA1 ff5f2dd10cc535f47f4c369cfead43f4a5faf383
SHA256 90f4c16240c34630dd280ca4c8d51963ef6c7d64ca2728540851ff4e41aed087
SHA512 5d2dddd86455866baa4d3ccc9f0df4c109f1db7b11ef5d2e060d8fec338e2aa2bff9c09af9c151c1a74a21a2780302089a96f6e747628a872c2ad5afaab29bfd

C:\Users\Admin\AppData\Local\Temp\MYIc.exe

MD5 de2cd153e6d90a8e84134a7250ec2356
SHA1 28696cc9d78dad532cd65efe394477b10c0786a7
SHA256 d8fea869381304b4f536506e48cefe986604e82b779d8ea89a08768e82624df7
SHA512 4e3137efff9381f2d0749791f8c3c3cf6f223cb0cf534c86fceee0c364481aa943394b160ac05d0a4cbbfe04228b0e872726a31f1f4daa7d1a09f8079dd050cc

C:\Users\Admin\AppData\Local\Temp\GwsQ.exe

MD5 00bff8fc4c87f37b1e218f2d2b7478f2
SHA1 4c9edae5b38a5d4ec7bb2e79b4c87611a2b417b9
SHA256 984cd41d967a4b12317df6bb3fac413678ea5db291d340d61a889471b0fc9c25
SHA512 cc174ff7e901b2d1e77d7cd402b5e7f54bd5885c05ce6edc4fd7a8d8182219a2cbd44e58b63895ab823e8c4c2f45ef4f1214d21c71eaafe4b524110826ac5214

C:\Users\Admin\AppData\Local\Temp\EMYW.exe

MD5 a458dcf169dbb8a06556640482cf895f
SHA1 d327b46d5ebae867c9e2875fc559e753be2fc822
SHA256 a02311e9932bfb3ea8db32c2272254e848d4566a755113f34ca0cceec54e24c2
SHA512 f6102e161713e22b451e8ee651da147a24fe91cf394bb3839d5a5f2021b69a61eee6c4d63f6ec4e35c855dc41ecf7e21803bfbc7efb87bd2fb9be92296fac7ec

C:\Users\Admin\AppData\Local\Temp\uQwc.exe

MD5 75a48b64ba383e5194aa108518baf126
SHA1 29c0cd4f7497e952b90f4c25b647686a1b9e3feb
SHA256 7bb90b98175d4a7a49503236488d023d8bdb18d33f8ebb0432059204506811ed
SHA512 a00c165ea60ad53cf4c6f79136bda652399dd3cf751ed1200b80fecfb64b063418c405ea5aec1d010e50d10fe68dbb9f51c48cb9fb016789617ec4f7c309d6cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 bc9c59faadd942801992a5337bba0ba2
SHA1 10c38f7ff581268ba502fab47a9f0220dc5ff607
SHA256 e50dbaa0655a60ea81f4343fa8eb458260f64973805b3139f44f693072c9c8ac
SHA512 15321d0332dd3ca5c4b6150f73b49e1b36950c86a532f8966f3b2338ca87d3d0b2e8206471eeef2eb95767d9a9d7536458901e0c5e52faa11a2df9c3da00833d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 e74bdba0506e185ceb92150c2d721812
SHA1 f24b32e53cef222f48141dbcc51122cc1b69bb2e
SHA256 432daa958a3e836b10228c6810d4bbfb02b2fb378a3c73eee762ad6bf60ebbc7
SHA512 0af7a6bc3e45ca17c03c9a8b5050ad6b633371b0474828abd80214c49d22cbf66d78fc74804723f409ffda7f5689a79421f2727aa0e50376fe0e4ba824ad94c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

MD5 e3ebcea3ce77fd9353195da0e772cd4b
SHA1 94a56dd246fd151703c78bba25e778a61f92f308
SHA256 73bfd023688bff8029a8a43440519b2eda7b6f71a59c313d2f7e664bb874614a
SHA512 20a141a2b6fdbff55ded551f3984238f756015538a88fb7dee8bcadbaf43bd878ee201d23f6f1c99f4f91ff9c96e63c646c4529128a186f7a92cf95261dc52ec

C:\Users\Admin\AppData\Local\Temp\eQok.exe

MD5 d69fdb6ad0ae23d888fd479f746e2d7c
SHA1 8f892acf179bf0bc1aa2c1e07882f6afde7a845a
SHA256 96b0f29ae5276c568f90de7c9d7c04a23233d7b854b3938c76b50f509d737d8a
SHA512 1f8e2e8802b835b2fc9cf076e8d95c2769918b1824cb1ecfc831a5aabc6d0a68f390f580cba2ce97ea34d6ecf4edcaa2019c39ce311e411e1c8e4386feefc588

C:\Users\Admin\AppData\Local\Temp\oMQC.exe

MD5 b093345d4f030f9e3e2c5520f23f96d9
SHA1 2e0e402fe52cdd7f26b21c647408f72864fb5db5
SHA256 9e05be8e25abb60a7e3a29adbe75c9f026a8d44bf77578b57b2f64b4ff265de1
SHA512 f4899274dac545d80097d52ae94d45c14d8b0154a77de421083dab1f244a9d9cf55f67c83292115fb0c42b6ff6b5748b7832b7e58ec2ce3e11d30cba1b5cd748

C:\Users\Admin\AppData\Local\Temp\wcMu.exe

MD5 36e932d8797172bd1d5bec786a813a3b
SHA1 b6a3af3699846e2312699e836c6a1778b2dd2bf7
SHA256 b504ff661d4f683b4f098ae13d2588625eb7763b9a08cabfa959b072d75343f4
SHA512 5cc498696230292c6cfa6b50d832d7837dd0c39ac20c7af85bd6ef107c2fb6fcec3d3625fbc4efd82c037bb5bedd37ea033bf66e938d29c065f4aaa5c7309bc2

C:\Users\Admin\AppData\Local\Temp\GYEc.exe

MD5 29bd06e648573d8f3555e76ffde1aa3d
SHA1 c8a28d6e7a91c631360055e61a9112b406118c58
SHA256 ab3525cd4fad5aac9ebc1c74ace60da1ce74c0bb2eaf6328523e627550ecd886
SHA512 77ed58fd8cc5797535094e3dfc92ea621d063840481a9175ddfd5e8b163a3747e983facec3960fcac386eb89d0514287448c9cdac2c892dc2a736ea8148c792c

C:\Users\Admin\AppData\Local\Temp\yQQE.exe

MD5 58dc47fcc032ae81a214ba4a94c1fd56
SHA1 06332fcba343549e147fe74795b2e41d515d898b
SHA256 7fe59623ee61585c361824a47503d77268c2ca8a9bd24152ba763724fe9f21ac
SHA512 6688e539df0be5a5ceb42d68bf5fdeae684244bd552a53976181b3ac7a0db67bd0586319f98ff7a565961e07f829d350c9846dd524b4e5c0055bf0c77305fa78

C:\Users\Admin\AppData\Local\Temp\Isok.exe

MD5 e0d1f4b1d41d1d7b6452a067daa9c902
SHA1 3cfbf2abeef9168ed88d1f207a06b30eb7e26d2e
SHA256 b5b0147bc40f2d69cd8de99e06fa07a56ba65c32d136289ed60a0f28a85e5949
SHA512 76b675fa154b27f030ee76bad5fed43a2c2652dad972799f704e5dc60bfb1337fd506fc5a2ac3123e2e331dffbaead922db838049b9cb779b4f99d4ed7f2e0dc

C:\Users\Admin\AppData\Local\Temp\EcEY.exe

MD5 09c2562ca318024075b0f5560837f450
SHA1 49bd213b3a75d26db6b2e54c228ccd847e8811f1
SHA256 284d007cc10aa81a9060968eaa11b973fb74984186ac9cde9c526c61f1f5fbdb
SHA512 7b989a87471f2406eefead0bf7c507ab93c4dd96fe69d1e4f9d7ce7bdabe71b65d29893bb69b5d33884fdbe8a3f7aba1ed9b973c7a2458c9a53b912687b54b7d

C:\Users\Admin\AppData\Local\Temp\oEIM.exe

MD5 15e93f9f3a6dc579de4c065a88b40572
SHA1 882e64857b3a4c9589100213ca06557daef812c5
SHA256 cfdfdc90c318b992c01941e32160d10efc421fb61538a6bdd7061fda1cfb9247
SHA512 af5c0c9e3c27e8c8266cae66c73148f372f805917ca2b6f47abc737115e8f8be65e60bd11dd2afcea7d629a50b65e089da573dd82894d9a299d0e5f5b8b760c7

C:\Users\Admin\AppData\Local\Temp\IIMu.exe

MD5 212688bc4258e6359ff8e0495b136499
SHA1 06bd2b3fe19b378f4971b985026ccb7abe4d8218
SHA256 b70d1854d1bf91972f35a64c0c5fabc33f0c14db6d902d2429db714b42518d94
SHA512 325264e320802f598efc0d17b7feeb3c2a56e0196899d822575c2e47d10a7bd7a32c53b0939afb53c4021a2f906ddb47a21949d4297dbef426833bcb5f298bba

C:\Users\Admin\AppData\Local\Temp\eEgw.exe

MD5 f7aac7fe219594fd586bb6810137d25c
SHA1 c3bd281f5b9549332a577c3c483b785c19259e03
SHA256 3c39624519e4f0f88fe0341483fef9bf2064797c2249a5b18e3fd04c26ac026d
SHA512 2372acf3acbc0fd452bcb7f2aafb332cdc4a4c32f061c0f054b9234bb7881b97652fe1e10d38911175f1fdcc41381f0ffec17ee94be50bbfa428fa66bc65ab0d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

MD5 b45fc223ad772539764d68c3a7ba5437
SHA1 431e3536c5d71c137557ec07b4e2983bf61e3e3d
SHA256 d9b370b19f7cb9a394077f358c9b36e77e80facc83062846e2cbb5a2d63e0c06
SHA512 c6ffa394d01def3e6699f4fda209d77090c160188c9fd5f29f8a0e93e69dc521d83fa1ef761ad2ac5d8371a20627c5eccb22270d2a4508576ac2f0c9680db842

C:\Users\Admin\AppData\Local\Temp\iYMM.exe

MD5 71f76264cc2af6de7b85e20551a1c0a9
SHA1 b75bbbad4788edc47ff7536de0542664842c7af1
SHA256 b2da0e6e80012f7cb475d6d0f45c6629d5cb5596e30cc3f5b51c8cf7dddbea7b
SHA512 55bdf24898e63098dd75edf273caa9fc0348ff08674652826499ba48cfd68351e54b12169bdb710899d0d9ab7b6f4b965db8883d03a823eeab5865cf5437f2d1

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 a22b1bec8344f1a93929996a6e5e40b6
SHA1 f14a4c4c8fb683043ee7cfeac8bf760a866fbb72
SHA256 8a4a3e005236810b84df7f4c4b6fc38e2e9e7d425c06b019f634c94a3bbb6c73
SHA512 2cc67cc2530619d89c3301245cb8f20b056a8b0d4405b09b3b1f445d7188c704bd8d88e4bd83c9c71b9793ea644a4448953334d9d8b6cb54844adc99ff9d3e06

C:\Users\Admin\AppData\Local\Temp\iMUk.exe

MD5 d9d007a9c85e673a525f9b6597d0f9a1
SHA1 47a0304fb8630a57c6fd784db24367c728575597
SHA256 e0cccd9ef2325da9180f25a130ec22b95ff7410d428f76fd0485263c110ea9a0
SHA512 da14ffcfdbfdcd75664159df0c7470a943809e984966e04adadaaea87114817acdb8f31a197be74eac129282280ce4826648b21a5c7d76e2b8ce99f34b4e122b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 022c32ca7932101f0407b6d01022dc45
SHA1 e642ca2402400f925aed110b28d68fef7798be50
SHA256 90359b0a0d432d7a47fb531aa3e6573851243c9a3bea339f2c62668f4835c4bf
SHA512 6469224759ed5fc25ea919ca3ec4cf80defadc5706b6539288e3d7fa3b9e98c232fdd753ecc24cff843f8606a66e29a52d0993e4f38bf74cf3c7467c7cbdaed8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 2acd2d04969b02f3ebbe51f6e37bec4a
SHA1 7d795dfceed9fa81474acdc382382a9d2099d2d1
SHA256 7e55dc81fcd3b00f279925562effd094b1ba7ba8c04f606e2869f97e60a4359d
SHA512 385d74f312bf8562fb7fb04e77a9cea472d5b9384884f7f463cacfc26cc9b6deead1008f7edffe7cf42d4aa9ffa51bc16686b1fa01a701ee5bc9b5a660e8cd29

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 a081bbf4f28a8a05bb02c10e4bb15a8f
SHA1 bea126574e411337f28a04e29ae07d98852f94e9
SHA256 47c7a059029178e92d7d9643d01a2627dea3b71da1e250e2eb212ae50c736b00
SHA512 6e1858cc328987d9400032f45f19e7a9b85c5c45214e3ec84653f811a6334dfb9b628ad12875f584260b7be81ae8dc73fbe31876b02ce1fd3f1a1570659174b6

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 b2ec385e16a37a51c94cb0a166cfbaa7
SHA1 aaf36a5547f059505c441fb46441451d97b83f6d
SHA256 5d0bba97368860741130a4b284b1cc5cca907caa7020460354bc5ea4fe002f18
SHA512 3caec9ea8a4fb12ddd2b0ca284e60c00aad80308e2fb5af1ad3f153890cc823686c1856852afb7b5379bf8b0fb438b8a77d29dafa5c365ffb149c8984fea0049

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 3ab5684efab992c059cb6b1971ac7791
SHA1 24c7266a18a3d8d7504e2b99a78bf25a5fa34961
SHA256 ac026a9b790da53b041d6216561e1b6b5766192e76bbb19c0f0276f59624ec66
SHA512 2590a1829956b3e79a13e1c17e1f32260ededb556d026a4b10b327e7f7ac5aa30e82b4ec2f97134c8d14b647df0f6983cc850798fca9678cf4013a3e9896107b

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

MD5 4597f3559dae64686f28b4ef0ddc9660
SHA1 4af95358fcc2ce9222a77f341dc7dddd158d9488
SHA256 8ae41fc83fd891f674df7bdadc2c45b3d46c30c40b303634234f8ca330cb85e3
SHA512 1e1ea1e73852fef7e79dd83fc7d1a30b63cc947ea842ba80da4b3550e74b4499e6446e5ef08c5cc93d4c2bef2867b49e9822bb74dcd9a508cc3401cd0df27943

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 27d53f6c39843c13370d6cfc81080d64
SHA1 b365141ace62f1295ef80f3ab68945a1485cdb3e
SHA256 7098a819d8e731b26a4a1a8fc5d9585e276c775d0092448aa91b2fc01e3af525
SHA512 a0128e98bd905049c6a6b2819a4b5944940778a9f32e380644136f9343bbae0235a6a98b5c4e482b9fd212d6e277624492507515542800e8f96b843d57150316

C:\Users\Admin\AppData\Local\Temp\cYcA.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

MD5 ed9486c45fcb55d4c90003f359779217
SHA1 c2db7cf0808d8289b43fd6499423c66239a25fab
SHA256 214cdfb577d320ea2839c71fe3258df26d6f4be832a25a0ed3ff6a03d056773c
SHA512 21ace13713647acf3a9928d5fc748852a541305c7b2b7e05b6afe0691d9e366056c66bf65ef2abc44db7bc87ea8b51a7d7b4fe7ceab06c4331f411bef58a7560

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 07aaa43f5e3dd72d2e34a0b15597a2ac
SHA1 790d1a4784fb32b2c2bfd460b5daaa5168667a45
SHA256 524bf6a891270f612599ff126acb48f14c281c1547cd5f0d0cb60805a02564fe
SHA512 4810518820d9b8e6b217a93df60e2ec8610e0f2830cec760771852dde42cc2e3dde3904623799652ccf41cb0674339aaef47667c4eeea10403e0248c749035fa

C:\Users\Admin\AppData\Local\Temp\wwQU.exe

MD5 71e24729b7130417077bc0b348b93b2d
SHA1 3603df5014f0b7273ca0f2fd02d5663bd14b4770
SHA256 160850de30adb952131aa1dabf54f9112b638cfa1f643d55beb4427014c11945
SHA512 6987197a42236e4f2a36aca908e72f7831b333a96ca5eba663c374a00b79d3ed5706da560baee835e9a15f227deed29014e1ff609c1a47d7d1441c683ab7b489

C:\Users\Admin\AppData\Local\Temp\sMcE.exe

MD5 81bef5aaf0ce3f5b3dcc9465bc239059
SHA1 0fe6ba73181f277f38a61791a6b89c1ee69bd49d
SHA256 4e79b8b8ab1e63e710e318dfdcd9390d653ca834ab0a3212f407e2abd4835c3a
SHA512 ed8cc659ddc5eed1adaee787d2746a24d8cd4003c4cb019519e97cd64bcd93bb7b49df17af3cb814924ec26c009e83214e27c319e23a52bc700120f0e33e5607

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 30beab235ddca95d4f13e562af49e335
SHA1 13b196e4b6f5b0d9287a01b269f05bc47a3935c2
SHA256 ac64a5e0f48f7352ea1d632144daac4107aff8e7fd67d276f6f555bb08465b03
SHA512 8b8eb189bbbf7cb45975394230f7b4d9e7d44ab1f42a7b90dde5a30442198b0a17ae3a22de48538ab417911102799d9ff553c66770baa36b482da3f0ffb7bcde

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

MD5 dcb4acfe37d9749f50e8a155bef53210
SHA1 a36fa8141dc1a917346dbbbf36fea36822ed617e
SHA256 74d9f16e88d5b5a0175870535c1313d6ba02c811f770c902e63f238e15acb62e
SHA512 ff124d5b2f04c9e95e802b28917f22cdbca441ec5339addf71ddde2d4f2ab2dbba76e9104accb183842013b3732f1654cbdd460d96329d6bee8a76bd9e337470

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

MD5 abe84fda3f3c1e762d8f16978a935b08
SHA1 b1d139ab4dd04d89cd8117c5226dc3ccd75e418b
SHA256 894e4017f9b21ba7a3c02dcceb8a99ba34e41e65b441f9d8f720cf55d8680a52
SHA512 c39eb7850a3d00c206d9d644e32191ee83e0e4375202b4393d2b643b3f9ce36434baaffca0806b893c50bc4b834e2d5532b0f14554a3ccd71319f506495ebfd2

C:\Users\Admin\AppData\Local\Temp\CMAy.exe

MD5 a82c8d0d366de55d19512b31696f5a99
SHA1 faf0a79db5bc75a0e029ef442a4c26c6140d514d
SHA256 f888019c321469f564b694dbc37b38e8069308775bf20f7d33311c13eabad533
SHA512 96d1f9ffd105a37f5b4327da72371f84af2bc1766598f78c17096465e5737553e35c3c57de212795efc44136b6e29a1fa75269b9239ef9c85a4dd4a9fde47420

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 27dccf5c481892fec4219101a9595036
SHA1 e89fc9a86da624f0baed3473836c503ab398189f
SHA256 e4afc374252a8f08040da7e3718e20be458dc0596c838e85d64a0c03027e49ad
SHA512 d44999178f441062fa44a6437287c3c6dbe79175bfbf79b40a28ca5b0efff800a09f8d866dab2892a3e9b4ec4ca1d8477ae32cab2c8d4071ce838d5fd3b2c995

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 0323a889fed776f4853cdff9e4d537ae
SHA1 3aac8af0e411844329fcf69b128a099c37ba196b
SHA256 7c16f0510afdf72571b31d6da08f74119eae45b70d9d198727e8741f82345e49
SHA512 f4ba5996f49d897c0a1f6240037c26c0ddaf8732a4113bd65b8200d80140d14608e657419f4f46b9b58e8424f2dd0c800cfc28abd0ad55226c09796807ede9a7

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 2a91c2cada6ebb156efcee598293fb71
SHA1 a1d434694e9a026e9d8a9b7eafd0451b5dfcc012
SHA256 2885dc62332e2cca1df7edee771d6dba00b91f7d3333c90f02500a4b9415fa7e
SHA512 e97ab2641f4bdd30644c6e34f4bcdc32180a25842038ed1d384c0a73488503cc4ee57ab0aaaa9f7f70f4460723ff1cb5f6e0db73644f5350c82e5dabb309f378

C:\Users\Admin\AppData\Local\Temp\GoUw.exe

MD5 bc6143769362f5fe027fc9a40154baef
SHA1 5fe844bb61093f744e9e074593b3a59fed3a536f
SHA256 e58b1b36a743b637aae00d0a80c13c033c46942de19ea70f21d5331e9f2eb66f
SHA512 6588f997d7af9f98f99e74a9c548ba9150713dddafef0a7679ac988a6b6f0251cd7250c6c66f9c5313a5b3e7895681baa356d4d959ceb5fd0ec66d3b2d7c829e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 81ee63a9ef52f6a9e212583f636a5d0a
SHA1 ac3c83b007fe48673602d407766ec98fcfdec47b
SHA256 0add42aafdfbaaaedfae20a1b4bb7a008511fbc26b8d13f66975e08b34563fdb
SHA512 aa5c565e07f5c32b6f10fc723001a51fe9167f64b73d6689082a66946d7d2ee22e9ac75d729ac9570a0458856109665e93c06da370828f1af585fe490742367b

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 ad5739920fa10f0d97915d48952e5a6d
SHA1 5360a6a311c766c533dbbf5bdba42bbf32316e74
SHA256 160ab17f16e09c400d97ed6d8cb25498c489ae8e18ea0c51896bde811cff1853
SHA512 986d8d1c6afba3d0ff57453e45d412008e4b0d581ceba967aa171667b5dabb026a84a94b9812b02fccd84bb138fb888c8369d141a69763d3c7c8c11f766f1b51

C:\Users\Admin\AppData\Local\Temp\gIMY.exe

MD5 64ff84c5bd2132eb9fda9ee0265dd678
SHA1 c6b9ec761c9b55f5d57bafd89c1515889d909eff
SHA256 34c576c0c9a1183a1d26730e60886fa76549df56f5b9873236e89535c052ae56
SHA512 56b2d3fe73280ce07257e98417068daee3c5f681b68183de0f921bbfc2d254da6d661e1f71e1883207bb4095dcf8ab6fb6446fbc215c006b6332c3776b93326e

C:\Users\Admin\AppData\Local\Temp\Osce.exe

MD5 0cf16ce52f8172dccd9862cd5a483283
SHA1 5924cd1359d710fcd1db79261dc429b31f947729
SHA256 b9c696c34be9ad3cb072e4201d22e9db3eaa1f7a23ef57de60fc4b9cd299a4e3
SHA512 6dfe76bf6b6a2895d34f5c94c2ae74e2f7aca4789740460ffcaa57000a1716f0573f4a13a886ad1b4141782b149f4ccdc4b51d13a651cb1c3480b4e023a50499

C:\Users\Admin\AppData\Local\Temp\iMgI.exe

MD5 003aedf7eea67a8c103402776c8f586a
SHA1 e9c94d8a2b7034a22524d674e861ef61c4513256
SHA256 791e4f8cc8bf2546a1e28795befb558753ab970a38ea82898528a5f606e25495
SHA512 0999d8cc61d7b105ae9b5bbe9abd49f13667d1305f1d8f402c7b27c44c71713f836847a855ada226747119d5f6e25830fb70c87098676076d93cd09fe405f41d

C:\Windows\SysWOW64\shell32.dll.exe

MD5 3538d3453cb67d0d73fd1a8e0335a649
SHA1 74cdd05deb12c06b9292191063b67f2e936bc467
SHA256 c42a8f8d064c39f07895b753491e26008286ea6ea4bad078b02ee4bd2f985731
SHA512 1bee2405d1c95490dc9a4911dc8929c3c728ef8ec41c56077eaa86b734039405e3630546d462f0b41be377873ac3478806e2578a6c149b632cbd51f0560be823

C:\Users\Admin\AppData\Local\Temp\wwca.exe

MD5 d5219ec43c06902e315c1d60d38a36f5
SHA1 5371e347020b77d66fd68b051ed1b8712d37b913
SHA256 1d14518e0f522fef9dd7e80dcffd4f02b647b9533ac560c6ff0ee1a132da95e8
SHA512 28b10705d0b98c6db696165c579de6deef9b09562b69270737e76109802f88388ce6b7a723862eca3be61d7e6cbdc5eb8d029f7a4b750bec0b3d7e9ad935f8bf

C:\Users\Admin\AppData\Local\Temp\UkkY.exe

MD5 9cb2513c2f551bc39699f8436997d359
SHA1 b85ffac65f068c6dfcdedc4af27a2207ae9c66d1
SHA256 824b8293d6cd5b3d456f5f19c7df527bfe90595afb1eb7a5560a656258822d6c
SHA512 e52ecfd686d15dd9d5211c3ba6a974cd900baebde3604eba43c1f04f74f4c3dc29162e5435e54985097cc35fa446783410cd81fc10ce51f793b14a71c3f23a48

C:\Users\Admin\AppData\Local\Temp\wAgk.exe

MD5 8cd1e766b6c22b45354050640aa1d694
SHA1 68f10471d47ecd4b3b4a1117eb9680aaf35a6d5f
SHA256 838efbd1b6102c9920f06f345c6e5afd096df84aef20c5a086e122297098214e
SHA512 70231bbfd0d4392f76eec7598954b394b73ed39ac1fdc244a6ef50f7e593056997f8b69d37805bde3b8d0f12255efa52290b7c70ed0f5af4aab61908e0acca38

C:\Users\Admin\Downloads\LimitAssert.mp3.exe

MD5 695b73c952a50df7b0a99375d8936ae1
SHA1 541c5afda17b848c2ca50f47b54265d4701153ca
SHA256 1187dad28bddb8c18f47c633abe67866773e5413e293b981e220b61b60f97e0c
SHA512 4af3a16c981cd0b7e434c9c83cf46366997e88a4509b32580a098c633fc2a3e0e8fb692662d366fc89b444cad45206c71883b43fdc343d74ec551a4b14cc2055

C:\Users\Admin\AppData\Local\Temp\AsAA.exe

MD5 a2976b3535cf6bc63385499673a13710
SHA1 cd7ce99de0240d431845570114204389ed5d412b
SHA256 78041cf62047034b05248c474e02df3e0223353052d02f2be1c14968211579d7
SHA512 1e52c4176c6d6ab3b070206aa72babde7f9ccacc0dbd74bc022d50dfaebf57d702fd0e4039cab7ab74b17907d0d03f9424756d1259799aa34bf8fb005e627a52

C:\Users\Admin\Downloads\TraceMeasure.bmp.exe

MD5 52153e134860853ade08053c4af71e14
SHA1 fa17e1edb2c888561e73dae2d6956f65f420b9f2
SHA256 fda7b79f28010b3f6dbfcd726323274d272c25eb859fc8c102157874740e73ba
SHA512 2487757238195dd00f12e6ff4910b45e4f7c1d67213db8f2cf3cb96ffae17ce04681c97a78fc49206dc5f732b3c9816452c7b0bdfbb138b67f759eecbcbe5d7f

C:\Users\Admin\AppData\Local\Temp\gMMs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Music\BackupEnter.mp3.exe

MD5 1b961ccd5aaedc394d7c5fce0857f585
SHA1 d3076bdfd79d466b3859fd014337d89ea029626f
SHA256 6d8a4e84bb4b1c459e2ee50781e12fb466ba8469c07a4fb7e6cf03e2979cf7f5
SHA512 1c3ba9277a03d374a0255783f8346959f550a2b24a1183139698d7b447ee96b29a2c97dc9588a41790edd9ad9223a1b7d617f49a8a518e6d3efa459d209f1c73

C:\Users\Admin\Music\UnblockEnter.xls.exe

MD5 f1fc974c70d5bea4336f71daf1888d5b
SHA1 484b696142655db4657bd4ff3f0012e12883c527
SHA256 03db8d7b7dedc6484c407b6dd9c1b3c813f4315eeb134069bc93976d56f45580
SHA512 97e5dfdd7dd29e82468d972c6121d72e2c0ba0480c762ba7a3e54d810a89fb341535d21f071b1703ec875c6a0af32898452895897833c3b931cf7074aa83c9e0

C:\Users\Admin\AppData\Local\Temp\UUYK.exe

MD5 215b5fac510a11dc2236654164d5806d
SHA1 730a13793273ce93a5fe2ff4162ccf01ac322196
SHA256 ef7da2e4b51ccb5e536a01d346305b81f727ae1ac402d6e6456b4f5294a29608
SHA512 d9c21d5938023528ca4a32713bb78ac1d9809dc446443424bae28ce3c2bab914fad30005bb3d129c6e7d61d683eba9a0cfd5ea240e3d111a1f7022333afb3848

C:\Users\Admin\AppData\Local\Temp\swAu.exe

MD5 ee962e4a4befa41ecc8a2da70e17f4de
SHA1 46b9113a4390bd1f8149cf3beaa32f16f611da92
SHA256 de35a611fb8bc1127953ed4bf6f7d668be4e4c396f8df31bc8d56c33396677b5
SHA512 67059630224fdc1a4b64a7244e852beed688dd3688b553f062e156ac29a7ce8714775ed414b09731c3b5fa6897609050a084a0e1c4eda03b1333ad903c8dc000

C:\Users\Admin\AppData\Local\Temp\ygok.exe

MD5 2f5170478c69c4dc2cc7c4c9417b7ee1
SHA1 0957ec87031ca438933be220a2a775cbabb111d9
SHA256 9ede6503ab406b6c7b8b926c5476db4f558f616f6650e3cbb51c24543e4fb2b8
SHA512 a5bc230434598a2e2ccee9b5ba95b8bfb004799c5f0bf866562b50c2ebe60193894b18f5c9bb3be127b596b21c84b4efd854c92762f1fe2c87cb9872d60dcfd2

C:\Users\Admin\AppData\Local\Temp\CYkC.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\mQok.exe

MD5 22850c131938da00fb8ac95a2d0a8e16
SHA1 fa050e95b26701ee80abb21fc73c0bc6dcdefa27
SHA256 cfc2227788d60467c9e7e8df7146eccad0b734c7c2c8c4c085f274a13cf66ef8
SHA512 37d8f278d94f7cadc403e6edfb1e1354c7c05dd5633edd910c20c851a1a3db0b7bdf83144c408537efeeda784c3fe850893ec3d09f79d15638c221173d7418c8

C:\Users\Admin\AppData\Local\Temp\IMMQ.exe

MD5 840089efec30cd5d828b456047e0f33e
SHA1 e99d917c62dfdb93751a39f726ac1d86f9fe293e
SHA256 61e21105fa911a032c2a2b1837c2a2a9828edabdec7f5f8fddc9d69e0ce997e3
SHA512 da004ac0538757ee195e4b1975107737303794cbec0b0225cf851c4f970274f6a685ae74168de10cd0e80dffe29607a969e20b283b451c21f82f9c070dbe8193

C:\Users\Admin\AppData\Local\Temp\iogo.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\Pictures\SwitchStop.bmp.exe

MD5 294a00974336ce8afeb72f970934ff14
SHA1 21dd45a1907cc3b6613be476024486ec28f79770
SHA256 999ba53e4aac774cdd8363bea3a9e1e43ce018b4ae031f782d82d2bd1387596c
SHA512 f6d8466d28cebcb4d6b841908320dca6fbde5aa58df7658a19e36f50c515f4e7f9bc1e6bc0ae3a55964efe4272e8acbec41af0b3ec6f2d6d5fd40e0e493cd2be

C:\Users\Admin\AppData\Local\Temp\EogI.exe

MD5 1a1f783c7c282d387429c5194d863cb7
SHA1 2afe05c9d828ef1bfed4c0e0d7564ff50c9d829c
SHA256 0cf6b78fcd9387b0f8e88e3949d644530b014f0e5267cd2247f1a4dc4b629c06
SHA512 c7d8bae4ab9b33431ac59152cd452634640f523a62c118856972efd937e60691851930de17027707047710beff2364f7f0756b57d7cacad3bf5db69516bfa467

C:\Users\Admin\Pictures\UsePop.bmp.exe

MD5 afba99e6dd22f89ed3dea1f45f325ea1
SHA1 d4267788eae7606c7e66168ce66bcf39a55d8405
SHA256 63f5bf4c9540189d72eb67aa132149b4cab2e7efd29be4349148d041bbacc29a
SHA512 8c7f1f48f0ea7a407868e033469565938d47f40afd557dac7732099677a45c46c13025f4e71c141d80c73c3677a2dcc74cc1408de2652dd21eb3ad5356097db9

C:\Users\Admin\AppData\Local\Temp\wYAu.exe

MD5 47447c1ed800c271c8abb73c80b85a72
SHA1 80fb94100339dfd635c59dd196ea383ad1dcae99
SHA256 d52c7a83bd7bcfb77c7402d7da987ac9bdd68b03e99f8425a8897aac23cb6d92
SHA512 a3943036ba966b23b9315403ea9000ddf83a7ea0a95736b12c94277cb938186333a76ea95e617471fba48ac8cb464d33bb1921a982ff3a5f26ef6d07f3cee21c

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 30d92754b64de5c6c4d425b2bb157279
SHA1 4bf5b2a8ae00f8e13f1992c0bc9d74211159d56f
SHA256 ee23b180d205e33c5272c70a2064dcfb906e9c800681d21f8feacfa56f8e5ee4
SHA512 a45f0796dfa7e6c58a4dfdee1f131f03acaaf6f804c18cef9bf9ebdacff51a677f25e61f495a986d8704795278e78e7c1316c57184e13cb3bec6b31e65634324

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

MD5 78b4b6d5e3b01180ea0feb4149ad593a
SHA1 f980e43a45f871c7288d20278bd3b27ea13e3c01
SHA256 cf9f38fc461f2a7b96dc878d6f0537ba37b0f8140df59c20b78c10ddf2654a80
SHA512 cbf051682f733cc5748cb2c60e338e6412d906626e6ff270b4dbdfe4fe96b7db97a46ead9cad29093cb789d69788e3d39533c63f02fd0de48b55b67c04352194

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 7bff1f4c6a0ac73ea3170e86ec6214d4
SHA1 46dff89ff3bf0fd453ad36977e7f0f4b95e06ca7
SHA256 b318ca3ebada3572d5e855f7af92e27dcdcae2b0c4d7c453626bccd1ea072400
SHA512 cbbb23b1384b83c9730e1d146c487d3f28fe33234a31567d35e880cc68a1bf42cfd88a96c136a3848ccc0be4c9978f6520ff2766fd4b5bac0f7b7154e46e0c55

C:\Users\Admin\AppData\Local\Temp\AssE.exe

MD5 0b0552107c4ad9eaf1a3d115b9326a75
SHA1 e95c34360dab2a4a5be9d63b7abba1570f65acb5
SHA256 6305102ef822131d362ff1de424e3553f4229035c723ee22ace036b1c8cb01a4
SHA512 21cc895b345a789aec535618eb592050d1af7872f9e1eb0f7f98708f5525ae4ac446393944e4422de50602b2484e1acab1c72ab3d25be55f89188a3cd1ade927

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 1a89dfcde42a18fd975a654f4d0dacb3
SHA1 87dc5d8c041629c53a93d6a984fcedfaf1bc2fae
SHA256 6a83f4c77c528082e3bf399538bde8f8467dbe60a1f1a4041c410ddb4eacd01b
SHA512 55943a49bf82b78556b65616204ab09a8a870f628bdd24dc65993f96150c206a9ce0f1d76eac8f43b72ecec9a586be277c0a0cea9c2821662d5708e8da9b96c9

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 461a4a4d097ca378ea0cf23b8bf8f196
SHA1 f1fb7e60bb0d55cb206f50190b26439b168a03e2
SHA256 518e77d62b9452b95046fcfc1fb0841994686f3ab8c728d9156ab773bac82b6e
SHA512 ba96615d706a5ce6cc5f094dd630313c66d4899f62219fada4af20a3a08bbca0d0d218f869f598b52860f05319b95a291a3a605b54fc1e57dc18c8c6f7af7558