Malware Analysis Report

2025-01-22 08:16

Sample ID 241026-e8th2azeja
Target 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
SHA256 ec5c1ee022b8095b3d2055e299f845ef0e3530ad8336fca6f9620314960904cd
Tags
discovery evasion persistence spyware stealer trojan ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec5c1ee022b8095b3d2055e299f845ef0e3530ad8336fca6f9620314960904cd

Threat Level: Known bad

The file 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan ransomware

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (85) files with added filename extension

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:37

Reported

2024-10-26 04:39

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation C:\ProgramData\QMscIskU\IgUowQMY.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IgUowQMY.exe = "C:\\ProgramData\\QMscIskU\\IgUowQMY.exe" C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CiQIMEQA.exe = "C:\\Users\\Admin\\EQkQYIgA\\CiQIMEQA.exe" C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSIsUAUc.exe = "C:\\Users\\Admin\\gMgEEgoE\\YSIsUAUc.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MaMQIMoE.exe = "C:\\ProgramData\\YAcgQYcg\\MaMQIMoE.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CiQIMEQA.exe = "C:\\Users\\Admin\\EQkQYIgA\\CiQIMEQA.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IgUowQMY.exe = "C:\\ProgramData\\QMscIskU\\IgUowQMY.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\QMscIskU\IgUowQMY.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A
N/A N/A C:\ProgramData\QMscIskU\IgUowQMY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe
PID 2168 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe
PID 2168 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe
PID 2168 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe
PID 2168 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\QMscIskU\IgUowQMY.exe
PID 2168 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\QMscIskU\IgUowQMY.exe
PID 2168 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\QMscIskU\IgUowQMY.exe
PID 2168 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\QMscIskU\IgUowQMY.exe
PID 2168 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2696 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2696 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2696 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2168 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2804 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2804 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2804 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2752 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2676 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2676 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2676 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2752 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1116 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1116 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1116 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"

C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe

"C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe"

C:\ProgramData\QMscIskU\IgUowQMY.exe

"C:\ProgramData\QMscIskU\IgUowQMY.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaoIQsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xukgEUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIokAEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaUwAYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmwgwgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyAQYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYIQEUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAEoQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEsUYcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCggAIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAUssgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwQQowcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCwswAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\emcoQAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUoIAcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hswEIgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwccAQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIsEIQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqkoAIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOcwYsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe

"C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe"

C:\ProgramData\YAcgQYcg\MaMQIMoE.exe

"C:\ProgramData\YAcgQYcg\MaMQIMoE.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 36

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qacQQggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYAsooAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUIMkAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKUgooMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkwUwEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAAMQwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYEwIsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOsIwwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20450088616759160981959454035-632558703-1805208175-1653363748-722607908821950258"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WawEMMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQIggQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\boYIokgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1418632360175431312181111941964235813-15960415021812948236309053766-1909064864"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWIEAAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSIcsgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwMgAYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgwkUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-213359505173482066016304871711436611403-708291851-987054793-14976828911406748015"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "59831468110117390743543941787163193221184643706-36984651615607923331912031918"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEMgIMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkQIoIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-189198630519079261433508386195097765412015455131-636940224-14646278811449684488"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1847416376598846885-656715239-142236587099271828515495557629435749791625319430"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-209112827-1326704066356905691064422435-1132195799298689016925336981680315618"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSUYwMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1630502520588848926-814897098819880253-229051584-1589500692-1143352356-1950290364"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSAwccEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\foIkAgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "48707063326387922-151874767418678180191145674428-1921103059-7168403141066177420"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwAAIkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1000182474-1208076173-527649170-930338366757146708-167628275745582978-827466822"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkUEowcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaQwgMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmcsQYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "134527320711619679041139160650483818530199071332693590728-1159380721-1051484830"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkookgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AugIUkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIsEQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1883813258-1382595383-89375564916492589604190428091711010128-201441837-345020305"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "79569573618865819671795218454-178147512668481140233304-1294045203336175311"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMkYYIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeYwUkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWoAoIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16603890018497066814586606552001995384623697864-226965696-1531075322195693977"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGQckgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUEUAYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "32287187-1171961283419226068-676731477-5517447161135854872-2511788351460063478"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-440889394-6061084701362025957-1145670805-17117595761059532397-740975553-68433372"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikoMkIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7329568401506016379492791844-1191971246-554181035-1349448179-1830985540-1383719996"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-690520169-1068860276-665151346-7237408601580501865787129693473040152178583347"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\meYEcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "764200556-1992423049104871776535232661535256914-35090985318902883341564398441"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUgUYgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11910911631617020844-824201136153640629818498741614182387841784347042-255132987"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYAgcYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCAkUUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/2168-0-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\EQkQYIgA\CiQIMEQA.exe

MD5 75d9985237d84e94597f64bc315b95e5
SHA1 875ebe4ca48bafa5209e5d4d096c327efea02d38
SHA256 0bd3ff54a2d1803670c37f0212a9fc92df9fa2f066f7952884f3ab5ab19d8b7d
SHA512 442fd2f5bb83f43233de75c8c69f0b7d5cc1c40bd875224beea8dc9afca781b1741f3b092448b46c9963c33619d5edb2cb13c93fccce358bd2f1bea73fa1ac66

memory/2168-11-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2400-14-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2168-12-0x0000000000390000-0x00000000003AD000-memory.dmp

C:\ProgramData\QMscIskU\IgUowQMY.exe

MD5 35b1f57c6ec46b0977972237596e6ef4
SHA1 5d8829c5d41d2aec6f8e86615250a19aa6b959ed
SHA256 bee6b115cd2dbeb145c8452356bc8871e2ea762491bc56969e543cc149944482
SHA512 559fe345c793cea9878e4c438088018a0768862fd32818f454afc97573c3d7834c0469fe041add38bdd941f91a0a1271754fec2396dfaa1a2d2126a001cdb9e7

memory/2408-30-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JSMUYQEs.bat

MD5 73b3be3bb90cc5fb3fb286800f610986
SHA1 f6db9348d0ee5ffb0bee73024d90ee5448581a11
SHA256 3cc28bb48209419e11944938e78ca5ac9fb2536ab4b6611bc52fe0d4235c2575
SHA512 3a7b1cfd2279ee296089a2298096f88a0a06ef9dc9436d01895203aea29509a6646a9f0dba486ec20dc48a4eb17c5a80c9edf98efb60225a0c4d937787c414e0

C:\Users\Admin\AppData\Local\Temp\DaoIQsYc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2168-39-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2696-42-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2696-41-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2752-40-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\JssMkQQk.bat

MD5 56d66b7afc8cca720f327ddda4f15453
SHA1 05dd1ee7921d2429d24fa7b75b10066e57d952bf
SHA256 d6954bd6da0d4fb71cf1a96a1a0f58548d9a6ec2c0976a765377e57b1aa58e55
SHA512 4002a1cf143742aaf72349832516074616065794b099dd40de43bcf53c461ebd8f7c282589e263767877cf01eaa5e3cd851bb709cdbc668a6244524cfa002949

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

MD5 8995c7a53e0a148026fbd0da69be9f59
SHA1 05a9908e9e3e640a426214276de1cbca6f72307c
SHA256 d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3
SHA512 45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

memory/2676-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2752-66-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2652-65-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2676-64-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NoAkMwoU.bat

MD5 78d553da703371ecd91d1a00156dd11e
SHA1 d22041725d91722d97abd7554049264f224388f8
SHA256 d4b29f4b4763406b6dc7737212525aeb28f1daff69077d14eafb4352e41d7c25
SHA512 bf63c4efc4eca8aee6fb18922e7551d308345e8779bb4c211d3feaecb6dd340d865ec40463b6adb32e4e6398e27c5c0c93fbdb945ad192fde2d9f4fe018818e8

memory/1168-79-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2652-88-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYwwokEo.bat

MD5 f9ed94c43d297f856b72b48912eca76e
SHA1 e96dcf461bcd4a37434a22024a4f3d6c1cd984d3
SHA256 7e9385a454acb7040c6b965a92c48141cbd678c18d1c3dd160064c3f82f26b22
SHA512 fe0b3238eb3a5c171f29a0cf81cd126e0d1e2d00adf1a2d0c2566be39d1f4fef463947abaade88ee9a51ca62f404c6baa1a4fd2bb8a6c745c2450097091f85cd

memory/2376-101-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2020-110-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KiMkMYAU.bat

MD5 3c1b4357a73502ffb5e8e17371df8981
SHA1 eeb4fff5ab13fb97de30c62eab3d1dcb7db110d7
SHA256 52b64ed3a13fa69600732bc22666edb45f089314ca2ef4d938b5cf696bd579d5
SHA512 a00032591c984fa0da122de203984e4376f63399c27ff211aec742cf59c52fa08dcffc467d52d93a5763fbc125172c0d658ade0664023f3023083f1d82d45150

memory/1692-124-0x0000000000400000-0x0000000000420000-memory.dmp

memory/800-123-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2184-133-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cEQQcAIM.bat

MD5 de2d2b1f637c52b9dbccb64fca393951
SHA1 d9fe6f657bbc77e0d4a31da6ba60dd449c43365c
SHA256 7c80f08abb74e723eb4372374374c0c59f273d37daaf61ce850ce97da295a383
SHA512 3c2f6aa9a2692ff29aed654dfc3f6a95ade0d9652a41330ad43636d9e01b39e33c5e25af3e6b1eb6095121936ac6df7e1591e8e6f35860e9343e44ab9a71a84e

memory/1692-154-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oaQksUsM.bat

MD5 20365a733ade94567bf334ca503e541f
SHA1 6451ab1bc9028b6427e0a2381a1771f1045b7e69
SHA256 d80dc4ffea8f1a60c867e862d53da60c8fb21c5c5d73c09ce9843f195df63c6f
SHA512 964bdcc460251324a2fc0d06f5302cbe0f7da19f8e62f9256fc5b714c942f762b63095408ddf865926f6f2a38382a38bbd1f0b17c30349801e1735ddd4015453

memory/2344-167-0x0000000000270000-0x0000000000290000-memory.dmp

memory/2532-176-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HcYAosAo.bat

MD5 481eb0f039e4ec239b5de621982f91b0
SHA1 afc353181f7ebf14a07fe44d67f6e17201cf1ff2
SHA256 67adb74bad543d9827a88d29d089b90bb89f9d325e6cd8bc69d7244c406be295
SHA512 ce236ae7097a1a72844c1f3e8a38fa960d595f7ac9178c45320829bb2be037c0975fa860bcf54b16a6c852f38f388e6894ec3aced7ef18e4dbca945999143545

memory/2976-197-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NyQowEwQ.bat

MD5 589f1b993cb4b088a81349949a76c78b
SHA1 40b195c5169c1711c0ec14258f0c16410bd2f637
SHA256 616d244b3a6e9bcfd0a72687ceb47680af79d102679125b35475746fead234f7
SHA512 979639956aa5edc28720c70fb2d0bcdde9450ee56cdc6bd09c432fbc5fc869f67b19b671711fbd12b70bf5d38c34bd3faaa44f3c059bf825dfc46c807d1776c3

memory/1376-210-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2844-219-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NgAIwgkc.bat

MD5 9a85dfbcbf1a62fa6979529b91a7f1d7
SHA1 83d788bea84bf39eeca440d122e71d3cbadc2edf
SHA256 8fd809f2da6347795e9416b5b8ae802a35d15a2957374298deea42600028bb55
SHA512 f6d7d0ecffdc31d559dc8e40f17f21c39868a5c3d75295b700cfcbd7fc24a3beedc35c3efbab75bcca6c15b969d98084a68d1258bd852dfaa70e8fd181ffe545

memory/1004-232-0x0000000000620000-0x0000000000640000-memory.dmp

memory/2680-241-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TEAoAAQs.bat

MD5 ffa77ef2a971f371b79d840a9a87e7a7
SHA1 a5d7f47dce55415a61457e5c5ab3f29bb21b3528
SHA256 ec55bef96cfa3223f7deb3c0e3d63e486cb6058721d07dd50bffb2a98e44c630
SHA512 c1b4fa74f8bdde2908846d542cf11160b211cd017560001975ce625326658363b92ed040efaa472af87be3a6d3e56cdb14505e04cfba4358fbe61dbdf244bbc2

memory/2540-254-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2020-263-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kcUQMYYw.bat

MD5 6feaca820d517ae285a1ef96eb9e4d2b
SHA1 c29e7b8e083df49e50d961d5acec4946c7dfb5b9
SHA256 69b1693f6c60a5af9c88e2346040d6fb89bd4e872d9eb44813afebd3c83d20ae
SHA512 e38f2b193540ff31d3a961bfe16880ef8328a67873a744434fc89f98092ba97457d7af89ed7dd6c44df882063b777800f32da9c8380ada68a2e9d40e5821c9c0

memory/2120-276-0x0000000000370000-0x0000000000390000-memory.dmp

memory/1864-285-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CoIIooAg.bat

MD5 5b77bc3493c672171446087be1939aa9
SHA1 25e565ccbfadf97985a3fb272cbed767cd325392
SHA256 92727ed975ebb4c84e08c9e01e5db3be7795fbb46c3660ddd22f2a3103b615a9
SHA512 653ba660e0067e47305fe7c4f22caa44721e77aa0d8678e0bfddc1f2fa55d84179e211ce77114830d235e88700318bf7a6a7a318e7e10008c6ff183d13b713a1

memory/2972-298-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/1196-307-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mOQgsIYM.bat

MD5 95d6ceac70b62c8d0ce0b04dea5689a2
SHA1 01898e90670f483348366994cd7a453aefc1229e
SHA256 6341400967610ebf6aa9c5426fe7b2f2811c4da210674f1d6526028530b4ed38
SHA512 d01864b9e0effdf71da246c7897be3df2816be83fac298d2590f62382c91fdfe0a443290c9df1b7387d5733a7b158efbe08020cc2c34c3c4a0b7ed5c05374b9e

memory/1320-320-0x0000000000280000-0x00000000002A0000-memory.dmp

memory/1320-321-0x0000000000280000-0x00000000002A0000-memory.dmp

memory/2772-330-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aSIgkwgE.bat

MD5 9489d17c1d5bb8dd5777d4997c199812
SHA1 3e72fb82f29adaf51aa0acb1fdb3a09c30ff48ba
SHA256 40aaff498dd0d567629063f852554da177cc67b5c0a92160f288b1309079d544
SHA512 f351229e635b4f4ebab64c40c3bdae037e04974ae1d723b982a0568a321184cf6ae74bca898a6ebc37e68b265b52f1bc87ba349872b3d5f450957f962291db32

memory/1832-344-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/1832-343-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2880-353-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZEEEQcUY.bat

MD5 56d6597a0e71ba992b9bb82fd98514b2
SHA1 5d8348a71781a47a034282eb628651ffb29f0471
SHA256 6edbd0bd387a91095118ad1ed29c8486a5eaaa1498c36b8db4cf4433124c7284
SHA512 872d1cad6f70942fb5eb07efc7aa3a27b0e7724c9432a3865147d8521911ac46db1930d7615940df7265ef190efe7c66687cb6a66801edf55e09e24c1a335ccf

memory/1520-366-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/1352-375-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dKMogUQc.bat

MD5 589c2e47b6190923cd09ec355276d01a
SHA1 1d0a281c5abca5c027c05d943976277b17962d52
SHA256 edbbdcde3ba2cebeaaf274574cc273e1fcc89534ed69fd0523156adf7e70f7e5
SHA512 21bd66f9fa7d6e765022f822a9ebb27d97a3132c19546f17350725a38a3fae957be737b43c7290324e9fca8589e2224b046a3cd4813deea74f9bd6d0fec97c12

memory/1516-388-0x0000000000400000-0x0000000000420000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

C:\Users\Admin\AppData\Local\Temp\cAwc.exe

MD5 ef91e18461663912d5942f8bf283caf9
SHA1 e59f25acf68c5309dd5f573f5c6dc753e809b2b7
SHA256 977280b5c5713753ec701b32fc66fede18376cadc04870620647c5fa0d4fe548
SHA512 d28143e5133638137cc976a5ae6d85467c9210b12e6fb7429f2347ccda169491406cb01428e74c8851e2cc7390b0b6f08336fc09acba3f3185e5c33ae2252c53

memory/1644-401-0x0000000000400000-0x0000000000420000-memory.dmp

\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 4d92f518527353c0db88a70fddcfd390
SHA1 c4baffc19e7d1f0e0ebf73bab86a491c1d152f98
SHA256 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c
SHA512 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 c87e561258f2f8650cef999bf643a731
SHA1 2c64b901284908e8ed59cf9c912f17d45b05e0af
SHA256 a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b
SHA512 dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

C:\Users\Admin\AppData\Local\Temp\dIcAQUko.bat

MD5 cad9cddb4b941331232b9c8f0afc1af5
SHA1 511ba500f7bf9859f5fddaf1dff7c40d81c5cd83
SHA256 ee5da9329509b14fa193ad1626529e215d43f38a75d7330e7912963a59739e47
SHA512 20cfd7982092a70d201f32df4790095e74a30b147e7e4b15c132770d6e889366e29249fa3d259d9482e7fd7c4d1853dd86c849819b01d312e3ca8d2ef31547ca

C:\Users\Admin\AppData\Local\Temp\KsQy.exe

MD5 2d7b4a89ede51838a14a20533d87f969
SHA1 eaf2fb0e184014d1677d9996d02ee85e71178ba3
SHA256 5e271c7aed6b8344052c3e1f1c66d9a446ee086df06260e8fb8abfc80db9b703
SHA512 cfd6e11088112770e9cfebe45e2eeec963109e3b383465158c9fa565e1d259afb63bca37f332dc97add29e313e3036e474f9bb0370abf4a464483e687baa63b6

memory/328-448-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yAco.exe

MD5 4dd195ad719911bcaecacf9b11ba111f
SHA1 1b0ab64172ef23a852f2b45361ac1a2d1b763c52
SHA256 da44a57d62c9fd51d480f80476735a05cc523f201eb6e0137689c401acb48eaf
SHA512 5040b89f2c42275daac4cae6aeaf40d5ef51a54b884ed6e883786485494958eb017f0fb224837d778941ccf3c47441dee6c6f985495c30f154deb9b41a922515

C:\Users\Admin\AppData\Local\Temp\SIQi.exe

MD5 ca42a8c15f65797891ca9efaecfa1ef8
SHA1 c84b09cd30c85a1f38a767485ddac3e9ead8392b
SHA256 fde853acd3bee3e49fcaf0e2f0784604836821e2d7d79bb982abec57233c2f15
SHA512 3657c1b167e64d5be6b0cde3e35c3e2a7ef154d30ba102d480dc0036d7213f735d7c37f16d30e1d19e3b826b10b27e075e7f1536ad28c6f484039893e835063d

C:\Users\Admin\AppData\Local\Temp\QksE.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\YcgI.exe

MD5 d1f3ef071c5cf118be6b1ee73ab5dfe1
SHA1 8f4dfac367fd22d580079481582cc44f8860351e
SHA256 678e70352026fd3e957f89c64c9fd240e77323745f897954c18770c921b8fd93
SHA512 cdfce1122de2b42834eafbfbcd93c9f6f3dc5c351389c82f3085ac533eb5b3d43b851f3d91b82272051e866c79535085b86b254144f33bc5f723ad9cf97bf8a8

C:\Users\Admin\AppData\Local\Temp\QwAk.exe

MD5 868d83d003755da255bd13db87c61bae
SHA1 a9e0818dae3732c1e5a88a0e262ce559799b2ce2
SHA256 04630e004ec32b3da4ed1cfd718e51c3dae3ecc2f9c5e7cb034416cf61edf4b5
SHA512 4707820c677ebfdd3a78ef7b29d437cb4ac4e3a621508700df7859c583e004ebc690a717ccf151eba93ea926dde9e27e5ca8bebe8b915c7c80a6bd5484c4b6b5

C:\Users\Admin\AppData\Local\Temp\TMIkUgoE.bat

MD5 326d4acc68f5c9996951b328025ed406
SHA1 1b9bed988e056c5a4fc0596b9d6969ab4699cda5
SHA256 5d981a58c58640a06c8ae411356e0548d003c3e7f27795604e7eb8b58454489d
SHA512 c1ca3dd03079a58200ba257405e83dff29ac98f25504bb346815e290e34d6e4e62dfc899f5cff527859866411fe474b076107e3ceedef8bea724b98b5d59321a

C:\Users\Admin\AppData\Local\Temp\OQQc.exe

MD5 946e2c9efa32131be48dcdca5d5e3117
SHA1 6a85cd66e716b5c6a833e41fd0fe74fd70fd52cb
SHA256 a814e38d67028b76de43fc8e521318887937a3bf31ca98d986cdc312f6bb3047
SHA512 e9d0bfb5816b99ca648899767fe6fc9cff7e5ff4ab0cd30c6df5cd41829a57aaa8ecf0989a6421dc3a6b67ff666e821e3f0c30c784d2fc1694ebd2564da7ce6a

memory/784-526-0x0000000000280000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GcUi.exe

MD5 780351ce5a7b1977d315e030bfd143dd
SHA1 86721da65d53bcee573c6535933be9fe817ec688
SHA256 9294c08073c169dfae7b43efa0bd0f035788ed3d96c47d8e4e3990d26ed86e53
SHA512 21f29bec343c98a291bac3ed24408f2465785ce22b3600a8a9a7e9de459e90ee2a2cdf1f447c37eb649f2c0b52ba511c15dbc6ad8f6eea520aa84efe6cf038f2

memory/1588-561-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ikga.exe

MD5 c1065a3cef04466140cb525dac00a495
SHA1 1c31ac97ea67a6aaac4612b1424a3acbb5eb42dc
SHA256 41aa0813135c82be8c5cc1c303772d17dd957e6b9dbf7931068945dae6e10fd9
SHA512 bfa2e93fb2012f877f7f4e22d15985ea0162f1154287a4304e924cb841d740807f3e7d28937d9d4a712c3463cba0a9aba65ff42781d07b29ab71568b4e796ce2

C:\Users\Admin\AppData\Local\Temp\uAkc.exe

MD5 e2a5235b74f6f173c1bc55c53b12e645
SHA1 41b026327f77dc1c67af55aed21f6ff42f10037b
SHA256 f799c9b5d4b3aecf2538a11b26363ad9551f757f9425147f7d43aadebc85c26c
SHA512 e63259110900772f59e648cfd13c280cd9246384fc7872663a97bffa84f78c3dc6fe1a96bcef1e602de318d9d91e1a0f836b663250683baa8d49b146ef301736

C:\Users\Admin\AppData\Local\Temp\soAU.exe

MD5 ba16f52b6ca5046c6b3def2341a6813d
SHA1 318d8235635c44c23ea2a451f8a90786d30400e2
SHA256 af069ded24722fc7c28813751893ab308299f50c52219ec5c7da34194c85c2ea
SHA512 84b218c407316463e740bbf29ecee231cc579a2f1e54b3324dba4b242e0ca9066a604bf7f0d9e99d99a9a1696c062346eef40112af7d5a557fd84afec3767875

C:\Users\Admin\AppData\Local\Temp\SwYE.exe

MD5 00a3b2706edd8c320c32de7edd647249
SHA1 18408b31f2455d891264a56a594dcbd4e9c23055
SHA256 5303a8383e9fa7f126f06a1c64a4b09fd1d2c745d11f617a3da99e4039c7634c
SHA512 64d661af957104f75377bcfc9a9cee01fe8e8ddb14526a56725c78b6fb56ffcb1ac58a132944c104d3c81f81a08aa3101c038df33ec49706d85e59f381fa003b

C:\Users\Admin\AppData\Local\Temp\KMQY.exe

MD5 ccefbd1c1df2f7a20855948fd121d1b6
SHA1 0c07aeec047669549bfafc9752bab877a80a3777
SHA256 49b1546ae851ebfa52a711a1aabb1e4dd3a845de761e8f5dcc52256c3ea4385e
SHA512 d2d51cf46ba44287e45b1a9ffbe711c132e0c1f9d78b7a0fd67cad4b28388dcc5c57fea50683419a1411fa963c2fc07e5ef80a3dad6c6b276e93ee4b96c1e744

C:\Users\Admin\AppData\Local\Temp\MQQA.exe

MD5 222d600cd76764351a62effcd7b96e2d
SHA1 ec9d97b445779558f11e18c93cc035ccce2e9c81
SHA256 3511d0b061216cf71982cc45202dc20603314b806ec72f8c445236382f4c41a9
SHA512 b1a21cfddaf8a8a4287ec1872d933c2437560b416ab97f5f592e6d6f97e25336249cdf6a8f536c7386566ffc847f86990a0002a140a046167b7f5507a619c44e

C:\Users\Admin\AppData\Local\Temp\iwAEoMko.bat

MD5 08412c5c18fc7654f1e2e6faeaa9b9fd
SHA1 b6504f4f73a4a4fa678eafd4bb08e53087b80e2b
SHA256 817844eddc31ed0f7d142268c5d950cceb53fd28aec31120b05cbec9f56c5198
SHA512 4e2dc18f5b97eebc83b74ff35a49c2c7592cbf71ea97d94d0f9fa18fe3bbccddfccc664774064dbdad0631667fd938233f583204ac9121ec1b1896dc7930279f

C:\Users\Admin\AppData\Local\Temp\KUUW.exe

MD5 9f00126838052762e9d8788ca6b76dc1
SHA1 74b15b71303a7e1505c3471d10d9aa3a6d0d2ac7
SHA256 bf6ee184694d94b8a9cef3c0f3085ac7377ae97431b188b09333317c8cd56279
SHA512 d1d0156cbcd27eeac6f1c127593389caa0388ab10daa0f79c78a75e22d8af52b7813cc06cb1c5a8ad014e6904c9b059bbe375e82b6a0d1fab8c70c85feb5fe37

memory/2508-662-0x00000000002F0000-0x0000000000310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iQcy.exe

MD5 249fbc0e4a6aeee714aa003a08cab513
SHA1 0f1aa6807a232c14fda638c5d342d380c352d6e2
SHA256 b73561dfd08e75f67f69de269d0179afac3e7da1962e74c7118fdd1a0a92f09b
SHA512 147fdd31b999e5f04a6ebacfdb0a240e066e4d51fbcb14cda8ff96d10ad89658b8c7cbe0c88350cc20b25fd004cec954fca613e5a934d061ae8f7f2f9d450ee9

memory/1632-671-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EIEa.exe

MD5 ab7f78106095a67e21dac6aecaa50642
SHA1 f30b047d877675af0b59f027055d031680c8f6e1
SHA256 63af5d4090abf9fa7f39ba84cdfd72c95d47a6ac5bd2d9a9a824a04c68bed4fa
SHA512 57b9ccce33492afe6ebe8c900decafc07c447be39fc5ab435d1996b740c0d0cc525d23e48191e531fe76e45d84664a8ab84b69b3cb5dcab265038ec6b1c8eb93

C:\Users\Admin\AppData\Local\Temp\wAsm.exe

MD5 97d50d87f3b078376100e6d99a91c932
SHA1 1703e6d38e7d98a83cabd1c63483b287d2042588
SHA256 31ea364da50769243a3fd5053848db265d70c8f32c3938227ab3ff9f3c2a2753
SHA512 f457880d68d07ff6e8062900abdbf676ad4571d13ee9c7315dc7c744026d36037e0b9935cfd7065c9380e2dd97687f15aab846f7e626a6f91cce3df2c28b620c

C:\Users\Admin\AppData\Local\Temp\QwYw.exe

MD5 15d6cef8a2fc38ebf20b768666e7cfe5
SHA1 fb8a49a8ca531ec77b156f2a0abe37df1fbd47fb
SHA256 da6e86b15484deb38d220609693b7f41d9449f6f33b6d428858bcb9b7c7138f4
SHA512 7e5928b18999e3fa669dfe50a2eccd3323061749bed3b017bea14b2ecf658279c45c7913b489e242f57f1de8e90a160cf1cc416cc4843147087ebce78c4a97ea

memory/2296-712-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2296-713-0x0000000000390000-0x00000000003AD000-memory.dmp

memory/2656-714-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2576-728-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YsgA.exe

MD5 c8880bbfb2349f5b08e4aaa6d664adac
SHA1 45acb38c375fa6584f018401624df1568ed96021
SHA256 fb1f3ef6a78ead0af169349b6239096d2dbaa9bb8d2d61710452d35a7c9876f1
SHA512 4eeddfb6f45dd02992fac4710dc1c7fdc0ecf7593dedbb65fb5ed6e884691fe897c1a218c8b46cab616b8306289bde74d6848d5463350459f1fe9501df9b06ca

C:\Users\Admin\AppData\Local\Temp\UQQm.exe

MD5 ed2e7628f590023c7c083f38c7d4c59c
SHA1 48b0e07a5f2e3bfdb3b1d1f84a9d2ea6cd0c56b1
SHA256 3b07a05ee2357c795266022428ffe65fde55d90b5eea2391afbb053dfd96b037
SHA512 5f5f7fc459e263de16c084c76b43bf9ff21f4e1ca0210772ab479cdde3bf14e5715bb8b0657d3c3b21ea20e2a0753ed278dc8fe4f4b76f769b40548e5ee5cd14

memory/2296-759-0x0000000000400000-0x0000000000420000-memory.dmp

memory/852-760-0x0000000000170000-0x0000000000190000-memory.dmp

memory/2272-762-0x0000000000400000-0x0000000000420000-memory.dmp

memory/852-761-0x0000000000170000-0x0000000000190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mAgM.exe

MD5 52109b4467765b14ba1361a240fc9525
SHA1 059a22b7eed4201d53321662e86b23cd3ce0d054
SHA256 a9658fd443326d847f30be1537c0a43781d258e5889026ae030a3e5a087f7909
SHA512 3ac4e11f532a876068a2c9889cb9502af7a4f24780b1ce41afee42547cc583df382794ec4cfa2d5a00ede9dcd8d5398c40ba434643f9654b0b8efa3ac4e1a9bc

C:\Users\Admin\AppData\Local\Temp\gEsq.exe

MD5 a0be74918351961590b5de8bd81673f2
SHA1 27e0768dc5488d8abcbc22648d3bdb93f9bf1685
SHA256 7206c7683c262fa91299d067e57c2d1781168bc10da0053bf2ca06f967851714
SHA512 4be2de16ddc804fe61a628853828b309bf93f43fd61261876a05f97a958a61b62fd4befc37312e333077263018c87f8eb8f2828c043f8e930beb7a26d5e2aad4

C:\Users\Admin\AppData\Local\Temp\UsEO.exe

MD5 cc96e6d65867de672dd6b4ce07a3b166
SHA1 c2811f0ee36cf522dbbac0385990d59205215123
SHA256 d061a85f9a7b1bfd0b50c460609aff67bd3dd5e71b60f53ce2260b4819ea605d
SHA512 67d9c6a4026b2f9ffc2e25481e9df316aa7761b7fa3598696fa07b52dbf71eaf8924245d30947a6ca03cc3781b48f79a53ab97e753cccac2210f75b9cf54bb53

C:\Users\Admin\AppData\Local\Temp\EEMu.exe

MD5 bc95b0cf5764e80e2b7710eab0b08336
SHA1 f6589bcd5bd4d9c1c03dbadf8c0ae50eb2be7fc5
SHA256 c4e265eb20b5b6050767a1531ba8d0d5d6c1aeac64bf99d9a282a20b44971eb7
SHA512 b454489e9c5fe346ce8ad27d8c7408e30e7177efdc9360ca6be5e36c009ed71b7a2bbafc3771a0b001004ae5c1639315216f60a3da543d0887ffbaec85306746

C:\Users\Admin\AppData\Local\Temp\MUUA.exe

MD5 526fc97c71fdaf1d3a0818f204c4b285
SHA1 488539c04483afe36a83afe72a323066d08825cb
SHA256 dc00387fe1b80c6b9c467ac45ac31538e2ddfee651f5c0b18fa6b4e10bd915ed
SHA512 5b25b0e721dd5a392e86c1839f7d4b47bd8bddecc2bc5bf4aded488befc22f0330ae1317e97627e4665e1f07cf0a6f3209b4c3b592daaef1be23fb4baf14bf2c

C:\Users\Admin\AppData\Local\Temp\WaEwsogw.bat

MD5 645edbedb7c4d30f4bf80ce0153576d6
SHA1 1f5503245a06782c4622f85d418c3e80818eef84
SHA256 13ca6ef92e6ad96a6d07575b0b39f4f9ee95176361d9a4878a8e23f66f23053c
SHA512 33d044b0446299a5fb27fee870806b97c753ae32d475efa5f3102741a115ce880842514bafdd8452df90cfa64c9f0cbf0b9bc9d28d3985c4a32718b467ab58af

C:\Users\Admin\AppData\Local\Temp\SUYk.exe

MD5 a67122051b0d88d978cfa36805d2a883
SHA1 0de041e8b7eff303ca9d7aed0e5f16a442f23cbb
SHA256 b505aff77bc079981f82708cd872df2e3b091fd82d801a39bfb73606b4b8e0a6
SHA512 e578753f28c4dd913c8e84815d6003959bae595d9ae14b6d9b0efa530a809a97a22dfd4a263ac8b92bcf2642a0ba1052b5b81fb6494bf624b9757def0c5bf389

memory/2680-838-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2680-837-0x00000000001F0000-0x0000000000210000-memory.dmp

memory/2272-847-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EQkk.exe

MD5 fa2cedec519dfb18a1a5530c7ec18ba0
SHA1 a723d2299521c810d58c529b4d4dc6432b106727
SHA256 d51449921df5d23de9d567d87c2880f43fe20536bd872a5d5e68f48502b59d26
SHA512 02dad2077b0883f927496e66ed817640d6556cc919c2c435fa53806b08123c6e1b2efcbae76ccf65c49fff03664bf9a9d4969f3d71c125d0861d1e51c26dee59

C:\Users\Admin\AppData\Local\Temp\iYYG.exe

MD5 00ec878c379eee888bf7084488ae4dcc
SHA1 6f742c25d1068d18f8ae6227c9cc099e9851fcc7
SHA256 90e6a17f16439e8cf5c46731f4233d47281dbcd1488c054f853fc510b22b2586
SHA512 01f7aae8f97859e0bde998a4988728c9c3023d6d485dffc026a149a6d2c63a8d18d59713fa07941130b6e3f13ca8692f60dd4929c54f60ca9a97664c23e09efa

C:\Users\Admin\AppData\Local\Temp\kYAq.exe

MD5 2c6429ebdfeb0ddf7ce4d8b37be3f123
SHA1 3586302d94730d04144dc9b1aa88b2d4f67bdbc0
SHA256 9416ac3d7a8b96cc0e9468b5ce1209986afe5fd3655d764a9900273a02736dcf
SHA512 411de5ee10ad7fa2bb91f280ee2a2bcbaa040c4c6e070501ed7a94bf4eb91eb8928825ac2d7dd1ce987afc7e85062f697604da9a2ffb51b63ef315370efa888d

C:\Users\Admin\AppData\Local\Temp\QoMM.exe

MD5 b1b05d20d3ebd317e70944dfc71a0631
SHA1 3fa4f3f637aac33bbb051f86d129a74997995e27
SHA256 78861d5dc070706a13318d46070a005143886bc80c21bfc6cb7b8be2607819b1
SHA512 a852a4f8bcee8470c141175d018a90f106ac7454b61877b1ba7141ebb11f2320f8012a907222c8d322dbb6de91fd2a3ce74e676188f44fedfedf53a68128af98

C:\Users\Admin\AppData\Local\Temp\SwQK.exe

MD5 9a7512d132e533a4ba76ddb2761e6c79
SHA1 174149cfe92685fbeb058aa535db0cecc88f57b1
SHA256 ce1f48caa473c8d7fbfa8b0e88f82bc5e1bcbe0b2095425bf13ae21e73951416
SHA512 a9c9629de32da49a898e57004fdb7481b0dff44183cc9c0176a7c7f3d1d950b81bf2682728aaed9a330606a5286754e11b2f4969127c83f59adf0d2a050caaa6

C:\Users\Admin\AppData\Local\Temp\soUu.exe

MD5 3129e78d30af701b16675568d9cf9cbd
SHA1 a45c0d527e5c57fc15714388bbd5819e0b233bea
SHA256 41fb1568232800a6900391f0ab9e973ebbe68363394386ceae56bafb5a4e816a
SHA512 637f3a9c40fa4ad1541b7b35e80ec98616102a9f0bcc9077e26995f19282c2401e6629ea295553267c88d40c30ec3748478b184e39880e2dfe401e57a7cd737b

C:\Users\Admin\AppData\Local\Temp\MkEM.exe

MD5 dd3ca58329c398ddf67dc6421bcc2f41
SHA1 4b5e15cf89005efe7921b243ad5e216e82e0bb4b
SHA256 3942a89ef7c445d901edcf3840d1693212cba3dd97d253ee7465cf35f010c23c
SHA512 ab50ae0f8ba4451f4a3ba9430e6539554566fb256db3e3d7ce14ad2e77d3d81a264cf3112f678bd4f577370100e19a14e703aefed8a7a9abe72175774ab82003

C:\Users\Admin\AppData\Local\Temp\TCYQYAgA.bat

MD5 b236f6db4032f47d9f3e70ceba2e9b15
SHA1 17324927383399d1945feb44206f15ae5712ae8a
SHA256 25828181ce5d428585a732854c698eef1c5247911760adaa109543c300a0b29a
SHA512 ed94aa874cc03582cd24ffbedcc795a932149dec9728834802ec3bb6947771b2ac899685d7083bd6ec069e2608149d821894e559ba2d82d99de3d051b693d41f

C:\Users\Admin\AppData\Local\Temp\Sogg.exe

MD5 a013296dd7b09f4609a5957f1b86f625
SHA1 903fcb7bd61f41b0f93b8b4bd93c5ae66f44faa1
SHA256 ce611b00e9822222cda1a3ba1c6b12e308275a215ac43eb260893d087621657a
SHA512 a3fc6283fb9b56822d286b67e08d096ff94a2a14660777186a8528e181c11453d3f1f30ef47216668b767fa3f3dc402a6f5cebd34811af644a0bd2a72a334aed

C:\Users\Admin\AppData\Local\Temp\IsQi.exe

MD5 47c87a9d3dcd04200cba0495154a7609
SHA1 6e721e10745fdef61957bbd2cf9e9713030f8135
SHA256 86902137dff6a40d7b96915899bd2d192b7abd4d57e8c2b61a699ce89b94371f
SHA512 cdce3c4541bf12a79b5f495071469dad2e0083056d1bb5dfad653e68eb7478aa7c2267851f33ff8645ac8dfa72f980ef072cd20aea17848d1d9ba21823c43cc3

memory/2792-964-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OgMK.exe

MD5 442d9a45959b4f8a97606856deb36fa1
SHA1 b25c28230a149d1439f1aaeff7aeced4d359da38
SHA256 6c3cabb53e34c1ea2a038bb311827ca5122fc72f83690c5e86b37999d2627c36
SHA512 37dd1d402b0da70663b8a06169eba59b89a1c47dd944b43528867f359198ae2084156dd01a9aece2c20b63d9d76d7870f3fbf23bf93252b15a4f60fe9b5a5bda

memory/940-996-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GYUc.exe

MD5 f9dab252a1c8c280c43cd2b1bc4aaac0
SHA1 83cc924344cd623c16f779ef9eb57eb697193d40
SHA256 5a9fcc1c6a237bab157ae5687e54b3ace9fb855feb8f9fb99d39d37ac1ebfe74
SHA512 588075d9850ebce5b3556cecd7bf1368591ee0ef90a7a6110a80f06eb26b4e5ea1cd0a42ad171e14ccebb4fc67e85473b93062f1e9d302b726aaf0da848401e3

C:\Users\Admin\AppData\Local\Temp\MwYy.exe

MD5 cfafc19221a8f14a06758ea20db3e234
SHA1 fb9c9ed1a973a4f789c18a6df953abb59c36547a
SHA256 c31fef1af15be91aec81dbd273356cf94f45d68360350ab8e5e960c208149c3a
SHA512 b64a03fdef1d648ed9d1ffcb73a728c69641cee4c5053136ceedb192ae2647861ad7996c2ab8771ccb63be4f68cca068bae988ed4ebf5d59616f4b9ecdb08825

C:\Users\Admin\AppData\Local\Temp\MsYe.exe

MD5 3f6ef07c125d01078004748c82984928
SHA1 6193ad684707bbb7f2f809a2522957ab547b2d70
SHA256 f13e2a698098db536e2612b7032e6b09dbc9555737b3c41d482b8744866ab83e
SHA512 fdbf245ea293433d7fe0ed3efc3d0b492eb04c24fc5d443a54ba8211c50b5387a61752ad1d1754cbc0bff4e70572a751f39bbb951671f706e04cee7883b95e7a

C:\Users\Admin\AppData\Local\Temp\okEg.exe

MD5 dc34a858f773bd9f0d26c607ec3a8476
SHA1 97cc35c3c731cee7b15bf62794a333830a5424e8
SHA256 7e899f30524d7de052b7752b05612d83bd598b15baaf1519e2d86d9b8bea0c6c
SHA512 a9a8f1a43cd64bce453b02600b650d8a740fbd31bddae556cb6c7ec192772e5ab3ad620bf049291196b355460f1fab1a7d34632e132c753bf6d061e223bf04d8

C:\Users\Admin\AppData\Local\Temp\kwgo.exe

MD5 434cd993ec5cc25a8a822e0e8ca3eb6c
SHA1 7f6b45bb6af1d744a76fd55a863befd7293c59b5
SHA256 0e211b4ce214d541dcaf253bb5fa5398650dfb169dbdf9cc40ab8ffadd445f9f
SHA512 a7309d80677c5719e1aec59f2c531b5fc56449830002f4d34eed96f39dcb6c70bd9757e426cedee4744f6217fba734875282931b99f82208e04fd794d8ef51fe

C:\Users\Admin\AppData\Local\Temp\GEoI.exe

MD5 8336c93f632159207701b801ab36d77d
SHA1 f5b1507790eee9813d1f67811ee459175616f833
SHA256 c235867ffd16da1a91b9402329fde87defc6a035faedc4c2b6b44afcb83c7c57
SHA512 955c037d2e58f2765d116dcbd5e5a442c7032ddc92c7b8cfb62639390f9f0ca0b55c32c7ca855ce0190d1f26ea17f1b5027846c77b0368f0aeff8d2d581e2fda

C:\Users\Admin\AppData\Local\Temp\PAUgMoYQ.bat

MD5 c39cdffdf549a23cb73bfce39f7ea5c0
SHA1 cbc85f7f691fc37257501f13422d04017a9e798b
SHA256 47007a829c4e7b86183e6e5d858e30f35c7a91a698384eb2d4c4c35e954974a0
SHA512 731f2bfeaf8c50ef85bc8dffc4adb7cf62eae2bab1fde5e56cf54723d563019c73399266ef72fa8bf4a4fa7b5f93cb2f47f9a25b13a25426f72f84c8e2f3d281

C:\Users\Admin\AppData\Local\Temp\EYkO.exe

MD5 99c4aa0739703aaded2b86568e4d06a7
SHA1 605a01e306115cce9bab776c3f0bd06e67b6e586
SHA256 934ab4f61c80fe6ae0f638d8807ceae34358469af357fcf6f90add414d065f9b
SHA512 9d224032e041d3ef8e79315cdd368d4c9670d6fe0d7e944918fec36640a421e18810c1679cbec770f8f08f624e4f6b54c3c5f4919960c66ee1cba5ed89c9cccb

memory/2652-1097-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wwkk.exe

MD5 d96f8eac23c31e32848b50c6a7b873d1
SHA1 a4d3b0781f15ae94910ed6ae14f28ed8cf43fa3c
SHA256 9a776b576b33b49877a8305b6f9232f25d6ac6168cd201f3c36bb65ae5ed558d
SHA512 965ff0d5f6d39f761b8396d69ea57c41e52c1b1e1fa3eda31572369a4d0d963c261f986ce1fdc7b3b305d743d9dd3f85957f4a80e0cff123c2323b12628650b1

C:\Users\Admin\AppData\Local\Temp\ygcu.exe

MD5 409a9f03895f8d3eb9cf446f4e049834
SHA1 4797c91c41c08720bae0929f3946af703fa9e8c3
SHA256 73c0ec0b9f413dfbd49d6ddb0e67277efd4c02b44c2f35ff39fa08437334a45b
SHA512 c884ca2047ee9cbe6f39aadf9b761d1993fd493ca0c4e1a99bcf5aaee3b816bcae8925da3c0c6a4f46dd7bff346276b18ffd1fe4d1594031b8a66f15e750035c

C:\Users\Admin\AppData\Local\Temp\IsgY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\oIcQ.exe

MD5 a5aa25f958a8902246e3f1d823bf6296
SHA1 3ffa93ce8926fa810977b5875b112f7406b462ff
SHA256 4d12312186a86f065490aae5876bf5edb728e89d09360fca5215c91cce401569
SHA512 7c37d0c2cfaa9c2aa3ab42e8315ca9bfa918a42cae4925b0cc32bd8ed693596486403c33ede2faea0dadf69cf22acbcff7f0cd972efadc6296394fedbefb18a2

memory/2804-1132-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gAwa.exe

MD5 2be14eaf3aa4e73b4388cba997e09c9b
SHA1 ddd082b349172e1e070e528c59be3aaba58312f0
SHA256 671028449d2a8a4f1432525b2b5773b0f8ecfdf6b58134945a11cb7e6da104a8
SHA512 453abcc4ef85ce6c8ab034af3756caa8271509513c1915aa7fe55cd0550ad9faf5b24b5f06f5cb16b84b2d8d532c8e9e02f8ec7a384fddbbfea717be25c3b631

C:\Users\Admin\AppData\Local\Temp\HyYMckcw.bat

MD5 e27fd8dff48b0abfb2119181ff1ae055
SHA1 12892205d0a5ea2051d492c76d975b73c701a2a6
SHA256 5b1cddfa19c9449d4e87e4c735216704c7cb86e968d3784f9f5afc1352c775a9
SHA512 ad67fe8f8d42e33fa44e17ba0d54476ea5d0d7f3e1015048079c122e0e3238f77b52566b2a499b4d84595f23cf60db32376e429d70f26d7d0269a9164949b8f6

memory/772-1170-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2140-1169-0x00000000002E0000-0x0000000000300000-memory.dmp

memory/2140-1168-0x00000000002E0000-0x0000000000300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EwoG.exe

MD5 8dfb8b691dde48a5b22a7f08f966b2b9
SHA1 0894982fd18cdb40af8f4b140d56350bce87888d
SHA256 f19d531527809fe8603d5f2d2013dd2cd500ad5dd3310d522c806c6876eea781
SHA512 a7acb561e8c2945978b9f4e72226f8a512674da1a351a10bab93860cf1a3f2edde78d8a09931b670b634b1e41403b92e7fab2342dcb6a5b53abf04c44e9faf11

C:\Users\Admin\AppData\Local\Temp\WYoQ.exe

MD5 cf4b40103058061902314f1593860427
SHA1 98f4d2da846e643e618788dded3efe7d237217d5
SHA256 41330f6bba8fa5f53035d3e7af1b2aaccecb5043fa7ee5de0d5c0f2dbfd7a07c
SHA512 af1fc9a998e4b2dc3dcb1323c90787cd22ea792a328ee1756fd33fd2ac03dfdc2612170c78b954481b0a9a588e6bb17e03598c3d11b2353fb6c40d65546f69a6

memory/1652-1192-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecUG.exe

MD5 6abbb38ce02f8c4e30a6280f407f9b40
SHA1 21eae270d378774cde1b9b3a3043f6579532abf1
SHA256 ed721710af442368c34e45aed8328d9cf277f636c116ad39232dceb388f91832
SHA512 e51f453c487d739f78962d680b387ccd928da17e18e1091ea851759721d650937721a79e6082d7f4462faf04be8bb83b7cdcc7a65f7d66f81cf69d5ac1326f5c

C:\Users\Admin\AppData\Local\Temp\lmsccskk.bat

MD5 d930a8ca2b3192f1e6e3a18bb14c13cc
SHA1 6d38c1ed2c2548806de379a10eee51c5513ff603
SHA256 656b89867cc9020a563865d0439335e554d4b1f5de34b55afc150779e8a19fbf
SHA512 095000f1e678390f6ccceb2a6ea9b11a09a0f891b41c1b4d2f0789a56bc55c497409e37dc0afee7edeb1bef53fbfb8484c05ec084bc856a1d1309ae600147c92

memory/1296-1243-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2116-1242-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2116-1241-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CsYw.exe

MD5 9449adfdf983478ecbc12856591a56ed
SHA1 9e5e042955eed1e48539515ca74d49980a2e6e70
SHA256 b9f76042b61ad23e911dae65fecdc988546478534620f5551d786056a4e94afb
SHA512 48f7be46513e2cf1172df7d67b76b0176b9813950b8673be52783dea861562229b1da32fbd9cdf78bd7be6e78e231da2c72f71fd2119176a4e60ed65998c4adb

C:\Users\Admin\AppData\Local\Temp\EgYg.exe

MD5 02f3af9508403db181eb31adb6210f90
SHA1 8f6995055551c7a81181b084f21438f007b0aad6
SHA256 1ea2ff8d7e4cd5b281a71c0ae7dd5f38278e11b16d744b145e6f217bcfbbf332
SHA512 6cb5ac32a1d54bc72500cd5cb4e9a76eeb36f9f7cd8a1d209ff7a01f22babcc94616fe79d1868912c9c896b11f88a50f399ddcec0206eb6a5e5ffe65c516ad55

memory/772-1265-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\awMi.exe

MD5 87ed99de60cf4b3fb522323b5200530e
SHA1 8a95684454c9bc891ff6b009b98916a2630fd155
SHA256 b847951d77563946118328806482176099c0b6234029ad08c8c5fe690b447cdd
SHA512 3e477475556e7fbde5822b369cc6e6481d1399f2cab9cc3eee59e88f51dc83e07d534c9f1d62682c782c602bd35e07e38d70949ab8b636177829d36dcb0a10e8

C:\Users\Admin\AppData\Local\Temp\aYcW.exe

MD5 20515d3fb4cd84a413729d4562096f42
SHA1 61a350c362a884644ee5d958679290869dfcb643
SHA256 89cb16b06c17f1f29cd63a5b78f9fe963fcd098409b69f8ecccd273b0f91bd41
SHA512 bc4a950e2b9fbe4df02584f868b1cd3ed77aa7d59a12927c04751a4286f3b1ef7431593d8d39aadee8d6c3e79ce0912e8ad11fff7e0e3b6533e6e0d5e7cb3e09

C:\Users\Admin\AppData\Local\Temp\gwgM.exe

MD5 42b004f726fbbaa0b8e6e313fae5b507
SHA1 0318393c5c43c93ca2b68cc45d0f64625da45c21
SHA256 1e39b66347c380aa1c92af82b07c47a363bcd0d569766ec69c939f31db9005d8
SHA512 75a7f0ff2728a8640415806801c4ac90314af1371c59286558aafc2b1757b43e5ba471da6be28b515c79eba15e501abd07da42a0bd6678c988e4ce3245148231

C:\Users\Admin\AppData\Local\Temp\mQMo.exe

MD5 921f0359f5ac9ca1b40932f723dc0263
SHA1 35599dfb2824b77308df9e0b00099f3b9f5e32df
SHA256 3f48e54a89754d9a6ff880b93f1a7582ad998a09e4bec0a4568987559b61774f
SHA512 f1e91ead90b984af5d35a7e7c56436945b731507ccba0101e5a1c7ca3b2a653aff309cf0f340a969fce74377b7cea0bd7424195b44e9a1206348f5229ae99244

C:\Users\Admin\AppData\Local\Temp\uqMkYMIU.bat

MD5 f9952c6d6e4918b2dd08d526e807ceb4
SHA1 510700287f366c337339bcadd4576a5a13ba36a2
SHA256 dd1d86a974c24d49aae2b111591b37dd12c1731af2c2a4b14251f0a02d3d987d
SHA512 e29bbecf1cd5453982089d0649bc3ce8884e6e93c2767909cb080a656609bd622001fbf0a0dc8af25b2b14656c082a3c650dd45fdd92d3db9829ab4714d09941

C:\Users\Admin\AppData\Local\Temp\oQEA.exe

MD5 9ba5c6ff9989794da90e240d490b74eb
SHA1 4c3516718eb2080073addbe843fdf5011c056754
SHA256 68751cb4f078690f675a03a0a53a9495d366e191dd1ae72175c97b7263432fc9
SHA512 b41bd42181dcc99a4c54d5373e0f213238d50b5485c328b56e8f14dfad6385ecea30b56b1ccbcdf513800f52f79108d8ff1a7c7d041ac0e621213daa55757c2c

C:\Users\Admin\AppData\Local\Temp\sIEw.exe

MD5 648b3507d1abda90055ea2a040197c39
SHA1 ab9c33090a0aba413176cc40ab325f4b882450e7
SHA256 917e7c26e6bb55d60c9864f350d2c6901f714cd02c6f04afafe5bd2b66b8c23d
SHA512 8a75f26d4b315558b24d8d6c9c90a4c9ee256bf9090a8aad6768c2a3e377a334708a602148548ad6623e4a178583e1fab464352f24c5aa916440689aff5cf25d

C:\Users\Admin\AppData\Local\Temp\Mkwy.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\kIYm.exe

MD5 82b46e81dac0035f5d875b6439905d1d
SHA1 dcd662e5c44044827b7368500cf1204549450e2d
SHA256 93da8a56de023063eac3e532a3f60a501c138a8c4433a738671a32c02caa23cf
SHA512 e266c9693854202dd0dc07d4cce610091866f54d7af27c3873f7bc1229e25ac62807cf39ec3377439d754eb47efaae47645e35b46901841f187183af7e418ae6

memory/2996-1402-0x0000000000120000-0x0000000000140000-memory.dmp

memory/2756-1401-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYIo.exe

MD5 2cc13510efb6c16052acbdff40b257fc
SHA1 94bf132aae3e32fab173cf84ea595b7263d51e4d
SHA256 d7f0b5389e01dadf048e5cb950e816ff669aea1e0f174dc929c9010d7c925459
SHA512 f9f577a0c751889e10b91bf6cbb4badf6258a3c933fa6264c29ae2c5faa111683866db8f4a05925e156d1355a7833fba8cc5c66149293087e3879b8d0dbfab83

C:\Users\Admin\AppData\Local\Temp\iMEK.exe

MD5 38d449b1cb32f847939df1b5fd62e49a
SHA1 2a783ecff0b55cb190a3d2a8b5641cf7a3db530f
SHA256 de786109bc44cd0c17a276dcb0fcc7a350d16ff13c4d551b759a9a7c1dc9abc4
SHA512 0e88ba1fbfa6a7315b21ae541b311ac742704a7ef5f837ef7d7a61178457c7ce2bb95899769291b450d9d2634da91a1553007fde71971db4275876b0cfc33133

memory/2400-1404-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2996-1403-0x0000000000120000-0x0000000000140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kwYe.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\Ycsg.exe

MD5 029fe4f6a507799a9a48691efc91d186
SHA1 8763cf93c468eb45b1ddbe5804f5e806d3d7b49a
SHA256 e16c64ceaf1c5596383e614a065370a98238e5e7cc60043c27d43ffe5355013e
SHA512 3aae2c710ad29a9f16797729282a2181a9141075abc6c6d17bf4ba497c69167920a442b5fb90d0c83edfbd7315f46a27de8187259b48bfa6a61ea70d240638ef

memory/1296-1387-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OIUE.exe

MD5 cde4969228986cf9bc676ffab01aba6a
SHA1 ddf82b437705e951384999f8654362c525d54d2b
SHA256 0642b4f6dfd15dd4bc271637856e720770e04460036e0fffb5680b3dddc07bd7
SHA512 4b5daccec760a8256c1c8faac3472b71d722efeca8f858e42e914e5bc1bbe61cae073e577a67963f8e1c71d41ac855a3a2787ea0ae87e07b2ec17389702f5987

C:\Users\Admin\AppData\Local\Temp\ScAi.exe

MD5 c462c784ffc371444f507d2fd7df47d5
SHA1 9b6248f549f39f5ec6ea0ae4632be81e7b1fb12a
SHA256 2c369debfa14c4d172d44506f660310f825a4954aecbce9b1965616604c70483
SHA512 c08f290c4bc83862c46310cf52220c9213a6026a959d2123b3bf4b8411167a6fc8235b0eb22fba12ba083e728f81ea11ede8e8d8b405b7786ba61cbecdebdb4e

C:\Users\Admin\AppData\Local\Temp\esQwQgUU.bat

MD5 e83371b6bfab0fd3ef03cd8945bc228f
SHA1 baddd9ce9ab38ca585994dbbdb22c5b07b97f693
SHA256 e701a6621d0dea5a5439c6a9e70d504d30ea3e9f61d0da3396aa085ac951f9b8
SHA512 7edf2159383909b8dee82f65a2f5fc812713d4b77d95f5204e8cee13046b9521acb55b4cc63d978a349b9a7a2d4458a424d93144656380a4ba97ed0c3629460d

memory/2408-1453-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2192-1455-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2320-1469-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sMgE.exe

MD5 a5adec15b38b0aa1f1e6685ef9646826
SHA1 d0a1041dfadb02e29e300392045e2a56845a66df
SHA256 f51b91e6913cb7d0a47f16147dc106ce9a280a7ecc7e1aab20efc2101148883d
SHA512 9f5091b3d43a570b6c649194d1af839e1b3822c356a376d8764bbd070b73f14944b477d42354591ba7b2a32a70331662f3d173601aeb3abf231337a141f47aac

memory/2192-1454-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2756-1491-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\occq.exe

MD5 a7fe5f8be2de8acec981a77446d94551
SHA1 fbff9e11b37e090e658ef230e4395110642924c7
SHA256 ce942190f090b134ba7fd67364b6408fbf2c5536b72ea46b19de0e5b93f63cd4
SHA512 25cfb012c27a9669f296203c05525b272c15dfce5ce4fcbfe73dd8b45dec04509cefd1051019286a87883e1a5798ce93c2722f08b47c459443e33ae6cda6367f

C:\Users\Admin\AppData\Local\Temp\qoci.exe

MD5 460e793e31a9db1f894081d4ee911e82
SHA1 c853f60cbf326a021c54c6d8b8e0eb68084ceb23
SHA256 03bcf947e53f8b01eab1d24dc90270fd4bf47fa0d1034fb714c53f1cab300afb
SHA512 036737d9a923cd92f3bf15cc3af1d616786ffaf787535133ac220e3eec44297429a89f35ba4e3f1ce88db0179fd9afb391d1a5673f174234a250f5c9dfc05ce6

C:\Users\Admin\AppData\Local\Temp\IwYW.exe

MD5 0cdbdc8a6fac8c5d1881597287484ca1
SHA1 f59c50cced26dcb848debf46c7f4df2b95a03897
SHA256 36a367c80caabd0310782942f041038cf9dc9440d0664133ea500c6bbe364ecc
SHA512 e61f5c60ecfb665c6b08d386940a2aee3ba9f5a5d418f024c5693372eedaa6649f31e68c5fd2797910f8154ea60db7106ac10078cbae02cc6aec5ca509740485

C:\Users\Admin\AppData\Local\Temp\sUkS.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\cQYA.exe

MD5 693d6246d1936bf86427b15b8cae669c
SHA1 576f2d828a236a391e31d6b791ef7b1c090f60fc
SHA256 f43a7b06cd8323e5ec6a5c4fe19363404c3ec689df9724f3bd9a9522b16b183b
SHA512 36f9e790b11e91ae8a9c7960f276151e995736de07942f70c301403cf31cd9ffd06f2e53d3ec16f79c90ca90434a93fd50cf04ac611c12105fa8e422d8a860c4

C:\Users\Admin\AppData\Local\Temp\aOwEgEAU.bat

MD5 b7d822d1b9bb29391070c6f2c685b248
SHA1 f79681a44ae247ff740872cc61d22a409f4af728
SHA256 6afaf256201bd9a8b998afebaf502f35e5e073f4d982152b9218d704ec6e4b83
SHA512 1c59a5f9ac7590d3341d2ec7d0c821edc221ad7b5143b32e05dea1f169746ab2d07217d3714095000b922386714fc8208dcd853f10aae39c0c4b4669218a1d52

memory/1476-1546-0x0000000000280000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wcQU.exe

MD5 eb9d7da44867558a4b18983a9124bba0
SHA1 8d18edc1dab5a7d98cb1ef43b6e22e2b4e6cb952
SHA256 43c48a30b1f7c513bd162965e94da678560b6be940970e7f632980b8ea547911
SHA512 e0e19c05217138e496bfbb159db131524482c53b7aee6009ca6b031373230dcaeb4a1c1b6bef98ef1b4ca245598f6fad29ae690c4f048b05a5f859d6ed9679e3

C:\Users\Admin\AppData\Local\Temp\SkUc.exe

MD5 dab40cb60395047c60a3a0a28dcdc779
SHA1 46fb78c5eee29359b86610b4a0e0b609deaefb23
SHA256 845903af48cc75aceaa3b9bcc893a96c9c543227bce6e65bfeb4983a8b4f5a75
SHA512 276f4aa361df943e2b8876035d5c7729e8a2e5ac0c2b9bc4884543991f56a37763f5fb6e35083aebf1ea5dba0d9189e3124e1a1df7f974648ac542702dc031d5

memory/2320-1571-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQgw.exe

MD5 2e2412d4c3c32bb0086ab2b3bff8ae6f
SHA1 712bffdcae1fd78a5f7d901e7b6827cd198918e8
SHA256 de501c9977cd938a39fe85d8ce1b9b0c0276428691b2382894b273de4dc09a3d
SHA512 fc7224a2eca5e19692a8fa176509f334060037a594cda983b5dcc2d39a93987e22f719fb78b75b8075ccba657963a9bfe937b891fccd74cf952790adfa973955

C:\Users\Admin\AppData\Local\Temp\gcsYkIow.bat

MD5 947ab1740710fa9abbb94b723878f307
SHA1 51c6149048777d7566a2f34a711b9c980954f75e
SHA256 41ce730e1061bfcb7f7850887abadd8a83bdeb52e49cec7072d7222c8fc59d5c
SHA512 b615dc7a361c13f915768dcc570c24a7acaca4c061f8fd35388b954125c2d2fd1615e4024cfbf3a46e0795ac8d7c7c565b6ebee475257e5b5105bfe3a6f522b8

memory/2612-1625-0x0000000000160000-0x0000000000180000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 c37e6265f8132bfc60c03e8e5c8cd597
SHA1 e1d66b435e61764c7ab1241ac250e2fb26b9c18b
SHA256 38e292417dcb8144214f20cce4d232324357a911fde016b088ab92f3b05b98e1
SHA512 a726dd7026f405b15142ce720b224f5e7cf09091bd5245f7cf6df51a6b3abd378c9ee1e76b70641be5f0777d64dda2731c21a2b4dbbe46984febfeb672ddf799

memory/1376-1637-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\swYA.exe

MD5 b5a8744a09ad5eca6a326ad2d914df4f
SHA1 b827aed701c4b1709b4a35b69099af31d6149aa7
SHA256 63bbc63b0a7edc7d4cd42675f4b84524372bbf51a4368e6e105b6e2990663aa3
SHA512 dc510d7d7155caf260a97d08a4949b46a23127fb3ad062d9c2b9495663f205b2bb10b30e83e5d8398e635415094f24caa1ffa693acdf01b5f8eb8b991080560a

C:\Users\Admin\AppData\Local\Temp\EsQy.exe

MD5 c867c93408076e21befa0a9c23723335
SHA1 c7189033c0a925a062ca2e5fd6d46e28f3bae352
SHA256 9d656fb995a7ad81ea81d1e27f995d7963b76e6ae4aecec2f63784e92433b16e
SHA512 39e3e2a0da12070ea91f8281673b656b54079f330bc89cddda84e673dcda8f18ebfe1dc5fc05f9d2232a78dfdc85c4daa7d69706579dcf9798c4b77a17c4d178

C:\Users\Admin\AppData\Local\Temp\koci.exe

MD5 24ff9120e8abf03aee1499dfbc2e6e10
SHA1 2754159e0a201efcd32b829a431d0f06e52031e1
SHA256 7a8bf8d7a04f77753ded9ed794b8457889421e2b13649b21bdb724f68af70950
SHA512 77536082101def0824f777dd07c79702c919e33c4e81cb2f946c3a5ea7f98063897d73d30c678586a0c6a643e149fa88f995ae48fa4dcf49a990912c8dd4dba8

C:\Users\Admin\AppData\Local\Temp\VcwAcUsw.bat

MD5 f436a95d9df25ca14be71b255f189e2e
SHA1 6c6f9d35480966819fd661ffdd61a181918e9d00
SHA256 b75f6488894e9e59cf23e60a6f233ce0249f8b8e207d3ab357ad091e583bf85c
SHA512 8c3d648475db3d7db6e129e063e499def45d520af5e44a6673df5f7f29cc166568be52e34535840a6230aa7c5fa68d370ce487a8f716402983feb0f67a84e79c

C:\Users\Admin\AppData\Local\Temp\MMQa.exe

MD5 5d2a8b76bd774797e71205b6aa43eb16
SHA1 9b5ab9b8833cce3615d5cdfda6b5848e6f60666d
SHA256 0f6393a4462e1d4a79cfd9365fce7da1bd9c6e7da0edd4c7a92d86bfb17c490c
SHA512 816514f02d15f9d5edfa63ce903d4844d7b2fe321a32004026a6c33394b2f5b38597ed281ee4ffc247749f77926d567c770e89d87d38c44c248676df27a6e4ec

memory/600-1711-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2720-1710-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2720-1709-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2184-1722-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mwUU.exe

MD5 e944df2ff4755f587383707e7706b21b
SHA1 14fae995831eb6ddbeaa1ceb00501445c67774ce
SHA256 3eafd66862db4c1f40141f0d4942e4e0eb59ee5c3d3dcb78eedfbac67f68f28c
SHA512 b870c5dba7aa041ec4699c46149285d492aeaa32d935f22fd3da089957dddb06c18e98ff4c2dd1b7ad91b74f499955228a615ae8b3d24bc47210256e0ff5637a

C:\Users\Admin\AppData\Local\Temp\mIQu.exe

MD5 1a199e200aa182253625011a42283bf5
SHA1 1cc842ce26466b4879f6095d4b164064b876c43d
SHA256 1c07edf5a891f9345cc0f5a310200e5db54841c6814419ce97e8296ceb40da8b
SHA512 91583022012c7b38b9a3ececab345dd7afe8ff07f301b7497a293491caa5a5485f78dec3f1d15bf632670c0f41ee0e383614da24fbbf65f89d3faf841ae98543

C:\Users\Admin\AppData\Local\Temp\ZekcYoQw.bat

MD5 f59983a7b7bb390c78d676b5e588afff
SHA1 e60f112264db6271ea7005eac93362319ab03bbb
SHA256 db965d6ecf1f0d2b03214648a919641cc293692bfe83b942698b8c53c66c6f46
SHA512 c757f253da1ba197c3385349fd1fd3deadec657c8e23b9930e2bfe77f7ddd2dee3d61444b31a3f7c12be282d9a1fb519221d6986a0bde666f4c6fcf32ec16e95

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 46b5f8dcb7b09d3f23770fc5239d5e1b
SHA1 8628194edfa084461a49ba4ac8667e5e53bd5d11
SHA256 e35edc647f84c12cbc2b4a460e0ec1f6f07dc3fc2baf9274093915197524586c
SHA512 177325f986078dd59661121a4fb58dbe45bb8265d3b81d6213a0283bcd1ac8568867232a50708a6a81bc0c46df19a98e360f0d3cdfb4d921abd2f11c0c9b10af

memory/976-1782-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1496-1781-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1496-1780-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SQsk.exe

MD5 02d4a73a892471c37a60a52c18cf441b
SHA1 844a4fa978d9c1c871fce2daeaf76d0de9b92f7d
SHA256 b9cd76a4996f45bfeb140dcc64dfbbf430575759299f21dbc930cc30fba744ee
SHA512 8345dd2ce002e1ce81aa171417afc837c92bea7c1b63c19ce4bae0dbd06682d44aca024f3118e7e79ae8d4529312c54a0eebc2ba6f563918ee283143c35647be

memory/600-1804-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sUMw.exe

MD5 92e38afcc92be759c9b0b91dd79ee2b2
SHA1 e5f4ebf1e2171eff07c81f2b2fd02fc948f08169
SHA256 373bbb1a38514beac12e8a8125ae70e074979044254ca71196157d570e7eae5a
SHA512 694754876d464bd78502900165f11862e8a74c4174c74739ee39053aee0c15a34e2ffed4c0afa9b70730880a8824463f30c5006ae325df3a719344144847d2f1

C:\Users\Admin\AppData\Local\Temp\GkwY.exe

MD5 c2d621eec4bcd0feb853bb9ab03ac103
SHA1 463537c46a09a4aa5500222dd2ef456845952bc7
SHA256 259f042d576827eb58fc1d986c04a82c5b53fc35c8c9ab62ac13f4572d100740
SHA512 015a7bf7149d87a07d062a2d8446f13b8967a585f47ccc1488e0e48dc310e26a89322900c2b32fb447c56e3515a2b80f72a810ea83afd0f6db5c06543ebe63e8

C:\Users\Admin\AppData\Local\Temp\LSAAkAgc.bat

MD5 350ed98c96ced183abb84c88708617a3
SHA1 7c7b770f2c943e34877dddaf9d37cfd35aa8ddb7
SHA256 8d824aaffbeec45510f04daef40fc47c01295adfcd4b837406849c60ea5ad291
SHA512 4616693843707adeb613be3cf56a7e47fe7b79839089dd35ba6816897503d16599f382cfe8f70a4acb6886d38a60b007e3ce2d16f117972c5b331945d34819f2

memory/844-1850-0x0000000000270000-0x0000000000290000-memory.dmp

memory/844-1849-0x0000000000270000-0x0000000000290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IocE.exe

MD5 6cfea5a0bbaf873a6db2e6086b07011b
SHA1 3a5937a4b9698c03485fa20d99e591031be6215a
SHA256 1208ec0d4069a132aeb8fb9168d57c779b698f83223568aff2f1f2425010f027
SHA512 b60727690545d033745e8a55e74e8d7f050cb0de157b94bcee52be686a45d398801df0a9670df8ac8dd8fd00fd75f26bd07e664cb7b5c80e0e403c822f7f571e

C:\Users\Admin\AppData\Local\Temp\egIG.exe

MD5 b895872108f7e79a6937c4240b30e551
SHA1 2675228e177361b0971ba0d93fd54d1146773233
SHA256 cfc97f9fb5ad57738aa0a626d10e5381a56131178dddde97731663ecb8725cca
SHA512 60b9391f236800b55ffd56af1856ee45e064ecdb9360692f05a3efa8e1faeb2da8d44d8b051bc94eb4e5a49b9d62d72ea46a2eb183e0d1a09f9f632a85037e59

C:\Users\Admin\AppData\Local\Temp\nMUkccMs.bat

MD5 57b0371f58cbe4076a0018dd68673405
SHA1 c9a5c9b2f03c02203297e5120ccff3ec518831b4
SHA256 9828bc0aa3278dd4b5bd23ea37134501aaa654a0a3d213d7d6982f6a4940454e
SHA512 4b5c893fe0278f359bd9a755211598cfab04389a2e71f961654536f758db1f801170d5a0d3688d623f7449bae17902196d68b2abb83d24146b0f900ee6318508

C:\Users\Admin\AppData\Local\Temp\gwIM.exe

MD5 a4d1f44d64a58650db720e5a6075abf5
SHA1 d3f74a67c23b64f34831452bff2f9f4fa2a101fc
SHA256 4b6afc28038fe46bab23516b72b8f23667cba589c09ffba9b455736a31eca77e
SHA512 9c050b77d42a2e681051e3a747ca58ab0077222fa46006a08c6b6658c7eb32832bec4bd91051c966946fee8f9f3f4e615e289d8992088f6c32f507c0600ccef9

C:\Users\Admin\AppData\Local\Temp\MwMA.exe

MD5 8e9b40d10d89fdf25739c1ea61b3e310
SHA1 3e45546a0d2aada4d3d3d54e707920fd4dbded61
SHA256 cc1741c03edbfbddeb22952d5ba47e0d897d85bf86f07845fd4829a0025e28b0
SHA512 d90d844595d3253afe03081cd62b7a64717ef38b536d34e75405c729bfa158c02ca7c012516347bc74ca2be17581aebbdd118ba5aea33e4da606bcd54f1ed46f

C:\Users\Admin\AppData\Local\Temp\MMcK.exe

MD5 54a6d36c40ff2a607cecf14c22493c51
SHA1 e279828a3863b8222470f2ecf859aeae7cf7d291
SHA256 40e9039fef2c2917a3c5f006c51524e4cf63ddc17d574768f4d61a0896c2777f
SHA512 307a5b3cc596e82c2f666cdd74903b914ac21a4f0cfa87ae0e6c9f0d337c01cad89de0362ea91365510dee36771b667993f0b8492ff91446a7020d306a88721e

C:\Users\Admin\AppData\Local\Temp\KMsg.exe

MD5 9f4388e11d48a9b409a97f89bb97c8d0
SHA1 a3bb572ac57ac19a9bdcc3bb4751e25dc7fa2a8b
SHA256 b5dff0ee07638d1ffe1b7433551f9feebcc762a58257db0210a580b9267ce2a2
SHA512 4f56ed6e3be379a577cee8014d097f396961e6177c164ab93c6a05b86655d8816ba95fafcdd0fe6d68b1a45fed7d91351130e36968251188aaa326a313753526

C:\Users\Admin\AppData\Local\Temp\VoIgsAQw.bat

MD5 2e540077c03f522b67b49bd350106651
SHA1 6140cd659f70145716ac3133d057d6ba5864cc48
SHA256 d8e27b92cd5dc1d3a82ac4aad0ac9716f0873b2c29c5126c51f8c1a924e2e208
SHA512 d8c9092a7319b7fd14da9db66e0738020ef081612934eea144b0ffc0d0a7b76410e6e74aad58e48f7f63ff8235d25e08f75fb95dfeec94f5312a4636b62b9827

C:\Users\Admin\AppData\Local\Temp\EsEI.exe

MD5 8156ae5e2533e89dd1c7fec33e0e776d
SHA1 517821b8b8bcf95579822fa85793ac51f958664f
SHA256 19c7afe190142856eb6b75461750e44cdfe510180d772efc38c0edc602a5afc8
SHA512 16cc9cf0668cef13ae1231737fdb5c7540f4304a31ea2c4ebbc306bcf9449c6a129b261c56a0e194d069606d29b76f77a9170aeb486378c64d88856f4241cc39

C:\Users\Admin\AppData\Local\Temp\ksEU.exe

MD5 6f7b91efeee27c65beea9b901fe9593f
SHA1 23132613cba448d7c17854451fc39fa6de2f4573
SHA256 1e5b31a14d4ee55445d40fea4c7d446a1b0ee02d7797c1b5d03b095cf1888c5c
SHA512 3dea183b51e0079ae4241d5e08747cde9486a3d5edbf5677d0d0ad2524a14085a4755049c89458ccbff383994e10e06e8447cb8de4a5ccbd1938f8608411ef2e

C:\Users\Admin\AppData\Local\Temp\WEgEoIcg.bat

MD5 980dbe192a8349f96c3f3cf02894cc8d
SHA1 e8398f874b1e138b388904640a8bd356482c06a0
SHA256 8119fb61bba627a1e16cd5684b1f30c18f712b40cab7f252bd84bd962d9188ba
SHA512 c4d2fe8a88b63d83f7e1ddcfd026166075e227ee70f53d50385195a48ab1cc8898b6bd4d698f1b38c9ac7d480c0d32290821d9dd903897ac9521187a61a165e3

C:\Users\Admin\AppData\Local\Temp\iggU.exe

MD5 45f027072b2398557bc5796efd0167d8
SHA1 c80ace36bcd067cafd8f544dd27b1db4104ae022
SHA256 762066f2ccdcd508c235e061a7829ee35653d0899d215d3dddeb8723f95d6fcc
SHA512 a5d558c35b261a899a0c50f6405d799d8d4ba88c7b83fa764e26e3907120e702b8bfdcf3f07670f29c38227c93244f9a774356d35af0f45344cf309025400dee

C:\Users\Admin\AppData\Local\Temp\WIsk.exe

MD5 0b2757222898bc2374c477fb24372bf5
SHA1 e89d948c84b5f7c5f88df356a1e8c70f1db0bc9b
SHA256 a08cf32bc1e2d122a9c216849e9fa8aa216928281dfdf5a1d4f27940b3456b0e
SHA512 32dfe80d0c5fb3ca450b4a7dfd7a6f6ef5f30eba99ad08a6f711cabeed5efba77bb74ea7f46adc4ba2438aae5551535cbb917b65a0cadc79b303970065d40fc6

C:\Users\Admin\AppData\Local\Temp\ogAm.exe

MD5 15992a80f065f30074a7dd2050ac3f2c
SHA1 cadf26d33d15210a69a937ed97490b5593f6b987
SHA256 788e763aee938c5e18f552f54f0280a02e14007058b4103513c93e14dcd7ab31
SHA512 111a15d0b1daffd3d8912f67738df0a1fa2f6ff3e1ed54418bc7c41b7b701d9ce9ac7b8395a90ca9b77828f85b3ee6be03f165e1e87b5cbac2931a516f8f2457

C:\Users\Admin\AppData\Local\Temp\SiUAwcok.bat

MD5 7787712443befde7e93c2bef8b3d794c
SHA1 b36826bbbf683ad01800c258ce6c4b1b7d1499fe
SHA256 666b8f59d4866a24b932823cdf960ff96abefed03717936ac6c2bf38c299d195
SHA512 24c6a00bb0265a4f6f8f60807bb06342e7b0d6f6f771f80078065b34e12e0cdcf13300d2bc58f601f83a084854acc0c3c9499158fb6a79e9beb6a82d995cece6

C:\Users\Admin\AppData\Local\Temp\GYQC.exe

MD5 6c43707f93ded943f37f188cee039501
SHA1 e66cf5c2fb436414f24636ca402a7e80e97d1d48
SHA256 0bd7c9c853f9214649a5f9c3882b2eb19fa7045c714c21cadfc98fa97e233b5d
SHA512 e87c4c0f9f2c0a04fa41e54f746ac1d7a987bc520bdf166c79d928eec285410ee61fa6aad681e3cc2e4f7efa9a99fa9b2616b1f868f05cd6dec4bf5da72e01eb

C:\Users\Admin\AppData\Local\Temp\GsYU.exe

MD5 742eae86158565f6748ec21fae5f9964
SHA1 4f792b78dcdc20dc4b8179b30dbb29eae6b487eb
SHA256 b261f77d8d230dacfc58d8ed2c6f2509bae8549ad153408cf94366c60defed76
SHA512 27f43e2bd39fe54ea7064ad84a3b1c82afeb6fc566550fa233a579494025bbe21357d9c5a850004639a6892cfd0ecac065760bdc8b2216c2cbffc0775c59c519

C:\Users\Admin\AppData\Local\Temp\csAk.exe

MD5 63308a47ac02a88f7ef4423f62b38f32
SHA1 9b56d834b68dd8c20e8a6471679215446fd8eac1
SHA256 35dc327b97a43b39e668b5d1db4c68641e20e5c22d926869dd5d6976f2fa59ce
SHA512 24ce8adbb55f6cbe9278c415f41939f3ed22f1cccaff9a364353c5981897aa1c855d0fba7cdecf93305e1a8324432d21dc2e137f26e52714906a564b161aab43

C:\Users\Admin\AppData\Local\Temp\YosUkkwk.bat

MD5 fdb8d1a1cd2bd0229a253c25a08a2555
SHA1 e92dfc74ca14834536f9faa1da5ad08a5a7b0ec3
SHA256 a90bce43d38fdb24e63279467b15bab5c4854844d58724ca8ddbd844a8987095
SHA512 b2a5714cd366afad841ba5a4f10c4fb6f35e04f3aec429e63df0e27c0942ce7f339a7be6a86f9e2aeabd31f8a5e15e537acdb09d98dca594aab5ae0e4d2c5f29

C:\Users\Admin\AppData\Local\Temp\MsEo.exe

MD5 6049ed832bf7040b241cfc8df02ff6d8
SHA1 a31646a1a4852202ab75efaa78910f37d14287cc
SHA256 2b8a89fe40ddd5d30ae56bc9c8d7795cdbb4b1c3a65661e0c20c3070265ed8e4
SHA512 fe49fc8194f4a36b1c00dac248eecc2ff0f730e42f73988ec3bc36eb02167bce0a52719857f81857931471db7504bafe6165fc943b5a7280b6960c3e3bf7afdc

C:\Users\Admin\AppData\Local\Temp\uUku.exe

MD5 2f92097ad212e1377b200662a525381a
SHA1 2488cbb0508e588badb4cf2814932933f85c5479
SHA256 94ebc85d58653caab97365035ffd42b5063e5e017c0b33cff56fa2911d1877f8
SHA512 34ccfcc80d48f2b4f15c31ea5704e5ed6c1c595329f871a67e78109f104cbd43620d9bfb1073cb87377734632663b7428278e8961097170f845d8f9dfa7e1d6d

C:\Users\Admin\AppData\Local\Temp\GwowUAcQ.bat

MD5 c112e0f10af1cc5cc0ab589e32dc0752
SHA1 ee709443ef3de3137744bbdf69a9681d1b7ec410
SHA256 587614b28b51b730d6d62f29affab76baf213883f90718599f70df76e83bcbe9
SHA512 7eda83eaa7fe6fd70ab717880fff6735b1d46941f7efcd16ee4cdfb59e3556ec6427eb23419ceec0befb22783cfd210354fc37d10b4a55313cbcd2f5b2dcb5af

C:\Users\Admin\AppData\Local\Temp\WAUs.exe

MD5 9f31fd8afc4d2d257dbdb7b35445d6bc
SHA1 56feb5bcf0916117364690ef2b3b0514f34354be
SHA256 644fe1fb85d19c40e1deebe833d4d55cf4cb3c38857c9ad634d11b1f23ac0533
SHA512 54e67b15724eea17d2e999394240706fba2a82fc7bed86260bd8ea844bb41a9d06759d34382f614fc8a759fc0208c20818424a21fa9238bc721c1add437fe97f

C:\Users\Admin\AppData\Local\Temp\Swky.exe

MD5 a453e799acf469154192541a0ff45e48
SHA1 9035c379391c6def7a9bfa602cd1203b1f431428
SHA256 0e670f864c4a9346fcf33f3040015e4373ac29e68f4263134ad6937aafc4c433
SHA512 b15a40a1dc3078062fe05db6b6055fc79359fe8a8e61ef1c0b5f1e97d8bf26cb47400eb9b4b76c03cb21dbe125a3cad44ee9a7c5705faedeb4e025cca8ea1451

C:\Users\Admin\AppData\Local\Temp\acow.exe

MD5 389ae0611031b813147b3404cfeb59c2
SHA1 a2bfaf23046d2ce85b1ad8651cc67fe3cc092422
SHA256 1dbd3df7a4aa2db66cc0bcb957269c29c2e2a4ce5bc3b2d8c6521cb392c9d34e
SHA512 2d5b56b91962657d28790235f9ca8528cf3ed0db6d1b160babde56e333a18d00803e59310defd84f4cbf1c98a3ce1ad94d12e374da9d84489839b3f808e2d821

C:\Users\Admin\AppData\Local\Temp\mAUu.exe

MD5 3e8bda44f1a43fae88dfa44a7cac9de3
SHA1 af58929892c315d1c13fe40bf949ea98d3d6869f
SHA256 247a49af575a882a422de8c95f9f82493ac87d903fe78de05fd3553d013e6002
SHA512 2c2c05f51bd8701d189254ebb40946a3f0d034d8c7195ba6ffdf85f66a4cae8b2013a5dc4e8d0deb71fafc13468d7fb0490af1196b542605a756025ae62fd43a

C:\Users\Admin\AppData\Local\Temp\TMccYMos.bat

MD5 366978834ffe516c8c0e1014e6932a06
SHA1 2c342d806b3d4f543db151101b2d4fd2b198ee7f
SHA256 c6f678498406c610d391116edbf37f7766409df1604eba57749e8dcdf580059b
SHA512 9d58128ff738635e4b423865bd8275ecc975f2ab6285915094a06d1cbbd36b9654e6b62a1d2f7b25357016de1feee1810ccd94fd5a36ed83b1dce589bd882aa0

C:\Users\Admin\AppData\Local\Temp\ksMY.exe

MD5 62c3cb21a0d1354d90a4d34dfaa56459
SHA1 d3e00acb6c5f3887e8e91d330a98b5bdc48062b2
SHA256 fe954248298528037d4d29d4ea3e9193099ec897763782d6ca6b4018b86d79d8
SHA512 7b3f953ae404f89e8d4906f2690be09824d8beec5d9825019d3960c4e50e9cde3dc0b7abcbd89a8516524704a824e671d0b6dc30c43fb27073ebaa3f5b43a944

C:\Users\Admin\AppData\Local\Temp\eIMk.exe

MD5 c0b0d6184578dd0f92e60d56b970f6f4
SHA1 f1d0d5f96331ea8a05ce7366ca904447ffd1e7ba
SHA256 9068797b2e8d04f145ca4c12e10cc1b2c87061566187999b10fe563fac0a46af
SHA512 e3606523c595fb28045ef4d5f18e48f14a4783c627e7872a2c69b2e6500abc0782e0809854a8acdd84118f672857511382cd6f8a391ded2592275b9af39d2bc6

C:\Users\Admin\AppData\Local\Temp\gIoM.exe

MD5 64bdcd92dfdd25b096ef3940497ce998
SHA1 22a6e911edc45bd0760e4aeec3d93a2e7bc0df2c
SHA256 73a117d652a8f4d1d4cd3b00f478887bce88687da39aee4fd2e37c540566acc4
SHA512 31d8e7554bde18aa87d4d45b0f16a298da948af26c055bc00cec786f7359750d0612844ff507cb8fca4ab35b12333ecdf3af076efcb25d03ec6fd035a3806984

C:\Users\Admin\AppData\Local\Temp\JekwowoA.bat

MD5 f0eb4fd46083dd5e8d499b9390c7cfcd
SHA1 47c146604dd033134077106e7c1d582e8593156d
SHA256 d06f2734f508369a50f0838d20e94fe03402da049f930f84c15824f26c59e786
SHA512 85f8ca87ee6d039795312aa7e1c9037e8fe6aacae07dddcb33f1b0fd279c0a9c7bb357c28130b100c2806e990657485f953f0486d8ccf51daa53223b997d6ec3

C:\Users\Admin\AppData\Local\Temp\wAMO.exe

MD5 92d96265a537213e558d7c9db0f89f72
SHA1 dc7b3aa1569c62dbbef4fb58aec0f5c9771b06db
SHA256 75bd99de4e825098c61a59b917d20f03fd76f18c1933b09876fcec690589498e
SHA512 cfcb76f8cdccc1ff55f8cb7af19ec9e4f0989206ac1047926ef370d793f2057c18ffe43d8ea7e203a2866dcdfbffb9cc20a8a2d83c0a1b517c97d41bbb5fbebe

C:\Users\Admin\AppData\Local\Temp\uAQO.exe

MD5 ec59f2840087c9d0c1f1e04251c5823f
SHA1 4b57d5e9551d43cc0409ca567e7da30f4004eda0
SHA256 833936493b810d424b0691509246bbd3519e9785271b8e1930122edaa76d412b
SHA512 0a442e03b78e2ac0f54af9c99fbee43fd2e08d6dd821e6441be98d2e5e0108512fe48346cf8da631956ab8502edb08aabf73b79d4a6b99d544ceb16bf4982225

C:\Users\Admin\AppData\Local\Temp\tEskMskU.bat

MD5 33813a9569daf0bd370a0f892cb91213
SHA1 fe622f73318a6f5598d846b74bff62ec394286e8
SHA256 b42271b99328d9f140756d590d26c9c0dcd3a353a2008746e2c8fc6cb8dc4097
SHA512 3b06d7ad194c0a11630a49394c502e1b806f0311b7dc8bba6784d2d7a8835b0fe1ba58853d96ea616c92b38bbf4062543db8fcc9c7bc18c478e5fa357b3a993d

C:\Users\Admin\AppData\Local\Temp\buoAYQQI.bat

MD5 bf2848270bf34ee2940af208c7ab6a6a
SHA1 6c8b271c8b4ccf965dc9392105d46f45cd665980
SHA256 0ed8afcaf8904527a07f57e239207543c69927626c1f01ea30c2f026836612be
SHA512 81c38e7e0a58383e568264d99718135c9f41d59897eb88c1aaba9da34be171833b32eb8344f92ee89eb4c371a5e9cf9a9f9dd1dab0e7c1872d21f0a0ae57b9b6

C:\Users\Admin\AppData\Local\Temp\QOsgsYck.bat

MD5 2cecec72fc70e42382d1ac44bee6c690
SHA1 cd83f29b6855674aaa8b3de619c1b4744e82efd6
SHA256 7eb1746470975007611202b1b637cf7470378468277cc97f4d5940a3d1a7c9b8
SHA512 27da9705b2c489912638e71da26863883ae6eeab96208478d9882d6660d8060dec91b2968191149dfdfbd95056beaf6c76c42d3ebada32593407893470d28e5d

C:\Users\Admin\AppData\Local\Temp\KQQe.exe

MD5 2d8c578c58632493118197da5770e37c
SHA1 bd12308999796313742c9f127948d8304c7d2a28
SHA256 009b6ec58ace68314280cb8913b181b21898a5b2a37f95f2c35011791e133b66
SHA512 1e05e185eaf0faec1e1fccfa7e8611609585621706c42ea6db32675bfd08c27f34099f42d5704f6e59bb111ca106c72c23d29dafda9300d489e6d8207f04aaf5

C:\Users\Admin\AppData\Local\Temp\CgUK.exe

MD5 cec8f7792e94350d78b309cbdb728060
SHA1 8dee8fae43a429490e7c564e8e0b5c16c7036d56
SHA256 2c12b1ff4d57690b59d0733b1a09e932165b0bb2c8503faeadba47bf0402bee7
SHA512 a518beb0a4a8f1b4af6d225a637719891b0b7ec1b34bb9565b0d4f103c56c7dfc402d54682ccf8defa1ace1c90c03521992c421c21f0c4964ff96c2c4048c357

C:\Users\Admin\AppData\Local\Temp\ccgMcEUg.bat

MD5 39b4a9b0bd03aa524699628a879aad8f
SHA1 1d1e16c1d3ce415d10e4d0f906dc3f4b95762600
SHA256 de0d206e8cdc53b96e81419b0a2bbad466f64516d5d3848ab23310bd59355c80
SHA512 87688e2974dc905f8d3e048b19e5ad275f30ac7e5d92838b387bd1b11ab23312b4e3f8d74243a55459ce737159e18b9dda29c7bd5dad5fae48b463961cbb214d

C:\Users\Admin\AppData\Local\Temp\IIwq.exe

MD5 7f2d4463c55d95bfd7ba9b0b2ced3a51
SHA1 9ecb5671dc6cf18bef497683f328a66c9eca25e6
SHA256 df66b8d018c8517b3e881c1f3a3eb87352995c09c460c4f82746d5c771e5b5ff
SHA512 1eb6bfe6d86427897e512c315d07eb0cb02449bf23b0f4dff1c24edc75941c0fa1384ce6e9b783c52864d4cc94db8d9a1cd58ce22beb81d22c41008bb4fa51e0

C:\Users\Admin\AppData\Local\Temp\iYMY.exe

MD5 9ace99deda6a0fed41765cbaaa03a2f5
SHA1 90b3e0236997215a908b4dd899dcb0a9af9747ff
SHA256 d9d73882c3358d47592042ce4463271739a771db90d51000d05348ca456d14d4
SHA512 76514194f234074b1d9b0344634894221e19e19e1fb7c3ac28dfff73ac48fa78eda0159d60f27616e14a2ac28aff4fa59bbf40ac1db3707d018d46953d7f60b9

C:\Users\Admin\AppData\Local\Temp\yAQW.exe

MD5 1461951670f63148e134fa3fa50effb6
SHA1 bc8d7313d32e523f1eea2f036ecee25b56d56121
SHA256 10d74665bc774279fc300b2a27aa908e356f5570a79768d29266ad5598289760
SHA512 e12da70c7366ab6092e490f86b9eb70080d6f73976265e5d245476e1b8549bdd2750a7ea90919ce225fa8b5f73bb7e03951917b709830391c1f54040c36976cd

C:\Users\Admin\AppData\Local\Temp\IcYu.exe

MD5 af3ced27b71e2789465a71aacaade541
SHA1 22bb9f954dc4a0b72a6f4f95bccf9997af996259
SHA256 6cbdb4e6c1e70404a17c9e9285ef78314ab76d29988d8940d03f216266a2a193
SHA512 680e6b2f492f3665d62730cc718fc1b8134daf479c32c0a521de00b6ce0dc815c4bbe8bc8c0b36c2b85996eadfa04dd1df31ef643650cfca181fd46de5b06a7f

C:\Users\Admin\AppData\Local\Temp\sMcAYAYQ.bat

MD5 9e4bc2bf0da97e4429953504d98f13e5
SHA1 71d00526baf03b3b4457dcb0c904a6418b9e358d
SHA256 95d58a47aaa61b5cd0af10669244ed96f79e23dc12cfeaf7c17b6f8b38a0bef0
SHA512 d6e9d63dcd4d2e0860b97ffcd9d342764a30b84656c580a9726871e62fca83e688c07f33b678ec0631d20fcde16111cd49862bfec5e01e63a4db477b7a99c54b

C:\Users\Admin\AppData\Local\Temp\koIi.exe

MD5 c9bbd5eeb1a9df99bc92d2f077f4d8ef
SHA1 fbc4c9ba7c72c6243ec22f3630285e85d6158d5a
SHA256 576600a6399312467c28dcbf9bbd11c942d3860a6bfc9b9e40b9595d6329c773
SHA512 8a61b75a897a3a975f3dc77e0072576fe89de992afd7195b7d2b1708d8f7909cfb9fa1e8e0a52f941b8a30c7e91940d86516b95ebedfdaf6239b134b590d3e88

C:\Users\Admin\AppData\Local\Temp\GosO.exe

MD5 aba862c16079e939ccc50ba6d4d57300
SHA1 c154fb56223d0b3aeac539ea2985b128a32a9169
SHA256 b24ecc5291080088782970ab3849903745dbaf897cef7e16425da9e14c6f4efa
SHA512 f3bf8fc3ad6cf5c8fe824f1310b4d22759a4bc02096769ede6c5937d5bca52dba01fb99a61dacd399208a49a9e75519f39b6ad1209403ba3866ae0a800b1e9ec

C:\Users\Admin\AppData\Local\Temp\Iwgu.exe

MD5 79739a71b8e329cb48ce2d46f46b003a
SHA1 c432cac35d0213201f95035976ab74bc952083c4
SHA256 5864436a19099df08de6c89740ec842e6d4cd7442dc9f8510eff29258bde72ed
SHA512 a934996008273a5c798c755c2357549234d09107b75a8ecf5f955ec53ec087a5895f2f1717c7b94228b84f4c9c9ead6228aecf18edad9f56c715b5eff4618ea2

C:\Users\Admin\AppData\Local\Temp\wAMK.exe

MD5 d6b3d027e4a5042d87fd2d56370c45f5
SHA1 df3f10b77857c17ec827e4cc07b8062bf5ebd2b5
SHA256 077c73089450f1964c3e777313f544e52365c469b31bf53df1c7661388169bdd
SHA512 99ee5a94b541c9fd24abb6b5f5489703c501595793cd1e2af3aa1ce5ead3145e2e6195a29dab2a77e4ad855517342dfa40e11f2d693b2c24bc654d9faf226e61

C:\Users\Admin\AppData\Local\Temp\OWIcAYcg.bat

MD5 4a4df4e3aa6c46a3f131127da94cc92b
SHA1 c573e191cc950c8db08f77d503b162cf181eec99
SHA256 e6999c05fc6cd3821ae2d66a0fbda8574ca4276171a316220032101d7323b928
SHA512 f7cb744e01d9977b7210187269730aaf8a4ce4567d62f6d34c20698a884ef35bec58685eb0b2792159500432756404bfdf9e16aa5a1000676ca7d4f66af95c0e

C:\Users\Admin\AppData\Local\Temp\HowIYksY.bat

MD5 75f21d036808f205511d250275dbc197
SHA1 d6b1fbfbf4ed1911dcaff01dbdcb57fa34c9c60f
SHA256 e5c44f22683ba4002c6f3f3e6183ecf4d9472efc4331e15d7e2bd3e686c3fdfe
SHA512 d94f636178ab6dd384c3cfd77c6997681c68447bf3c67b77a84b55895a208c2cf402a480a2fead538d8662b77fa1c388b80a7a54fb5f57dc898ebde11a2a2567

C:\Users\Admin\AppData\Local\Temp\QQIm.exe

MD5 09dd929b12305c8d770ebbfe811db856
SHA1 3bd81fd427c164d995f431a48e630fc42691d860
SHA256 a27467dc2267b63b1a2826e435e432d8d20afb4e18cca2f3ec737232d6a62988
SHA512 b963a6315ea13a0e08dc4b583e91f3692ab88d1994e4ba0baf9c7a01b972be4de8feb60b7d759767ce9d897c1a3f4f91240f9fcc88ffbc8ac7f43c4b15ed7306

C:\Users\Admin\AppData\Local\Temp\bKogcwco.bat

MD5 f4efa129d357be6ac099a5249ed20c32
SHA1 5b2fc08b8ce54bfa760d637d253cf11f7aa569fd
SHA256 e4d2d50bf323bacc3c5bcfd94cf3af1aa1db4598a368d7f15ec2afd66b697b23
SHA512 36e5380a2cb169ae1e0e4496cede4e01a3a7a4472c582552b11998ed958454a75d1408721e6f4bc027b347cb7a248ef0346140c6d3d147b9064a8c6d35316fb6

C:\Users\Admin\AppData\Local\Temp\DkUQYUQQ.bat

MD5 7e4cc9916dfdfd61df7e2f78c8332eb4
SHA1 186986780519671821e5f0c361ab3a6e7fecc1d6
SHA256 819f8b8aff6fdd3bb6485bca0996fafa84005018702d77cd1c02bacff1c45e2d
SHA512 9aef6ff79407dd98c2ca1666c517cd5ab3be8ebd8609377fb3f48429f68ebf7bbfb43976e3f1ebda75c642219101ff6ecd5f0429acfc2cf4485fe2c6efa78961

C:\Users\Admin\AppData\Local\Temp\DyQMAAks.bat

MD5 78650e88bbab1a6073d0f8de11dad79c
SHA1 462d1a43477837071c3ff7e3e3c18f127a9089ad
SHA256 7843aa13ffc7f70993af2ce7851dd794c73275af9b984da41e7970128d29f501
SHA512 259f2b6cf8220314d0d5d00d9fe23fc78aa763aa56f679bfea1861888b5d02dc120ca221c43e708cb276c3fedbdac86a510b18309c178fbcadabcd66babf85f5

C:\Users\Admin\AppData\Local\Temp\qwYQEgcM.bat

MD5 840474a51c1f1a8ed90006eb6ea8a41c
SHA1 45f4f83fc54bd79125f2d9b8aaed54d575d92fbe
SHA256 f226f102e9a933d907dc7ce8d5066ebca3bc206ba6eadff8b67a70d6af296639
SHA512 5a5c6dc39bed81b6dc523455431a238ce5c424e8f3fe0b24568c7b9f242d5ecae65b4e01d6e53bb60151f985f305141e7371ed6a2dc4de90fbb1e754f6a909b7

C:\Users\Admin\AppData\Local\Temp\WsAYsMMs.bat

MD5 d617f8206a37d6da8d22898f0e8c7cc5
SHA1 6f32875c9c249cffa0c97406448cfe74fcf7a916
SHA256 d0ef9fcbbefec80d0d20bc273d9e11a43960245722faee3183e8cfc69a8b3073
SHA512 ff05cd41282bc9f678d18bf4420b587ff429d0cae2395401cbf49fea5eee91d59aa85b7a3cb59c6ee8516922af5d5491a175b90921d679561edea8199d505f08

C:\Users\Admin\AppData\Local\Temp\yOsAQcwk.bat

MD5 f9c0d6d0042a2899fc8860329852537c
SHA1 374d80f145973ed75291d64a39c5e93a346dda47
SHA256 28159e2a966b61db386aaef25f4aef25862a0a9ad11aedfb59f4833c72a5aad8
SHA512 d3d513ef1b87605eb23d1f0bf3d65ff62d95cacfae071adb9ebfe48b0ceefbd00dad53640c118b5c1acacfaf29f601f4b50ca087aaa8d1271ccba5c436a871c0

C:\Users\Admin\AppData\Local\Temp\deAgQsoA.bat

MD5 34737e122db94e6cb377e7346febde8e
SHA1 678982be7c165c0c9ab99193b108bae42849377e
SHA256 ec3c9c3e5e9e4e37f19863beed43611e4d6d7195951e0c6233163ac3269c2f4b
SHA512 608dc8ee8a78302809d6676bfb3ef27cffccfdc51f0e84da7ba74e48de7e3e44b2cbaf160f62b412419207df829c93970805f3aede3e3ab05e1631c8f6d37763

C:\Users\Admin\AppData\Local\Temp\HyMoIIss.bat

MD5 ce643a0c04b4401fa6c811d0e70e8585
SHA1 71545c50164bec0268cadf0f4524ed7dcb4fdbb7
SHA256 cd7dca22d415e46315b3f7fa7f6041af9689bfe73bb36650cc1b112941e06962
SHA512 15e2a204fad999c875f38b1160ba795e42fc970838516b3b0df94950ee1fae402c675efebc0cfb043a9323f26b73ec71cca54f9fd054e83248dd5c6cc08e2d10

C:\Users\Admin\AppData\Local\Temp\bQAEIIQw.bat

MD5 aefe55c33abc49b81af55965b4fc2075
SHA1 966253b4573b838d1b3b06c815b0773a1185d4fa
SHA256 f256b0256ded991ef7a6b5f37a077d2d0c38316b178716dbb6a5e04b7300c496
SHA512 e742ef60a15870886c037e12a7f0d1fb8b2b4b2a5a06507a38d27489c0a7cc91ebdd1563bf38d63b985c473589158ca83a7ea3ee1c5c89022bf1707679bbce54

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:37

Reported

2024-10-26 04:39

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (85) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\bOwkwQMM\nAkIQcww.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" C:\Users\Admin\bOwkwQMM\nAkIQcww.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A
N/A N/A C:\ProgramData\HsUMsAcI\DqUwYEEs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\bOwkwQMM\nAkIQcww.exe
PID 4600 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\bOwkwQMM\nAkIQcww.exe
PID 4600 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Users\Admin\bOwkwQMM\nAkIQcww.exe
PID 4600 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\HsUMsAcI\DqUwYEEs.exe
PID 4600 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\HsUMsAcI\DqUwYEEs.exe
PID 4600 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\ProgramData\HsUMsAcI\DqUwYEEs.exe
PID 4600 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4520 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4520 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4600 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 4600 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2404 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2404 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2408 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4180 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4180 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 2408 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4040 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4040 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 336 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4280 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 4280 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
PID 336 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"

C:\Users\Admin\bOwkwQMM\nAkIQcww.exe

"C:\Users\Admin\bOwkwQMM\nAkIQcww.exe"

C:\ProgramData\HsUMsAcI\DqUwYEEs.exe

"C:\ProgramData\HsUMsAcI\DqUwYEEs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIcwscow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQMgwcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOYEcUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgUUsEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYYoUkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWAcIUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMkogwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKgYkAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEUEssEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcIYEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EswQwUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkIAsUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKgIkwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwAkssoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeAEwIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heswcAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMoQwwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoggAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEkcsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEIcIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEoYYwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoIQIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkQsgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCAYsIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BicgkQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEgQEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOgEkogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqEgYIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqoUwoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEgAwAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQksgUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcoIkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowAAEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcckcYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiQYYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSUwoUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsoAcowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TywQYosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAwEcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOkggIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCQokcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiwgcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGoAkIcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CigsAEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmUMcIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsYQcMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmEQEUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DakAcosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KawkoAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocYQAocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COAoMkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAEoUwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKQoskIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZasMkEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUgowgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYAYMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUkcwQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqUccsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YecQkcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGowsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgcIwIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEksIcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEMswcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuksskEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KicQYIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEUckQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmgkYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAUEoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiksQUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYEgAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCssEIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSgIQEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWcQQokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUgQQAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqcUYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWIAksUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jesAEgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEowscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uicUoscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIEkEcQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwIYkgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsIYQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkMkUcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwwEUkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAIkAQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccsUkMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMIYAggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMEgcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggIgQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmgIoMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwEkcssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwAUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQkAcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEgcokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWwwEEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vecMccYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYYgIUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSYMUYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGEkgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv s5dVT54MBE28Xubmr/8+jw.0.2

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
GB 172.217.16.238:80 google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/4600-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\bOwkwQMM\nAkIQcww.exe

MD5 c8fb1c54a29daf7639172986b3889494
SHA1 fb80d3d8446e96b516363a4fc0b20c83940dc4ac
SHA256 ebb09c0278b44f06f8f9d9f07e1e9b951a28d82e9ff7d77da049e07ec905238f
SHA512 4745d7d59dd2a5362cb552fcfd70c4b2e1c9772459ad9c698b592f4b3002034db0a15f4991cc87139b066fc2cbb0a6450ca1a92cf7ac717c9b97806c263b9208

C:\ProgramData\HsUMsAcI\DqUwYEEs.exe

MD5 538a3fea112a382665b46fda6b974c6c
SHA1 02465bd036a60ac8d9ebe26dd003e50b69aeba8d
SHA256 421bfb5c5b217be48175d05616c9542a705166b83a6b59cfd25422a18adf6e55
SHA512 8303d2b56aa94b5d473b227b3664ad1dd3144d9635d5a33899204cfa6611e416e6fa2bdc3b0ad63fc87b6b024b22a5a2775baaba774615a5779553b4ba0d73ad

memory/4692-15-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2584-12-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4600-19-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hIcwscow.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock

MD5 8995c7a53e0a148026fbd0da69be9f59
SHA1 05a9908e9e3e640a426214276de1cbca6f72307c
SHA256 d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3
SHA512 45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969

memory/2408-30-0x0000000000400000-0x0000000000420000-memory.dmp

memory/336-41-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3696-52-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2004-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1916-74-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1472-85-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1656-96-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4012-107-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4220-118-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1476-129-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4140-140-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3740-151-0x0000000000400000-0x0000000000420000-memory.dmp

memory/940-162-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1636-173-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2376-184-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4992-195-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5072-206-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3920-217-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2264-228-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2876-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3084-247-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2140-255-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1268-256-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1268-264-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4992-272-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1604-277-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4704-281-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1604-289-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1696-297-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3476-305-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4388-313-0x0000000000400000-0x0000000000420000-memory.dmp

memory/324-321-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-329-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3740-337-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4312-345-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3012-353-0x0000000000400000-0x0000000000420000-memory.dmp

memory/868-361-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4444-369-0x0000000000400000-0x0000000000420000-memory.dmp

memory/900-377-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2376-378-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2376-386-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4404-394-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1384-395-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1384-403-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2072-411-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4776-419-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4924-427-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4596-435-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3624-436-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3624-444-0x0000000000400000-0x0000000000420000-memory.dmp

memory/32-445-0x0000000000400000-0x0000000000420000-memory.dmp

memory/32-453-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5064-461-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1708-469-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3680-470-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3680-478-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4484-486-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3668-494-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1092-502-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4544-510-0x0000000000400000-0x0000000000420000-memory.dmp

memory/528-518-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3408-523-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecgS.exe

MD5 8cc4abf5d4d5067e4ad9403ecdb6d289
SHA1 c487d1b990fccf727f7f2230e49f3169184de3e4
SHA256 022d85088694a445dfb85b344e7c6debdb4b0c3759535758fbc973a583d962c2
SHA512 68f8fb86554aba627c47f5131653d7b9db4f1c1d61c8c0a64181e6c4da8eb01979bed8b5ed7d104c9be89020e8dffcf4cae8d4e8e3fab5bbaf0e33b115c4f772

memory/456-542-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3408-550-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cYoc.exe

MD5 0cacf7f1003c6753d64be0d2409e799c
SHA1 d8a3fbb6cb762e541a858a68c0e876ce1e61ee58
SHA256 5322f7459a288f30c9237739007469abbd679f1d165a6b07389f2df973b08a5e
SHA512 4b5e90819f1776565c995c7a1d5d3f5136b97682eeba509419620319f9ddde3101fd4adc576bd76082c735c5504c1b530d19f27925325adf525575dca5d10e0b

C:\Users\Admin\AppData\Local\Temp\qkEe.exe

MD5 12e3882213af4ca687a0153f6559d4ce
SHA1 f0481a70be44c31ef325cf4d27988aa8e599edf5
SHA256 7de45eab3a5233c423bc7aaed4314dd838d2c06e1b6eada058f4ecd4197705f2
SHA512 f9fbdb8142c920e71b04edf54fe153a201751bf337d2436f21b435442831e8ae9e9e9d8cb7f8a1aceaa308f51a170c737c14109180b70ead70c2bed02fe7ce0c

C:\Users\Admin\AppData\Local\Temp\iooK.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\WUEA.exe

MD5 846742d527cb5cd5eaec3fd1e9430f78
SHA1 8c71a4c33ac4c80fe184b75366fc5ae26addab0a
SHA256 463e432867f78ad1f168114838b5071931a0fc256f1e1834f5ea85300690a381
SHA512 e72afa84250d81903856d732c7d892bdcde9b84498e155ba30398180d14e67f188939995ed3f98d6b2aa701d3164dbc799edca87b775016ea2b282744182f28f

C:\Users\Admin\AppData\Local\Temp\mMME.exe

MD5 cddf28903952d7406180d32d40cf4f3d
SHA1 1a91a402dfdb5dbe54f9c3a3cb1eb61538dad44f
SHA256 2e51413294a1a58bc2eb801d743513ba2b6660368b40c99fe79fab9916b774a2
SHA512 19ada075095b754e089ae8ef1347539466cb0e6c1fe09cf5a459c7070ce2d1b1694484fffa406dd0d4cc0fe3af6522342c39315a3b536b76a0f17758650e2d4e

C:\Users\Admin\AppData\Local\Temp\MwsM.exe

MD5 da733ebeb5faefb92c549464e9897bfc
SHA1 e6f27cddfb3d4b07128b69af3904da01379cf0ef
SHA256 71441ff724e90067bb13822a9248c7869e172c44227a2be939bb0d84c468a8db
SHA512 6a407d53e72c32c98cff1f5301cf99d6568e23d5d8cb4c1d2a142c59ca2063c279c50d27a1903d6d2dc9804630d4c3e01699903419158c13e13d5dd9094ebf15

memory/1268-627-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IMos.exe

MD5 a966fc062b63b0c04addedc531781358
SHA1 1f54a273feec5cfab5d2a400f12cd0bede815f53
SHA256 c8ccce2d9deb42528a0f25ce18ee04f01227ec51f595d67b3f15fd65a62dedf4
SHA512 148ade19661a7a29b36203ffa12bf1c02d188f6d96e2a281b22ceb8b39f22769ce5512ef60b056085bed98de72ba77298e068be9e643c5c17dcfd96d7b420224

C:\Users\Admin\AppData\Local\Temp\KkwG.exe

MD5 11a4b9de3e4116b2b10992a3981a6ee6
SHA1 5f63eb7de1150c0c49b3af91ce3746b66b4ea91a
SHA256 978f0da906afcab1bc0c76dc25e0c604b32e0500f7aacf70d5216f8ed0f284e9
SHA512 5a6e92485cae96f6ffff48849a33265459d08d727f2cc2d42aa5bd00c0ed70fea557c0ac14b1b594eee4a244cee6041ed636540f315b49aa03a680338fafdee8

C:\Users\Admin\AppData\Local\Temp\yksQ.exe

MD5 a631522f4a6f650c171cd39c19933614
SHA1 c52efcda06e6f7b6b47ba792a1161aed21697a42
SHA256 fcd3a79b6768f300b744930462f62528a774dccda81564ed42cb698674505bd6
SHA512 eaa3cb0de7162e63cebaff1338438181dae300433f09738438f2e34a9ff11eed91353d966164f4689ebb4ecf6e5887ee8c000d66e731a7c99b08ea49f028463d

C:\Users\Admin\AppData\Local\Temp\YUsU.exe

MD5 73c71d40186d46d570de6e4d90539472
SHA1 37f25554fa85564bb6fa3c27c8b25da435f0dd04
SHA256 cd1d1428473f7d6315624ec9a7acf8f1e96096b808056f56a1bd959f47485eca
SHA512 df1a717f28bf2ba6d087ae1fb33b76c604f69c4c02535bc989d5053ae9ef0c941a1890cfdd4f3f86d9fe4ffe7c13b038810d2bfee7a7669de084d07b3e1a2a59

memory/3112-690-0x0000000000400000-0x0000000000420000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

MD5 166d89d4c38627d6a7197838ae4076af
SHA1 19ce9d458e2ca7ede465a8fa5a49c010f479a11a
SHA256 823f6ccacb9d234ec2a1425a7429f91a515d56b3d8820dfbf1570714de09a2f0
SHA512 c3b7832eada296fa876840e83dc81d86a91e8b42602044f38479837a584eb84aff4d411ac5a659328f8bc735ff345532eff86a2751681698d352ede4342c05e3

C:\Users\Admin\AppData\Local\Temp\MAsY.exe

MD5 15268ffda9abf001357d79eca2c755d5
SHA1 aef2291a60c19cd36a6b8c158d4b325ee781bec3
SHA256 32d56346c719a240ff4441909faa3f594f7f41b60e5c55004234c0fe8309c8a6
SHA512 da97e7df22f5e30df9389e196a57a766cea6aa1345fec4759659e4dc747f090cdd09819b17890abd8335a56e16f334fac50fae04d928cd4973ec8f7627118e75

C:\Users\Admin\AppData\Local\Temp\sMcQ.exe

MD5 006527ca3fd217d2f698e12f288d7a4a
SHA1 3f30be09e36d3d9e29ffc0fa40b023e07249fb74
SHA256 69842b08c479b57a1caf3f8667c16cecb9dc72fd80caedaf42d5b72362943ea9
SHA512 425e744bde833a1a099cf7037506297fab0e83a945ce033b1dee4fdd84a044336e1c3db124020ce93da1cbb0d742b5a5d010c87718851e7c0c2012162584ad92

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 56136f168665ddbf10046b2ff9847afc
SHA1 4849070ab505fc1d823cc38ba7511ea392214ae3
SHA256 73e392d13ded5a76ba640bd4e846f56592d456f396207cfe76b4181734232679
SHA512 cce49ea37f1f4fcdaa61dc33203c6b83a529edd656c9896cee8e5ada584a86113ad284c9168a615d38edbbb8563b63649a26ffc663c6147c8d51aa5c7b3cc55f

C:\Users\Admin\AppData\Local\Temp\GEUg.exe

MD5 f4793181c453c782adff029877412253
SHA1 75a963a2013214d8e8bf090abca507536e151971
SHA256 9c218c2c7dd6b7b39467bd976adb34b61ba4222b4ddf6bf9697a6afd56ac44c6
SHA512 5ffd29eba265cabe1e305258e4e60339eb28fa4c0225ccd346d87ed5b0f898ac24762519890f7a8a3d6d622ffa897770ba6ac8abd1a7548cb769863352372819

memory/4544-768-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wUwm.exe

MD5 fb8e084785761641dbcfbc2220579756
SHA1 713e5a8be2375a527e78e15162fb7e59dbae7d62
SHA256 6dd6fb44d3f94004744455e335956e0f02db4ff3c3c926c6dd7873c1063f87c9
SHA512 96aae7b44884781d89edb5ec56df9fdf25bf741da80a98fb7e5d7cbbe65e4a1cc94ea3312d6a8d9f359ed2facac4cc2b6a48b2f9399f53124def7d6d35a32720

C:\Users\Admin\AppData\Local\Temp\icge.exe

MD5 657fb31436585b014c128c5381b37d19
SHA1 e12f849085cf51b8b9a529be94bcd8b616bbeeef
SHA256 678db908022a0532f1db0bdb0304070c6afc1681d1d98467f38449de1ae7adde
SHA512 07c5fa03589e8f820a092efe001a23d17d1c11b24931cb2384da91a5f825fc703d3226ea46d8cf0425349ccc35b964e6a6ecba6da0a00262c4e321f86edd9810

C:\Users\Admin\AppData\Local\Temp\AoUM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\CYMs.exe

MD5 f6d6226298b98880325d56db99b142b1
SHA1 c7380f66dfc29c97ce4191303eb6c4cf9a4a6ab7
SHA256 2d161f526fcb94b3fd9fe82ad0a0092e291f667fd272aa8002c5effafc6409a6
SHA512 4119adcce9c4f5c651f2ff65534ea521b707b19fcad68971e000923b67faef1212be8270d41d16a9beddbe12457b91bc26acd370aab2180132e4b74e3c65df61

C:\Users\Admin\AppData\Local\Temp\gksQ.exe

MD5 151aac3e930a79d4f9dd16dce5646c31
SHA1 63bc26ea66ae8db4b4cd68e5699517ec7c65d2ee
SHA256 78fb78be2275e3e00f715b491aac48d08666cc9602a8bd92a49826786f959e9b
SHA512 f3faca9d7050e7d1b6ec7db4ca51ac145504375f45a95c81e84a294c60f9cbd94a15e7f377649baa2a4f878c92b6f45c8597975862de886c82c111f2b1dd011d

memory/1268-846-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUUM.exe

MD5 ae7d9ce65b260ab9bf57d1237d628c06
SHA1 7c1f9456010796e6c157786204f37659a1da8672
SHA256 2a27b22f632e8ce25b61d06a0248511b344aec453bfbb0e05d14046289a2c308
SHA512 e688bdc1d946ba3a0242d301317b9749cbe29118f09f2b493d6e5e5fb3cc8b9c821acf5b92b30a8ccf22e18bf438c0d32333daaf2a31936518c017a8fede7127

C:\Users\Admin\AppData\Local\Temp\mEUg.exe

MD5 a62589648e0fa613f841045037459c69
SHA1 42d6ccb4d8b5334a077f7fc22fa7751f6baf82d8
SHA256 5f71f150f521cd7fd950fd80722e15f6d7e7fcea22673bf55b55ac947d8b5fa8
SHA512 3697a70a64aa703a5521e6f321afa26f5cebf5d3e49cf207fadd6c7f7b5e10aaf433438c821406d17119d7409d96ab6ebad3a9261b4e232e661338894919ddb8

C:\Users\Admin\AppData\Local\Temp\mAsG.exe

MD5 ae0e5567904b1e43e20931024fe29198
SHA1 7699f2fcb3275ef804b07ab1e29a8871b49df6fc
SHA256 fb3e5d4cdd2d87fceeb598c5d2b9cd9c3fdd866f818206155d69b1280afc8ee1
SHA512 4aeaaf3d5b6966ccde4404b69f0a22557f94762a4469829ca41e4d40640fa0c0d53104c5ea1ae9a5fd93dbd08f475ee595385136f2226e32e54661501e8aa646

C:\Users\Admin\AppData\Local\Temp\kIcu.exe

MD5 41f86c8bee17b406a3dfcb8c7494ee0c
SHA1 00ee688790c87bdc6629b3cf8e3c3f931005f4c2
SHA256 05c2ac7cd2fa051e2335a0804e51d0892bd50e851bc4aecb11e8d3f34e22b5bf
SHA512 d93396227424c3d4954dd0f1405ae3ab1032e53acaaac3654fa8debd592e14029fb1e57eb1698efc26ff4705a80d89eaf079f74e1e956e60ec482f1fd51801e6

C:\Users\Admin\AppData\Local\Temp\mcwu.exe

MD5 279d85d6e3923f06b179086df7130c31
SHA1 9f6b7a18623d6bd5a21d53aea3e193e38f17c8e6
SHA256 7b7207a38bc1d5f37447f24ce6f834ac421976d05cd0061b737bb49ff548d73e
SHA512 89ab98b3e32aa398b9c27b5124f1e5731675204310b1fcdb6c21ab9f0329959f91608349a0b6468c294ccdc8c77530216159da62aa70c5ee632c317947a31a67

memory/2184-914-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CwMc.exe

MD5 9d31f465c12f936bb5fb3cada84c7a9d
SHA1 b48a78200bd0f957c9eae11d68de4ecd7a83cd5c
SHA256 e465e67cadbce59a428716197af2a044cbab1f4669b3b9ba5e8a620e3f089895
SHA512 a49beaeb7b0f7747b88fa0b11360fe3340c473a732e4d48b45692f483723ee88bab4ed7a647cfa40851be15f17ded391942a8c04a53c2a8d1a78c4b88c40aa69

C:\Users\Admin\AppData\Local\Temp\swQu.exe

MD5 a0fe2c5f7c4465e757d82c7f1f2a7e19
SHA1 c1709048aa2047e12e4ba74b388575f3c925dbcf
SHA256 b900e8e0069c213c7066be4f22a78e6d278145248b6c9de6b1ffdd2f9b5ae319
SHA512 a2d13c126e9d9f7cb6b441017adb008a42ee949be8c1acc44ca4cf95bfa0f9d615eb90984d1436d972da70f48fcb2384acccb6acc7657c323084995a0f023435

C:\Users\Admin\AppData\Local\Temp\wYwU.exe

MD5 40b740479c0579eb8e8548033035602e
SHA1 58bacaebf8d530a4dd26ce133feadb3e81ab4feb
SHA256 dde9113352dbd109c5a93ce7853f46d8988ec7e5bf2b24aec07e19c11e0d9770
SHA512 7ca87194ccce99fc27b46bf4f1383b84804759da192a726301b105ea3f4e726a5517f275eb4b6198e9dfadfb5fcfb46b7ae04618db71dc041ab08824f65b6c52

C:\Users\Admin\AppData\Local\Temp\usAI.exe

MD5 698230488f46c3ff7623f8d17f0208a3
SHA1 8f78ec4405405a161b176e0794496e18196937c9
SHA256 07542609fe2f22f9016b537a7af770590727b24e9cc23fa629387e16c2cf46b8
SHA512 0869beffb9e42db0bc2dea2bf58ffab7d9f70f0086806e5815eecc7c80a79359657d8b7891d6bff17191dfedd5aa8fa7a55b18b18e083270200ebaca2cde0b97

C:\Users\Admin\AppData\Local\Temp\goAK.exe

MD5 4a8efe14616d6f86c38cddefd2c2d204
SHA1 f21e4d79392f645a7eb34cae9e3dd67296f2420e
SHA256 1afbf21e5f7b4bd3e8e1a5093ac91248a174685ef2dace3be0bc22c4e1977413
SHA512 afea0827288e40be45dd8f0360b77e9ad5aabc02d69337ce6bbb4c8962b49f744dc93f1af17f97d659451f112ca92f8df572e76f0beb13600303dbbc6757369c

memory/4752-970-0x0000000000400000-0x0000000000420000-memory.dmp

memory/692-988-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoEc.exe

MD5 c9b260fea47e962089930598a3070fc8
SHA1 1885bd3f50af26fb6c65cb1df7f7e01ac09909eb
SHA256 cefa620e4253ed1d8925cf8618601ccf10b6ecedbd799f97ad7aa3e50b12f8ad
SHA512 ed92ff61fba51dd5023fa01c06cfb956174ae9ef27ad454dc1d54c6e9708ce77ee40043726a1fbcf8d184f58a38b9c3660a31d4ec183d89127e99ee868f73fab

C:\Users\Admin\AppData\Local\Temp\EgYW.exe

MD5 15a4b8e4ea18286e5b909862c78288c5
SHA1 5c7082336b3acc7ae28f2fe96d331e566668ad95
SHA256 89f4402b675c4ef94e01805651749b6500728d7452b381ed13762ef628b84404
SHA512 2c2e005ede4ec2db40694e1e64288f1bb1bd3dce0f88cd173c471a3fdcf05b9feb5235c0654cc92fa6269a3c8fd59cc7a50b7466ece17c2109fe1233cfb9c86e

C:\Users\Admin\AppData\Local\Temp\CUsy.exe

MD5 616375ca6ccd7a148279a9ff46bdb71c
SHA1 40916a47ca75035fe4fcfe3da2cbd2826a4dcf3e
SHA256 6965d1918cac39bcca0525a89b39c777649195a705e383019a8f0df0616d91f6
SHA512 4022b9c622ab7c22a45dbfd2d063a9046b3ab9c28f92cf98dd0ee7b4846c5393cf3d815b92de8d3811f20e3f0f1d5ae4f71d8f8092c17f38a4778f06b2252197

C:\Users\Admin\AppData\Local\Temp\AcgI.exe

MD5 cd1be36d74e14ea0cd3cc314dd4d8996
SHA1 d75253c5776fca77d718228a1b35411b0e595dfd
SHA256 c7b59bf5e0142e212486059b735659bd89987b95a59568b570f4e28b65743cf9
SHA512 d82903e2535cd6093befcf00141a0f283f1cec70ec132cb3b752677907d2b185b8289fd87e089ef782f046b4c86bc637856cbe73e7d0e9132c266855c0ba520f

C:\Users\Admin\AppData\Local\Temp\uAQY.exe

MD5 8c3d626ac81636f4ddb72272b13f248b
SHA1 d4097f42ca1e5a74f91a9fbe549ec91492d76d7a
SHA256 242f4270ef1fabc79bf0fa2ccb5a7cddfc6fd2505b2e2c74e92c7946473ef6c5
SHA512 c33b28a9f6fefe2eba6a6701c393bd3f47808775df385380af8ff651077b55caba2a2aec95a92bed3ea57bcc7f24ac2ffb6ad7f9bfed044ae481c6ff5a81fe66

memory/4752-1066-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cwwY.exe

MD5 a7606f2bb985e44c632c90623f83a33c
SHA1 0220ebab7945ce3b4c7edda009da5917dfed3a28
SHA256 5d58d253bf580bd384c132f1c3312c5e9a0e27c181c14f512b9676dc47917488
SHA512 69571e7319ef9f428d0a2ebecdf0633199d6432f7bb8bf9fc442ea5e758b99b11e418655c9cc97ac64bc15213951ce8e1cd0206a9956cd3c40f09a8bafba28a2

C:\Users\Admin\AppData\Local\Temp\UMQc.exe

MD5 3a101b7bc500ede3e31690f5a0e51521
SHA1 5e0ee8121d12f704266b04de4ceb5c34247c35a3
SHA256 1a80292d276c4cbb1abd9aeffc06c1252a09be511e69b36d84e7a0297bf4ed03
SHA512 138c8363d12d43438fcb8945b498cec7195465c01fe7622231a10a605fce558803776ae69ac2eae4ef3824d956884d79c8c6684964afe885be2f72e14ac75c69

memory/4520-1099-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4992-1103-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agEm.exe

MD5 211e5055cbc886d28324312ecd90c20b
SHA1 f5e1866c7cead2cad3d8d7d95bfc4f983683a9e5
SHA256 24c46a2a22d41ee46b2e04eba097a19b02777624cacc4bbe6b06e01ba68c3835
SHA512 fb64c17020466ee862e5b268cea768c475766108ee9a48e9329e04be643ee7da1e88adf8daa4a511687c6d465efc55654697cee3b6490181a25a06ef8640f6e0

C:\Users\Admin\AppData\Local\Temp\gsEE.exe

MD5 c661cc93ead895465d72de78cfac8026
SHA1 51769dfa10fdfb3cfdd77d022ce32505c533f230
SHA256 8840793184b7852a95f5c848adeb28a56fbdee1e67d2e83081a4dd6f9dfa53ce
SHA512 5a42229ef7e9bcbab6dacc963867fbb97524d3144dc2a13ad340ee3df214347b0727e3dd4b9b12cd3bcf6ddb867e22fc6849d2d744ca8849f7803f03ba10a6eb

C:\Users\Admin\AppData\Local\Temp\mQgU.exe

MD5 aa883021bc7b24ddf8e2d2585a39c402
SHA1 21121782d030164f692711237200d7679db3f6ca
SHA256 18baa54d1022a8038f5b303441659386e42f42b624993731e473db608f368018
SHA512 62522ba3b6b2a0496691328b5d73f280ffd01d903d71b1b188f7850f0209c63de5d6ecf654c5a29d3742444f8156c44c34cc27eca7fe30a0c9897af0c5819dab

C:\Users\Admin\AppData\Local\Temp\eUwE.exe

MD5 3156507f944d0c63eab4dcd25465845d
SHA1 ea5720a692d94ea1ace1a8bec204704632881b50
SHA256 f06107dca8e83bef3e51d900396d4b3b9d57536724b5096b994cee7db3ad15bb
SHA512 2cc26f462905502f1b0c4141b504823a273474c06f16a8fb66de3734864b404aa42ec24e917efa73a1915c11ca361306b6d40acb28ac3efdabc65cb74665e9b6

memory/4520-1166-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mEQa.exe

MD5 2beb3c33eb780d058f1a3729091f4c65
SHA1 51f27d493bb583c52a037fb818b7fef0271f1197
SHA256 d5c9df831ca9086d8b30c202f27731252b98ad4d82637db6e7ff2b7213f9083c
SHA512 55705aa3311c7f88572d57b94c7e90edab95181e76b4df8a5cf354a91fe40326e5eadc3f8fbe9f14ceb6a9d144cf21d4cfdd417ce9e29e7e3c591698adaa8c10

C:\Users\Admin\AppData\Local\Temp\oEgg.exe

MD5 f9116fc2ab679f457ac6f32061df6e59
SHA1 9ef25a20aa1ba0496a5bd35e844fddac5f395942
SHA256 4408990e9ba4444779e0949872737360ace940ba4925b7b7466be003713f5890
SHA512 9eb2877a18e779f11a8fcee86367a46f014bb3898440d6dca0905bd63f8866399eb7a1dad351a98aea546ac2b0ab70871aec2bafe9761150f97d164139037a33

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 676c8e0501d1154fed6d7d2796f6a21f
SHA1 0f25dd288ec1e7eabd5ddf8c088f8a37147dd322
SHA256 661ef34ca46321f247682a413299468397e4f15da2b087eb0a99b4a7d27676c9
SHA512 01301b40ac2c0ede266469179ffe6722c1f41c0b12c108fa0ebf2a593a8c808a3ba73fe0583d89a11a4357fe722151ba157d4bb3fef7cdbe7519c1e6074f22dc

C:\Users\Admin\AppData\Local\Temp\uwAw.exe

MD5 424e156cc9b735432699a98a1d382ed2
SHA1 609ecf0618b3f58b4760a757431f7bda3f0c5b58
SHA256 5d1d93aed00cfacfa42d7257886dc76cd6627f3d8a708a9f4de209b981184b03
SHA512 e14461f3c83a6552d4ce4ad2ae1d12f918dbdd066640977a6aff96315ede23432e0f8cefa28ec708a550267207d5743c45406a302ac311cba39abfd3a872ea2e

memory/2276-1229-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sscw.exe

MD5 32fb3f6f499dc3148fad2a6d90ef5277
SHA1 53dd3fd788c4c38d7b2190fa52111998ce2915e2
SHA256 e84261902003e778a4ce0f1b78cfdabe145ad59af9d9fdd4734df638db109769
SHA512 fba20ae468da007b9aa582acd38f609b0e0cb630cb78ce0e4ac002cfe88984d43429523063fe33753a23824ab1fbed1f0857cbc2ca90c4bb7621721cff56ba8e

C:\Users\Admin\AppData\Local\Temp\sscw.exe

MD5 b7ff02385e98354c576838354a149abe
SHA1 39921a802ac74595d0c08bc1b2260be9d4a23355
SHA256 7a03e8bfb35c360d8e60519feb3cf88749e07e44b08446033443b65eea283208
SHA512 a7651b88ec294e7e201fdcd6abfc6c3c5afebf68aa9e930703715e8af1f4a6d78cb808274a52f417db4ea7b0fdd7b425f17aa0e8e734f0c9222fae198c692a1d

C:\Users\Admin\AppData\Local\Temp\cAsO.exe

MD5 eb9dfac95be28f3e871609b67f56fba5
SHA1 a08eb7973fd556f940bd7d0b09a4f3cc99376eef
SHA256 a7f360cb926fb4471748a14539fb2e3ac32ddcd6f9ae9cb3655e29232abe2667
SHA512 e564ba5154fbc7ca0225ab155745453f2bf438307d31ca6bf2584dbbf437d212bf18536a678de3308b0ff07710dc318c06505c0b02b4540896d2628a399fdcd7

C:\Users\Admin\AppData\Local\Temp\iEII.exe

MD5 91fd737061ce35e4f8f77fb690bac96b
SHA1 311e11c8d3e7033ac21ac1befde9f0caf5b1cce8
SHA256 5b5cb4a417d8b0c6feae6835611c02e8a52c436c85f0072ec7c8ada9afcb7340
SHA512 ef82fb6e14577bb82a07ee14798a13ed737e925677be2e1ee78bd99f9719422d729759950823c2ad278d0bbeb8a5436c00181493f09eb2015ef6ce783ca3c09b

C:\Users\Admin\AppData\Local\Temp\aAwq.exe

MD5 96c9cba3deb3ba3273ff063c5c0539db
SHA1 bd0d5ad4a7e678b5c521cb22e0ae2c0c3861be4b
SHA256 288e2bc09ad5a7ca24fb284937ae4979d5d1661faa9c35c4ca030d2d774bf1f7
SHA512 e2ddd3cdaf1031cc716c1bf467837d5cd350c1eae39fa25706513639da44f8ebea23c2ff351d40e6cb5b7ff6482190c78b85358ddeb23506bc42244459043c9e

C:\Users\Admin\AppData\Local\Temp\OAYw.exe

MD5 ff84f170064e1e4652a6484365b68ec8
SHA1 20b51a7acb73c15d254ef0bab2a16c693b84a2d4
SHA256 73b535f378484aa2db962162e54f7d72fd888aebba4ac9028b102dd01c0d97dc
SHA512 8875d1f3adb0899129de665123afa8de020e04d69dc536b153f1431f9727da5156c81da5b5021e6d630ddc45725a7968503a06c3c9bf06024b2650d31cded5dd

memory/3712-1321-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUMs.exe

MD5 b5849db47bae5ec7682b6481ab72ceb2
SHA1 e2b268bee5507d3d3083183dc8a8995b8b36a7b7
SHA256 13a731095f26af3faf945082bfcf9ae4c5744013a8b503b910fd9cba4993f08a
SHA512 7b175e46e3d458ba86cc4058bd52feb9d6e1c736907576acf0a59c53b5aa51e712b5e73cf92efe01093afb2367ca815d26e17df2bbe67f9923563c6b55f6a4cc

C:\Users\Admin\AppData\Local\Temp\QYkm.exe

MD5 e59301a580a5433ec3e04642cfd3df2a
SHA1 fbddf8350cbe21a668a56f7bd28a5b542a604b51
SHA256 f0950120837b7c767a1b87f1755f455179807bd59bdc069507275fb403d73b08
SHA512 965061eeadd2f3a074a6aef02b3dc65fbc44791f0793a312da985498c34b40ea1ea94a76de34d712ea5b5cfc55c635dffa1adcf684a057b8538129e1026ac803

C:\Users\Admin\AppData\Local\Temp\iwQQ.exe

MD5 985843f918645a4e07e05d2c759a7e1a
SHA1 7689cf3d351375455ec2fca570685804aa537c42
SHA256 3067593ba8fbbcd1cfd150e5ab001dafc5e2b8f1428d84cf2b3ade5320de1830
SHA512 6c9d19252195246d0366237c7e2161206ddd2a4712e473a5dce596bc4199a0b408d06e498ee84cdfc1acafe78d83f3d4fc46528beb40dd5576f60d88cd6c2e11

C:\Users\Admin\AppData\Local\Temp\GYUw.exe

MD5 0f5679ba6705929715c167d048108be6
SHA1 192820318dae16db73d7513fe3ab6e1b218d332c
SHA256 3d15fb3e69413a83eadb8da895381b1ac381c3809ca778be53c5c74b1661ad3e
SHA512 109c56510577a5173da9355a1039db0d65c10491ba08c72537df28cb5c5685461174c304079765e0fea860fd7be589b55f8106f7deea2bb6b8d1a5cffc69f31d

memory/1036-1384-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ocgg.exe

MD5 066931d7beff3338553cb93bf981463d
SHA1 17c79dbaaecd0bd8d424d68220541a34d945a8c9
SHA256 c029275aed7a3a44f21733035a21140645839b9790f323901832e1c7e0d27a41
SHA512 0dcf0bab49daa01b9790387740391dd8e35ac03f1f127e58cb210c73641aa5b8b6a6fec5246174d3deef2918bf879f823e296003693327dc1e3df10df69b3f44

C:\Users\Admin\AppData\Local\Temp\QEoa.exe

MD5 b8f055d74cf1fe47cc500c506e84edee
SHA1 223e28845c71582bf6efa9ae665c3bb399627b6b
SHA256 fade748ef8e66f940d168d474f3247e68c4df858968178fb650bd96a8ba0428b
SHA512 8070ecbe40f775cdb815e9285cfaacd20579513160c597e7aad92b952b2cbe8fc0ad5b6ee141357ddd467665c0745dbb3eec8061c612344e30be1df7cedf8728

C:\Users\Admin\AppData\Local\Temp\QUwW.exe

MD5 fd02b2f265f01ae147b73b331dce0225
SHA1 963bca528efd12169bdda1556a557bfe73f914ed
SHA256 c0a8f6d16ed84ee83e402f2810eaf43cf28bb7599c4d3b168e76de170aabd34a
SHA512 df39220c9b82ed49d0e28bad221fa76a0fa7999a2a17efb8ef885b4282e7f500445ade66154407f3a9aeb615cd8caa6b3476d76770709585020495cc3d6c7082

memory/4280-1434-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qUII.exe

MD5 e1750de6c893df2f546d4bea51eecc0b
SHA1 97294e738431b66f65acae91549ead8a5e732c52
SHA256 382e64ec608578084106809e0e240f99e03b7893a63dccca195b728f03c80dfd
SHA512 a77ec72f49b7dde1e1a26ecd98c505ddc77d6e9f2d4dbde1fcf6c525e80a611ad782a280088d64be5eb65c74cc5ed0ad2fa35c502ef64727a6c79da0198d5cf6

C:\Users\Admin\AppData\Local\Temp\WIkq.exe

MD5 2c3b8533039d95726ce6b7966b6b8f01
SHA1 2d7faab5c0fd4f1e3a4a39a3d34e53aa02581fff
SHA256 94d4ad2ccbb42c7d5ac140721950fd2c471c4654e8b936baf12b00c78923700c
SHA512 cd252a1b3d0c8eb5e87bce753ffe2284aff325e2155f03e8ce65fa7f3473e1bc78ce7a991293e4da3095eb24665bc51c2b038122a02e3834562ec8a1e427615b

C:\Users\Admin\AppData\Local\Temp\kggi.exe

MD5 c62242b0d96151955a5ce35448227028
SHA1 d219e8162f37fcda7339e75f7a83e5a748504436
SHA256 5f4bc6e53690b4a042233dd24e55b7962e2f3cad797b335934c7c25a944fef03
SHA512 3aad56e8e436e37dc15f93d486bde304b9d80694db9484b8572d733ed6ab01c776702312fbde75cf1bbff61dcf858e67cd583853b6efbb87ebd26f4efd59bc63

C:\Users\Admin\AppData\Local\Temp\gMcS.exe

MD5 19052b91ee5d79fb68e118959161e223
SHA1 c7994d032241a2f0c849bf650e3bcec6abd79fce
SHA256 c1449d00cab7ec1dd7f09261122bef4451db03bec50c8d436c2a92a5b6435eed
SHA512 592ae7bc4904d8dd51be992aa5adf49ca28da993ecd3e532d85126b3585d09d23e56e33342e3a621fa9db06eee6855a9728ed06cf17e8128b80d618c3fb5145c

memory/2920-1498-0x0000000000400000-0x0000000000420000-memory.dmp

memory/100-1499-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wwUE.exe

MD5 4e2b883066e03c01207780fabb867c09
SHA1 7da984117cd9ddc17a0f4211248d86c796e2a186
SHA256 9c185e8a6af58cbf253f6a79262429bff727f08359f67e9bead396aa1631b1e4
SHA512 058a23a4605518ba6f49b1bf370badd6dce9c24bafca5b83f090f3c51b5c0bcb14f04cb883d91e460f9c0796d94a334ae49f1f58a8c1ba6360fe3cae140c3be8

C:\Users\Admin\AppData\Local\Temp\cEEQ.exe

MD5 01535a54d1aef2eb857ef41d3aff4162
SHA1 2f05e572b01e71d6235d4305144bb45a0a3662d4
SHA256 501de487f9f16181e5dae29237316f6885ef48c54c21b954e0d0dbcbe2701940
SHA512 39e067c36c6c8d18d4999824b179a39e129b7677b0fa2874b8c179860547ca1f1f9a9176e4d8a7e7aa2829c39dd90813f795d0b32984581eadf6f642dcd089c7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

MD5 b482ff690e6e8c5ce5943f418361524d
SHA1 4fc9336222ed8d911f567289ce0293fe3b7041a6
SHA256 48b7295cb53566395c26b669a466f76221be2b5e040e5b3ef20e009a364170ab
SHA512 8822e8ddf69e8b3d754aa8977d66c2369776f5312013441fb8e18fa78127b60677ed71f8ae1452280af5666df1032e0ac9ae78f783e68698aa01bc2dd82f4b9c

C:\Users\Admin\AppData\Local\Temp\qwAq.exe

MD5 409483a9a6cd9fdbcd1fdc8403c66ccd
SHA1 04bed676c7cbcadebc5988ea0b942f5547dca7a8
SHA256 733318ca89e7ce9b23a60ee39187dffb7c9ab1ae017add67c46b3a405bbcf3b2
SHA512 9cc0607015dacd2279abdf2558abc87f8dae4d2db66a7c687690202644f7ac823b77a7b66cc5068b32b3e9576f20db6a24ade72f9c364783f492d2c77f260036

memory/100-1563-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ygsG.exe

MD5 7215ea3357b7efee73154e3450000dfa
SHA1 20bb7ddc5fa3e8cf4c44f3eea0309626ba1d96d8
SHA256 cd42f43951025bda5bb40a8c2d147e8e2afa64b053ba012033c50249514e68c4
SHA512 0bb9368b85b7614f680d07fb03e096ef3aac4758e8135a6e3151dab9421f9e35c6b33622ccef53b8b137f5e55d251f232a098f9f100566eb97719f1344ca3c10

C:\Users\Admin\AppData\Local\Temp\QwMc.exe

MD5 2587d9094663ecde74f54e0e4ef11140
SHA1 cfe90a8edfa6303ef67221aaed3e92a1e61482e0
SHA256 e7a5ef935439a141a0eaa7ae70bfef15d624338f131a4a4ac8422916b9a5132f
SHA512 1d6ec92614b19f02561f620c135e9b3676747c97ac2b45a2bd7f1ba69a92050f2a6cfb0723196c3cf71071ba5d351705f63c6d36d1ffb21c71361cffd2a5bc89

C:\Users\Admin\AppData\Local\Temp\mQUi.exe

MD5 e4d6f2b14476b69f2721aa2104e3cbf0
SHA1 e4d8b8e6503d63a186ed3654b3dec39fb4bf3933
SHA256 70ca6a0b43d77af277c3b6fffba453a56c7a38e1d95c0f35963adbb62c5adfb2
SHA512 f169f2d9301b5843ae3999c67d168b470dbf18c20d3869dd71c773d984d45c150830a318f77f9d49e6606268d71ea54c2d0c8507ed6c288a3b5cf38e98fd48a6

C:\Users\Admin\AppData\Local\Temp\esMm.exe

MD5 799808c49f7ac96635941f8feca8a5e3
SHA1 0f9bfe7055c2b4a9957b4894ed46d381afe32537
SHA256 adf83d4e9c63041b3be2ca8ff1b365afedd19db8220df40c8caea52adf59405e
SHA512 2f2b0cf77e6d46ce7cea730e07ef4cc124e6fefcf90f6516ab3d1826ec36139a27e0ccfe8c0bf046cd6019c4f482dca26af35771fad13beb3defe74d9e0e95a7

C:\Users\Admin\AppData\Local\Temp\kUUI.exe

MD5 785b6a456fc1ca18eee474cfed321dcf
SHA1 555420ca034cc7ebb69f09a607d79b77747f852f
SHA256 b937858b8a0b50c81a2cf7a5f09844e1d87e2273222d56c0e4b44b0648edfef6
SHA512 0bf94be7dbd2d22835ef57fd46efdd2015c613eda052968438c9210e6c13afab3a26306ffd805f2cc3551246015dc3f2e406c267a7899aee29faf4d1d2046454

memory/4460-1641-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IgIm.exe

MD5 1b8ca418c22e4b8d557c4fe86857d834
SHA1 dc3c5ee0e7c7a879e2f1f879222b4da434e7bf39
SHA256 0562d936c4f9f06c6f70514cc20b9143a98e896677ec641ea1d23c03e2110b92
SHA512 cafb402e211ee1262abd0ac0a96d61e6658e21f265c38c49298633649270889ef071a2cea45f0ef6860bab99f9a71f461088dd43db8f782373faccaef4b5b604

C:\Users\Admin\AppData\Local\Temp\EksW.exe

MD5 8d5a719dbb20fa844a3b161c0198bc66
SHA1 cde53623e4e6e177eec1ee2bcd973b276cc37622
SHA256 e5391eab1bafda5edad94f36b617396548677baf7ca5824c7dbdb4aebcaa95e3
SHA512 5b77a654c25babefb9efff4ece9ea8d8c24d8c87fc9a65d0544d569969bae4611dae7ef4e2b89b024f6dc1da97ee58d39b6d63397936c8973e595eafa239d298

C:\Users\Admin\AppData\Local\Temp\yAAU.exe

MD5 76c3f3aaee8f89995cfc00c237f03c9f
SHA1 278c7d9a2908860b7da88802153f38ee618a4dad
SHA256 483b87f8e989a455a5ca799c91c0cf5d8892c93e36decd06b1a8d403a8b78791
SHA512 bd444e2545e4ca9b60795f18fe636b858e5f9c89a510e3739bf19f0f335948b5e534b9bffa15eb6c6157d130ea931ad6dd994c6a21031077baa36dcf1de47e61

C:\Users\Admin\AppData\Local\Temp\YIsa.exe

MD5 2cd0a4f697134052bf40c10749ef1ce9
SHA1 e08e511a6704d3493aef7f9419c9f5b65a8ba7da
SHA256 fb831603145f1789973e8825c03d472321db60d02459f0915c8d775667ba55dc
SHA512 b366958d549d8aa4d19c8cbcde6b18772e5c324fcdb904041ee71caf9cecd1422d89b670114e0018dda2344b51e905c79d9bd9fc4eb66575590913a80681784d

C:\Users\Admin\AppData\Local\Temp\qoMQ.exe

MD5 86bb0258930bb6a48c14624fe26c8bf9
SHA1 1b64180a31aeef5460afdb38738918336787b776
SHA256 921f7d43c4db3d78048127f4277e752145e041c8d5f8971031893c41e626bafb
SHA512 df123a0055777dbe458c301b7b32966e817896ad434fdf92a6e9ffa9be56461639fad00636551d329dc2693ed854a7b561520b85e70611b24e70f6ff0045bf68

memory/3656-1719-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 06191f5c8752ca0b8598d885188a0d13
SHA1 0273712dabbf9d1ee61aa4b335f898b3734942bf
SHA256 5cb5b1b717b32ef30bd8611614864600e1b9953dc2baefb0673db71473c7efe5
SHA512 cb1546c577ffbbd4550f54a9627f8cf576470fcf6dfc9d8faa7190a67783ac3afb000d7d15cd4d93632650f54dcbb90c05dabf591bb49fedeee800bf3986defb

C:\Users\Admin\AppData\Local\Temp\sgkc.exe

MD5 e2d630043aed38d54855ff5f2cd1f8c4
SHA1 1737867adccfe35dee387630df1b53b57c97d16a
SHA256 73a9c1201f746ed83c23bd42885a4e5183102c207e6a6de1431238d672e8afcf
SHA512 53728a2c65a39490c7bc924f0069ba4aac660d36470469c64ce02db86cc782241deac0a63b4111ec6dcd60f4427c8e14b9580e390d63c4a31f838e075a9ced4d

C:\Users\Admin\AppData\Local\Temp\Qoku.exe

MD5 d800943f5a8657eb9fa782b888000b19
SHA1 cfa28ea3214464e5a1893cc734c9b8e978ed9493
SHA256 6b8482ce0dee744c348d2a6bcb9bbe5a27a34a4b78badfc36637880160d66b55
SHA512 96594a5d8f7d29a02fce6827690a975fb48ca886414dd86e0b2d04bc3e731391351342541d5eb245ded69637c8d345a38c7e77192b2a47f167acf636506c6c45

memory/4508-1768-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uIQa.exe

MD5 123d662e5ffd798c0b67f4f9b8b32784
SHA1 b6a9bf211120703e91c0af8352c1c70d9f4d18c2
SHA256 6e680372ae241f97bf9d7a11c5a564d6cda1d637591ca4f775f4b0b09b4bc53f
SHA512 868cadae2665e11d4f9bbee255450b5bba2b941660732e1c16320e9cf6634f2c777d48c794e8778569965890b9ddc0f05be8a35527e4efd85882ebd41f36d9e8

C:\Users\Admin\AppData\Local\Temp\OYkQ.exe

MD5 4382f969be60f6d421ec3a7ae667a04f
SHA1 a23a5a51b20b8dc6df40a595706a55b0baace84d
SHA256 ec7a4fa42544bbba44d7fb16e0ccc8024f0ccb596f59fa26f82e40452d5a002c
SHA512 39ec9af535dd260dae5c31079d811a05680a63b041590006ebab513cc404da9874919b40aef31af38a0355b6fb7fb914b3dd4ff837b57e26be88e8357e8bef58

C:\Users\Admin\AppData\Local\Temp\YYUA.exe

MD5 7b83fe5562db5430e7aa8d0e40bd0d39
SHA1 49e632cc6eed388b3641a0d78a41ddd9c2aa9a96
SHA256 a5d1c6fe7717e740a7c85eb982a55170913d281e1285b76a7e67b452bef71a1e
SHA512 71ad46b07ff743a2d55b51ee1c2ca75d3237b9ef9406bf1b95d1bf45348346fecc8520bd219d2a65aa68355218f413de2084839e8e6ae66018ba2c399387d013

C:\Users\Admin\AppData\Local\Temp\sUww.exe

MD5 58ad95225210e2a6629b8defcec6b59f
SHA1 83cee28a77b0529832468e934b5974c2d83c5c07
SHA256 c62c60664508591f961d38794cc8c9bdb27391f53a354136e4027f65df1c544d
SHA512 f01d1bff785404ce53223b8483025df487b905b1fd5b296cca3cc380d5a3067e2fe57dadbbfb67593a0cf638fcd402a0aff7abe15718fad1e1dac84a1f12f9fa

memory/4444-1828-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5116-1837-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EQYC.exe

MD5 b7b0f2907ddae1d2c6b91978a41476c0
SHA1 6bbce172f730f6ece2fd208094f20dc06ac1253a
SHA256 ae98701cc559630240c3469554a35750deb4b2d0704adfcaf5c1bb408af38743
SHA512 0ee037bd857b04650709922fa802bfe0d8da41ee2b42e7bcc975da498c43b1971eae11506bed45b8af6fb993462eaa5d8ad888effa31acbca33fb3f6315845dc

C:\Users\Admin\AppData\Local\Temp\uksu.exe

MD5 5aad70819ec0d60c775e7fcbeae90fae
SHA1 563ff95f75033c823cfa6f404b1f95d110bf881c
SHA256 775562145ca88b03bf6a3fea45bfeca74e8a14f92f9327c0415a92f056c6ad89
SHA512 85756b83150f7a5b6a2b11c7734213375aeb6977b42f9928a2bdca5bd5469fd7defe5fc4f3260ed0592a327821f44d46c6f6c198b49c61ca7c8f2aa0b335de6d

C:\Users\Admin\AppData\Local\Temp\skEc.exe

MD5 55db92c18f3c19c250e4f82ea4ca02f9
SHA1 525b06457cf7fa34fd621305f465781b2aca5d6d
SHA256 fbeb47c33734c07854abe2dcf0ff8a65b7868159f9f0dfd27b6acfd4c6e0efc3
SHA512 b2791f9c37b69c2be575fe851c1a60883eef88f00fa2c61d9884cc778e94f20103e4e6eefd71062ee8e33dfdd3eaddec4d953e3a560919d69c0b29902f64106e

memory/4920-1879-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4444-1883-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qYou.exe

MD5 f5878a765edad4fd2d2b9cfc4d507fb7
SHA1 dee383f9c01fee1873880279d77ffab550e643f3
SHA256 6ce12a678783de099b58d2b1713098188da7734544460fb9a9a81da4c4b7417e
SHA512 7aa24e9521b8441b4f629fbf764a57e5da743a13e5b9be78f3da92d6c1ebb9dae47fea0f46af415b0b89692007472054b2ec1012afd6b0588802bc99e93a701d

C:\Users\Admin\AppData\Local\Temp\mEkw.exe

MD5 16a3b3902546825517c63a51fa784e0e
SHA1 7f3b938c475a0c2aaaf5ad673a05f18a4d4d8e1d
SHA256 519a997391ca6ed01403912f5b92566148dc486fc939d5587a6413d8eee85b72
SHA512 4be2ef9ba78eda94bd2f7b12fc75d54b08859187bdeaa576b11b07f9fabeef22851ecc24183e78c3af575c1c8bc5d856ee914f14acb71e5e15e1caa4fb343d32

memory/4920-1924-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QwoC.exe

MD5 0ef1c5c64a43c28415b2783554535d58
SHA1 28647273a652cbfa4f1439ebec6f94172dbbf007
SHA256 72faf5e491feb647280de3e85bd3cdb6c39bcaf3c39811326dfbf0da0e2fb498
SHA512 6868449a4a932483cdf41ded9879ad76ffe9c77b79ac1edf36fcc84e53bdf6b27c51b145962b9fa6f5add706e184733eb196c76c5c8b5563b36d1f7c4548d2c3

C:\Users\Admin\AppData\Local\Temp\qgAI.exe

MD5 f5530d204ff5947fb8783f7ab091fe42
SHA1 1a58bca68d79a83bc0307f22732b5b681eeb4b92
SHA256 39997f8d6c119dbbb9bd46895a89cb888ef52828597a89d0d46685d63ae16724
SHA512 befa104bf1c1573d5bb1242e569019f1d84543f4d7849129527ced04325db50a1fc90d1bfd774f59968e1313888423930183b98eae49787740bd34e068b37900

memory/1940-1969-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wkgI.exe

MD5 260a9b8ac9f114de50fcd602cdf2162a
SHA1 447c77d644668f565c222a5197f2600d85cdd244
SHA256 03159c4f9002b51ec3d2352c4b0a41744f9b64bc5375ab0f2c2312d402708bcc
SHA512 d1179dfc0dd89b9c095b619944d4357e02579a615c30bbed5dd8d446b20bec70c8f6f7a2763c3aafa9bcf32353cf5cf03a7a4f1e7cd44efd93366b75fcb72ca3

memory/3932-1970-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QQAU.exe

MD5 bf522b521139facf470c3bc117739250
SHA1 bd4f3f501fd3122f5c3fcf59194588526ef48fe3
SHA256 fb609de9f99debb4a0bc0963943c024b40d1cab7c8eb08e56bbfd49b39bbb413
SHA512 eaac39e762210893ef95be5c84c1ef9fef60cad171ae3cc61509bf6dc3bcbfe23c8cb13399c87a610e4bfcbc80f6ed904e9b21f72d3a0e8f00198ba32efdc9c1

C:\Users\Admin\AppData\Local\Temp\AYcU.exe

MD5 0d31c1a2d83b7c0320c4757afc628ce5
SHA1 918af311ce141ceabb61ea80f9083ea905cb0ef3
SHA256 9fa1d9ca8d412caab96899abf629a4e1da68649fa73f1acdae0199b55f5aeaef
SHA512 302db064de7805b7e8701e5ebc1e99b930ed147a48b8d060c2896f23e19142d41611f7981dfd84cc73713607d882f6a865655c22755f51807c883c3b4ea31106

C:\Users\Admin\AppData\Local\Temp\kcUw.exe

MD5 b4a78637dffe5d4a2b3df93afcb3fd2c
SHA1 5a159c21a3477d20efa5ffbbd95b5c996abe6141
SHA256 f1961e6d0ce0cc99a0d45f7fcccc5e5bc2fb419682ded24a94e38f5a56ca8c0d
SHA512 9c8c8a8d26064c9eb65c1c5e80fece7fcf293f62fa40aa77da67a6ca947a52f868ca39dce679b76968dfff87edb73f7935c685aa04fd07b23a414d71226defd8

C:\Users\Admin\AppData\Local\Temp\WIQm.exe

MD5 22cdd845c2ec2190ea2b9f14aef43057
SHA1 53301aeee31d3ed616fd0eb91fdfa06f06cac935
SHA256 f27b157b72520c20aa0d13c2784cbaf878d6f087927732ff84649e89cc56cb83
SHA512 5fd1ca02f039f5fe767b660b718b48543b2e9214d3754b8388bc67aa0c4161b93abf10cc7d57b9e006c738a675fe94560d2a20d957effc5ebfcbf7c8a79404b7

C:\Users\Admin\AppData\Local\Temp\WQgg.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QUcw.exe

MD5 289284203985bc6ec83e51fc935d7f19
SHA1 96ca9cbdda322c3d6a347ea1a240791423d498f5
SHA256 42ef01bdaee518cacf085ca4b43b01538d860caa0f096f7dd51fb7dd265b1555
SHA512 5d3feb14ad889c68d4ecf5200985cf24a942f31f8a6866394992a655da6ee26bdbfcea55e8ce6be6649cbbae17714359ba04b7d9f88699f8cd412516fa1c79f5

C:\Users\Admin\AppData\Local\Temp\EUQu.exe

MD5 0bd7784d11afeb2308042a8de0afde88
SHA1 d3a3783cbad73702b10f0b31b647b391b41e571c
SHA256 25cfeba6e73630d963e60d9d7c27e1c5e2dfebc7c5f342fcd3dd6ff5635a51e1
SHA512 818c694b60e277ade86b3aad09d3a74cbeb1fdb3d2b46661b35841b9ad790c6a1ad0a970c02bbcbe3737ab594c915389526a4b2aef4e0bbcbf1d54b500540cfc

C:\Users\Admin\AppData\Local\Temp\kYow.exe

MD5 a1173ab42e6e36ae3bd996613dcb3350
SHA1 3e0ef35abce845ae5883819087a588396d8c28b7
SHA256 3a0e9d1cb91d105b7c4ee64feda01a6fe3a1b8e1700538378c0942214a03bcfc
SHA512 1ac5386e0fe9198de96b46684b3464888a0450ef721cf0c9a2b51f987b3ec9016eb58e1eba3406b42355a45c22f4c143593ce2784e5af582712ed3a5cd40f08d

C:\Users\Admin\AppData\Local\Temp\soYk.exe

MD5 043737d4edc47711f9022fac61920f06
SHA1 b102da3cbfbd558f5ec32e786c18ebc93387a558
SHA256 b011d8fdcda8b63be5d07c32af93b95595ef6c02791ba2dda1d932b429708929
SHA512 1045c96d85e3f3e34dd22fc6de4dcc3234c3386a98466f0d599a963a74183612631f6b9fd58b4a108811e828a21a8f85959838d8663798b3622a6359ae758d95

C:\Users\Admin\AppData\Local\Temp\ukkc.exe

MD5 068fb82844ea0e003573df7a79bc6061
SHA1 52fc7110cd84f10b017955f085baf91f5572f41c
SHA256 4aa952eca685d74e29c43db4e4ad703425449d7f5dad251447270d14bf698ff8
SHA512 66bff6a5f98e8f427992eeec4f09cd7149a51136f6e7b8799ddf39c8dac2df53fbae66a9438d7c1253dbd051e654f1ebcf7ed92ff5385a86224eb11cc5f86d67

C:\Users\Admin\AppData\Local\Temp\iUgg.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\uUEI.exe

MD5 a35713e619d6e99e42bed467806de278
SHA1 fec56eee903e3a96233b26973d0b6ef245ebd27d
SHA256 59b27544a1081cc915a96e3e19be4bacecc781c0e551fc0c68a8e5ba8362ac3f
SHA512 6e13069ccbea3967db2031e8eaef3a8e006fc2435fdf959aa489a4944b7e59282d6a04dc1741a6c0ff2ffe10a6e43f2c28dfeb8486459f85cef04fc4d37d351c

C:\Users\Admin\AppData\Local\Temp\MMMa.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\wkcq.exe

MD5 b9b2c61926f40f96b595892cb91896a1
SHA1 47d70a6e75f32e538971067f31c031d79bf75017
SHA256 ca3f0209eede2a93abf6559e0fc42457888d471f29ad76251633cae9fe4c55fe
SHA512 9e87903c6d07314eead8a1ecd70fa019f9e4681fef652b0fafcf146903d3495334d094b95baaa777c2972b46e8c6883a1944aaa53c00ea62b3c4d4a9d29b1c7d

C:\Users\Admin\AppData\Local\Temp\OAoc.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\cUcC.exe

MD5 380daddbd71623bd5a30220312688151
SHA1 268a73112e06474fa0b7526337689c49182f94c3
SHA256 6c2a3fb126eb76cd8e95ed8ed50288f8b6b73c65225034f1b83e317bfdd6ae51
SHA512 23bdc768de4521c45c5d212466864319e870f383bc9652caeb347d420e1cdd505ac4e97afb521100c3e1cb75cf4c92644208d261425649068c7138a31ddd31f5

C:\Users\Admin\Pictures\UpdateInstall.jpg.exe

MD5 19d0f6e5e134e330840b750c1445b3ee
SHA1 0fbeba854f9a916daf16fd01c0cdbf000b466686
SHA256 03e6e14fe8cd13bb0ae6bbbb779c5a8a41272734256970f73c236aadec3de355
SHA512 8f8f966cb11ce9c738ea2e4d26b2641c70ddc5dbdaa15b2af392d6755a3fa400367ce1643941f723044a740813703c4c0b4327a39c43f4603ee6d13d2a6f43e6

C:\Users\Admin\AppData\Local\Temp\QEoo.exe

MD5 2b277168fbfcbafa39d92af34028c61f
SHA1 1e598e273d6c616d960c5f0350b8b6318d9ce6f6
SHA256 1e07825edd35eeb32d3a5a5c6cd54713a94b2fd269c80fea1846ae25130c82c1
SHA512 78a7d164d31ad0d543b6ac2373e744800724724955b7276ca0e6a652f4f8b4d9b180f3f289d29dfd2b35b954317aaa3a3b0b6b770133e7550dd2a2e8a1ecbe2e

C:\Users\Admin\Pictures\WriteRedo.jpg.exe

MD5 a43677fd8e1693b3e54f51bbe1ae3c34
SHA1 54420dd31e654dc32d0dede961a466573f0ad65d
SHA256 befc25db782a1346a4c73fb8997f23501fdbeaacc1f99577bd12021055393f1b
SHA512 dcbcfd9b0e12387f4352a682d6e9a8d6b370d4618aaf06827a21a9f052a46afe8d5adb10fe6b391b1b171aa07300e91a80c8c7379e8155667d1ed3a50f9ba291

C:\Users\Admin\AppData\Local\Temp\oEII.exe

MD5 ac06a2d7293837846a49c92a24c251ad
SHA1 b3dbefa403b37a173e6b4c25768ee3d50f119e23
SHA256 9392fd565e404d46d9ecb1f237da07dc3e4c79a5fda646bbf33928cbb8ad4868
SHA512 94e3b5776d7ac0eb0ae3e6d20d25e0b5fcd52b83d50949fec3c44e813a87e81209517736b5787def6826d3e74b275aa048b902851cce04efffe4c611538d71f8

C:\Users\Admin\AppData\Local\Temp\socu.exe

MD5 aca67218e1b18be1ece61cd07b8dce5c
SHA1 91411c3867e0e739ffbddc1bc3a6e8084629422d
SHA256 6670347434af5aa8a0e32820d576c68f73a591ec42878a006fed9e818e2e3426
SHA512 732bf10bccbd68a1cec23c2bd5db7c00ffe176a41f41a8375b5be71739b21d96947bb2c286762ccbd28f2ebde687a1303df4ae42c48e68ab4e6f3d35a6ff5366

C:\Users\Admin\AppData\Local\Temp\cYUK.exe

MD5 f7913954e435284831b610e8726aba9c
SHA1 6cc015e52181cde0de3c10b43f346615d1415b8b
SHA256 d7d6c1f166014151512baa3387479709728475159a88f5c2d5341917d631fce3
SHA512 015adefe63733c1b27015cdac706622f654d82550989e546009a7723d2c0c053d411955f8491cc26ed038b1ade3d9ed5cc646713adf68160ad61b3e14b847149

C:\Users\Admin\AppData\Local\Temp\qUIi.exe

MD5 acd323831bddbbaaf4d6d417683f33ce
SHA1 03f88ee651212049137f03a05a392671b39b6237
SHA256 206022ceee408f559ec20e127d3f946ffdfb65e46c0851ff21879f7cb9a5c2bb
SHA512 d25747946f85e7d0bf19649c7b2845419bf3310040af292ce361ca6eb96428dedf64f5cf15ad71f916c782b4365961818ef5f207cb76c4ccb9b0a50e7d3204fe

C:\Users\Admin\AppData\Local\Temp\Eccs.exe

MD5 48c08767416c42ba09821552e8a1a650
SHA1 3ba84366c46991d9d5c68a6d94466e7f61b93a57
SHA256 9e7185e72d8c0696206f67ac1f9e4db47c1a665ae3a52649a4ddbe603a9d12dd
SHA512 26c565a45871ed724ea830f4b5a9e0117874f8cfd98e22b827d67aa9e68c6a0a4592144e8f28660a12b5870e40378927ab93fbb3e95c4c8dee7fcb4ad11ffd9b

C:\Users\Admin\AppData\Local\Temp\eAMm.exe

MD5 92fc921f3d33bd7c560da1451ff97a7e
SHA1 15320cfe47090778b82fad0559d6518f933525ed
SHA256 74e12c61828cf6f7997c59e47a5b9222cccc99ca26b735e9e44bfe8ecb3c6792
SHA512 3a9c1a34f2c799f6e84f8bec90a564164c5e9ce8bfe54b213db0c72f4759f1076242053ab3a7d6d636e352b9b317ae10e47289612c6006d6e0f0e97e9144dac2