Analysis Overview
SHA256
ec5c1ee022b8095b3d2055e299f845ef0e3530ad8336fca6f9620314960904cd
Threat Level: Known bad
The file 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (85) files with added filename extension
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:37
Reported
2024-10-26 04:39
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\ProgramData\QMscIskU\IgUowQMY.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe | N/A |
| N/A | N/A | C:\ProgramData\QMscIskU\IgUowQMY.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IgUowQMY.exe = "C:\\ProgramData\\QMscIskU\\IgUowQMY.exe" | C:\ProgramData\QMscIskU\IgUowQMY.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CiQIMEQA.exe = "C:\\Users\\Admin\\EQkQYIgA\\CiQIMEQA.exe" | C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YSIsUAUc.exe = "C:\\Users\\Admin\\gMgEEgoE\\YSIsUAUc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MaMQIMoE.exe = "C:\\ProgramData\\YAcgQYcg\\MaMQIMoE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CiQIMEQA.exe = "C:\\Users\\Admin\\EQkQYIgA\\CiQIMEQA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IgUowQMY.exe = "C:\\ProgramData\\QMscIskU\\IgUowQMY.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\QMscIskU\IgUowQMY.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\QMscIskU\IgUowQMY.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"
C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe
"C:\Users\Admin\EQkQYIgA\CiQIMEQA.exe"
C:\ProgramData\QMscIskU\IgUowQMY.exe
"C:\ProgramData\QMscIskU\IgUowQMY.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DaoIQsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xukgEUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIokAEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AaUwAYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmwgwgUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uyAQYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYIQEUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAEoQsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEsUYcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCggAIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KAUssgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MwQQowcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCwswAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emcoQAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUoIAcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hswEIgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BwccAQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIsEIQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqkoAIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOcwYsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe
"C:\Users\Admin\gMgEEgoE\YSIsUAUc.exe"
C:\ProgramData\YAcgQYcg\MaMQIMoE.exe
"C:\ProgramData\YAcgQYcg\MaMQIMoE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 36
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 36
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qacQQggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gYAsooAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nUIMkAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fKUgooMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZkwUwEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAAMQwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYEwIsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOsIwwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20450088616759160981959454035-632558703-1805208175-1653363748-722607908821950258"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WawEMMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gQIggQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\boYIokgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1418632360175431312181111941964235813-15960415021812948236309053766-1909064864"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWIEAAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dSIcsgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwMgAYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgwkUAAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-213359505173482066016304871711436611403-708291851-987054793-14976828911406748015"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59831468110117390743543941787163193221184643706-36984651615607923331912031918"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GEMgIMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkQIoIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-189198630519079261433508386195097765412015455131-636940224-14646278811449684488"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1847416376598846885-656715239-142236587099271828515495557629435749791625319430"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-209112827-1326704066356905691064422435-1132195799298689016925336981680315618"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SSUYwMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1630502520588848926-814897098819880253-229051584-1589500692-1143352356-1950290364"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSAwccEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\foIkAgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "48707063326387922-151874767418678180191145674428-1921103059-7168403141066177420"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LwAAIkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1000182474-1208076173-527649170-930338366757146708-167628275745582978-827466822"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkUEowcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JaQwgMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmcsQYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "134527320711619679041139160650483818530199071332693590728-1159380721-1051484830"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkookgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AugIUkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIsEQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1883813258-1382595383-89375564916492589604190428091711010128-201441837-345020305"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "79569573618865819671795218454-178147512668481140233304-1294045203336175311"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMkYYIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeYwUkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWoAoIcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16603890018497066814586606552001995384623697864-226965696-1531075322195693977"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGQckgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QUEUAYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "32287187-1171961283419226068-676731477-5517447161135854872-2511788351460063478"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-440889394-6061084701362025957-1145670805-17117595761059532397-740975553-68433372"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikoMkIsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7329568401506016379492791844-1191971246-554181035-1349448179-1830985540-1383719996"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-690520169-1068860276-665151346-7237408601580501865787129693473040152178583347"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\meYEcUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "764200556-1992423049104871776535232661535256914-35090985318902883341564398441"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pUgUYgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11910911631617020844-824201136153640629818498741614182387841784347042-255132987"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VYAgcYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCAkUUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2168-0-0x0000000000400000-0x0000000000420000-memory.dmp
\Users\Admin\EQkQYIgA\CiQIMEQA.exe
| MD5 | 75d9985237d84e94597f64bc315b95e5 |
| SHA1 | 875ebe4ca48bafa5209e5d4d096c327efea02d38 |
| SHA256 | 0bd3ff54a2d1803670c37f0212a9fc92df9fa2f066f7952884f3ab5ab19d8b7d |
| SHA512 | 442fd2f5bb83f43233de75c8c69f0b7d5cc1c40bd875224beea8dc9afca781b1741f3b092448b46c9963c33619d5edb2cb13c93fccce358bd2f1bea73fa1ac66 |
memory/2168-11-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2400-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2168-12-0x0000000000390000-0x00000000003AD000-memory.dmp
C:\ProgramData\QMscIskU\IgUowQMY.exe
| MD5 | 35b1f57c6ec46b0977972237596e6ef4 |
| SHA1 | 5d8829c5d41d2aec6f8e86615250a19aa6b959ed |
| SHA256 | bee6b115cd2dbeb145c8452356bc8871e2ea762491bc56969e543cc149944482 |
| SHA512 | 559fe345c793cea9878e4c438088018a0768862fd32818f454afc97573c3d7834c0469fe041add38bdd941f91a0a1271754fec2396dfaa1a2d2126a001cdb9e7 |
memory/2408-30-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JSMUYQEs.bat
| MD5 | 73b3be3bb90cc5fb3fb286800f610986 |
| SHA1 | f6db9348d0ee5ffb0bee73024d90ee5448581a11 |
| SHA256 | 3cc28bb48209419e11944938e78ca5ac9fb2536ab4b6611bc52fe0d4235c2575 |
| SHA512 | 3a7b1cfd2279ee296089a2298096f88a0a06ef9dc9436d01895203aea29509a6646a9f0dba486ec20dc48a4eb17c5a80c9edf98efb60225a0c4d937787c414e0 |
C:\Users\Admin\AppData\Local\Temp\DaoIQsYc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2168-39-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2696-42-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2696-41-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2752-40-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\JssMkQQk.bat
| MD5 | 56d66b7afc8cca720f327ddda4f15453 |
| SHA1 | 05dd1ee7921d2429d24fa7b75b10066e57d952bf |
| SHA256 | d6954bd6da0d4fb71cf1a96a1a0f58548d9a6ec2c0976a765377e57b1aa58e55 |
| SHA512 | 4002a1cf143742aaf72349832516074616065794b099dd40de43bcf53c461ebd8f7c282589e263767877cf01eaa5e3cd851bb709cdbc668a6244524cfa002949 |
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
| MD5 | 8995c7a53e0a148026fbd0da69be9f59 |
| SHA1 | 05a9908e9e3e640a426214276de1cbca6f72307c |
| SHA256 | d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3 |
| SHA512 | 45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969 |
memory/2676-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2752-66-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2652-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2676-64-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NoAkMwoU.bat
| MD5 | 78d553da703371ecd91d1a00156dd11e |
| SHA1 | d22041725d91722d97abd7554049264f224388f8 |
| SHA256 | d4b29f4b4763406b6dc7737212525aeb28f1daff69077d14eafb4352e41d7c25 |
| SHA512 | bf63c4efc4eca8aee6fb18922e7551d308345e8779bb4c211d3feaecb6dd340d865ec40463b6adb32e4e6398e27c5c0c93fbdb945ad192fde2d9f4fe018818e8 |
memory/1168-79-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2652-88-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gYwwokEo.bat
| MD5 | f9ed94c43d297f856b72b48912eca76e |
| SHA1 | e96dcf461bcd4a37434a22024a4f3d6c1cd984d3 |
| SHA256 | 7e9385a454acb7040c6b965a92c48141cbd678c18d1c3dd160064c3f82f26b22 |
| SHA512 | fe0b3238eb3a5c171f29a0cf81cd126e0d1e2d00adf1a2d0c2566be39d1f4fef463947abaade88ee9a51ca62f404c6baa1a4fd2bb8a6c745c2450097091f85cd |
memory/2376-101-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2020-110-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KiMkMYAU.bat
| MD5 | 3c1b4357a73502ffb5e8e17371df8981 |
| SHA1 | eeb4fff5ab13fb97de30c62eab3d1dcb7db110d7 |
| SHA256 | 52b64ed3a13fa69600732bc22666edb45f089314ca2ef4d938b5cf696bd579d5 |
| SHA512 | a00032591c984fa0da122de203984e4376f63399c27ff211aec742cf59c52fa08dcffc467d52d93a5763fbc125172c0d658ade0664023f3023083f1d82d45150 |
memory/1692-124-0x0000000000400000-0x0000000000420000-memory.dmp
memory/800-123-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2184-133-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cEQQcAIM.bat
| MD5 | de2d2b1f637c52b9dbccb64fca393951 |
| SHA1 | d9fe6f657bbc77e0d4a31da6ba60dd449c43365c |
| SHA256 | 7c80f08abb74e723eb4372374374c0c59f273d37daaf61ce850ce97da295a383 |
| SHA512 | 3c2f6aa9a2692ff29aed654dfc3f6a95ade0d9652a41330ad43636d9e01b39e33c5e25af3e6b1eb6095121936ac6df7e1591e8e6f35860e9343e44ab9a71a84e |
memory/1692-154-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oaQksUsM.bat
| MD5 | 20365a733ade94567bf334ca503e541f |
| SHA1 | 6451ab1bc9028b6427e0a2381a1771f1045b7e69 |
| SHA256 | d80dc4ffea8f1a60c867e862d53da60c8fb21c5c5d73c09ce9843f195df63c6f |
| SHA512 | 964bdcc460251324a2fc0d06f5302cbe0f7da19f8e62f9256fc5b714c942f762b63095408ddf865926f6f2a38382a38bbd1f0b17c30349801e1735ddd4015453 |
memory/2344-167-0x0000000000270000-0x0000000000290000-memory.dmp
memory/2532-176-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HcYAosAo.bat
| MD5 | 481eb0f039e4ec239b5de621982f91b0 |
| SHA1 | afc353181f7ebf14a07fe44d67f6e17201cf1ff2 |
| SHA256 | 67adb74bad543d9827a88d29d089b90bb89f9d325e6cd8bc69d7244c406be295 |
| SHA512 | ce236ae7097a1a72844c1f3e8a38fa960d595f7ac9178c45320829bb2be037c0975fa860bcf54b16a6c852f38f388e6894ec3aced7ef18e4dbca945999143545 |
memory/2976-197-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NyQowEwQ.bat
| MD5 | 589f1b993cb4b088a81349949a76c78b |
| SHA1 | 40b195c5169c1711c0ec14258f0c16410bd2f637 |
| SHA256 | 616d244b3a6e9bcfd0a72687ceb47680af79d102679125b35475746fead234f7 |
| SHA512 | 979639956aa5edc28720c70fb2d0bcdde9450ee56cdc6bd09c432fbc5fc869f67b19b671711fbd12b70bf5d38c34bd3faaa44f3c059bf825dfc46c807d1776c3 |
memory/1376-210-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/2844-219-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NgAIwgkc.bat
| MD5 | 9a85dfbcbf1a62fa6979529b91a7f1d7 |
| SHA1 | 83d788bea84bf39eeca440d122e71d3cbadc2edf |
| SHA256 | 8fd809f2da6347795e9416b5b8ae802a35d15a2957374298deea42600028bb55 |
| SHA512 | f6d7d0ecffdc31d559dc8e40f17f21c39868a5c3d75295b700cfcbd7fc24a3beedc35c3efbab75bcca6c15b969d98084a68d1258bd852dfaa70e8fd181ffe545 |
memory/1004-232-0x0000000000620000-0x0000000000640000-memory.dmp
memory/2680-241-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TEAoAAQs.bat
| MD5 | ffa77ef2a971f371b79d840a9a87e7a7 |
| SHA1 | a5d7f47dce55415a61457e5c5ab3f29bb21b3528 |
| SHA256 | ec55bef96cfa3223f7deb3c0e3d63e486cb6058721d07dd50bffb2a98e44c630 |
| SHA512 | c1b4fa74f8bdde2908846d542cf11160b211cd017560001975ce625326658363b92ed040efaa472af87be3a6d3e56cdb14505e04cfba4358fbe61dbdf244bbc2 |
memory/2540-254-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2020-263-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kcUQMYYw.bat
| MD5 | 6feaca820d517ae285a1ef96eb9e4d2b |
| SHA1 | c29e7b8e083df49e50d961d5acec4946c7dfb5b9 |
| SHA256 | 69b1693f6c60a5af9c88e2346040d6fb89bd4e872d9eb44813afebd3c83d20ae |
| SHA512 | e38f2b193540ff31d3a961bfe16880ef8328a67873a744434fc89f98092ba97457d7af89ed7dd6c44df882063b777800f32da9c8380ada68a2e9d40e5821c9c0 |
memory/2120-276-0x0000000000370000-0x0000000000390000-memory.dmp
memory/1864-285-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CoIIooAg.bat
| MD5 | 5b77bc3493c672171446087be1939aa9 |
| SHA1 | 25e565ccbfadf97985a3fb272cbed767cd325392 |
| SHA256 | 92727ed975ebb4c84e08c9e01e5db3be7795fbb46c3660ddd22f2a3103b615a9 |
| SHA512 | 653ba660e0067e47305fe7c4f22caa44721e77aa0d8678e0bfddc1f2fa55d84179e211ce77114830d235e88700318bf7a6a7a318e7e10008c6ff183d13b713a1 |
memory/2972-298-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1196-307-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mOQgsIYM.bat
| MD5 | 95d6ceac70b62c8d0ce0b04dea5689a2 |
| SHA1 | 01898e90670f483348366994cd7a453aefc1229e |
| SHA256 | 6341400967610ebf6aa9c5426fe7b2f2811c4da210674f1d6526028530b4ed38 |
| SHA512 | d01864b9e0effdf71da246c7897be3df2816be83fac298d2590f62382c91fdfe0a443290c9df1b7387d5733a7b158efbe08020cc2c34c3c4a0b7ed5c05374b9e |
memory/1320-320-0x0000000000280000-0x00000000002A0000-memory.dmp
memory/1320-321-0x0000000000280000-0x00000000002A0000-memory.dmp
memory/2772-330-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aSIgkwgE.bat
| MD5 | 9489d17c1d5bb8dd5777d4997c199812 |
| SHA1 | 3e72fb82f29adaf51aa0acb1fdb3a09c30ff48ba |
| SHA256 | 40aaff498dd0d567629063f852554da177cc67b5c0a92160f288b1309079d544 |
| SHA512 | f351229e635b4f4ebab64c40c3bdae037e04974ae1d723b982a0568a321184cf6ae74bca898a6ebc37e68b265b52f1bc87ba349872b3d5f450957f962291db32 |
memory/1832-344-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1832-343-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/2880-353-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZEEEQcUY.bat
| MD5 | 56d6597a0e71ba992b9bb82fd98514b2 |
| SHA1 | 5d8348a71781a47a034282eb628651ffb29f0471 |
| SHA256 | 6edbd0bd387a91095118ad1ed29c8486a5eaaa1498c36b8db4cf4433124c7284 |
| SHA512 | 872d1cad6f70942fb5eb07efc7aa3a27b0e7724c9432a3865147d8521911ac46db1930d7615940df7265ef190efe7c66687cb6a66801edf55e09e24c1a335ccf |
memory/1520-366-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1352-375-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dKMogUQc.bat
| MD5 | 589c2e47b6190923cd09ec355276d01a |
| SHA1 | 1d0a281c5abca5c027c05d943976277b17962d52 |
| SHA256 | edbbdcde3ba2cebeaaf274574cc273e1fcc89534ed69fd0523156adf7e70f7e5 |
| SHA512 | 21bd66f9fa7d6e765022f822a9ebb27d97a3132c19546f17350725a38a3fae957be737b43c7290324e9fca8589e2224b046a3cd4813deea74f9bd6d0fec97c12 |
memory/1516-388-0x0000000000400000-0x0000000000420000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\cAwc.exe
| MD5 | ef91e18461663912d5942f8bf283caf9 |
| SHA1 | e59f25acf68c5309dd5f573f5c6dc753e809b2b7 |
| SHA256 | 977280b5c5713753ec701b32fc66fede18376cadc04870620647c5fa0d4fe548 |
| SHA512 | d28143e5133638137cc976a5ae6d85467c9210b12e6fb7429f2347ccda169491406cb01428e74c8851e2cc7390b0b6f08336fc09acba3f3185e5c33ae2252c53 |
memory/1644-401-0x0000000000400000-0x0000000000420000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\dIcAQUko.bat
| MD5 | cad9cddb4b941331232b9c8f0afc1af5 |
| SHA1 | 511ba500f7bf9859f5fddaf1dff7c40d81c5cd83 |
| SHA256 | ee5da9329509b14fa193ad1626529e215d43f38a75d7330e7912963a59739e47 |
| SHA512 | 20cfd7982092a70d201f32df4790095e74a30b147e7e4b15c132770d6e889366e29249fa3d259d9482e7fd7c4d1853dd86c849819b01d312e3ca8d2ef31547ca |
C:\Users\Admin\AppData\Local\Temp\KsQy.exe
| MD5 | 2d7b4a89ede51838a14a20533d87f969 |
| SHA1 | eaf2fb0e184014d1677d9996d02ee85e71178ba3 |
| SHA256 | 5e271c7aed6b8344052c3e1f1c66d9a446ee086df06260e8fb8abfc80db9b703 |
| SHA512 | cfd6e11088112770e9cfebe45e2eeec963109e3b383465158c9fa565e1d259afb63bca37f332dc97add29e313e3036e474f9bb0370abf4a464483e687baa63b6 |
memory/328-448-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yAco.exe
| MD5 | 4dd195ad719911bcaecacf9b11ba111f |
| SHA1 | 1b0ab64172ef23a852f2b45361ac1a2d1b763c52 |
| SHA256 | da44a57d62c9fd51d480f80476735a05cc523f201eb6e0137689c401acb48eaf |
| SHA512 | 5040b89f2c42275daac4cae6aeaf40d5ef51a54b884ed6e883786485494958eb017f0fb224837d778941ccf3c47441dee6c6f985495c30f154deb9b41a922515 |
C:\Users\Admin\AppData\Local\Temp\SIQi.exe
| MD5 | ca42a8c15f65797891ca9efaecfa1ef8 |
| SHA1 | c84b09cd30c85a1f38a767485ddac3e9ead8392b |
| SHA256 | fde853acd3bee3e49fcaf0e2f0784604836821e2d7d79bb982abec57233c2f15 |
| SHA512 | 3657c1b167e64d5be6b0cde3e35c3e2a7ef154d30ba102d480dc0036d7213f735d7c37f16d30e1d19e3b826b10b27e075e7f1536ad28c6f484039893e835063d |
C:\Users\Admin\AppData\Local\Temp\QksE.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\YcgI.exe
| MD5 | d1f3ef071c5cf118be6b1ee73ab5dfe1 |
| SHA1 | 8f4dfac367fd22d580079481582cc44f8860351e |
| SHA256 | 678e70352026fd3e957f89c64c9fd240e77323745f897954c18770c921b8fd93 |
| SHA512 | cdfce1122de2b42834eafbfbcd93c9f6f3dc5c351389c82f3085ac533eb5b3d43b851f3d91b82272051e866c79535085b86b254144f33bc5f723ad9cf97bf8a8 |
C:\Users\Admin\AppData\Local\Temp\QwAk.exe
| MD5 | 868d83d003755da255bd13db87c61bae |
| SHA1 | a9e0818dae3732c1e5a88a0e262ce559799b2ce2 |
| SHA256 | 04630e004ec32b3da4ed1cfd718e51c3dae3ecc2f9c5e7cb034416cf61edf4b5 |
| SHA512 | 4707820c677ebfdd3a78ef7b29d437cb4ac4e3a621508700df7859c583e004ebc690a717ccf151eba93ea926dde9e27e5ca8bebe8b915c7c80a6bd5484c4b6b5 |
C:\Users\Admin\AppData\Local\Temp\TMIkUgoE.bat
| MD5 | 326d4acc68f5c9996951b328025ed406 |
| SHA1 | 1b9bed988e056c5a4fc0596b9d6969ab4699cda5 |
| SHA256 | 5d981a58c58640a06c8ae411356e0548d003c3e7f27795604e7eb8b58454489d |
| SHA512 | c1ca3dd03079a58200ba257405e83dff29ac98f25504bb346815e290e34d6e4e62dfc899f5cff527859866411fe474b076107e3ceedef8bea724b98b5d59321a |
C:\Users\Admin\AppData\Local\Temp\OQQc.exe
| MD5 | 946e2c9efa32131be48dcdca5d5e3117 |
| SHA1 | 6a85cd66e716b5c6a833e41fd0fe74fd70fd52cb |
| SHA256 | a814e38d67028b76de43fc8e521318887937a3bf31ca98d986cdc312f6bb3047 |
| SHA512 | e9d0bfb5816b99ca648899767fe6fc9cff7e5ff4ab0cd30c6df5cd41829a57aaa8ecf0989a6421dc3a6b67ff666e821e3f0c30c784d2fc1694ebd2564da7ce6a |
memory/784-526-0x0000000000280000-0x00000000002A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GcUi.exe
| MD5 | 780351ce5a7b1977d315e030bfd143dd |
| SHA1 | 86721da65d53bcee573c6535933be9fe817ec688 |
| SHA256 | 9294c08073c169dfae7b43efa0bd0f035788ed3d96c47d8e4e3990d26ed86e53 |
| SHA512 | 21f29bec343c98a291bac3ed24408f2465785ce22b3600a8a9a7e9de459e90ee2a2cdf1f447c37eb649f2c0b52ba511c15dbc6ad8f6eea520aa84efe6cf038f2 |
memory/1588-561-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ikga.exe
| MD5 | c1065a3cef04466140cb525dac00a495 |
| SHA1 | 1c31ac97ea67a6aaac4612b1424a3acbb5eb42dc |
| SHA256 | 41aa0813135c82be8c5cc1c303772d17dd957e6b9dbf7931068945dae6e10fd9 |
| SHA512 | bfa2e93fb2012f877f7f4e22d15985ea0162f1154287a4304e924cb841d740807f3e7d28937d9d4a712c3463cba0a9aba65ff42781d07b29ab71568b4e796ce2 |
C:\Users\Admin\AppData\Local\Temp\uAkc.exe
| MD5 | e2a5235b74f6f173c1bc55c53b12e645 |
| SHA1 | 41b026327f77dc1c67af55aed21f6ff42f10037b |
| SHA256 | f799c9b5d4b3aecf2538a11b26363ad9551f757f9425147f7d43aadebc85c26c |
| SHA512 | e63259110900772f59e648cfd13c280cd9246384fc7872663a97bffa84f78c3dc6fe1a96bcef1e602de318d9d91e1a0f836b663250683baa8d49b146ef301736 |
C:\Users\Admin\AppData\Local\Temp\soAU.exe
| MD5 | ba16f52b6ca5046c6b3def2341a6813d |
| SHA1 | 318d8235635c44c23ea2a451f8a90786d30400e2 |
| SHA256 | af069ded24722fc7c28813751893ab308299f50c52219ec5c7da34194c85c2ea |
| SHA512 | 84b218c407316463e740bbf29ecee231cc579a2f1e54b3324dba4b242e0ca9066a604bf7f0d9e99d99a9a1696c062346eef40112af7d5a557fd84afec3767875 |
C:\Users\Admin\AppData\Local\Temp\SwYE.exe
| MD5 | 00a3b2706edd8c320c32de7edd647249 |
| SHA1 | 18408b31f2455d891264a56a594dcbd4e9c23055 |
| SHA256 | 5303a8383e9fa7f126f06a1c64a4b09fd1d2c745d11f617a3da99e4039c7634c |
| SHA512 | 64d661af957104f75377bcfc9a9cee01fe8e8ddb14526a56725c78b6fb56ffcb1ac58a132944c104d3c81f81a08aa3101c038df33ec49706d85e59f381fa003b |
C:\Users\Admin\AppData\Local\Temp\KMQY.exe
| MD5 | ccefbd1c1df2f7a20855948fd121d1b6 |
| SHA1 | 0c07aeec047669549bfafc9752bab877a80a3777 |
| SHA256 | 49b1546ae851ebfa52a711a1aabb1e4dd3a845de761e8f5dcc52256c3ea4385e |
| SHA512 | d2d51cf46ba44287e45b1a9ffbe711c132e0c1f9d78b7a0fd67cad4b28388dcc5c57fea50683419a1411fa963c2fc07e5ef80a3dad6c6b276e93ee4b96c1e744 |
C:\Users\Admin\AppData\Local\Temp\MQQA.exe
| MD5 | 222d600cd76764351a62effcd7b96e2d |
| SHA1 | ec9d97b445779558f11e18c93cc035ccce2e9c81 |
| SHA256 | 3511d0b061216cf71982cc45202dc20603314b806ec72f8c445236382f4c41a9 |
| SHA512 | b1a21cfddaf8a8a4287ec1872d933c2437560b416ab97f5f592e6d6f97e25336249cdf6a8f536c7386566ffc847f86990a0002a140a046167b7f5507a619c44e |
C:\Users\Admin\AppData\Local\Temp\iwAEoMko.bat
| MD5 | 08412c5c18fc7654f1e2e6faeaa9b9fd |
| SHA1 | b6504f4f73a4a4fa678eafd4bb08e53087b80e2b |
| SHA256 | 817844eddc31ed0f7d142268c5d950cceb53fd28aec31120b05cbec9f56c5198 |
| SHA512 | 4e2dc18f5b97eebc83b74ff35a49c2c7592cbf71ea97d94d0f9fa18fe3bbccddfccc664774064dbdad0631667fd938233f583204ac9121ec1b1896dc7930279f |
C:\Users\Admin\AppData\Local\Temp\KUUW.exe
| MD5 | 9f00126838052762e9d8788ca6b76dc1 |
| SHA1 | 74b15b71303a7e1505c3471d10d9aa3a6d0d2ac7 |
| SHA256 | bf6ee184694d94b8a9cef3c0f3085ac7377ae97431b188b09333317c8cd56279 |
| SHA512 | d1d0156cbcd27eeac6f1c127593389caa0388ab10daa0f79c78a75e22d8af52b7813cc06cb1c5a8ad014e6904c9b059bbe375e82b6a0d1fab8c70c85feb5fe37 |
memory/2508-662-0x00000000002F0000-0x0000000000310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iQcy.exe
| MD5 | 249fbc0e4a6aeee714aa003a08cab513 |
| SHA1 | 0f1aa6807a232c14fda638c5d342d380c352d6e2 |
| SHA256 | b73561dfd08e75f67f69de269d0179afac3e7da1962e74c7118fdd1a0a92f09b |
| SHA512 | 147fdd31b999e5f04a6ebacfdb0a240e066e4d51fbcb14cda8ff96d10ad89658b8c7cbe0c88350cc20b25fd004cec954fca613e5a934d061ae8f7f2f9d450ee9 |
memory/1632-671-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EIEa.exe
| MD5 | ab7f78106095a67e21dac6aecaa50642 |
| SHA1 | f30b047d877675af0b59f027055d031680c8f6e1 |
| SHA256 | 63af5d4090abf9fa7f39ba84cdfd72c95d47a6ac5bd2d9a9a824a04c68bed4fa |
| SHA512 | 57b9ccce33492afe6ebe8c900decafc07c447be39fc5ab435d1996b740c0d0cc525d23e48191e531fe76e45d84664a8ab84b69b3cb5dcab265038ec6b1c8eb93 |
C:\Users\Admin\AppData\Local\Temp\wAsm.exe
| MD5 | 97d50d87f3b078376100e6d99a91c932 |
| SHA1 | 1703e6d38e7d98a83cabd1c63483b287d2042588 |
| SHA256 | 31ea364da50769243a3fd5053848db265d70c8f32c3938227ab3ff9f3c2a2753 |
| SHA512 | f457880d68d07ff6e8062900abdbf676ad4571d13ee9c7315dc7c744026d36037e0b9935cfd7065c9380e2dd97687f15aab846f7e626a6f91cce3df2c28b620c |
C:\Users\Admin\AppData\Local\Temp\QwYw.exe
| MD5 | 15d6cef8a2fc38ebf20b768666e7cfe5 |
| SHA1 | fb8a49a8ca531ec77b156f2a0abe37df1fbd47fb |
| SHA256 | da6e86b15484deb38d220609693b7f41d9449f6f33b6d428858bcb9b7c7138f4 |
| SHA512 | 7e5928b18999e3fa669dfe50a2eccd3323061749bed3b017bea14b2ecf658279c45c7913b489e242f57f1de8e90a160cf1cc416cc4843147087ebce78c4a97ea |
memory/2296-712-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2296-713-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2656-714-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2576-728-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YsgA.exe
| MD5 | c8880bbfb2349f5b08e4aaa6d664adac |
| SHA1 | 45acb38c375fa6584f018401624df1568ed96021 |
| SHA256 | fb1f3ef6a78ead0af169349b6239096d2dbaa9bb8d2d61710452d35a7c9876f1 |
| SHA512 | 4eeddfb6f45dd02992fac4710dc1c7fdc0ecf7593dedbb65fb5ed6e884691fe897c1a218c8b46cab616b8306289bde74d6848d5463350459f1fe9501df9b06ca |
C:\Users\Admin\AppData\Local\Temp\UQQm.exe
| MD5 | ed2e7628f590023c7c083f38c7d4c59c |
| SHA1 | 48b0e07a5f2e3bfdb3b1d1f84a9d2ea6cd0c56b1 |
| SHA256 | 3b07a05ee2357c795266022428ffe65fde55d90b5eea2391afbb053dfd96b037 |
| SHA512 | 5f5f7fc459e263de16c084c76b43bf9ff21f4e1ca0210772ab479cdde3bf14e5715bb8b0657d3c3b21ea20e2a0753ed278dc8fe4f4b76f769b40548e5ee5cd14 |
memory/2296-759-0x0000000000400000-0x0000000000420000-memory.dmp
memory/852-760-0x0000000000170000-0x0000000000190000-memory.dmp
memory/2272-762-0x0000000000400000-0x0000000000420000-memory.dmp
memory/852-761-0x0000000000170000-0x0000000000190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mAgM.exe
| MD5 | 52109b4467765b14ba1361a240fc9525 |
| SHA1 | 059a22b7eed4201d53321662e86b23cd3ce0d054 |
| SHA256 | a9658fd443326d847f30be1537c0a43781d258e5889026ae030a3e5a087f7909 |
| SHA512 | 3ac4e11f532a876068a2c9889cb9502af7a4f24780b1ce41afee42547cc583df382794ec4cfa2d5a00ede9dcd8d5398c40ba434643f9654b0b8efa3ac4e1a9bc |
C:\Users\Admin\AppData\Local\Temp\gEsq.exe
| MD5 | a0be74918351961590b5de8bd81673f2 |
| SHA1 | 27e0768dc5488d8abcbc22648d3bdb93f9bf1685 |
| SHA256 | 7206c7683c262fa91299d067e57c2d1781168bc10da0053bf2ca06f967851714 |
| SHA512 | 4be2de16ddc804fe61a628853828b309bf93f43fd61261876a05f97a958a61b62fd4befc37312e333077263018c87f8eb8f2828c043f8e930beb7a26d5e2aad4 |
C:\Users\Admin\AppData\Local\Temp\UsEO.exe
| MD5 | cc96e6d65867de672dd6b4ce07a3b166 |
| SHA1 | c2811f0ee36cf522dbbac0385990d59205215123 |
| SHA256 | d061a85f9a7b1bfd0b50c460609aff67bd3dd5e71b60f53ce2260b4819ea605d |
| SHA512 | 67d9c6a4026b2f9ffc2e25481e9df316aa7761b7fa3598696fa07b52dbf71eaf8924245d30947a6ca03cc3781b48f79a53ab97e753cccac2210f75b9cf54bb53 |
C:\Users\Admin\AppData\Local\Temp\EEMu.exe
| MD5 | bc95b0cf5764e80e2b7710eab0b08336 |
| SHA1 | f6589bcd5bd4d9c1c03dbadf8c0ae50eb2be7fc5 |
| SHA256 | c4e265eb20b5b6050767a1531ba8d0d5d6c1aeac64bf99d9a282a20b44971eb7 |
| SHA512 | b454489e9c5fe346ce8ad27d8c7408e30e7177efdc9360ca6be5e36c009ed71b7a2bbafc3771a0b001004ae5c1639315216f60a3da543d0887ffbaec85306746 |
C:\Users\Admin\AppData\Local\Temp\MUUA.exe
| MD5 | 526fc97c71fdaf1d3a0818f204c4b285 |
| SHA1 | 488539c04483afe36a83afe72a323066d08825cb |
| SHA256 | dc00387fe1b80c6b9c467ac45ac31538e2ddfee651f5c0b18fa6b4e10bd915ed |
| SHA512 | 5b25b0e721dd5a392e86c1839f7d4b47bd8bddecc2bc5bf4aded488befc22f0330ae1317e97627e4665e1f07cf0a6f3209b4c3b592daaef1be23fb4baf14bf2c |
C:\Users\Admin\AppData\Local\Temp\WaEwsogw.bat
| MD5 | 645edbedb7c4d30f4bf80ce0153576d6 |
| SHA1 | 1f5503245a06782c4622f85d418c3e80818eef84 |
| SHA256 | 13ca6ef92e6ad96a6d07575b0b39f4f9ee95176361d9a4878a8e23f66f23053c |
| SHA512 | 33d044b0446299a5fb27fee870806b97c753ae32d475efa5f3102741a115ce880842514bafdd8452df90cfa64c9f0cbf0b9bc9d28d3985c4a32718b467ab58af |
C:\Users\Admin\AppData\Local\Temp\SUYk.exe
| MD5 | a67122051b0d88d978cfa36805d2a883 |
| SHA1 | 0de041e8b7eff303ca9d7aed0e5f16a442f23cbb |
| SHA256 | b505aff77bc079981f82708cd872df2e3b091fd82d801a39bfb73606b4b8e0a6 |
| SHA512 | e578753f28c4dd913c8e84815d6003959bae595d9ae14b6d9b0efa530a809a97a22dfd4a263ac8b92bcf2642a0ba1052b5b81fb6494bf624b9757def0c5bf389 |
memory/2680-838-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2680-837-0x00000000001F0000-0x0000000000210000-memory.dmp
memory/2272-847-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EQkk.exe
| MD5 | fa2cedec519dfb18a1a5530c7ec18ba0 |
| SHA1 | a723d2299521c810d58c529b4d4dc6432b106727 |
| SHA256 | d51449921df5d23de9d567d87c2880f43fe20536bd872a5d5e68f48502b59d26 |
| SHA512 | 02dad2077b0883f927496e66ed817640d6556cc919c2c435fa53806b08123c6e1b2efcbae76ccf65c49fff03664bf9a9d4969f3d71c125d0861d1e51c26dee59 |
C:\Users\Admin\AppData\Local\Temp\iYYG.exe
| MD5 | 00ec878c379eee888bf7084488ae4dcc |
| SHA1 | 6f742c25d1068d18f8ae6227c9cc099e9851fcc7 |
| SHA256 | 90e6a17f16439e8cf5c46731f4233d47281dbcd1488c054f853fc510b22b2586 |
| SHA512 | 01f7aae8f97859e0bde998a4988728c9c3023d6d485dffc026a149a6d2c63a8d18d59713fa07941130b6e3f13ca8692f60dd4929c54f60ca9a97664c23e09efa |
C:\Users\Admin\AppData\Local\Temp\kYAq.exe
| MD5 | 2c6429ebdfeb0ddf7ce4d8b37be3f123 |
| SHA1 | 3586302d94730d04144dc9b1aa88b2d4f67bdbc0 |
| SHA256 | 9416ac3d7a8b96cc0e9468b5ce1209986afe5fd3655d764a9900273a02736dcf |
| SHA512 | 411de5ee10ad7fa2bb91f280ee2a2bcbaa040c4c6e070501ed7a94bf4eb91eb8928825ac2d7dd1ce987afc7e85062f697604da9a2ffb51b63ef315370efa888d |
C:\Users\Admin\AppData\Local\Temp\QoMM.exe
| MD5 | b1b05d20d3ebd317e70944dfc71a0631 |
| SHA1 | 3fa4f3f637aac33bbb051f86d129a74997995e27 |
| SHA256 | 78861d5dc070706a13318d46070a005143886bc80c21bfc6cb7b8be2607819b1 |
| SHA512 | a852a4f8bcee8470c141175d018a90f106ac7454b61877b1ba7141ebb11f2320f8012a907222c8d322dbb6de91fd2a3ce74e676188f44fedfedf53a68128af98 |
C:\Users\Admin\AppData\Local\Temp\SwQK.exe
| MD5 | 9a7512d132e533a4ba76ddb2761e6c79 |
| SHA1 | 174149cfe92685fbeb058aa535db0cecc88f57b1 |
| SHA256 | ce1f48caa473c8d7fbfa8b0e88f82bc5e1bcbe0b2095425bf13ae21e73951416 |
| SHA512 | a9c9629de32da49a898e57004fdb7481b0dff44183cc9c0176a7c7f3d1d950b81bf2682728aaed9a330606a5286754e11b2f4969127c83f59adf0d2a050caaa6 |
C:\Users\Admin\AppData\Local\Temp\soUu.exe
| MD5 | 3129e78d30af701b16675568d9cf9cbd |
| SHA1 | a45c0d527e5c57fc15714388bbd5819e0b233bea |
| SHA256 | 41fb1568232800a6900391f0ab9e973ebbe68363394386ceae56bafb5a4e816a |
| SHA512 | 637f3a9c40fa4ad1541b7b35e80ec98616102a9f0bcc9077e26995f19282c2401e6629ea295553267c88d40c30ec3748478b184e39880e2dfe401e57a7cd737b |
C:\Users\Admin\AppData\Local\Temp\MkEM.exe
| MD5 | dd3ca58329c398ddf67dc6421bcc2f41 |
| SHA1 | 4b5e15cf89005efe7921b243ad5e216e82e0bb4b |
| SHA256 | 3942a89ef7c445d901edcf3840d1693212cba3dd97d253ee7465cf35f010c23c |
| SHA512 | ab50ae0f8ba4451f4a3ba9430e6539554566fb256db3e3d7ce14ad2e77d3d81a264cf3112f678bd4f577370100e19a14e703aefed8a7a9abe72175774ab82003 |
C:\Users\Admin\AppData\Local\Temp\TCYQYAgA.bat
| MD5 | b236f6db4032f47d9f3e70ceba2e9b15 |
| SHA1 | 17324927383399d1945feb44206f15ae5712ae8a |
| SHA256 | 25828181ce5d428585a732854c698eef1c5247911760adaa109543c300a0b29a |
| SHA512 | ed94aa874cc03582cd24ffbedcc795a932149dec9728834802ec3bb6947771b2ac899685d7083bd6ec069e2608149d821894e559ba2d82d99de3d051b693d41f |
C:\Users\Admin\AppData\Local\Temp\Sogg.exe
| MD5 | a013296dd7b09f4609a5957f1b86f625 |
| SHA1 | 903fcb7bd61f41b0f93b8b4bd93c5ae66f44faa1 |
| SHA256 | ce611b00e9822222cda1a3ba1c6b12e308275a215ac43eb260893d087621657a |
| SHA512 | a3fc6283fb9b56822d286b67e08d096ff94a2a14660777186a8528e181c11453d3f1f30ef47216668b767fa3f3dc402a6f5cebd34811af644a0bd2a72a334aed |
C:\Users\Admin\AppData\Local\Temp\IsQi.exe
| MD5 | 47c87a9d3dcd04200cba0495154a7609 |
| SHA1 | 6e721e10745fdef61957bbd2cf9e9713030f8135 |
| SHA256 | 86902137dff6a40d7b96915899bd2d192b7abd4d57e8c2b61a699ce89b94371f |
| SHA512 | cdce3c4541bf12a79b5f495071469dad2e0083056d1bb5dfad653e68eb7478aa7c2267851f33ff8645ac8dfa72f980ef072cd20aea17848d1d9ba21823c43cc3 |
memory/2792-964-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OgMK.exe
| MD5 | 442d9a45959b4f8a97606856deb36fa1 |
| SHA1 | b25c28230a149d1439f1aaeff7aeced4d359da38 |
| SHA256 | 6c3cabb53e34c1ea2a038bb311827ca5122fc72f83690c5e86b37999d2627c36 |
| SHA512 | 37dd1d402b0da70663b8a06169eba59b89a1c47dd944b43528867f359198ae2084156dd01a9aece2c20b63d9d76d7870f3fbf23bf93252b15a4f60fe9b5a5bda |
memory/940-996-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GYUc.exe
| MD5 | f9dab252a1c8c280c43cd2b1bc4aaac0 |
| SHA1 | 83cc924344cd623c16f779ef9eb57eb697193d40 |
| SHA256 | 5a9fcc1c6a237bab157ae5687e54b3ace9fb855feb8f9fb99d39d37ac1ebfe74 |
| SHA512 | 588075d9850ebce5b3556cecd7bf1368591ee0ef90a7a6110a80f06eb26b4e5ea1cd0a42ad171e14ccebb4fc67e85473b93062f1e9d302b726aaf0da848401e3 |
C:\Users\Admin\AppData\Local\Temp\MwYy.exe
| MD5 | cfafc19221a8f14a06758ea20db3e234 |
| SHA1 | fb9c9ed1a973a4f789c18a6df953abb59c36547a |
| SHA256 | c31fef1af15be91aec81dbd273356cf94f45d68360350ab8e5e960c208149c3a |
| SHA512 | b64a03fdef1d648ed9d1ffcb73a728c69641cee4c5053136ceedb192ae2647861ad7996c2ab8771ccb63be4f68cca068bae988ed4ebf5d59616f4b9ecdb08825 |
C:\Users\Admin\AppData\Local\Temp\MsYe.exe
| MD5 | 3f6ef07c125d01078004748c82984928 |
| SHA1 | 6193ad684707bbb7f2f809a2522957ab547b2d70 |
| SHA256 | f13e2a698098db536e2612b7032e6b09dbc9555737b3c41d482b8744866ab83e |
| SHA512 | fdbf245ea293433d7fe0ed3efc3d0b492eb04c24fc5d443a54ba8211c50b5387a61752ad1d1754cbc0bff4e70572a751f39bbb951671f706e04cee7883b95e7a |
C:\Users\Admin\AppData\Local\Temp\okEg.exe
| MD5 | dc34a858f773bd9f0d26c607ec3a8476 |
| SHA1 | 97cc35c3c731cee7b15bf62794a333830a5424e8 |
| SHA256 | 7e899f30524d7de052b7752b05612d83bd598b15baaf1519e2d86d9b8bea0c6c |
| SHA512 | a9a8f1a43cd64bce453b02600b650d8a740fbd31bddae556cb6c7ec192772e5ab3ad620bf049291196b355460f1fab1a7d34632e132c753bf6d061e223bf04d8 |
C:\Users\Admin\AppData\Local\Temp\kwgo.exe
| MD5 | 434cd993ec5cc25a8a822e0e8ca3eb6c |
| SHA1 | 7f6b45bb6af1d744a76fd55a863befd7293c59b5 |
| SHA256 | 0e211b4ce214d541dcaf253bb5fa5398650dfb169dbdf9cc40ab8ffadd445f9f |
| SHA512 | a7309d80677c5719e1aec59f2c531b5fc56449830002f4d34eed96f39dcb6c70bd9757e426cedee4744f6217fba734875282931b99f82208e04fd794d8ef51fe |
C:\Users\Admin\AppData\Local\Temp\GEoI.exe
| MD5 | 8336c93f632159207701b801ab36d77d |
| SHA1 | f5b1507790eee9813d1f67811ee459175616f833 |
| SHA256 | c235867ffd16da1a91b9402329fde87defc6a035faedc4c2b6b44afcb83c7c57 |
| SHA512 | 955c037d2e58f2765d116dcbd5e5a442c7032ddc92c7b8cfb62639390f9f0ca0b55c32c7ca855ce0190d1f26ea17f1b5027846c77b0368f0aeff8d2d581e2fda |
C:\Users\Admin\AppData\Local\Temp\PAUgMoYQ.bat
| MD5 | c39cdffdf549a23cb73bfce39f7ea5c0 |
| SHA1 | cbc85f7f691fc37257501f13422d04017a9e798b |
| SHA256 | 47007a829c4e7b86183e6e5d858e30f35c7a91a698384eb2d4c4c35e954974a0 |
| SHA512 | 731f2bfeaf8c50ef85bc8dffc4adb7cf62eae2bab1fde5e56cf54723d563019c73399266ef72fa8bf4a4fa7b5f93cb2f47f9a25b13a25426f72f84c8e2f3d281 |
C:\Users\Admin\AppData\Local\Temp\EYkO.exe
| MD5 | 99c4aa0739703aaded2b86568e4d06a7 |
| SHA1 | 605a01e306115cce9bab776c3f0bd06e67b6e586 |
| SHA256 | 934ab4f61c80fe6ae0f638d8807ceae34358469af357fcf6f90add414d065f9b |
| SHA512 | 9d224032e041d3ef8e79315cdd368d4c9670d6fe0d7e944918fec36640a421e18810c1679cbec770f8f08f624e4f6b54c3c5f4919960c66ee1cba5ed89c9cccb |
memory/2652-1097-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Wwkk.exe
| MD5 | d96f8eac23c31e32848b50c6a7b873d1 |
| SHA1 | a4d3b0781f15ae94910ed6ae14f28ed8cf43fa3c |
| SHA256 | 9a776b576b33b49877a8305b6f9232f25d6ac6168cd201f3c36bb65ae5ed558d |
| SHA512 | 965ff0d5f6d39f761b8396d69ea57c41e52c1b1e1fa3eda31572369a4d0d963c261f986ce1fdc7b3b305d743d9dd3f85957f4a80e0cff123c2323b12628650b1 |
C:\Users\Admin\AppData\Local\Temp\ygcu.exe
| MD5 | 409a9f03895f8d3eb9cf446f4e049834 |
| SHA1 | 4797c91c41c08720bae0929f3946af703fa9e8c3 |
| SHA256 | 73c0ec0b9f413dfbd49d6ddb0e67277efd4c02b44c2f35ff39fa08437334a45b |
| SHA512 | c884ca2047ee9cbe6f39aadf9b761d1993fd493ca0c4e1a99bcf5aaee3b816bcae8925da3c0c6a4f46dd7bff346276b18ffd1fe4d1594031b8a66f15e750035c |
C:\Users\Admin\AppData\Local\Temp\IsgY.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\oIcQ.exe
| MD5 | a5aa25f958a8902246e3f1d823bf6296 |
| SHA1 | 3ffa93ce8926fa810977b5875b112f7406b462ff |
| SHA256 | 4d12312186a86f065490aae5876bf5edb728e89d09360fca5215c91cce401569 |
| SHA512 | 7c37d0c2cfaa9c2aa3ab42e8315ca9bfa918a42cae4925b0cc32bd8ed693596486403c33ede2faea0dadf69cf22acbcff7f0cd972efadc6296394fedbefb18a2 |
memory/2804-1132-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gAwa.exe
| MD5 | 2be14eaf3aa4e73b4388cba997e09c9b |
| SHA1 | ddd082b349172e1e070e528c59be3aaba58312f0 |
| SHA256 | 671028449d2a8a4f1432525b2b5773b0f8ecfdf6b58134945a11cb7e6da104a8 |
| SHA512 | 453abcc4ef85ce6c8ab034af3756caa8271509513c1915aa7fe55cd0550ad9faf5b24b5f06f5cb16b84b2d8d532c8e9e02f8ec7a384fddbbfea717be25c3b631 |
C:\Users\Admin\AppData\Local\Temp\HyYMckcw.bat
| MD5 | e27fd8dff48b0abfb2119181ff1ae055 |
| SHA1 | 12892205d0a5ea2051d492c76d975b73c701a2a6 |
| SHA256 | 5b1cddfa19c9449d4e87e4c735216704c7cb86e968d3784f9f5afc1352c775a9 |
| SHA512 | ad67fe8f8d42e33fa44e17ba0d54476ea5d0d7f3e1015048079c122e0e3238f77b52566b2a499b4d84595f23cf60db32376e429d70f26d7d0269a9164949b8f6 |
memory/772-1170-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2140-1169-0x00000000002E0000-0x0000000000300000-memory.dmp
memory/2140-1168-0x00000000002E0000-0x0000000000300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EwoG.exe
| MD5 | 8dfb8b691dde48a5b22a7f08f966b2b9 |
| SHA1 | 0894982fd18cdb40af8f4b140d56350bce87888d |
| SHA256 | f19d531527809fe8603d5f2d2013dd2cd500ad5dd3310d522c806c6876eea781 |
| SHA512 | a7acb561e8c2945978b9f4e72226f8a512674da1a351a10bab93860cf1a3f2edde78d8a09931b670b634b1e41403b92e7fab2342dcb6a5b53abf04c44e9faf11 |
C:\Users\Admin\AppData\Local\Temp\WYoQ.exe
| MD5 | cf4b40103058061902314f1593860427 |
| SHA1 | 98f4d2da846e643e618788dded3efe7d237217d5 |
| SHA256 | 41330f6bba8fa5f53035d3e7af1b2aaccecb5043fa7ee5de0d5c0f2dbfd7a07c |
| SHA512 | af1fc9a998e4b2dc3dcb1323c90787cd22ea792a328ee1756fd33fd2ac03dfdc2612170c78b954481b0a9a588e6bb17e03598c3d11b2353fb6c40d65546f69a6 |
memory/1652-1192-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ecUG.exe
| MD5 | 6abbb38ce02f8c4e30a6280f407f9b40 |
| SHA1 | 21eae270d378774cde1b9b3a3043f6579532abf1 |
| SHA256 | ed721710af442368c34e45aed8328d9cf277f636c116ad39232dceb388f91832 |
| SHA512 | e51f453c487d739f78962d680b387ccd928da17e18e1091ea851759721d650937721a79e6082d7f4462faf04be8bb83b7cdcc7a65f7d66f81cf69d5ac1326f5c |
C:\Users\Admin\AppData\Local\Temp\lmsccskk.bat
| MD5 | d930a8ca2b3192f1e6e3a18bb14c13cc |
| SHA1 | 6d38c1ed2c2548806de379a10eee51c5513ff603 |
| SHA256 | 656b89867cc9020a563865d0439335e554d4b1f5de34b55afc150779e8a19fbf |
| SHA512 | 095000f1e678390f6ccceb2a6ea9b11a09a0f891b41c1b4d2f0789a56bc55c497409e37dc0afee7edeb1bef53fbfb8484c05ec084bc856a1d1309ae600147c92 |
memory/1296-1243-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2116-1242-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2116-1241-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CsYw.exe
| MD5 | 9449adfdf983478ecbc12856591a56ed |
| SHA1 | 9e5e042955eed1e48539515ca74d49980a2e6e70 |
| SHA256 | b9f76042b61ad23e911dae65fecdc988546478534620f5551d786056a4e94afb |
| SHA512 | 48f7be46513e2cf1172df7d67b76b0176b9813950b8673be52783dea861562229b1da32fbd9cdf78bd7be6e78e231da2c72f71fd2119176a4e60ed65998c4adb |
C:\Users\Admin\AppData\Local\Temp\EgYg.exe
| MD5 | 02f3af9508403db181eb31adb6210f90 |
| SHA1 | 8f6995055551c7a81181b084f21438f007b0aad6 |
| SHA256 | 1ea2ff8d7e4cd5b281a71c0ae7dd5f38278e11b16d744b145e6f217bcfbbf332 |
| SHA512 | 6cb5ac32a1d54bc72500cd5cb4e9a76eeb36f9f7cd8a1d209ff7a01f22babcc94616fe79d1868912c9c896b11f88a50f399ddcec0206eb6a5e5ffe65c516ad55 |
memory/772-1265-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\awMi.exe
| MD5 | 87ed99de60cf4b3fb522323b5200530e |
| SHA1 | 8a95684454c9bc891ff6b009b98916a2630fd155 |
| SHA256 | b847951d77563946118328806482176099c0b6234029ad08c8c5fe690b447cdd |
| SHA512 | 3e477475556e7fbde5822b369cc6e6481d1399f2cab9cc3eee59e88f51dc83e07d534c9f1d62682c782c602bd35e07e38d70949ab8b636177829d36dcb0a10e8 |
C:\Users\Admin\AppData\Local\Temp\aYcW.exe
| MD5 | 20515d3fb4cd84a413729d4562096f42 |
| SHA1 | 61a350c362a884644ee5d958679290869dfcb643 |
| SHA256 | 89cb16b06c17f1f29cd63a5b78f9fe963fcd098409b69f8ecccd273b0f91bd41 |
| SHA512 | bc4a950e2b9fbe4df02584f868b1cd3ed77aa7d59a12927c04751a4286f3b1ef7431593d8d39aadee8d6c3e79ce0912e8ad11fff7e0e3b6533e6e0d5e7cb3e09 |
C:\Users\Admin\AppData\Local\Temp\gwgM.exe
| MD5 | 42b004f726fbbaa0b8e6e313fae5b507 |
| SHA1 | 0318393c5c43c93ca2b68cc45d0f64625da45c21 |
| SHA256 | 1e39b66347c380aa1c92af82b07c47a363bcd0d569766ec69c939f31db9005d8 |
| SHA512 | 75a7f0ff2728a8640415806801c4ac90314af1371c59286558aafc2b1757b43e5ba471da6be28b515c79eba15e501abd07da42a0bd6678c988e4ce3245148231 |
C:\Users\Admin\AppData\Local\Temp\mQMo.exe
| MD5 | 921f0359f5ac9ca1b40932f723dc0263 |
| SHA1 | 35599dfb2824b77308df9e0b00099f3b9f5e32df |
| SHA256 | 3f48e54a89754d9a6ff880b93f1a7582ad998a09e4bec0a4568987559b61774f |
| SHA512 | f1e91ead90b984af5d35a7e7c56436945b731507ccba0101e5a1c7ca3b2a653aff309cf0f340a969fce74377b7cea0bd7424195b44e9a1206348f5229ae99244 |
C:\Users\Admin\AppData\Local\Temp\uqMkYMIU.bat
| MD5 | f9952c6d6e4918b2dd08d526e807ceb4 |
| SHA1 | 510700287f366c337339bcadd4576a5a13ba36a2 |
| SHA256 | dd1d86a974c24d49aae2b111591b37dd12c1731af2c2a4b14251f0a02d3d987d |
| SHA512 | e29bbecf1cd5453982089d0649bc3ce8884e6e93c2767909cb080a656609bd622001fbf0a0dc8af25b2b14656c082a3c650dd45fdd92d3db9829ab4714d09941 |
C:\Users\Admin\AppData\Local\Temp\oQEA.exe
| MD5 | 9ba5c6ff9989794da90e240d490b74eb |
| SHA1 | 4c3516718eb2080073addbe843fdf5011c056754 |
| SHA256 | 68751cb4f078690f675a03a0a53a9495d366e191dd1ae72175c97b7263432fc9 |
| SHA512 | b41bd42181dcc99a4c54d5373e0f213238d50b5485c328b56e8f14dfad6385ecea30b56b1ccbcdf513800f52f79108d8ff1a7c7d041ac0e621213daa55757c2c |
C:\Users\Admin\AppData\Local\Temp\sIEw.exe
| MD5 | 648b3507d1abda90055ea2a040197c39 |
| SHA1 | ab9c33090a0aba413176cc40ab325f4b882450e7 |
| SHA256 | 917e7c26e6bb55d60c9864f350d2c6901f714cd02c6f04afafe5bd2b66b8c23d |
| SHA512 | 8a75f26d4b315558b24d8d6c9c90a4c9ee256bf9090a8aad6768c2a3e377a334708a602148548ad6623e4a178583e1fab464352f24c5aa916440689aff5cf25d |
C:\Users\Admin\AppData\Local\Temp\Mkwy.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\kIYm.exe
| MD5 | 82b46e81dac0035f5d875b6439905d1d |
| SHA1 | dcd662e5c44044827b7368500cf1204549450e2d |
| SHA256 | 93da8a56de023063eac3e532a3f60a501c138a8c4433a738671a32c02caa23cf |
| SHA512 | e266c9693854202dd0dc07d4cce610091866f54d7af27c3873f7bc1229e25ac62807cf39ec3377439d754eb47efaae47645e35b46901841f187183af7e418ae6 |
memory/2996-1402-0x0000000000120000-0x0000000000140000-memory.dmp
memory/2756-1401-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EYIo.exe
| MD5 | 2cc13510efb6c16052acbdff40b257fc |
| SHA1 | 94bf132aae3e32fab173cf84ea595b7263d51e4d |
| SHA256 | d7f0b5389e01dadf048e5cb950e816ff669aea1e0f174dc929c9010d7c925459 |
| SHA512 | f9f577a0c751889e10b91bf6cbb4badf6258a3c933fa6264c29ae2c5faa111683866db8f4a05925e156d1355a7833fba8cc5c66149293087e3879b8d0dbfab83 |
C:\Users\Admin\AppData\Local\Temp\iMEK.exe
| MD5 | 38d449b1cb32f847939df1b5fd62e49a |
| SHA1 | 2a783ecff0b55cb190a3d2a8b5641cf7a3db530f |
| SHA256 | de786109bc44cd0c17a276dcb0fcc7a350d16ff13c4d551b759a9a7c1dc9abc4 |
| SHA512 | 0e88ba1fbfa6a7315b21ae541b311ac742704a7ef5f837ef7d7a61178457c7ce2bb95899769291b450d9d2634da91a1553007fde71971db4275876b0cfc33133 |
memory/2400-1404-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2996-1403-0x0000000000120000-0x0000000000140000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwYe.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\Ycsg.exe
| MD5 | 029fe4f6a507799a9a48691efc91d186 |
| SHA1 | 8763cf93c468eb45b1ddbe5804f5e806d3d7b49a |
| SHA256 | e16c64ceaf1c5596383e614a065370a98238e5e7cc60043c27d43ffe5355013e |
| SHA512 | 3aae2c710ad29a9f16797729282a2181a9141075abc6c6d17bf4ba497c69167920a442b5fb90d0c83edfbd7315f46a27de8187259b48bfa6a61ea70d240638ef |
memory/1296-1387-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OIUE.exe
| MD5 | cde4969228986cf9bc676ffab01aba6a |
| SHA1 | ddf82b437705e951384999f8654362c525d54d2b |
| SHA256 | 0642b4f6dfd15dd4bc271637856e720770e04460036e0fffb5680b3dddc07bd7 |
| SHA512 | 4b5daccec760a8256c1c8faac3472b71d722efeca8f858e42e914e5bc1bbe61cae073e577a67963f8e1c71d41ac855a3a2787ea0ae87e07b2ec17389702f5987 |
C:\Users\Admin\AppData\Local\Temp\ScAi.exe
| MD5 | c462c784ffc371444f507d2fd7df47d5 |
| SHA1 | 9b6248f549f39f5ec6ea0ae4632be81e7b1fb12a |
| SHA256 | 2c369debfa14c4d172d44506f660310f825a4954aecbce9b1965616604c70483 |
| SHA512 | c08f290c4bc83862c46310cf52220c9213a6026a959d2123b3bf4b8411167a6fc8235b0eb22fba12ba083e728f81ea11ede8e8d8b405b7786ba61cbecdebdb4e |
C:\Users\Admin\AppData\Local\Temp\esQwQgUU.bat
| MD5 | e83371b6bfab0fd3ef03cd8945bc228f |
| SHA1 | baddd9ce9ab38ca585994dbbdb22c5b07b97f693 |
| SHA256 | e701a6621d0dea5a5439c6a9e70d504d30ea3e9f61d0da3396aa085ac951f9b8 |
| SHA512 | 7edf2159383909b8dee82f65a2f5fc812713d4b77d95f5204e8cee13046b9521acb55b4cc63d978a349b9a7a2d4458a424d93144656380a4ba97ed0c3629460d |
memory/2408-1453-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2192-1455-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2320-1469-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sMgE.exe
| MD5 | a5adec15b38b0aa1f1e6685ef9646826 |
| SHA1 | d0a1041dfadb02e29e300392045e2a56845a66df |
| SHA256 | f51b91e6913cb7d0a47f16147dc106ce9a280a7ecc7e1aab20efc2101148883d |
| SHA512 | 9f5091b3d43a570b6c649194d1af839e1b3822c356a376d8764bbd070b73f14944b477d42354591ba7b2a32a70331662f3d173601aeb3abf231337a141f47aac |
memory/2192-1454-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2756-1491-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\occq.exe
| MD5 | a7fe5f8be2de8acec981a77446d94551 |
| SHA1 | fbff9e11b37e090e658ef230e4395110642924c7 |
| SHA256 | ce942190f090b134ba7fd67364b6408fbf2c5536b72ea46b19de0e5b93f63cd4 |
| SHA512 | 25cfb012c27a9669f296203c05525b272c15dfce5ce4fcbfe73dd8b45dec04509cefd1051019286a87883e1a5798ce93c2722f08b47c459443e33ae6cda6367f |
C:\Users\Admin\AppData\Local\Temp\qoci.exe
| MD5 | 460e793e31a9db1f894081d4ee911e82 |
| SHA1 | c853f60cbf326a021c54c6d8b8e0eb68084ceb23 |
| SHA256 | 03bcf947e53f8b01eab1d24dc90270fd4bf47fa0d1034fb714c53f1cab300afb |
| SHA512 | 036737d9a923cd92f3bf15cc3af1d616786ffaf787535133ac220e3eec44297429a89f35ba4e3f1ce88db0179fd9afb391d1a5673f174234a250f5c9dfc05ce6 |
C:\Users\Admin\AppData\Local\Temp\IwYW.exe
| MD5 | 0cdbdc8a6fac8c5d1881597287484ca1 |
| SHA1 | f59c50cced26dcb848debf46c7f4df2b95a03897 |
| SHA256 | 36a367c80caabd0310782942f041038cf9dc9440d0664133ea500c6bbe364ecc |
| SHA512 | e61f5c60ecfb665c6b08d386940a2aee3ba9f5a5d418f024c5693372eedaa6649f31e68c5fd2797910f8154ea60db7106ac10078cbae02cc6aec5ca509740485 |
C:\Users\Admin\AppData\Local\Temp\sUkS.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\cQYA.exe
| MD5 | 693d6246d1936bf86427b15b8cae669c |
| SHA1 | 576f2d828a236a391e31d6b791ef7b1c090f60fc |
| SHA256 | f43a7b06cd8323e5ec6a5c4fe19363404c3ec689df9724f3bd9a9522b16b183b |
| SHA512 | 36f9e790b11e91ae8a9c7960f276151e995736de07942f70c301403cf31cd9ffd06f2e53d3ec16f79c90ca90434a93fd50cf04ac611c12105fa8e422d8a860c4 |
C:\Users\Admin\AppData\Local\Temp\aOwEgEAU.bat
| MD5 | b7d822d1b9bb29391070c6f2c685b248 |
| SHA1 | f79681a44ae247ff740872cc61d22a409f4af728 |
| SHA256 | 6afaf256201bd9a8b998afebaf502f35e5e073f4d982152b9218d704ec6e4b83 |
| SHA512 | 1c59a5f9ac7590d3341d2ec7d0c821edc221ad7b5143b32e05dea1f169746ab2d07217d3714095000b922386714fc8208dcd853f10aae39c0c4b4669218a1d52 |
memory/1476-1546-0x0000000000280000-0x00000000002A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wcQU.exe
| MD5 | eb9d7da44867558a4b18983a9124bba0 |
| SHA1 | 8d18edc1dab5a7d98cb1ef43b6e22e2b4e6cb952 |
| SHA256 | 43c48a30b1f7c513bd162965e94da678560b6be940970e7f632980b8ea547911 |
| SHA512 | e0e19c05217138e496bfbb159db131524482c53b7aee6009ca6b031373230dcaeb4a1c1b6bef98ef1b4ca245598f6fad29ae690c4f048b05a5f859d6ed9679e3 |
C:\Users\Admin\AppData\Local\Temp\SkUc.exe
| MD5 | dab40cb60395047c60a3a0a28dcdc779 |
| SHA1 | 46fb78c5eee29359b86610b4a0e0b609deaefb23 |
| SHA256 | 845903af48cc75aceaa3b9bcc893a96c9c543227bce6e65bfeb4983a8b4f5a75 |
| SHA512 | 276f4aa361df943e2b8876035d5c7729e8a2e5ac0c2b9bc4884543991f56a37763f5fb6e35083aebf1ea5dba0d9189e3124e1a1df7f974648ac542702dc031d5 |
memory/2320-1571-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KQgw.exe
| MD5 | 2e2412d4c3c32bb0086ab2b3bff8ae6f |
| SHA1 | 712bffdcae1fd78a5f7d901e7b6827cd198918e8 |
| SHA256 | de501c9977cd938a39fe85d8ce1b9b0c0276428691b2382894b273de4dc09a3d |
| SHA512 | fc7224a2eca5e19692a8fa176509f334060037a594cda983b5dcc2d39a93987e22f719fb78b75b8075ccba657963a9bfe937b891fccd74cf952790adfa973955 |
C:\Users\Admin\AppData\Local\Temp\gcsYkIow.bat
| MD5 | 947ab1740710fa9abbb94b723878f307 |
| SHA1 | 51c6149048777d7566a2f34a711b9c980954f75e |
| SHA256 | 41ce730e1061bfcb7f7850887abadd8a83bdeb52e49cec7072d7222c8fc59d5c |
| SHA512 | b615dc7a361c13f915768dcc570c24a7acaca4c061f8fd35388b954125c2d2fd1615e4024cfbf3a46e0795ac8d7c7c565b6ebee475257e5b5105bfe3a6f522b8 |
memory/2612-1625-0x0000000000160000-0x0000000000180000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | c37e6265f8132bfc60c03e8e5c8cd597 |
| SHA1 | e1d66b435e61764c7ab1241ac250e2fb26b9c18b |
| SHA256 | 38e292417dcb8144214f20cce4d232324357a911fde016b088ab92f3b05b98e1 |
| SHA512 | a726dd7026f405b15142ce720b224f5e7cf09091bd5245f7cf6df51a6b3abd378c9ee1e76b70641be5f0777d64dda2731c21a2b4dbbe46984febfeb672ddf799 |
memory/1376-1637-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\swYA.exe
| MD5 | b5a8744a09ad5eca6a326ad2d914df4f |
| SHA1 | b827aed701c4b1709b4a35b69099af31d6149aa7 |
| SHA256 | 63bbc63b0a7edc7d4cd42675f4b84524372bbf51a4368e6e105b6e2990663aa3 |
| SHA512 | dc510d7d7155caf260a97d08a4949b46a23127fb3ad062d9c2b9495663f205b2bb10b30e83e5d8398e635415094f24caa1ffa693acdf01b5f8eb8b991080560a |
C:\Users\Admin\AppData\Local\Temp\EsQy.exe
| MD5 | c867c93408076e21befa0a9c23723335 |
| SHA1 | c7189033c0a925a062ca2e5fd6d46e28f3bae352 |
| SHA256 | 9d656fb995a7ad81ea81d1e27f995d7963b76e6ae4aecec2f63784e92433b16e |
| SHA512 | 39e3e2a0da12070ea91f8281673b656b54079f330bc89cddda84e673dcda8f18ebfe1dc5fc05f9d2232a78dfdc85c4daa7d69706579dcf9798c4b77a17c4d178 |
C:\Users\Admin\AppData\Local\Temp\koci.exe
| MD5 | 24ff9120e8abf03aee1499dfbc2e6e10 |
| SHA1 | 2754159e0a201efcd32b829a431d0f06e52031e1 |
| SHA256 | 7a8bf8d7a04f77753ded9ed794b8457889421e2b13649b21bdb724f68af70950 |
| SHA512 | 77536082101def0824f777dd07c79702c919e33c4e81cb2f946c3a5ea7f98063897d73d30c678586a0c6a643e149fa88f995ae48fa4dcf49a990912c8dd4dba8 |
C:\Users\Admin\AppData\Local\Temp\VcwAcUsw.bat
| MD5 | f436a95d9df25ca14be71b255f189e2e |
| SHA1 | 6c6f9d35480966819fd661ffdd61a181918e9d00 |
| SHA256 | b75f6488894e9e59cf23e60a6f233ce0249f8b8e207d3ab357ad091e583bf85c |
| SHA512 | 8c3d648475db3d7db6e129e063e499def45d520af5e44a6673df5f7f29cc166568be52e34535840a6230aa7c5fa68d370ce487a8f716402983feb0f67a84e79c |
C:\Users\Admin\AppData\Local\Temp\MMQa.exe
| MD5 | 5d2a8b76bd774797e71205b6aa43eb16 |
| SHA1 | 9b5ab9b8833cce3615d5cdfda6b5848e6f60666d |
| SHA256 | 0f6393a4462e1d4a79cfd9365fce7da1bd9c6e7da0edd4c7a92d86bfb17c490c |
| SHA512 | 816514f02d15f9d5edfa63ce903d4844d7b2fe321a32004026a6c33394b2f5b38597ed281ee4ffc247749f77926d567c770e89d87d38c44c248676df27a6e4ec |
memory/600-1711-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2720-1710-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2720-1709-0x0000000000130000-0x0000000000150000-memory.dmp
memory/2184-1722-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwUU.exe
| MD5 | e944df2ff4755f587383707e7706b21b |
| SHA1 | 14fae995831eb6ddbeaa1ceb00501445c67774ce |
| SHA256 | 3eafd66862db4c1f40141f0d4942e4e0eb59ee5c3d3dcb78eedfbac67f68f28c |
| SHA512 | b870c5dba7aa041ec4699c46149285d492aeaa32d935f22fd3da089957dddb06c18e98ff4c2dd1b7ad91b74f499955228a615ae8b3d24bc47210256e0ff5637a |
C:\Users\Admin\AppData\Local\Temp\mIQu.exe
| MD5 | 1a199e200aa182253625011a42283bf5 |
| SHA1 | 1cc842ce26466b4879f6095d4b164064b876c43d |
| SHA256 | 1c07edf5a891f9345cc0f5a310200e5db54841c6814419ce97e8296ceb40da8b |
| SHA512 | 91583022012c7b38b9a3ececab345dd7afe8ff07f301b7497a293491caa5a5485f78dec3f1d15bf632670c0f41ee0e383614da24fbbf65f89d3faf841ae98543 |
C:\Users\Admin\AppData\Local\Temp\ZekcYoQw.bat
| MD5 | f59983a7b7bb390c78d676b5e588afff |
| SHA1 | e60f112264db6271ea7005eac93362319ab03bbb |
| SHA256 | db965d6ecf1f0d2b03214648a919641cc293692bfe83b942698b8c53c66c6f46 |
| SHA512 | c757f253da1ba197c3385349fd1fd3deadec657c8e23b9930e2bfe77f7ddd2dee3d61444b31a3f7c12be282d9a1fb519221d6986a0bde666f4c6fcf32ec16e95 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
| MD5 | 46b5f8dcb7b09d3f23770fc5239d5e1b |
| SHA1 | 8628194edfa084461a49ba4ac8667e5e53bd5d11 |
| SHA256 | e35edc647f84c12cbc2b4a460e0ec1f6f07dc3fc2baf9274093915197524586c |
| SHA512 | 177325f986078dd59661121a4fb58dbe45bb8265d3b81d6213a0283bcd1ac8568867232a50708a6a81bc0c46df19a98e360f0d3cdfb4d921abd2f11c0c9b10af |
memory/976-1782-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1496-1781-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1496-1780-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SQsk.exe
| MD5 | 02d4a73a892471c37a60a52c18cf441b |
| SHA1 | 844a4fa978d9c1c871fce2daeaf76d0de9b92f7d |
| SHA256 | b9cd76a4996f45bfeb140dcc64dfbbf430575759299f21dbc930cc30fba744ee |
| SHA512 | 8345dd2ce002e1ce81aa171417afc837c92bea7c1b63c19ce4bae0dbd06682d44aca024f3118e7e79ae8d4529312c54a0eebc2ba6f563918ee283143c35647be |
memory/600-1804-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sUMw.exe
| MD5 | 92e38afcc92be759c9b0b91dd79ee2b2 |
| SHA1 | e5f4ebf1e2171eff07c81f2b2fd02fc948f08169 |
| SHA256 | 373bbb1a38514beac12e8a8125ae70e074979044254ca71196157d570e7eae5a |
| SHA512 | 694754876d464bd78502900165f11862e8a74c4174c74739ee39053aee0c15a34e2ffed4c0afa9b70730880a8824463f30c5006ae325df3a719344144847d2f1 |
C:\Users\Admin\AppData\Local\Temp\GkwY.exe
| MD5 | c2d621eec4bcd0feb853bb9ab03ac103 |
| SHA1 | 463537c46a09a4aa5500222dd2ef456845952bc7 |
| SHA256 | 259f042d576827eb58fc1d986c04a82c5b53fc35c8c9ab62ac13f4572d100740 |
| SHA512 | 015a7bf7149d87a07d062a2d8446f13b8967a585f47ccc1488e0e48dc310e26a89322900c2b32fb447c56e3515a2b80f72a810ea83afd0f6db5c06543ebe63e8 |
C:\Users\Admin\AppData\Local\Temp\LSAAkAgc.bat
| MD5 | 350ed98c96ced183abb84c88708617a3 |
| SHA1 | 7c7b770f2c943e34877dddaf9d37cfd35aa8ddb7 |
| SHA256 | 8d824aaffbeec45510f04daef40fc47c01295adfcd4b837406849c60ea5ad291 |
| SHA512 | 4616693843707adeb613be3cf56a7e47fe7b79839089dd35ba6816897503d16599f382cfe8f70a4acb6886d38a60b007e3ce2d16f117972c5b331945d34819f2 |
memory/844-1850-0x0000000000270000-0x0000000000290000-memory.dmp
memory/844-1849-0x0000000000270000-0x0000000000290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IocE.exe
| MD5 | 6cfea5a0bbaf873a6db2e6086b07011b |
| SHA1 | 3a5937a4b9698c03485fa20d99e591031be6215a |
| SHA256 | 1208ec0d4069a132aeb8fb9168d57c779b698f83223568aff2f1f2425010f027 |
| SHA512 | b60727690545d033745e8a55e74e8d7f050cb0de157b94bcee52be686a45d398801df0a9670df8ac8dd8fd00fd75f26bd07e664cb7b5c80e0e403c822f7f571e |
C:\Users\Admin\AppData\Local\Temp\egIG.exe
| MD5 | b895872108f7e79a6937c4240b30e551 |
| SHA1 | 2675228e177361b0971ba0d93fd54d1146773233 |
| SHA256 | cfc97f9fb5ad57738aa0a626d10e5381a56131178dddde97731663ecb8725cca |
| SHA512 | 60b9391f236800b55ffd56af1856ee45e064ecdb9360692f05a3efa8e1faeb2da8d44d8b051bc94eb4e5a49b9d62d72ea46a2eb183e0d1a09f9f632a85037e59 |
C:\Users\Admin\AppData\Local\Temp\nMUkccMs.bat
| MD5 | 57b0371f58cbe4076a0018dd68673405 |
| SHA1 | c9a5c9b2f03c02203297e5120ccff3ec518831b4 |
| SHA256 | 9828bc0aa3278dd4b5bd23ea37134501aaa654a0a3d213d7d6982f6a4940454e |
| SHA512 | 4b5c893fe0278f359bd9a755211598cfab04389a2e71f961654536f758db1f801170d5a0d3688d623f7449bae17902196d68b2abb83d24146b0f900ee6318508 |
C:\Users\Admin\AppData\Local\Temp\gwIM.exe
| MD5 | a4d1f44d64a58650db720e5a6075abf5 |
| SHA1 | d3f74a67c23b64f34831452bff2f9f4fa2a101fc |
| SHA256 | 4b6afc28038fe46bab23516b72b8f23667cba589c09ffba9b455736a31eca77e |
| SHA512 | 9c050b77d42a2e681051e3a747ca58ab0077222fa46006a08c6b6658c7eb32832bec4bd91051c966946fee8f9f3f4e615e289d8992088f6c32f507c0600ccef9 |
C:\Users\Admin\AppData\Local\Temp\MwMA.exe
| MD5 | 8e9b40d10d89fdf25739c1ea61b3e310 |
| SHA1 | 3e45546a0d2aada4d3d3d54e707920fd4dbded61 |
| SHA256 | cc1741c03edbfbddeb22952d5ba47e0d897d85bf86f07845fd4829a0025e28b0 |
| SHA512 | d90d844595d3253afe03081cd62b7a64717ef38b536d34e75405c729bfa158c02ca7c012516347bc74ca2be17581aebbdd118ba5aea33e4da606bcd54f1ed46f |
C:\Users\Admin\AppData\Local\Temp\MMcK.exe
| MD5 | 54a6d36c40ff2a607cecf14c22493c51 |
| SHA1 | e279828a3863b8222470f2ecf859aeae7cf7d291 |
| SHA256 | 40e9039fef2c2917a3c5f006c51524e4cf63ddc17d574768f4d61a0896c2777f |
| SHA512 | 307a5b3cc596e82c2f666cdd74903b914ac21a4f0cfa87ae0e6c9f0d337c01cad89de0362ea91365510dee36771b667993f0b8492ff91446a7020d306a88721e |
C:\Users\Admin\AppData\Local\Temp\KMsg.exe
| MD5 | 9f4388e11d48a9b409a97f89bb97c8d0 |
| SHA1 | a3bb572ac57ac19a9bdcc3bb4751e25dc7fa2a8b |
| SHA256 | b5dff0ee07638d1ffe1b7433551f9feebcc762a58257db0210a580b9267ce2a2 |
| SHA512 | 4f56ed6e3be379a577cee8014d097f396961e6177c164ab93c6a05b86655d8816ba95fafcdd0fe6d68b1a45fed7d91351130e36968251188aaa326a313753526 |
C:\Users\Admin\AppData\Local\Temp\VoIgsAQw.bat
| MD5 | 2e540077c03f522b67b49bd350106651 |
| SHA1 | 6140cd659f70145716ac3133d057d6ba5864cc48 |
| SHA256 | d8e27b92cd5dc1d3a82ac4aad0ac9716f0873b2c29c5126c51f8c1a924e2e208 |
| SHA512 | d8c9092a7319b7fd14da9db66e0738020ef081612934eea144b0ffc0d0a7b76410e6e74aad58e48f7f63ff8235d25e08f75fb95dfeec94f5312a4636b62b9827 |
C:\Users\Admin\AppData\Local\Temp\EsEI.exe
| MD5 | 8156ae5e2533e89dd1c7fec33e0e776d |
| SHA1 | 517821b8b8bcf95579822fa85793ac51f958664f |
| SHA256 | 19c7afe190142856eb6b75461750e44cdfe510180d772efc38c0edc602a5afc8 |
| SHA512 | 16cc9cf0668cef13ae1231737fdb5c7540f4304a31ea2c4ebbc306bcf9449c6a129b261c56a0e194d069606d29b76f77a9170aeb486378c64d88856f4241cc39 |
C:\Users\Admin\AppData\Local\Temp\ksEU.exe
| MD5 | 6f7b91efeee27c65beea9b901fe9593f |
| SHA1 | 23132613cba448d7c17854451fc39fa6de2f4573 |
| SHA256 | 1e5b31a14d4ee55445d40fea4c7d446a1b0ee02d7797c1b5d03b095cf1888c5c |
| SHA512 | 3dea183b51e0079ae4241d5e08747cde9486a3d5edbf5677d0d0ad2524a14085a4755049c89458ccbff383994e10e06e8447cb8de4a5ccbd1938f8608411ef2e |
C:\Users\Admin\AppData\Local\Temp\WEgEoIcg.bat
| MD5 | 980dbe192a8349f96c3f3cf02894cc8d |
| SHA1 | e8398f874b1e138b388904640a8bd356482c06a0 |
| SHA256 | 8119fb61bba627a1e16cd5684b1f30c18f712b40cab7f252bd84bd962d9188ba |
| SHA512 | c4d2fe8a88b63d83f7e1ddcfd026166075e227ee70f53d50385195a48ab1cc8898b6bd4d698f1b38c9ac7d480c0d32290821d9dd903897ac9521187a61a165e3 |
C:\Users\Admin\AppData\Local\Temp\iggU.exe
| MD5 | 45f027072b2398557bc5796efd0167d8 |
| SHA1 | c80ace36bcd067cafd8f544dd27b1db4104ae022 |
| SHA256 | 762066f2ccdcd508c235e061a7829ee35653d0899d215d3dddeb8723f95d6fcc |
| SHA512 | a5d558c35b261a899a0c50f6405d799d8d4ba88c7b83fa764e26e3907120e702b8bfdcf3f07670f29c38227c93244f9a774356d35af0f45344cf309025400dee |
C:\Users\Admin\AppData\Local\Temp\WIsk.exe
| MD5 | 0b2757222898bc2374c477fb24372bf5 |
| SHA1 | e89d948c84b5f7c5f88df356a1e8c70f1db0bc9b |
| SHA256 | a08cf32bc1e2d122a9c216849e9fa8aa216928281dfdf5a1d4f27940b3456b0e |
| SHA512 | 32dfe80d0c5fb3ca450b4a7dfd7a6f6ef5f30eba99ad08a6f711cabeed5efba77bb74ea7f46adc4ba2438aae5551535cbb917b65a0cadc79b303970065d40fc6 |
C:\Users\Admin\AppData\Local\Temp\ogAm.exe
| MD5 | 15992a80f065f30074a7dd2050ac3f2c |
| SHA1 | cadf26d33d15210a69a937ed97490b5593f6b987 |
| SHA256 | 788e763aee938c5e18f552f54f0280a02e14007058b4103513c93e14dcd7ab31 |
| SHA512 | 111a15d0b1daffd3d8912f67738df0a1fa2f6ff3e1ed54418bc7c41b7b701d9ce9ac7b8395a90ca9b77828f85b3ee6be03f165e1e87b5cbac2931a516f8f2457 |
C:\Users\Admin\AppData\Local\Temp\SiUAwcok.bat
| MD5 | 7787712443befde7e93c2bef8b3d794c |
| SHA1 | b36826bbbf683ad01800c258ce6c4b1b7d1499fe |
| SHA256 | 666b8f59d4866a24b932823cdf960ff96abefed03717936ac6c2bf38c299d195 |
| SHA512 | 24c6a00bb0265a4f6f8f60807bb06342e7b0d6f6f771f80078065b34e12e0cdcf13300d2bc58f601f83a084854acc0c3c9499158fb6a79e9beb6a82d995cece6 |
C:\Users\Admin\AppData\Local\Temp\GYQC.exe
| MD5 | 6c43707f93ded943f37f188cee039501 |
| SHA1 | e66cf5c2fb436414f24636ca402a7e80e97d1d48 |
| SHA256 | 0bd7c9c853f9214649a5f9c3882b2eb19fa7045c714c21cadfc98fa97e233b5d |
| SHA512 | e87c4c0f9f2c0a04fa41e54f746ac1d7a987bc520bdf166c79d928eec285410ee61fa6aad681e3cc2e4f7efa9a99fa9b2616b1f868f05cd6dec4bf5da72e01eb |
C:\Users\Admin\AppData\Local\Temp\GsYU.exe
| MD5 | 742eae86158565f6748ec21fae5f9964 |
| SHA1 | 4f792b78dcdc20dc4b8179b30dbb29eae6b487eb |
| SHA256 | b261f77d8d230dacfc58d8ed2c6f2509bae8549ad153408cf94366c60defed76 |
| SHA512 | 27f43e2bd39fe54ea7064ad84a3b1c82afeb6fc566550fa233a579494025bbe21357d9c5a850004639a6892cfd0ecac065760bdc8b2216c2cbffc0775c59c519 |
C:\Users\Admin\AppData\Local\Temp\csAk.exe
| MD5 | 63308a47ac02a88f7ef4423f62b38f32 |
| SHA1 | 9b56d834b68dd8c20e8a6471679215446fd8eac1 |
| SHA256 | 35dc327b97a43b39e668b5d1db4c68641e20e5c22d926869dd5d6976f2fa59ce |
| SHA512 | 24ce8adbb55f6cbe9278c415f41939f3ed22f1cccaff9a364353c5981897aa1c855d0fba7cdecf93305e1a8324432d21dc2e137f26e52714906a564b161aab43 |
C:\Users\Admin\AppData\Local\Temp\YosUkkwk.bat
| MD5 | fdb8d1a1cd2bd0229a253c25a08a2555 |
| SHA1 | e92dfc74ca14834536f9faa1da5ad08a5a7b0ec3 |
| SHA256 | a90bce43d38fdb24e63279467b15bab5c4854844d58724ca8ddbd844a8987095 |
| SHA512 | b2a5714cd366afad841ba5a4f10c4fb6f35e04f3aec429e63df0e27c0942ce7f339a7be6a86f9e2aeabd31f8a5e15e537acdb09d98dca594aab5ae0e4d2c5f29 |
C:\Users\Admin\AppData\Local\Temp\MsEo.exe
| MD5 | 6049ed832bf7040b241cfc8df02ff6d8 |
| SHA1 | a31646a1a4852202ab75efaa78910f37d14287cc |
| SHA256 | 2b8a89fe40ddd5d30ae56bc9c8d7795cdbb4b1c3a65661e0c20c3070265ed8e4 |
| SHA512 | fe49fc8194f4a36b1c00dac248eecc2ff0f730e42f73988ec3bc36eb02167bce0a52719857f81857931471db7504bafe6165fc943b5a7280b6960c3e3bf7afdc |
C:\Users\Admin\AppData\Local\Temp\uUku.exe
| MD5 | 2f92097ad212e1377b200662a525381a |
| SHA1 | 2488cbb0508e588badb4cf2814932933f85c5479 |
| SHA256 | 94ebc85d58653caab97365035ffd42b5063e5e017c0b33cff56fa2911d1877f8 |
| SHA512 | 34ccfcc80d48f2b4f15c31ea5704e5ed6c1c595329f871a67e78109f104cbd43620d9bfb1073cb87377734632663b7428278e8961097170f845d8f9dfa7e1d6d |
C:\Users\Admin\AppData\Local\Temp\GwowUAcQ.bat
| MD5 | c112e0f10af1cc5cc0ab589e32dc0752 |
| SHA1 | ee709443ef3de3137744bbdf69a9681d1b7ec410 |
| SHA256 | 587614b28b51b730d6d62f29affab76baf213883f90718599f70df76e83bcbe9 |
| SHA512 | 7eda83eaa7fe6fd70ab717880fff6735b1d46941f7efcd16ee4cdfb59e3556ec6427eb23419ceec0befb22783cfd210354fc37d10b4a55313cbcd2f5b2dcb5af |
C:\Users\Admin\AppData\Local\Temp\WAUs.exe
| MD5 | 9f31fd8afc4d2d257dbdb7b35445d6bc |
| SHA1 | 56feb5bcf0916117364690ef2b3b0514f34354be |
| SHA256 | 644fe1fb85d19c40e1deebe833d4d55cf4cb3c38857c9ad634d11b1f23ac0533 |
| SHA512 | 54e67b15724eea17d2e999394240706fba2a82fc7bed86260bd8ea844bb41a9d06759d34382f614fc8a759fc0208c20818424a21fa9238bc721c1add437fe97f |
C:\Users\Admin\AppData\Local\Temp\Swky.exe
| MD5 | a453e799acf469154192541a0ff45e48 |
| SHA1 | 9035c379391c6def7a9bfa602cd1203b1f431428 |
| SHA256 | 0e670f864c4a9346fcf33f3040015e4373ac29e68f4263134ad6937aafc4c433 |
| SHA512 | b15a40a1dc3078062fe05db6b6055fc79359fe8a8e61ef1c0b5f1e97d8bf26cb47400eb9b4b76c03cb21dbe125a3cad44ee9a7c5705faedeb4e025cca8ea1451 |
C:\Users\Admin\AppData\Local\Temp\acow.exe
| MD5 | 389ae0611031b813147b3404cfeb59c2 |
| SHA1 | a2bfaf23046d2ce85b1ad8651cc67fe3cc092422 |
| SHA256 | 1dbd3df7a4aa2db66cc0bcb957269c29c2e2a4ce5bc3b2d8c6521cb392c9d34e |
| SHA512 | 2d5b56b91962657d28790235f9ca8528cf3ed0db6d1b160babde56e333a18d00803e59310defd84f4cbf1c98a3ce1ad94d12e374da9d84489839b3f808e2d821 |
C:\Users\Admin\AppData\Local\Temp\mAUu.exe
| MD5 | 3e8bda44f1a43fae88dfa44a7cac9de3 |
| SHA1 | af58929892c315d1c13fe40bf949ea98d3d6869f |
| SHA256 | 247a49af575a882a422de8c95f9f82493ac87d903fe78de05fd3553d013e6002 |
| SHA512 | 2c2c05f51bd8701d189254ebb40946a3f0d034d8c7195ba6ffdf85f66a4cae8b2013a5dc4e8d0deb71fafc13468d7fb0490af1196b542605a756025ae62fd43a |
C:\Users\Admin\AppData\Local\Temp\TMccYMos.bat
| MD5 | 366978834ffe516c8c0e1014e6932a06 |
| SHA1 | 2c342d806b3d4f543db151101b2d4fd2b198ee7f |
| SHA256 | c6f678498406c610d391116edbf37f7766409df1604eba57749e8dcdf580059b |
| SHA512 | 9d58128ff738635e4b423865bd8275ecc975f2ab6285915094a06d1cbbd36b9654e6b62a1d2f7b25357016de1feee1810ccd94fd5a36ed83b1dce589bd882aa0 |
C:\Users\Admin\AppData\Local\Temp\ksMY.exe
| MD5 | 62c3cb21a0d1354d90a4d34dfaa56459 |
| SHA1 | d3e00acb6c5f3887e8e91d330a98b5bdc48062b2 |
| SHA256 | fe954248298528037d4d29d4ea3e9193099ec897763782d6ca6b4018b86d79d8 |
| SHA512 | 7b3f953ae404f89e8d4906f2690be09824d8beec5d9825019d3960c4e50e9cde3dc0b7abcbd89a8516524704a824e671d0b6dc30c43fb27073ebaa3f5b43a944 |
C:\Users\Admin\AppData\Local\Temp\eIMk.exe
| MD5 | c0b0d6184578dd0f92e60d56b970f6f4 |
| SHA1 | f1d0d5f96331ea8a05ce7366ca904447ffd1e7ba |
| SHA256 | 9068797b2e8d04f145ca4c12e10cc1b2c87061566187999b10fe563fac0a46af |
| SHA512 | e3606523c595fb28045ef4d5f18e48f14a4783c627e7872a2c69b2e6500abc0782e0809854a8acdd84118f672857511382cd6f8a391ded2592275b9af39d2bc6 |
C:\Users\Admin\AppData\Local\Temp\gIoM.exe
| MD5 | 64bdcd92dfdd25b096ef3940497ce998 |
| SHA1 | 22a6e911edc45bd0760e4aeec3d93a2e7bc0df2c |
| SHA256 | 73a117d652a8f4d1d4cd3b00f478887bce88687da39aee4fd2e37c540566acc4 |
| SHA512 | 31d8e7554bde18aa87d4d45b0f16a298da948af26c055bc00cec786f7359750d0612844ff507cb8fca4ab35b12333ecdf3af076efcb25d03ec6fd035a3806984 |
C:\Users\Admin\AppData\Local\Temp\JekwowoA.bat
| MD5 | f0eb4fd46083dd5e8d499b9390c7cfcd |
| SHA1 | 47c146604dd033134077106e7c1d582e8593156d |
| SHA256 | d06f2734f508369a50f0838d20e94fe03402da049f930f84c15824f26c59e786 |
| SHA512 | 85f8ca87ee6d039795312aa7e1c9037e8fe6aacae07dddcb33f1b0fd279c0a9c7bb357c28130b100c2806e990657485f953f0486d8ccf51daa53223b997d6ec3 |
C:\Users\Admin\AppData\Local\Temp\wAMO.exe
| MD5 | 92d96265a537213e558d7c9db0f89f72 |
| SHA1 | dc7b3aa1569c62dbbef4fb58aec0f5c9771b06db |
| SHA256 | 75bd99de4e825098c61a59b917d20f03fd76f18c1933b09876fcec690589498e |
| SHA512 | cfcb76f8cdccc1ff55f8cb7af19ec9e4f0989206ac1047926ef370d793f2057c18ffe43d8ea7e203a2866dcdfbffb9cc20a8a2d83c0a1b517c97d41bbb5fbebe |
C:\Users\Admin\AppData\Local\Temp\uAQO.exe
| MD5 | ec59f2840087c9d0c1f1e04251c5823f |
| SHA1 | 4b57d5e9551d43cc0409ca567e7da30f4004eda0 |
| SHA256 | 833936493b810d424b0691509246bbd3519e9785271b8e1930122edaa76d412b |
| SHA512 | 0a442e03b78e2ac0f54af9c99fbee43fd2e08d6dd821e6441be98d2e5e0108512fe48346cf8da631956ab8502edb08aabf73b79d4a6b99d544ceb16bf4982225 |
C:\Users\Admin\AppData\Local\Temp\tEskMskU.bat
| MD5 | 33813a9569daf0bd370a0f892cb91213 |
| SHA1 | fe622f73318a6f5598d846b74bff62ec394286e8 |
| SHA256 | b42271b99328d9f140756d590d26c9c0dcd3a353a2008746e2c8fc6cb8dc4097 |
| SHA512 | 3b06d7ad194c0a11630a49394c502e1b806f0311b7dc8bba6784d2d7a8835b0fe1ba58853d96ea616c92b38bbf4062543db8fcc9c7bc18c478e5fa357b3a993d |
C:\Users\Admin\AppData\Local\Temp\buoAYQQI.bat
| MD5 | bf2848270bf34ee2940af208c7ab6a6a |
| SHA1 | 6c8b271c8b4ccf965dc9392105d46f45cd665980 |
| SHA256 | 0ed8afcaf8904527a07f57e239207543c69927626c1f01ea30c2f026836612be |
| SHA512 | 81c38e7e0a58383e568264d99718135c9f41d59897eb88c1aaba9da34be171833b32eb8344f92ee89eb4c371a5e9cf9a9f9dd1dab0e7c1872d21f0a0ae57b9b6 |
C:\Users\Admin\AppData\Local\Temp\QOsgsYck.bat
| MD5 | 2cecec72fc70e42382d1ac44bee6c690 |
| SHA1 | cd83f29b6855674aaa8b3de619c1b4744e82efd6 |
| SHA256 | 7eb1746470975007611202b1b637cf7470378468277cc97f4d5940a3d1a7c9b8 |
| SHA512 | 27da9705b2c489912638e71da26863883ae6eeab96208478d9882d6660d8060dec91b2968191149dfdfbd95056beaf6c76c42d3ebada32593407893470d28e5d |
C:\Users\Admin\AppData\Local\Temp\KQQe.exe
| MD5 | 2d8c578c58632493118197da5770e37c |
| SHA1 | bd12308999796313742c9f127948d8304c7d2a28 |
| SHA256 | 009b6ec58ace68314280cb8913b181b21898a5b2a37f95f2c35011791e133b66 |
| SHA512 | 1e05e185eaf0faec1e1fccfa7e8611609585621706c42ea6db32675bfd08c27f34099f42d5704f6e59bb111ca106c72c23d29dafda9300d489e6d8207f04aaf5 |
C:\Users\Admin\AppData\Local\Temp\CgUK.exe
| MD5 | cec8f7792e94350d78b309cbdb728060 |
| SHA1 | 8dee8fae43a429490e7c564e8e0b5c16c7036d56 |
| SHA256 | 2c12b1ff4d57690b59d0733b1a09e932165b0bb2c8503faeadba47bf0402bee7 |
| SHA512 | a518beb0a4a8f1b4af6d225a637719891b0b7ec1b34bb9565b0d4f103c56c7dfc402d54682ccf8defa1ace1c90c03521992c421c21f0c4964ff96c2c4048c357 |
C:\Users\Admin\AppData\Local\Temp\ccgMcEUg.bat
| MD5 | 39b4a9b0bd03aa524699628a879aad8f |
| SHA1 | 1d1e16c1d3ce415d10e4d0f906dc3f4b95762600 |
| SHA256 | de0d206e8cdc53b96e81419b0a2bbad466f64516d5d3848ab23310bd59355c80 |
| SHA512 | 87688e2974dc905f8d3e048b19e5ad275f30ac7e5d92838b387bd1b11ab23312b4e3f8d74243a55459ce737159e18b9dda29c7bd5dad5fae48b463961cbb214d |
C:\Users\Admin\AppData\Local\Temp\IIwq.exe
| MD5 | 7f2d4463c55d95bfd7ba9b0b2ced3a51 |
| SHA1 | 9ecb5671dc6cf18bef497683f328a66c9eca25e6 |
| SHA256 | df66b8d018c8517b3e881c1f3a3eb87352995c09c460c4f82746d5c771e5b5ff |
| SHA512 | 1eb6bfe6d86427897e512c315d07eb0cb02449bf23b0f4dff1c24edc75941c0fa1384ce6e9b783c52864d4cc94db8d9a1cd58ce22beb81d22c41008bb4fa51e0 |
C:\Users\Admin\AppData\Local\Temp\iYMY.exe
| MD5 | 9ace99deda6a0fed41765cbaaa03a2f5 |
| SHA1 | 90b3e0236997215a908b4dd899dcb0a9af9747ff |
| SHA256 | d9d73882c3358d47592042ce4463271739a771db90d51000d05348ca456d14d4 |
| SHA512 | 76514194f234074b1d9b0344634894221e19e19e1fb7c3ac28dfff73ac48fa78eda0159d60f27616e14a2ac28aff4fa59bbf40ac1db3707d018d46953d7f60b9 |
C:\Users\Admin\AppData\Local\Temp\yAQW.exe
| MD5 | 1461951670f63148e134fa3fa50effb6 |
| SHA1 | bc8d7313d32e523f1eea2f036ecee25b56d56121 |
| SHA256 | 10d74665bc774279fc300b2a27aa908e356f5570a79768d29266ad5598289760 |
| SHA512 | e12da70c7366ab6092e490f86b9eb70080d6f73976265e5d245476e1b8549bdd2750a7ea90919ce225fa8b5f73bb7e03951917b709830391c1f54040c36976cd |
C:\Users\Admin\AppData\Local\Temp\IcYu.exe
| MD5 | af3ced27b71e2789465a71aacaade541 |
| SHA1 | 22bb9f954dc4a0b72a6f4f95bccf9997af996259 |
| SHA256 | 6cbdb4e6c1e70404a17c9e9285ef78314ab76d29988d8940d03f216266a2a193 |
| SHA512 | 680e6b2f492f3665d62730cc718fc1b8134daf479c32c0a521de00b6ce0dc815c4bbe8bc8c0b36c2b85996eadfa04dd1df31ef643650cfca181fd46de5b06a7f |
C:\Users\Admin\AppData\Local\Temp\sMcAYAYQ.bat
| MD5 | 9e4bc2bf0da97e4429953504d98f13e5 |
| SHA1 | 71d00526baf03b3b4457dcb0c904a6418b9e358d |
| SHA256 | 95d58a47aaa61b5cd0af10669244ed96f79e23dc12cfeaf7c17b6f8b38a0bef0 |
| SHA512 | d6e9d63dcd4d2e0860b97ffcd9d342764a30b84656c580a9726871e62fca83e688c07f33b678ec0631d20fcde16111cd49862bfec5e01e63a4db477b7a99c54b |
C:\Users\Admin\AppData\Local\Temp\koIi.exe
| MD5 | c9bbd5eeb1a9df99bc92d2f077f4d8ef |
| SHA1 | fbc4c9ba7c72c6243ec22f3630285e85d6158d5a |
| SHA256 | 576600a6399312467c28dcbf9bbd11c942d3860a6bfc9b9e40b9595d6329c773 |
| SHA512 | 8a61b75a897a3a975f3dc77e0072576fe89de992afd7195b7d2b1708d8f7909cfb9fa1e8e0a52f941b8a30c7e91940d86516b95ebedfdaf6239b134b590d3e88 |
C:\Users\Admin\AppData\Local\Temp\GosO.exe
| MD5 | aba862c16079e939ccc50ba6d4d57300 |
| SHA1 | c154fb56223d0b3aeac539ea2985b128a32a9169 |
| SHA256 | b24ecc5291080088782970ab3849903745dbaf897cef7e16425da9e14c6f4efa |
| SHA512 | f3bf8fc3ad6cf5c8fe824f1310b4d22759a4bc02096769ede6c5937d5bca52dba01fb99a61dacd399208a49a9e75519f39b6ad1209403ba3866ae0a800b1e9ec |
C:\Users\Admin\AppData\Local\Temp\Iwgu.exe
| MD5 | 79739a71b8e329cb48ce2d46f46b003a |
| SHA1 | c432cac35d0213201f95035976ab74bc952083c4 |
| SHA256 | 5864436a19099df08de6c89740ec842e6d4cd7442dc9f8510eff29258bde72ed |
| SHA512 | a934996008273a5c798c755c2357549234d09107b75a8ecf5f955ec53ec087a5895f2f1717c7b94228b84f4c9c9ead6228aecf18edad9f56c715b5eff4618ea2 |
C:\Users\Admin\AppData\Local\Temp\wAMK.exe
| MD5 | d6b3d027e4a5042d87fd2d56370c45f5 |
| SHA1 | df3f10b77857c17ec827e4cc07b8062bf5ebd2b5 |
| SHA256 | 077c73089450f1964c3e777313f544e52365c469b31bf53df1c7661388169bdd |
| SHA512 | 99ee5a94b541c9fd24abb6b5f5489703c501595793cd1e2af3aa1ce5ead3145e2e6195a29dab2a77e4ad855517342dfa40e11f2d693b2c24bc654d9faf226e61 |
C:\Users\Admin\AppData\Local\Temp\OWIcAYcg.bat
| MD5 | 4a4df4e3aa6c46a3f131127da94cc92b |
| SHA1 | c573e191cc950c8db08f77d503b162cf181eec99 |
| SHA256 | e6999c05fc6cd3821ae2d66a0fbda8574ca4276171a316220032101d7323b928 |
| SHA512 | f7cb744e01d9977b7210187269730aaf8a4ce4567d62f6d34c20698a884ef35bec58685eb0b2792159500432756404bfdf9e16aa5a1000676ca7d4f66af95c0e |
C:\Users\Admin\AppData\Local\Temp\HowIYksY.bat
| MD5 | 75f21d036808f205511d250275dbc197 |
| SHA1 | d6b1fbfbf4ed1911dcaff01dbdcb57fa34c9c60f |
| SHA256 | e5c44f22683ba4002c6f3f3e6183ecf4d9472efc4331e15d7e2bd3e686c3fdfe |
| SHA512 | d94f636178ab6dd384c3cfd77c6997681c68447bf3c67b77a84b55895a208c2cf402a480a2fead538d8662b77fa1c388b80a7a54fb5f57dc898ebde11a2a2567 |
C:\Users\Admin\AppData\Local\Temp\QQIm.exe
| MD5 | 09dd929b12305c8d770ebbfe811db856 |
| SHA1 | 3bd81fd427c164d995f431a48e630fc42691d860 |
| SHA256 | a27467dc2267b63b1a2826e435e432d8d20afb4e18cca2f3ec737232d6a62988 |
| SHA512 | b963a6315ea13a0e08dc4b583e91f3692ab88d1994e4ba0baf9c7a01b972be4de8feb60b7d759767ce9d897c1a3f4f91240f9fcc88ffbc8ac7f43c4b15ed7306 |
C:\Users\Admin\AppData\Local\Temp\bKogcwco.bat
| MD5 | f4efa129d357be6ac099a5249ed20c32 |
| SHA1 | 5b2fc08b8ce54bfa760d637d253cf11f7aa569fd |
| SHA256 | e4d2d50bf323bacc3c5bcfd94cf3af1aa1db4598a368d7f15ec2afd66b697b23 |
| SHA512 | 36e5380a2cb169ae1e0e4496cede4e01a3a7a4472c582552b11998ed958454a75d1408721e6f4bc027b347cb7a248ef0346140c6d3d147b9064a8c6d35316fb6 |
C:\Users\Admin\AppData\Local\Temp\DkUQYUQQ.bat
| MD5 | 7e4cc9916dfdfd61df7e2f78c8332eb4 |
| SHA1 | 186986780519671821e5f0c361ab3a6e7fecc1d6 |
| SHA256 | 819f8b8aff6fdd3bb6485bca0996fafa84005018702d77cd1c02bacff1c45e2d |
| SHA512 | 9aef6ff79407dd98c2ca1666c517cd5ab3be8ebd8609377fb3f48429f68ebf7bbfb43976e3f1ebda75c642219101ff6ecd5f0429acfc2cf4485fe2c6efa78961 |
C:\Users\Admin\AppData\Local\Temp\DyQMAAks.bat
| MD5 | 78650e88bbab1a6073d0f8de11dad79c |
| SHA1 | 462d1a43477837071c3ff7e3e3c18f127a9089ad |
| SHA256 | 7843aa13ffc7f70993af2ce7851dd794c73275af9b984da41e7970128d29f501 |
| SHA512 | 259f2b6cf8220314d0d5d00d9fe23fc78aa763aa56f679bfea1861888b5d02dc120ca221c43e708cb276c3fedbdac86a510b18309c178fbcadabcd66babf85f5 |
C:\Users\Admin\AppData\Local\Temp\qwYQEgcM.bat
| MD5 | 840474a51c1f1a8ed90006eb6ea8a41c |
| SHA1 | 45f4f83fc54bd79125f2d9b8aaed54d575d92fbe |
| SHA256 | f226f102e9a933d907dc7ce8d5066ebca3bc206ba6eadff8b67a70d6af296639 |
| SHA512 | 5a5c6dc39bed81b6dc523455431a238ce5c424e8f3fe0b24568c7b9f242d5ecae65b4e01d6e53bb60151f985f305141e7371ed6a2dc4de90fbb1e754f6a909b7 |
C:\Users\Admin\AppData\Local\Temp\WsAYsMMs.bat
| MD5 | d617f8206a37d6da8d22898f0e8c7cc5 |
| SHA1 | 6f32875c9c249cffa0c97406448cfe74fcf7a916 |
| SHA256 | d0ef9fcbbefec80d0d20bc273d9e11a43960245722faee3183e8cfc69a8b3073 |
| SHA512 | ff05cd41282bc9f678d18bf4420b587ff429d0cae2395401cbf49fea5eee91d59aa85b7a3cb59c6ee8516922af5d5491a175b90921d679561edea8199d505f08 |
C:\Users\Admin\AppData\Local\Temp\yOsAQcwk.bat
| MD5 | f9c0d6d0042a2899fc8860329852537c |
| SHA1 | 374d80f145973ed75291d64a39c5e93a346dda47 |
| SHA256 | 28159e2a966b61db386aaef25f4aef25862a0a9ad11aedfb59f4833c72a5aad8 |
| SHA512 | d3d513ef1b87605eb23d1f0bf3d65ff62d95cacfae071adb9ebfe48b0ceefbd00dad53640c118b5c1acacfaf29f601f4b50ca087aaa8d1271ccba5c436a871c0 |
C:\Users\Admin\AppData\Local\Temp\deAgQsoA.bat
| MD5 | 34737e122db94e6cb377e7346febde8e |
| SHA1 | 678982be7c165c0c9ab99193b108bae42849377e |
| SHA256 | ec3c9c3e5e9e4e37f19863beed43611e4d6d7195951e0c6233163ac3269c2f4b |
| SHA512 | 608dc8ee8a78302809d6676bfb3ef27cffccfdc51f0e84da7ba74e48de7e3e44b2cbaf160f62b412419207df829c93970805f3aede3e3ab05e1631c8f6d37763 |
C:\Users\Admin\AppData\Local\Temp\HyMoIIss.bat
| MD5 | ce643a0c04b4401fa6c811d0e70e8585 |
| SHA1 | 71545c50164bec0268cadf0f4524ed7dcb4fdbb7 |
| SHA256 | cd7dca22d415e46315b3f7fa7f6041af9689bfe73bb36650cc1b112941e06962 |
| SHA512 | 15e2a204fad999c875f38b1160ba795e42fc970838516b3b0df94950ee1fae402c675efebc0cfb043a9323f26b73ec71cca54f9fd054e83248dd5c6cc08e2d10 |
C:\Users\Admin\AppData\Local\Temp\bQAEIIQw.bat
| MD5 | aefe55c33abc49b81af55965b4fc2075 |
| SHA1 | 966253b4573b838d1b3b06c815b0773a1185d4fa |
| SHA256 | f256b0256ded991ef7a6b5f37a077d2d0c38316b178716dbb6a5e04b7300c496 |
| SHA512 | e742ef60a15870886c037e12a7f0d1fb8b2b4b2a5a06507a38d27489c0a7cc91ebdd1563bf38d63b985c473589158ca83a7ea3ee1c5c89022bf1707679bbce54 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:37
Reported
2024-10-26 04:39
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (85) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\bOwkwQMM\nAkIQcww.exe | N/A |
| N/A | N/A | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" | C:\Users\Admin\bOwkwQMM\nAkIQcww.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\HsUMsAcI\DqUwYEEs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"
C:\Users\Admin\bOwkwQMM\nAkIQcww.exe
"C:\Users\Admin\bOwkwQMM\nAkIQcww.exe"
C:\ProgramData\HsUMsAcI\DqUwYEEs.exe
"C:\ProgramData\HsUMsAcI\DqUwYEEs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIcwscow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQMgwcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOYEcUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgUUsEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYYoUkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWAcIUgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMkogwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKgYkAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEUEssEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWcIYEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EswQwUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkIAsUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKgIkwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwAkssoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeAEwIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heswcAkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMoQwwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeoggAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqEkcsQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEIcIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEoYYwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoIQIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkQsgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCAYsIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BicgkQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEgQEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOgEkogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqEgYIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqoUwoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEgAwAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQksgUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcoIkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowAAEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcckcYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiQYYYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSUwoUIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsoAcowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TywQYosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAwEcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOkggIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCQokcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiwgcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGoAkIcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CigsAEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmUMcIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsYQcMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmEQEUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DakAcosU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KawkoAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocYQAocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COAoMkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAEoUwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKQoskIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZasMkEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUgowgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkYAYMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUkcwQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqUccsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YecQkcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGowsoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgcIwIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEksIcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEMswcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuksskEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KicQYIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWEUckQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmgkYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAUEoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiksQUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYEgAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCssEIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSgIQEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWcQQokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUgQQAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqcUYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWIAksUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jesAEgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEowscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uicUoscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIEkEcQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwIYkgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsIYQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkMkUcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwwEUkoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAIkAQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccsUkMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMIYAggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMEgcEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggIgQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmgIoMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwEkcssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwAUkgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQkAcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEgcokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWwwEEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vecMccYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYYgIUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSYMUYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGEkgIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv s5dVT54MBE28Xubmr/8+jw.0.2
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.16.238:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/4600-0-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\bOwkwQMM\nAkIQcww.exe
| MD5 | c8fb1c54a29daf7639172986b3889494 |
| SHA1 | fb80d3d8446e96b516363a4fc0b20c83940dc4ac |
| SHA256 | ebb09c0278b44f06f8f9d9f07e1e9b951a28d82e9ff7d77da049e07ec905238f |
| SHA512 | 4745d7d59dd2a5362cb552fcfd70c4b2e1c9772459ad9c698b592f4b3002034db0a15f4991cc87139b066fc2cbb0a6450ca1a92cf7ac717c9b97806c263b9208 |
C:\ProgramData\HsUMsAcI\DqUwYEEs.exe
| MD5 | 538a3fea112a382665b46fda6b974c6c |
| SHA1 | 02465bd036a60ac8d9ebe26dd003e50b69aeba8d |
| SHA256 | 421bfb5c5b217be48175d05616c9542a705166b83a6b59cfd25422a18adf6e55 |
| SHA512 | 8303d2b56aa94b5d473b227b3664ad1dd3144d9635d5a33899204cfa6611e416e6fa2bdc3b0ad63fc87b6b024b22a5a2775baaba774615a5779553b4ba0d73ad |
memory/4692-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2584-12-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4600-19-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hIcwscow.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
| MD5 | 8995c7a53e0a148026fbd0da69be9f59 |
| SHA1 | 05a9908e9e3e640a426214276de1cbca6f72307c |
| SHA256 | d2b2becd2a849a6a716fcab0aaddb41ffaec79dfc4769b61e4355d65897193e3 |
| SHA512 | 45480d070b7014519719cc8de7bf7e1317690732cf80b272df4611b74da1667baf6a886253635ab8735c7bf537cf937902240847387283aa81c4cb7c7b9bf969 |
memory/2408-30-0x0000000000400000-0x0000000000420000-memory.dmp
memory/336-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3696-52-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2004-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1916-74-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1472-85-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1656-96-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4012-107-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4220-118-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1476-129-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4140-140-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3740-151-0x0000000000400000-0x0000000000420000-memory.dmp
memory/940-162-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1636-173-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2376-184-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4992-195-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5072-206-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3920-217-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2264-228-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2876-239-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3084-247-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2140-255-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1268-256-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1268-264-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4992-272-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1604-277-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4704-281-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1604-289-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1696-297-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3476-305-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4388-313-0x0000000000400000-0x0000000000420000-memory.dmp
memory/324-321-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2324-329-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3740-337-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4312-345-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3012-353-0x0000000000400000-0x0000000000420000-memory.dmp
memory/868-361-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4444-369-0x0000000000400000-0x0000000000420000-memory.dmp
memory/900-377-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2376-378-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2376-386-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4404-394-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1384-395-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1384-403-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2072-411-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4776-419-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4924-427-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4596-435-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-436-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3624-444-0x0000000000400000-0x0000000000420000-memory.dmp
memory/32-445-0x0000000000400000-0x0000000000420000-memory.dmp
memory/32-453-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5064-461-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1708-469-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3680-470-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3680-478-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4484-486-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3668-494-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1092-502-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4544-510-0x0000000000400000-0x0000000000420000-memory.dmp
memory/528-518-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3408-523-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ecgS.exe
| MD5 | 8cc4abf5d4d5067e4ad9403ecdb6d289 |
| SHA1 | c487d1b990fccf727f7f2230e49f3169184de3e4 |
| SHA256 | 022d85088694a445dfb85b344e7c6debdb4b0c3759535758fbc973a583d962c2 |
| SHA512 | 68f8fb86554aba627c47f5131653d7b9db4f1c1d61c8c0a64181e6c4da8eb01979bed8b5ed7d104c9be89020e8dffcf4cae8d4e8e3fab5bbaf0e33b115c4f772 |
memory/456-542-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3408-550-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cYoc.exe
| MD5 | 0cacf7f1003c6753d64be0d2409e799c |
| SHA1 | d8a3fbb6cb762e541a858a68c0e876ce1e61ee58 |
| SHA256 | 5322f7459a288f30c9237739007469abbd679f1d165a6b07389f2df973b08a5e |
| SHA512 | 4b5e90819f1776565c995c7a1d5d3f5136b97682eeba509419620319f9ddde3101fd4adc576bd76082c735c5504c1b530d19f27925325adf525575dca5d10e0b |
C:\Users\Admin\AppData\Local\Temp\qkEe.exe
| MD5 | 12e3882213af4ca687a0153f6559d4ce |
| SHA1 | f0481a70be44c31ef325cf4d27988aa8e599edf5 |
| SHA256 | 7de45eab3a5233c423bc7aaed4314dd838d2c06e1b6eada058f4ecd4197705f2 |
| SHA512 | f9fbdb8142c920e71b04edf54fe153a201751bf337d2436f21b435442831e8ae9e9e9d8cb7f8a1aceaa308f51a170c737c14109180b70ead70c2bed02fe7ce0c |
C:\Users\Admin\AppData\Local\Temp\iooK.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\WUEA.exe
| MD5 | 846742d527cb5cd5eaec3fd1e9430f78 |
| SHA1 | 8c71a4c33ac4c80fe184b75366fc5ae26addab0a |
| SHA256 | 463e432867f78ad1f168114838b5071931a0fc256f1e1834f5ea85300690a381 |
| SHA512 | e72afa84250d81903856d732c7d892bdcde9b84498e155ba30398180d14e67f188939995ed3f98d6b2aa701d3164dbc799edca87b775016ea2b282744182f28f |
C:\Users\Admin\AppData\Local\Temp\mMME.exe
| MD5 | cddf28903952d7406180d32d40cf4f3d |
| SHA1 | 1a91a402dfdb5dbe54f9c3a3cb1eb61538dad44f |
| SHA256 | 2e51413294a1a58bc2eb801d743513ba2b6660368b40c99fe79fab9916b774a2 |
| SHA512 | 19ada075095b754e089ae8ef1347539466cb0e6c1fe09cf5a459c7070ce2d1b1694484fffa406dd0d4cc0fe3af6522342c39315a3b536b76a0f17758650e2d4e |
C:\Users\Admin\AppData\Local\Temp\MwsM.exe
| MD5 | da733ebeb5faefb92c549464e9897bfc |
| SHA1 | e6f27cddfb3d4b07128b69af3904da01379cf0ef |
| SHA256 | 71441ff724e90067bb13822a9248c7869e172c44227a2be939bb0d84c468a8db |
| SHA512 | 6a407d53e72c32c98cff1f5301cf99d6568e23d5d8cb4c1d2a142c59ca2063c279c50d27a1903d6d2dc9804630d4c3e01699903419158c13e13d5dd9094ebf15 |
memory/1268-627-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IMos.exe
| MD5 | a966fc062b63b0c04addedc531781358 |
| SHA1 | 1f54a273feec5cfab5d2a400f12cd0bede815f53 |
| SHA256 | c8ccce2d9deb42528a0f25ce18ee04f01227ec51f595d67b3f15fd65a62dedf4 |
| SHA512 | 148ade19661a7a29b36203ffa12bf1c02d188f6d96e2a281b22ceb8b39f22769ce5512ef60b056085bed98de72ba77298e068be9e643c5c17dcfd96d7b420224 |
C:\Users\Admin\AppData\Local\Temp\KkwG.exe
| MD5 | 11a4b9de3e4116b2b10992a3981a6ee6 |
| SHA1 | 5f63eb7de1150c0c49b3af91ce3746b66b4ea91a |
| SHA256 | 978f0da906afcab1bc0c76dc25e0c604b32e0500f7aacf70d5216f8ed0f284e9 |
| SHA512 | 5a6e92485cae96f6ffff48849a33265459d08d727f2cc2d42aa5bd00c0ed70fea557c0ac14b1b594eee4a244cee6041ed636540f315b49aa03a680338fafdee8 |
C:\Users\Admin\AppData\Local\Temp\yksQ.exe
| MD5 | a631522f4a6f650c171cd39c19933614 |
| SHA1 | c52efcda06e6f7b6b47ba792a1161aed21697a42 |
| SHA256 | fcd3a79b6768f300b744930462f62528a774dccda81564ed42cb698674505bd6 |
| SHA512 | eaa3cb0de7162e63cebaff1338438181dae300433f09738438f2e34a9ff11eed91353d966164f4689ebb4ecf6e5887ee8c000d66e731a7c99b08ea49f028463d |
C:\Users\Admin\AppData\Local\Temp\YUsU.exe
| MD5 | 73c71d40186d46d570de6e4d90539472 |
| SHA1 | 37f25554fa85564bb6fa3c27c8b25da435f0dd04 |
| SHA256 | cd1d1428473f7d6315624ec9a7acf8f1e96096b808056f56a1bd959f47485eca |
| SHA512 | df1a717f28bf2ba6d087ae1fb33b76c604f69c4c02535bc989d5053ae9ef0c941a1890cfdd4f3f86d9fe4ffe7c13b038810d2bfee7a7669de084d07b3e1a2a59 |
memory/3112-690-0x0000000000400000-0x0000000000420000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe
| MD5 | 166d89d4c38627d6a7197838ae4076af |
| SHA1 | 19ce9d458e2ca7ede465a8fa5a49c010f479a11a |
| SHA256 | 823f6ccacb9d234ec2a1425a7429f91a515d56b3d8820dfbf1570714de09a2f0 |
| SHA512 | c3b7832eada296fa876840e83dc81d86a91e8b42602044f38479837a584eb84aff4d411ac5a659328f8bc735ff345532eff86a2751681698d352ede4342c05e3 |
C:\Users\Admin\AppData\Local\Temp\MAsY.exe
| MD5 | 15268ffda9abf001357d79eca2c755d5 |
| SHA1 | aef2291a60c19cd36a6b8c158d4b325ee781bec3 |
| SHA256 | 32d56346c719a240ff4441909faa3f594f7f41b60e5c55004234c0fe8309c8a6 |
| SHA512 | da97e7df22f5e30df9389e196a57a766cea6aa1345fec4759659e4dc747f090cdd09819b17890abd8335a56e16f334fac50fae04d928cd4973ec8f7627118e75 |
C:\Users\Admin\AppData\Local\Temp\sMcQ.exe
| MD5 | 006527ca3fd217d2f698e12f288d7a4a |
| SHA1 | 3f30be09e36d3d9e29ffc0fa40b023e07249fb74 |
| SHA256 | 69842b08c479b57a1caf3f8667c16cecb9dc72fd80caedaf42d5b72362943ea9 |
| SHA512 | 425e744bde833a1a099cf7037506297fab0e83a945ce033b1dee4fdd84a044336e1c3db124020ce93da1cbb0d742b5a5d010c87718851e7c0c2012162584ad92 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | 56136f168665ddbf10046b2ff9847afc |
| SHA1 | 4849070ab505fc1d823cc38ba7511ea392214ae3 |
| SHA256 | 73e392d13ded5a76ba640bd4e846f56592d456f396207cfe76b4181734232679 |
| SHA512 | cce49ea37f1f4fcdaa61dc33203c6b83a529edd656c9896cee8e5ada584a86113ad284c9168a615d38edbbb8563b63649a26ffc663c6147c8d51aa5c7b3cc55f |
C:\Users\Admin\AppData\Local\Temp\GEUg.exe
| MD5 | f4793181c453c782adff029877412253 |
| SHA1 | 75a963a2013214d8e8bf090abca507536e151971 |
| SHA256 | 9c218c2c7dd6b7b39467bd976adb34b61ba4222b4ddf6bf9697a6afd56ac44c6 |
| SHA512 | 5ffd29eba265cabe1e305258e4e60339eb28fa4c0225ccd346d87ed5b0f898ac24762519890f7a8a3d6d622ffa897770ba6ac8abd1a7548cb769863352372819 |
memory/4544-768-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wUwm.exe
| MD5 | fb8e084785761641dbcfbc2220579756 |
| SHA1 | 713e5a8be2375a527e78e15162fb7e59dbae7d62 |
| SHA256 | 6dd6fb44d3f94004744455e335956e0f02db4ff3c3c926c6dd7873c1063f87c9 |
| SHA512 | 96aae7b44884781d89edb5ec56df9fdf25bf741da80a98fb7e5d7cbbe65e4a1cc94ea3312d6a8d9f359ed2facac4cc2b6a48b2f9399f53124def7d6d35a32720 |
C:\Users\Admin\AppData\Local\Temp\icge.exe
| MD5 | 657fb31436585b014c128c5381b37d19 |
| SHA1 | e12f849085cf51b8b9a529be94bcd8b616bbeeef |
| SHA256 | 678db908022a0532f1db0bdb0304070c6afc1681d1d98467f38449de1ae7adde |
| SHA512 | 07c5fa03589e8f820a092efe001a23d17d1c11b24931cb2384da91a5f825fc703d3226ea46d8cf0425349ccc35b964e6a6ecba6da0a00262c4e321f86edd9810 |
C:\Users\Admin\AppData\Local\Temp\AoUM.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\CYMs.exe
| MD5 | f6d6226298b98880325d56db99b142b1 |
| SHA1 | c7380f66dfc29c97ce4191303eb6c4cf9a4a6ab7 |
| SHA256 | 2d161f526fcb94b3fd9fe82ad0a0092e291f667fd272aa8002c5effafc6409a6 |
| SHA512 | 4119adcce9c4f5c651f2ff65534ea521b707b19fcad68971e000923b67faef1212be8270d41d16a9beddbe12457b91bc26acd370aab2180132e4b74e3c65df61 |
C:\Users\Admin\AppData\Local\Temp\gksQ.exe
| MD5 | 151aac3e930a79d4f9dd16dce5646c31 |
| SHA1 | 63bc26ea66ae8db4b4cd68e5699517ec7c65d2ee |
| SHA256 | 78fb78be2275e3e00f715b491aac48d08666cc9602a8bd92a49826786f959e9b |
| SHA512 | f3faca9d7050e7d1b6ec7db4ca51ac145504375f45a95c81e84a294c60f9cbd94a15e7f377649baa2a4f878c92b6f45c8597975862de886c82c111f2b1dd011d |
memory/1268-846-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUUM.exe
| MD5 | ae7d9ce65b260ab9bf57d1237d628c06 |
| SHA1 | 7c1f9456010796e6c157786204f37659a1da8672 |
| SHA256 | 2a27b22f632e8ce25b61d06a0248511b344aec453bfbb0e05d14046289a2c308 |
| SHA512 | e688bdc1d946ba3a0242d301317b9749cbe29118f09f2b493d6e5e5fb3cc8b9c821acf5b92b30a8ccf22e18bf438c0d32333daaf2a31936518c017a8fede7127 |
C:\Users\Admin\AppData\Local\Temp\mEUg.exe
| MD5 | a62589648e0fa613f841045037459c69 |
| SHA1 | 42d6ccb4d8b5334a077f7fc22fa7751f6baf82d8 |
| SHA256 | 5f71f150f521cd7fd950fd80722e15f6d7e7fcea22673bf55b55ac947d8b5fa8 |
| SHA512 | 3697a70a64aa703a5521e6f321afa26f5cebf5d3e49cf207fadd6c7f7b5e10aaf433438c821406d17119d7409d96ab6ebad3a9261b4e232e661338894919ddb8 |
C:\Users\Admin\AppData\Local\Temp\mAsG.exe
| MD5 | ae0e5567904b1e43e20931024fe29198 |
| SHA1 | 7699f2fcb3275ef804b07ab1e29a8871b49df6fc |
| SHA256 | fb3e5d4cdd2d87fceeb598c5d2b9cd9c3fdd866f818206155d69b1280afc8ee1 |
| SHA512 | 4aeaaf3d5b6966ccde4404b69f0a22557f94762a4469829ca41e4d40640fa0c0d53104c5ea1ae9a5fd93dbd08f475ee595385136f2226e32e54661501e8aa646 |
C:\Users\Admin\AppData\Local\Temp\kIcu.exe
| MD5 | 41f86c8bee17b406a3dfcb8c7494ee0c |
| SHA1 | 00ee688790c87bdc6629b3cf8e3c3f931005f4c2 |
| SHA256 | 05c2ac7cd2fa051e2335a0804e51d0892bd50e851bc4aecb11e8d3f34e22b5bf |
| SHA512 | d93396227424c3d4954dd0f1405ae3ab1032e53acaaac3654fa8debd592e14029fb1e57eb1698efc26ff4705a80d89eaf079f74e1e956e60ec482f1fd51801e6 |
C:\Users\Admin\AppData\Local\Temp\mcwu.exe
| MD5 | 279d85d6e3923f06b179086df7130c31 |
| SHA1 | 9f6b7a18623d6bd5a21d53aea3e193e38f17c8e6 |
| SHA256 | 7b7207a38bc1d5f37447f24ce6f834ac421976d05cd0061b737bb49ff548d73e |
| SHA512 | 89ab98b3e32aa398b9c27b5124f1e5731675204310b1fcdb6c21ab9f0329959f91608349a0b6468c294ccdc8c77530216159da62aa70c5ee632c317947a31a67 |
memory/2184-914-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CwMc.exe
| MD5 | 9d31f465c12f936bb5fb3cada84c7a9d |
| SHA1 | b48a78200bd0f957c9eae11d68de4ecd7a83cd5c |
| SHA256 | e465e67cadbce59a428716197af2a044cbab1f4669b3b9ba5e8a620e3f089895 |
| SHA512 | a49beaeb7b0f7747b88fa0b11360fe3340c473a732e4d48b45692f483723ee88bab4ed7a647cfa40851be15f17ded391942a8c04a53c2a8d1a78c4b88c40aa69 |
C:\Users\Admin\AppData\Local\Temp\swQu.exe
| MD5 | a0fe2c5f7c4465e757d82c7f1f2a7e19 |
| SHA1 | c1709048aa2047e12e4ba74b388575f3c925dbcf |
| SHA256 | b900e8e0069c213c7066be4f22a78e6d278145248b6c9de6b1ffdd2f9b5ae319 |
| SHA512 | a2d13c126e9d9f7cb6b441017adb008a42ee949be8c1acc44ca4cf95bfa0f9d615eb90984d1436d972da70f48fcb2384acccb6acc7657c323084995a0f023435 |
C:\Users\Admin\AppData\Local\Temp\wYwU.exe
| MD5 | 40b740479c0579eb8e8548033035602e |
| SHA1 | 58bacaebf8d530a4dd26ce133feadb3e81ab4feb |
| SHA256 | dde9113352dbd109c5a93ce7853f46d8988ec7e5bf2b24aec07e19c11e0d9770 |
| SHA512 | 7ca87194ccce99fc27b46bf4f1383b84804759da192a726301b105ea3f4e726a5517f275eb4b6198e9dfadfb5fcfb46b7ae04618db71dc041ab08824f65b6c52 |
C:\Users\Admin\AppData\Local\Temp\usAI.exe
| MD5 | 698230488f46c3ff7623f8d17f0208a3 |
| SHA1 | 8f78ec4405405a161b176e0794496e18196937c9 |
| SHA256 | 07542609fe2f22f9016b537a7af770590727b24e9cc23fa629387e16c2cf46b8 |
| SHA512 | 0869beffb9e42db0bc2dea2bf58ffab7d9f70f0086806e5815eecc7c80a79359657d8b7891d6bff17191dfedd5aa8fa7a55b18b18e083270200ebaca2cde0b97 |
C:\Users\Admin\AppData\Local\Temp\goAK.exe
| MD5 | 4a8efe14616d6f86c38cddefd2c2d204 |
| SHA1 | f21e4d79392f645a7eb34cae9e3dd67296f2420e |
| SHA256 | 1afbf21e5f7b4bd3e8e1a5093ac91248a174685ef2dace3be0bc22c4e1977413 |
| SHA512 | afea0827288e40be45dd8f0360b77e9ad5aabc02d69337ce6bbb4c8962b49f744dc93f1af17f97d659451f112ca92f8df572e76f0beb13600303dbbc6757369c |
memory/4752-970-0x0000000000400000-0x0000000000420000-memory.dmp
memory/692-988-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SoEc.exe
| MD5 | c9b260fea47e962089930598a3070fc8 |
| SHA1 | 1885bd3f50af26fb6c65cb1df7f7e01ac09909eb |
| SHA256 | cefa620e4253ed1d8925cf8618601ccf10b6ecedbd799f97ad7aa3e50b12f8ad |
| SHA512 | ed92ff61fba51dd5023fa01c06cfb956174ae9ef27ad454dc1d54c6e9708ce77ee40043726a1fbcf8d184f58a38b9c3660a31d4ec183d89127e99ee868f73fab |
C:\Users\Admin\AppData\Local\Temp\EgYW.exe
| MD5 | 15a4b8e4ea18286e5b909862c78288c5 |
| SHA1 | 5c7082336b3acc7ae28f2fe96d331e566668ad95 |
| SHA256 | 89f4402b675c4ef94e01805651749b6500728d7452b381ed13762ef628b84404 |
| SHA512 | 2c2e005ede4ec2db40694e1e64288f1bb1bd3dce0f88cd173c471a3fdcf05b9feb5235c0654cc92fa6269a3c8fd59cc7a50b7466ece17c2109fe1233cfb9c86e |
C:\Users\Admin\AppData\Local\Temp\CUsy.exe
| MD5 | 616375ca6ccd7a148279a9ff46bdb71c |
| SHA1 | 40916a47ca75035fe4fcfe3da2cbd2826a4dcf3e |
| SHA256 | 6965d1918cac39bcca0525a89b39c777649195a705e383019a8f0df0616d91f6 |
| SHA512 | 4022b9c622ab7c22a45dbfd2d063a9046b3ab9c28f92cf98dd0ee7b4846c5393cf3d815b92de8d3811f20e3f0f1d5ae4f71d8f8092c17f38a4778f06b2252197 |
C:\Users\Admin\AppData\Local\Temp\AcgI.exe
| MD5 | cd1be36d74e14ea0cd3cc314dd4d8996 |
| SHA1 | d75253c5776fca77d718228a1b35411b0e595dfd |
| SHA256 | c7b59bf5e0142e212486059b735659bd89987b95a59568b570f4e28b65743cf9 |
| SHA512 | d82903e2535cd6093befcf00141a0f283f1cec70ec132cb3b752677907d2b185b8289fd87e089ef782f046b4c86bc637856cbe73e7d0e9132c266855c0ba520f |
C:\Users\Admin\AppData\Local\Temp\uAQY.exe
| MD5 | 8c3d626ac81636f4ddb72272b13f248b |
| SHA1 | d4097f42ca1e5a74f91a9fbe549ec91492d76d7a |
| SHA256 | 242f4270ef1fabc79bf0fa2ccb5a7cddfc6fd2505b2e2c74e92c7946473ef6c5 |
| SHA512 | c33b28a9f6fefe2eba6a6701c393bd3f47808775df385380af8ff651077b55caba2a2aec95a92bed3ea57bcc7f24ac2ffb6ad7f9bfed044ae481c6ff5a81fe66 |
memory/4752-1066-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cwwY.exe
| MD5 | a7606f2bb985e44c632c90623f83a33c |
| SHA1 | 0220ebab7945ce3b4c7edda009da5917dfed3a28 |
| SHA256 | 5d58d253bf580bd384c132f1c3312c5e9a0e27c181c14f512b9676dc47917488 |
| SHA512 | 69571e7319ef9f428d0a2ebecdf0633199d6432f7bb8bf9fc442ea5e758b99b11e418655c9cc97ac64bc15213951ce8e1cd0206a9956cd3c40f09a8bafba28a2 |
C:\Users\Admin\AppData\Local\Temp\UMQc.exe
| MD5 | 3a101b7bc500ede3e31690f5a0e51521 |
| SHA1 | 5e0ee8121d12f704266b04de4ceb5c34247c35a3 |
| SHA256 | 1a80292d276c4cbb1abd9aeffc06c1252a09be511e69b36d84e7a0297bf4ed03 |
| SHA512 | 138c8363d12d43438fcb8945b498cec7195465c01fe7622231a10a605fce558803776ae69ac2eae4ef3824d956884d79c8c6684964afe885be2f72e14ac75c69 |
memory/4520-1099-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4992-1103-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\agEm.exe
| MD5 | 211e5055cbc886d28324312ecd90c20b |
| SHA1 | f5e1866c7cead2cad3d8d7d95bfc4f983683a9e5 |
| SHA256 | 24c46a2a22d41ee46b2e04eba097a19b02777624cacc4bbe6b06e01ba68c3835 |
| SHA512 | fb64c17020466ee862e5b268cea768c475766108ee9a48e9329e04be643ee7da1e88adf8daa4a511687c6d465efc55654697cee3b6490181a25a06ef8640f6e0 |
C:\Users\Admin\AppData\Local\Temp\gsEE.exe
| MD5 | c661cc93ead895465d72de78cfac8026 |
| SHA1 | 51769dfa10fdfb3cfdd77d022ce32505c533f230 |
| SHA256 | 8840793184b7852a95f5c848adeb28a56fbdee1e67d2e83081a4dd6f9dfa53ce |
| SHA512 | 5a42229ef7e9bcbab6dacc963867fbb97524d3144dc2a13ad340ee3df214347b0727e3dd4b9b12cd3bcf6ddb867e22fc6849d2d744ca8849f7803f03ba10a6eb |
C:\Users\Admin\AppData\Local\Temp\mQgU.exe
| MD5 | aa883021bc7b24ddf8e2d2585a39c402 |
| SHA1 | 21121782d030164f692711237200d7679db3f6ca |
| SHA256 | 18baa54d1022a8038f5b303441659386e42f42b624993731e473db608f368018 |
| SHA512 | 62522ba3b6b2a0496691328b5d73f280ffd01d903d71b1b188f7850f0209c63de5d6ecf654c5a29d3742444f8156c44c34cc27eca7fe30a0c9897af0c5819dab |
C:\Users\Admin\AppData\Local\Temp\eUwE.exe
| MD5 | 3156507f944d0c63eab4dcd25465845d |
| SHA1 | ea5720a692d94ea1ace1a8bec204704632881b50 |
| SHA256 | f06107dca8e83bef3e51d900396d4b3b9d57536724b5096b994cee7db3ad15bb |
| SHA512 | 2cc26f462905502f1b0c4141b504823a273474c06f16a8fb66de3734864b404aa42ec24e917efa73a1915c11ca361306b6d40acb28ac3efdabc65cb74665e9b6 |
memory/4520-1166-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mEQa.exe
| MD5 | 2beb3c33eb780d058f1a3729091f4c65 |
| SHA1 | 51f27d493bb583c52a037fb818b7fef0271f1197 |
| SHA256 | d5c9df831ca9086d8b30c202f27731252b98ad4d82637db6e7ff2b7213f9083c |
| SHA512 | 55705aa3311c7f88572d57b94c7e90edab95181e76b4df8a5cf354a91fe40326e5eadc3f8fbe9f14ceb6a9d144cf21d4cfdd417ce9e29e7e3c591698adaa8c10 |
C:\Users\Admin\AppData\Local\Temp\oEgg.exe
| MD5 | f9116fc2ab679f457ac6f32061df6e59 |
| SHA1 | 9ef25a20aa1ba0496a5bd35e844fddac5f395942 |
| SHA256 | 4408990e9ba4444779e0949872737360ace940ba4925b7b7466be003713f5890 |
| SHA512 | 9eb2877a18e779f11a8fcee86367a46f014bb3898440d6dca0905bd63f8866399eb7a1dad351a98aea546ac2b0ab70871aec2bafe9761150f97d164139037a33 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | 676c8e0501d1154fed6d7d2796f6a21f |
| SHA1 | 0f25dd288ec1e7eabd5ddf8c088f8a37147dd322 |
| SHA256 | 661ef34ca46321f247682a413299468397e4f15da2b087eb0a99b4a7d27676c9 |
| SHA512 | 01301b40ac2c0ede266469179ffe6722c1f41c0b12c108fa0ebf2a593a8c808a3ba73fe0583d89a11a4357fe722151ba157d4bb3fef7cdbe7519c1e6074f22dc |
C:\Users\Admin\AppData\Local\Temp\uwAw.exe
| MD5 | 424e156cc9b735432699a98a1d382ed2 |
| SHA1 | 609ecf0618b3f58b4760a757431f7bda3f0c5b58 |
| SHA256 | 5d1d93aed00cfacfa42d7257886dc76cd6627f3d8a708a9f4de209b981184b03 |
| SHA512 | e14461f3c83a6552d4ce4ad2ae1d12f918dbdd066640977a6aff96315ede23432e0f8cefa28ec708a550267207d5743c45406a302ac311cba39abfd3a872ea2e |
memory/2276-1229-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sscw.exe
| MD5 | 32fb3f6f499dc3148fad2a6d90ef5277 |
| SHA1 | 53dd3fd788c4c38d7b2190fa52111998ce2915e2 |
| SHA256 | e84261902003e778a4ce0f1b78cfdabe145ad59af9d9fdd4734df638db109769 |
| SHA512 | fba20ae468da007b9aa582acd38f609b0e0cb630cb78ce0e4ac002cfe88984d43429523063fe33753a23824ab1fbed1f0857cbc2ca90c4bb7621721cff56ba8e |
C:\Users\Admin\AppData\Local\Temp\sscw.exe
| MD5 | b7ff02385e98354c576838354a149abe |
| SHA1 | 39921a802ac74595d0c08bc1b2260be9d4a23355 |
| SHA256 | 7a03e8bfb35c360d8e60519feb3cf88749e07e44b08446033443b65eea283208 |
| SHA512 | a7651b88ec294e7e201fdcd6abfc6c3c5afebf68aa9e930703715e8af1f4a6d78cb808274a52f417db4ea7b0fdd7b425f17aa0e8e734f0c9222fae198c692a1d |
C:\Users\Admin\AppData\Local\Temp\cAsO.exe
| MD5 | eb9dfac95be28f3e871609b67f56fba5 |
| SHA1 | a08eb7973fd556f940bd7d0b09a4f3cc99376eef |
| SHA256 | a7f360cb926fb4471748a14539fb2e3ac32ddcd6f9ae9cb3655e29232abe2667 |
| SHA512 | e564ba5154fbc7ca0225ab155745453f2bf438307d31ca6bf2584dbbf437d212bf18536a678de3308b0ff07710dc318c06505c0b02b4540896d2628a399fdcd7 |
C:\Users\Admin\AppData\Local\Temp\iEII.exe
| MD5 | 91fd737061ce35e4f8f77fb690bac96b |
| SHA1 | 311e11c8d3e7033ac21ac1befde9f0caf5b1cce8 |
| SHA256 | 5b5cb4a417d8b0c6feae6835611c02e8a52c436c85f0072ec7c8ada9afcb7340 |
| SHA512 | ef82fb6e14577bb82a07ee14798a13ed737e925677be2e1ee78bd99f9719422d729759950823c2ad278d0bbeb8a5436c00181493f09eb2015ef6ce783ca3c09b |
C:\Users\Admin\AppData\Local\Temp\aAwq.exe
| MD5 | 96c9cba3deb3ba3273ff063c5c0539db |
| SHA1 | bd0d5ad4a7e678b5c521cb22e0ae2c0c3861be4b |
| SHA256 | 288e2bc09ad5a7ca24fb284937ae4979d5d1661faa9c35c4ca030d2d774bf1f7 |
| SHA512 | e2ddd3cdaf1031cc716c1bf467837d5cd350c1eae39fa25706513639da44f8ebea23c2ff351d40e6cb5b7ff6482190c78b85358ddeb23506bc42244459043c9e |
C:\Users\Admin\AppData\Local\Temp\OAYw.exe
| MD5 | ff84f170064e1e4652a6484365b68ec8 |
| SHA1 | 20b51a7acb73c15d254ef0bab2a16c693b84a2d4 |
| SHA256 | 73b535f378484aa2db962162e54f7d72fd888aebba4ac9028b102dd01c0d97dc |
| SHA512 | 8875d1f3adb0899129de665123afa8de020e04d69dc536b153f1431f9727da5156c81da5b5021e6d630ddc45725a7968503a06c3c9bf06024b2650d31cded5dd |
memory/3712-1321-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CUMs.exe
| MD5 | b5849db47bae5ec7682b6481ab72ceb2 |
| SHA1 | e2b268bee5507d3d3083183dc8a8995b8b36a7b7 |
| SHA256 | 13a731095f26af3faf945082bfcf9ae4c5744013a8b503b910fd9cba4993f08a |
| SHA512 | 7b175e46e3d458ba86cc4058bd52feb9d6e1c736907576acf0a59c53b5aa51e712b5e73cf92efe01093afb2367ca815d26e17df2bbe67f9923563c6b55f6a4cc |
C:\Users\Admin\AppData\Local\Temp\QYkm.exe
| MD5 | e59301a580a5433ec3e04642cfd3df2a |
| SHA1 | fbddf8350cbe21a668a56f7bd28a5b542a604b51 |
| SHA256 | f0950120837b7c767a1b87f1755f455179807bd59bdc069507275fb403d73b08 |
| SHA512 | 965061eeadd2f3a074a6aef02b3dc65fbc44791f0793a312da985498c34b40ea1ea94a76de34d712ea5b5cfc55c635dffa1adcf684a057b8538129e1026ac803 |
C:\Users\Admin\AppData\Local\Temp\iwQQ.exe
| MD5 | 985843f918645a4e07e05d2c759a7e1a |
| SHA1 | 7689cf3d351375455ec2fca570685804aa537c42 |
| SHA256 | 3067593ba8fbbcd1cfd150e5ab001dafc5e2b8f1428d84cf2b3ade5320de1830 |
| SHA512 | 6c9d19252195246d0366237c7e2161206ddd2a4712e473a5dce596bc4199a0b408d06e498ee84cdfc1acafe78d83f3d4fc46528beb40dd5576f60d88cd6c2e11 |
C:\Users\Admin\AppData\Local\Temp\GYUw.exe
| MD5 | 0f5679ba6705929715c167d048108be6 |
| SHA1 | 192820318dae16db73d7513fe3ab6e1b218d332c |
| SHA256 | 3d15fb3e69413a83eadb8da895381b1ac381c3809ca778be53c5c74b1661ad3e |
| SHA512 | 109c56510577a5173da9355a1039db0d65c10491ba08c72537df28cb5c5685461174c304079765e0fea860fd7be589b55f8106f7deea2bb6b8d1a5cffc69f31d |
memory/1036-1384-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ocgg.exe
| MD5 | 066931d7beff3338553cb93bf981463d |
| SHA1 | 17c79dbaaecd0bd8d424d68220541a34d945a8c9 |
| SHA256 | c029275aed7a3a44f21733035a21140645839b9790f323901832e1c7e0d27a41 |
| SHA512 | 0dcf0bab49daa01b9790387740391dd8e35ac03f1f127e58cb210c73641aa5b8b6a6fec5246174d3deef2918bf879f823e296003693327dc1e3df10df69b3f44 |
C:\Users\Admin\AppData\Local\Temp\QEoa.exe
| MD5 | b8f055d74cf1fe47cc500c506e84edee |
| SHA1 | 223e28845c71582bf6efa9ae665c3bb399627b6b |
| SHA256 | fade748ef8e66f940d168d474f3247e68c4df858968178fb650bd96a8ba0428b |
| SHA512 | 8070ecbe40f775cdb815e9285cfaacd20579513160c597e7aad92b952b2cbe8fc0ad5b6ee141357ddd467665c0745dbb3eec8061c612344e30be1df7cedf8728 |
C:\Users\Admin\AppData\Local\Temp\QUwW.exe
| MD5 | fd02b2f265f01ae147b73b331dce0225 |
| SHA1 | 963bca528efd12169bdda1556a557bfe73f914ed |
| SHA256 | c0a8f6d16ed84ee83e402f2810eaf43cf28bb7599c4d3b168e76de170aabd34a |
| SHA512 | df39220c9b82ed49d0e28bad221fa76a0fa7999a2a17efb8ef885b4282e7f500445ade66154407f3a9aeb615cd8caa6b3476d76770709585020495cc3d6c7082 |
memory/4280-1434-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qUII.exe
| MD5 | e1750de6c893df2f546d4bea51eecc0b |
| SHA1 | 97294e738431b66f65acae91549ead8a5e732c52 |
| SHA256 | 382e64ec608578084106809e0e240f99e03b7893a63dccca195b728f03c80dfd |
| SHA512 | a77ec72f49b7dde1e1a26ecd98c505ddc77d6e9f2d4dbde1fcf6c525e80a611ad782a280088d64be5eb65c74cc5ed0ad2fa35c502ef64727a6c79da0198d5cf6 |
C:\Users\Admin\AppData\Local\Temp\WIkq.exe
| MD5 | 2c3b8533039d95726ce6b7966b6b8f01 |
| SHA1 | 2d7faab5c0fd4f1e3a4a39a3d34e53aa02581fff |
| SHA256 | 94d4ad2ccbb42c7d5ac140721950fd2c471c4654e8b936baf12b00c78923700c |
| SHA512 | cd252a1b3d0c8eb5e87bce753ffe2284aff325e2155f03e8ce65fa7f3473e1bc78ce7a991293e4da3095eb24665bc51c2b038122a02e3834562ec8a1e427615b |
C:\Users\Admin\AppData\Local\Temp\kggi.exe
| MD5 | c62242b0d96151955a5ce35448227028 |
| SHA1 | d219e8162f37fcda7339e75f7a83e5a748504436 |
| SHA256 | 5f4bc6e53690b4a042233dd24e55b7962e2f3cad797b335934c7c25a944fef03 |
| SHA512 | 3aad56e8e436e37dc15f93d486bde304b9d80694db9484b8572d733ed6ab01c776702312fbde75cf1bbff61dcf858e67cd583853b6efbb87ebd26f4efd59bc63 |
C:\Users\Admin\AppData\Local\Temp\gMcS.exe
| MD5 | 19052b91ee5d79fb68e118959161e223 |
| SHA1 | c7994d032241a2f0c849bf650e3bcec6abd79fce |
| SHA256 | c1449d00cab7ec1dd7f09261122bef4451db03bec50c8d436c2a92a5b6435eed |
| SHA512 | 592ae7bc4904d8dd51be992aa5adf49ca28da993ecd3e532d85126b3585d09d23e56e33342e3a621fa9db06eee6855a9728ed06cf17e8128b80d618c3fb5145c |
memory/2920-1498-0x0000000000400000-0x0000000000420000-memory.dmp
memory/100-1499-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wwUE.exe
| MD5 | 4e2b883066e03c01207780fabb867c09 |
| SHA1 | 7da984117cd9ddc17a0f4211248d86c796e2a186 |
| SHA256 | 9c185e8a6af58cbf253f6a79262429bff727f08359f67e9bead396aa1631b1e4 |
| SHA512 | 058a23a4605518ba6f49b1bf370badd6dce9c24bafca5b83f090f3c51b5c0bcb14f04cb883d91e460f9c0796d94a334ae49f1f58a8c1ba6360fe3cae140c3be8 |
C:\Users\Admin\AppData\Local\Temp\cEEQ.exe
| MD5 | 01535a54d1aef2eb857ef41d3aff4162 |
| SHA1 | 2f05e572b01e71d6235d4305144bb45a0a3662d4 |
| SHA256 | 501de487f9f16181e5dae29237316f6885ef48c54c21b954e0d0dbcbe2701940 |
| SHA512 | 39e067c36c6c8d18d4999824b179a39e129b7677b0fa2874b8c179860547ca1f1f9a9176e4d8a7e7aa2829c39dd90813f795d0b32984581eadf6f642dcd089c7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe
| MD5 | b482ff690e6e8c5ce5943f418361524d |
| SHA1 | 4fc9336222ed8d911f567289ce0293fe3b7041a6 |
| SHA256 | 48b7295cb53566395c26b669a466f76221be2b5e040e5b3ef20e009a364170ab |
| SHA512 | 8822e8ddf69e8b3d754aa8977d66c2369776f5312013441fb8e18fa78127b60677ed71f8ae1452280af5666df1032e0ac9ae78f783e68698aa01bc2dd82f4b9c |
C:\Users\Admin\AppData\Local\Temp\qwAq.exe
| MD5 | 409483a9a6cd9fdbcd1fdc8403c66ccd |
| SHA1 | 04bed676c7cbcadebc5988ea0b942f5547dca7a8 |
| SHA256 | 733318ca89e7ce9b23a60ee39187dffb7c9ab1ae017add67c46b3a405bbcf3b2 |
| SHA512 | 9cc0607015dacd2279abdf2558abc87f8dae4d2db66a7c687690202644f7ac823b77a7b66cc5068b32b3e9576f20db6a24ade72f9c364783f492d2c77f260036 |
memory/100-1563-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ygsG.exe
| MD5 | 7215ea3357b7efee73154e3450000dfa |
| SHA1 | 20bb7ddc5fa3e8cf4c44f3eea0309626ba1d96d8 |
| SHA256 | cd42f43951025bda5bb40a8c2d147e8e2afa64b053ba012033c50249514e68c4 |
| SHA512 | 0bb9368b85b7614f680d07fb03e096ef3aac4758e8135a6e3151dab9421f9e35c6b33622ccef53b8b137f5e55d251f232a098f9f100566eb97719f1344ca3c10 |
C:\Users\Admin\AppData\Local\Temp\QwMc.exe
| MD5 | 2587d9094663ecde74f54e0e4ef11140 |
| SHA1 | cfe90a8edfa6303ef67221aaed3e92a1e61482e0 |
| SHA256 | e7a5ef935439a141a0eaa7ae70bfef15d624338f131a4a4ac8422916b9a5132f |
| SHA512 | 1d6ec92614b19f02561f620c135e9b3676747c97ac2b45a2bd7f1ba69a92050f2a6cfb0723196c3cf71071ba5d351705f63c6d36d1ffb21c71361cffd2a5bc89 |
C:\Users\Admin\AppData\Local\Temp\mQUi.exe
| MD5 | e4d6f2b14476b69f2721aa2104e3cbf0 |
| SHA1 | e4d8b8e6503d63a186ed3654b3dec39fb4bf3933 |
| SHA256 | 70ca6a0b43d77af277c3b6fffba453a56c7a38e1d95c0f35963adbb62c5adfb2 |
| SHA512 | f169f2d9301b5843ae3999c67d168b470dbf18c20d3869dd71c773d984d45c150830a318f77f9d49e6606268d71ea54c2d0c8507ed6c288a3b5cf38e98fd48a6 |
C:\Users\Admin\AppData\Local\Temp\esMm.exe
| MD5 | 799808c49f7ac96635941f8feca8a5e3 |
| SHA1 | 0f9bfe7055c2b4a9957b4894ed46d381afe32537 |
| SHA256 | adf83d4e9c63041b3be2ca8ff1b365afedd19db8220df40c8caea52adf59405e |
| SHA512 | 2f2b0cf77e6d46ce7cea730e07ef4cc124e6fefcf90f6516ab3d1826ec36139a27e0ccfe8c0bf046cd6019c4f482dca26af35771fad13beb3defe74d9e0e95a7 |
C:\Users\Admin\AppData\Local\Temp\kUUI.exe
| MD5 | 785b6a456fc1ca18eee474cfed321dcf |
| SHA1 | 555420ca034cc7ebb69f09a607d79b77747f852f |
| SHA256 | b937858b8a0b50c81a2cf7a5f09844e1d87e2273222d56c0e4b44b0648edfef6 |
| SHA512 | 0bf94be7dbd2d22835ef57fd46efdd2015c613eda052968438c9210e6c13afab3a26306ffd805f2cc3551246015dc3f2e406c267a7899aee29faf4d1d2046454 |
memory/4460-1641-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IgIm.exe
| MD5 | 1b8ca418c22e4b8d557c4fe86857d834 |
| SHA1 | dc3c5ee0e7c7a879e2f1f879222b4da434e7bf39 |
| SHA256 | 0562d936c4f9f06c6f70514cc20b9143a98e896677ec641ea1d23c03e2110b92 |
| SHA512 | cafb402e211ee1262abd0ac0a96d61e6658e21f265c38c49298633649270889ef071a2cea45f0ef6860bab99f9a71f461088dd43db8f782373faccaef4b5b604 |
C:\Users\Admin\AppData\Local\Temp\EksW.exe
| MD5 | 8d5a719dbb20fa844a3b161c0198bc66 |
| SHA1 | cde53623e4e6e177eec1ee2bcd973b276cc37622 |
| SHA256 | e5391eab1bafda5edad94f36b617396548677baf7ca5824c7dbdb4aebcaa95e3 |
| SHA512 | 5b77a654c25babefb9efff4ece9ea8d8c24d8c87fc9a65d0544d569969bae4611dae7ef4e2b89b024f6dc1da97ee58d39b6d63397936c8973e595eafa239d298 |
C:\Users\Admin\AppData\Local\Temp\yAAU.exe
| MD5 | 76c3f3aaee8f89995cfc00c237f03c9f |
| SHA1 | 278c7d9a2908860b7da88802153f38ee618a4dad |
| SHA256 | 483b87f8e989a455a5ca799c91c0cf5d8892c93e36decd06b1a8d403a8b78791 |
| SHA512 | bd444e2545e4ca9b60795f18fe636b858e5f9c89a510e3739bf19f0f335948b5e534b9bffa15eb6c6157d130ea931ad6dd994c6a21031077baa36dcf1de47e61 |
C:\Users\Admin\AppData\Local\Temp\YIsa.exe
| MD5 | 2cd0a4f697134052bf40c10749ef1ce9 |
| SHA1 | e08e511a6704d3493aef7f9419c9f5b65a8ba7da |
| SHA256 | fb831603145f1789973e8825c03d472321db60d02459f0915c8d775667ba55dc |
| SHA512 | b366958d549d8aa4d19c8cbcde6b18772e5c324fcdb904041ee71caf9cecd1422d89b670114e0018dda2344b51e905c79d9bd9fc4eb66575590913a80681784d |
C:\Users\Admin\AppData\Local\Temp\qoMQ.exe
| MD5 | 86bb0258930bb6a48c14624fe26c8bf9 |
| SHA1 | 1b64180a31aeef5460afdb38738918336787b776 |
| SHA256 | 921f7d43c4db3d78048127f4277e752145e041c8d5f8971031893c41e626bafb |
| SHA512 | df123a0055777dbe458c301b7b32966e817896ad434fdf92a6e9ffa9be56461639fad00636551d329dc2693ed854a7b561520b85e70611b24e70f6ff0045bf68 |
memory/3656-1719-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 06191f5c8752ca0b8598d885188a0d13 |
| SHA1 | 0273712dabbf9d1ee61aa4b335f898b3734942bf |
| SHA256 | 5cb5b1b717b32ef30bd8611614864600e1b9953dc2baefb0673db71473c7efe5 |
| SHA512 | cb1546c577ffbbd4550f54a9627f8cf576470fcf6dfc9d8faa7190a67783ac3afb000d7d15cd4d93632650f54dcbb90c05dabf591bb49fedeee800bf3986defb |
C:\Users\Admin\AppData\Local\Temp\sgkc.exe
| MD5 | e2d630043aed38d54855ff5f2cd1f8c4 |
| SHA1 | 1737867adccfe35dee387630df1b53b57c97d16a |
| SHA256 | 73a9c1201f746ed83c23bd42885a4e5183102c207e6a6de1431238d672e8afcf |
| SHA512 | 53728a2c65a39490c7bc924f0069ba4aac660d36470469c64ce02db86cc782241deac0a63b4111ec6dcd60f4427c8e14b9580e390d63c4a31f838e075a9ced4d |
C:\Users\Admin\AppData\Local\Temp\Qoku.exe
| MD5 | d800943f5a8657eb9fa782b888000b19 |
| SHA1 | cfa28ea3214464e5a1893cc734c9b8e978ed9493 |
| SHA256 | 6b8482ce0dee744c348d2a6bcb9bbe5a27a34a4b78badfc36637880160d66b55 |
| SHA512 | 96594a5d8f7d29a02fce6827690a975fb48ca886414dd86e0b2d04bc3e731391351342541d5eb245ded69637c8d345a38c7e77192b2a47f167acf636506c6c45 |
memory/4508-1768-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uIQa.exe
| MD5 | 123d662e5ffd798c0b67f4f9b8b32784 |
| SHA1 | b6a9bf211120703e91c0af8352c1c70d9f4d18c2 |
| SHA256 | 6e680372ae241f97bf9d7a11c5a564d6cda1d637591ca4f775f4b0b09b4bc53f |
| SHA512 | 868cadae2665e11d4f9bbee255450b5bba2b941660732e1c16320e9cf6634f2c777d48c794e8778569965890b9ddc0f05be8a35527e4efd85882ebd41f36d9e8 |
C:\Users\Admin\AppData\Local\Temp\OYkQ.exe
| MD5 | 4382f969be60f6d421ec3a7ae667a04f |
| SHA1 | a23a5a51b20b8dc6df40a595706a55b0baace84d |
| SHA256 | ec7a4fa42544bbba44d7fb16e0ccc8024f0ccb596f59fa26f82e40452d5a002c |
| SHA512 | 39ec9af535dd260dae5c31079d811a05680a63b041590006ebab513cc404da9874919b40aef31af38a0355b6fb7fb914b3dd4ff837b57e26be88e8357e8bef58 |
C:\Users\Admin\AppData\Local\Temp\YYUA.exe
| MD5 | 7b83fe5562db5430e7aa8d0e40bd0d39 |
| SHA1 | 49e632cc6eed388b3641a0d78a41ddd9c2aa9a96 |
| SHA256 | a5d1c6fe7717e740a7c85eb982a55170913d281e1285b76a7e67b452bef71a1e |
| SHA512 | 71ad46b07ff743a2d55b51ee1c2ca75d3237b9ef9406bf1b95d1bf45348346fecc8520bd219d2a65aa68355218f413de2084839e8e6ae66018ba2c399387d013 |
C:\Users\Admin\AppData\Local\Temp\sUww.exe
| MD5 | 58ad95225210e2a6629b8defcec6b59f |
| SHA1 | 83cee28a77b0529832468e934b5974c2d83c5c07 |
| SHA256 | c62c60664508591f961d38794cc8c9bdb27391f53a354136e4027f65df1c544d |
| SHA512 | f01d1bff785404ce53223b8483025df487b905b1fd5b296cca3cc380d5a3067e2fe57dadbbfb67593a0cf638fcd402a0aff7abe15718fad1e1dac84a1f12f9fa |
memory/4444-1828-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5116-1837-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EQYC.exe
| MD5 | b7b0f2907ddae1d2c6b91978a41476c0 |
| SHA1 | 6bbce172f730f6ece2fd208094f20dc06ac1253a |
| SHA256 | ae98701cc559630240c3469554a35750deb4b2d0704adfcaf5c1bb408af38743 |
| SHA512 | 0ee037bd857b04650709922fa802bfe0d8da41ee2b42e7bcc975da498c43b1971eae11506bed45b8af6fb993462eaa5d8ad888effa31acbca33fb3f6315845dc |
C:\Users\Admin\AppData\Local\Temp\uksu.exe
| MD5 | 5aad70819ec0d60c775e7fcbeae90fae |
| SHA1 | 563ff95f75033c823cfa6f404b1f95d110bf881c |
| SHA256 | 775562145ca88b03bf6a3fea45bfeca74e8a14f92f9327c0415a92f056c6ad89 |
| SHA512 | 85756b83150f7a5b6a2b11c7734213375aeb6977b42f9928a2bdca5bd5469fd7defe5fc4f3260ed0592a327821f44d46c6f6c198b49c61ca7c8f2aa0b335de6d |
C:\Users\Admin\AppData\Local\Temp\skEc.exe
| MD5 | 55db92c18f3c19c250e4f82ea4ca02f9 |
| SHA1 | 525b06457cf7fa34fd621305f465781b2aca5d6d |
| SHA256 | fbeb47c33734c07854abe2dcf0ff8a65b7868159f9f0dfd27b6acfd4c6e0efc3 |
| SHA512 | b2791f9c37b69c2be575fe851c1a60883eef88f00fa2c61d9884cc778e94f20103e4e6eefd71062ee8e33dfdd3eaddec4d953e3a560919d69c0b29902f64106e |
memory/4920-1879-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4444-1883-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qYou.exe
| MD5 | f5878a765edad4fd2d2b9cfc4d507fb7 |
| SHA1 | dee383f9c01fee1873880279d77ffab550e643f3 |
| SHA256 | 6ce12a678783de099b58d2b1713098188da7734544460fb9a9a81da4c4b7417e |
| SHA512 | 7aa24e9521b8441b4f629fbf764a57e5da743a13e5b9be78f3da92d6c1ebb9dae47fea0f46af415b0b89692007472054b2ec1012afd6b0588802bc99e93a701d |
C:\Users\Admin\AppData\Local\Temp\mEkw.exe
| MD5 | 16a3b3902546825517c63a51fa784e0e |
| SHA1 | 7f3b938c475a0c2aaaf5ad673a05f18a4d4d8e1d |
| SHA256 | 519a997391ca6ed01403912f5b92566148dc486fc939d5587a6413d8eee85b72 |
| SHA512 | 4be2ef9ba78eda94bd2f7b12fc75d54b08859187bdeaa576b11b07f9fabeef22851ecc24183e78c3af575c1c8bc5d856ee914f14acb71e5e15e1caa4fb343d32 |
memory/4920-1924-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QwoC.exe
| MD5 | 0ef1c5c64a43c28415b2783554535d58 |
| SHA1 | 28647273a652cbfa4f1439ebec6f94172dbbf007 |
| SHA256 | 72faf5e491feb647280de3e85bd3cdb6c39bcaf3c39811326dfbf0da0e2fb498 |
| SHA512 | 6868449a4a932483cdf41ded9879ad76ffe9c77b79ac1edf36fcc84e53bdf6b27c51b145962b9fa6f5add706e184733eb196c76c5c8b5563b36d1f7c4548d2c3 |
C:\Users\Admin\AppData\Local\Temp\qgAI.exe
| MD5 | f5530d204ff5947fb8783f7ab091fe42 |
| SHA1 | 1a58bca68d79a83bc0307f22732b5b681eeb4b92 |
| SHA256 | 39997f8d6c119dbbb9bd46895a89cb888ef52828597a89d0d46685d63ae16724 |
| SHA512 | befa104bf1c1573d5bb1242e569019f1d84543f4d7849129527ced04325db50a1fc90d1bfd774f59968e1313888423930183b98eae49787740bd34e068b37900 |
memory/1940-1969-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkgI.exe
| MD5 | 260a9b8ac9f114de50fcd602cdf2162a |
| SHA1 | 447c77d644668f565c222a5197f2600d85cdd244 |
| SHA256 | 03159c4f9002b51ec3d2352c4b0a41744f9b64bc5375ab0f2c2312d402708bcc |
| SHA512 | d1179dfc0dd89b9c095b619944d4357e02579a615c30bbed5dd8d446b20bec70c8f6f7a2763c3aafa9bcf32353cf5cf03a7a4f1e7cd44efd93366b75fcb72ca3 |
memory/3932-1970-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QQAU.exe
| MD5 | bf522b521139facf470c3bc117739250 |
| SHA1 | bd4f3f501fd3122f5c3fcf59194588526ef48fe3 |
| SHA256 | fb609de9f99debb4a0bc0963943c024b40d1cab7c8eb08e56bbfd49b39bbb413 |
| SHA512 | eaac39e762210893ef95be5c84c1ef9fef60cad171ae3cc61509bf6dc3bcbfe23c8cb13399c87a610e4bfcbc80f6ed904e9b21f72d3a0e8f00198ba32efdc9c1 |
C:\Users\Admin\AppData\Local\Temp\AYcU.exe
| MD5 | 0d31c1a2d83b7c0320c4757afc628ce5 |
| SHA1 | 918af311ce141ceabb61ea80f9083ea905cb0ef3 |
| SHA256 | 9fa1d9ca8d412caab96899abf629a4e1da68649fa73f1acdae0199b55f5aeaef |
| SHA512 | 302db064de7805b7e8701e5ebc1e99b930ed147a48b8d060c2896f23e19142d41611f7981dfd84cc73713607d882f6a865655c22755f51807c883c3b4ea31106 |
C:\Users\Admin\AppData\Local\Temp\kcUw.exe
| MD5 | b4a78637dffe5d4a2b3df93afcb3fd2c |
| SHA1 | 5a159c21a3477d20efa5ffbbd95b5c996abe6141 |
| SHA256 | f1961e6d0ce0cc99a0d45f7fcccc5e5bc2fb419682ded24a94e38f5a56ca8c0d |
| SHA512 | 9c8c8a8d26064c9eb65c1c5e80fece7fcf293f62fa40aa77da67a6ca947a52f868ca39dce679b76968dfff87edb73f7935c685aa04fd07b23a414d71226defd8 |
C:\Users\Admin\AppData\Local\Temp\WIQm.exe
| MD5 | 22cdd845c2ec2190ea2b9f14aef43057 |
| SHA1 | 53301aeee31d3ed616fd0eb91fdfa06f06cac935 |
| SHA256 | f27b157b72520c20aa0d13c2784cbaf878d6f087927732ff84649e89cc56cb83 |
| SHA512 | 5fd1ca02f039f5fe767b660b718b48543b2e9214d3754b8388bc67aa0c4161b93abf10cc7d57b9e006c738a675fe94560d2a20d957effc5ebfcbf7c8a79404b7 |
C:\Users\Admin\AppData\Local\Temp\WQgg.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\QUcw.exe
| MD5 | 289284203985bc6ec83e51fc935d7f19 |
| SHA1 | 96ca9cbdda322c3d6a347ea1a240791423d498f5 |
| SHA256 | 42ef01bdaee518cacf085ca4b43b01538d860caa0f096f7dd51fb7dd265b1555 |
| SHA512 | 5d3feb14ad889c68d4ecf5200985cf24a942f31f8a6866394992a655da6ee26bdbfcea55e8ce6be6649cbbae17714359ba04b7d9f88699f8cd412516fa1c79f5 |
C:\Users\Admin\AppData\Local\Temp\EUQu.exe
| MD5 | 0bd7784d11afeb2308042a8de0afde88 |
| SHA1 | d3a3783cbad73702b10f0b31b647b391b41e571c |
| SHA256 | 25cfeba6e73630d963e60d9d7c27e1c5e2dfebc7c5f342fcd3dd6ff5635a51e1 |
| SHA512 | 818c694b60e277ade86b3aad09d3a74cbeb1fdb3d2b46661b35841b9ad790c6a1ad0a970c02bbcbe3737ab594c915389526a4b2aef4e0bbcbf1d54b500540cfc |
C:\Users\Admin\AppData\Local\Temp\kYow.exe
| MD5 | a1173ab42e6e36ae3bd996613dcb3350 |
| SHA1 | 3e0ef35abce845ae5883819087a588396d8c28b7 |
| SHA256 | 3a0e9d1cb91d105b7c4ee64feda01a6fe3a1b8e1700538378c0942214a03bcfc |
| SHA512 | 1ac5386e0fe9198de96b46684b3464888a0450ef721cf0c9a2b51f987b3ec9016eb58e1eba3406b42355a45c22f4c143593ce2784e5af582712ed3a5cd40f08d |
C:\Users\Admin\AppData\Local\Temp\soYk.exe
| MD5 | 043737d4edc47711f9022fac61920f06 |
| SHA1 | b102da3cbfbd558f5ec32e786c18ebc93387a558 |
| SHA256 | b011d8fdcda8b63be5d07c32af93b95595ef6c02791ba2dda1d932b429708929 |
| SHA512 | 1045c96d85e3f3e34dd22fc6de4dcc3234c3386a98466f0d599a963a74183612631f6b9fd58b4a108811e828a21a8f85959838d8663798b3622a6359ae758d95 |
C:\Users\Admin\AppData\Local\Temp\ukkc.exe
| MD5 | 068fb82844ea0e003573df7a79bc6061 |
| SHA1 | 52fc7110cd84f10b017955f085baf91f5572f41c |
| SHA256 | 4aa952eca685d74e29c43db4e4ad703425449d7f5dad251447270d14bf698ff8 |
| SHA512 | 66bff6a5f98e8f427992eeec4f09cd7149a51136f6e7b8799ddf39c8dac2df53fbae66a9438d7c1253dbd051e654f1ebcf7ed92ff5385a86224eb11cc5f86d67 |
C:\Users\Admin\AppData\Local\Temp\iUgg.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\uUEI.exe
| MD5 | a35713e619d6e99e42bed467806de278 |
| SHA1 | fec56eee903e3a96233b26973d0b6ef245ebd27d |
| SHA256 | 59b27544a1081cc915a96e3e19be4bacecc781c0e551fc0c68a8e5ba8362ac3f |
| SHA512 | 6e13069ccbea3967db2031e8eaef3a8e006fc2435fdf959aa489a4944b7e59282d6a04dc1741a6c0ff2ffe10a6e43f2c28dfeb8486459f85cef04fc4d37d351c |
C:\Users\Admin\AppData\Local\Temp\MMMa.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\wkcq.exe
| MD5 | b9b2c61926f40f96b595892cb91896a1 |
| SHA1 | 47d70a6e75f32e538971067f31c031d79bf75017 |
| SHA256 | ca3f0209eede2a93abf6559e0fc42457888d471f29ad76251633cae9fe4c55fe |
| SHA512 | 9e87903c6d07314eead8a1ecd70fa019f9e4681fef652b0fafcf146903d3495334d094b95baaa777c2972b46e8c6883a1944aaa53c00ea62b3c4d4a9d29b1c7d |
C:\Users\Admin\AppData\Local\Temp\OAoc.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\cUcC.exe
| MD5 | 380daddbd71623bd5a30220312688151 |
| SHA1 | 268a73112e06474fa0b7526337689c49182f94c3 |
| SHA256 | 6c2a3fb126eb76cd8e95ed8ed50288f8b6b73c65225034f1b83e317bfdd6ae51 |
| SHA512 | 23bdc768de4521c45c5d212466864319e870f383bc9652caeb347d420e1cdd505ac4e97afb521100c3e1cb75cf4c92644208d261425649068c7138a31ddd31f5 |
C:\Users\Admin\Pictures\UpdateInstall.jpg.exe
| MD5 | 19d0f6e5e134e330840b750c1445b3ee |
| SHA1 | 0fbeba854f9a916daf16fd01c0cdbf000b466686 |
| SHA256 | 03e6e14fe8cd13bb0ae6bbbb779c5a8a41272734256970f73c236aadec3de355 |
| SHA512 | 8f8f966cb11ce9c738ea2e4d26b2641c70ddc5dbdaa15b2af392d6755a3fa400367ce1643941f723044a740813703c4c0b4327a39c43f4603ee6d13d2a6f43e6 |
C:\Users\Admin\AppData\Local\Temp\QEoo.exe
| MD5 | 2b277168fbfcbafa39d92af34028c61f |
| SHA1 | 1e598e273d6c616d960c5f0350b8b6318d9ce6f6 |
| SHA256 | 1e07825edd35eeb32d3a5a5c6cd54713a94b2fd269c80fea1846ae25130c82c1 |
| SHA512 | 78a7d164d31ad0d543b6ac2373e744800724724955b7276ca0e6a652f4f8b4d9b180f3f289d29dfd2b35b954317aaa3a3b0b6b770133e7550dd2a2e8a1ecbe2e |
C:\Users\Admin\Pictures\WriteRedo.jpg.exe
| MD5 | a43677fd8e1693b3e54f51bbe1ae3c34 |
| SHA1 | 54420dd31e654dc32d0dede961a466573f0ad65d |
| SHA256 | befc25db782a1346a4c73fb8997f23501fdbeaacc1f99577bd12021055393f1b |
| SHA512 | dcbcfd9b0e12387f4352a682d6e9a8d6b370d4618aaf06827a21a9f052a46afe8d5adb10fe6b391b1b171aa07300e91a80c8c7379e8155667d1ed3a50f9ba291 |
C:\Users\Admin\AppData\Local\Temp\oEII.exe
| MD5 | ac06a2d7293837846a49c92a24c251ad |
| SHA1 | b3dbefa403b37a173e6b4c25768ee3d50f119e23 |
| SHA256 | 9392fd565e404d46d9ecb1f237da07dc3e4c79a5fda646bbf33928cbb8ad4868 |
| SHA512 | 94e3b5776d7ac0eb0ae3e6d20d25e0b5fcd52b83d50949fec3c44e813a87e81209517736b5787def6826d3e74b275aa048b902851cce04efffe4c611538d71f8 |
C:\Users\Admin\AppData\Local\Temp\socu.exe
| MD5 | aca67218e1b18be1ece61cd07b8dce5c |
| SHA1 | 91411c3867e0e739ffbddc1bc3a6e8084629422d |
| SHA256 | 6670347434af5aa8a0e32820d576c68f73a591ec42878a006fed9e818e2e3426 |
| SHA512 | 732bf10bccbd68a1cec23c2bd5db7c00ffe176a41f41a8375b5be71739b21d96947bb2c286762ccbd28f2ebde687a1303df4ae42c48e68ab4e6f3d35a6ff5366 |
C:\Users\Admin\AppData\Local\Temp\cYUK.exe
| MD5 | f7913954e435284831b610e8726aba9c |
| SHA1 | 6cc015e52181cde0de3c10b43f346615d1415b8b |
| SHA256 | d7d6c1f166014151512baa3387479709728475159a88f5c2d5341917d631fce3 |
| SHA512 | 015adefe63733c1b27015cdac706622f654d82550989e546009a7723d2c0c053d411955f8491cc26ed038b1ade3d9ed5cc646713adf68160ad61b3e14b847149 |
C:\Users\Admin\AppData\Local\Temp\qUIi.exe
| MD5 | acd323831bddbbaaf4d6d417683f33ce |
| SHA1 | 03f88ee651212049137f03a05a392671b39b6237 |
| SHA256 | 206022ceee408f559ec20e127d3f946ffdfb65e46c0851ff21879f7cb9a5c2bb |
| SHA512 | d25747946f85e7d0bf19649c7b2845419bf3310040af292ce361ca6eb96428dedf64f5cf15ad71f916c782b4365961818ef5f207cb76c4ccb9b0a50e7d3204fe |
C:\Users\Admin\AppData\Local\Temp\Eccs.exe
| MD5 | 48c08767416c42ba09821552e8a1a650 |
| SHA1 | 3ba84366c46991d9d5c68a6d94466e7f61b93a57 |
| SHA256 | 9e7185e72d8c0696206f67ac1f9e4db47c1a665ae3a52649a4ddbe603a9d12dd |
| SHA512 | 26c565a45871ed724ea830f4b5a9e0117874f8cfd98e22b827d67aa9e68c6a0a4592144e8f28660a12b5870e40378927ab93fbb3e95c4c8dee7fcb4ad11ffd9b |
C:\Users\Admin\AppData\Local\Temp\eAMm.exe
| MD5 | 92fc921f3d33bd7c560da1451ff97a7e |
| SHA1 | 15320cfe47090778b82fad0559d6518f933525ed |
| SHA256 | 74e12c61828cf6f7997c59e47a5b9222cccc99ca26b735e9e44bfe8ecb3c6792 |
| SHA512 | 3a9c1a34f2c799f6e84f8bec90a564164c5e9ce8bfe54b213db0c72f4759f1076242053ab3a7d6d636e352b9b317ae10e47289612c6006d6e0f0e97e9144dac2 |