Analysis Overview
SHA256
72e28253024c7646b511a5ed0c0e675dbd21983dc000a25cd073e41c76f07c71
Threat Level: Known bad
The file 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UPX dump on OEP (original entry point)
UAC bypass
Renames multiple (83) files with added filename extension
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 11:25
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 11:25
Reported
2024-04-03 11:28
Platform
win7-20240221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | N/A |
| N/A | N/A | C:\ProgramData\RgYMsAYU\IkwsYEcM.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe" | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe" | C:\ProgramData\RgYMsAYU\IkwsYEcM.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"
C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
"C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe"
C:\ProgramData\RgYMsAYU\IkwsYEcM.exe
"C:\ProgramData\RgYMsAYU\IkwsYEcM.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\woMIQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgcMgAgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIIEgcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoQYwIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYcAwYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyMkkksc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CcwIkscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCwEIAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIQYEEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWwMccgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "521224872-3000722171846578990-939840330-1580424658-4685307265581425111378813322"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\owIAEYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5832202344695650661630872421-1022577799-1219190182494570834835630259-1178535928"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aoQQAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-47672146218164241683217733371533781049782903594-1672307064998293440-953456791"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGkoIgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xwYEUwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-779047033-2079758537-7449717361200222330-104426621-1701565414-2696019911454972241"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71732206-198848081-765210630-322109440-108328752-293726521720666320-1751298060"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMMswwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSokokcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-332725593-2777766311812288265146321060-7927014539790636122136272957-2100325901"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5868237291954621825195310975920512604221818431647-17870912381225500217-2143853339"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\feUokYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViMYUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YAYYgEAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQEoQsIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-301444709-820695885-1192282001-1802336029-1569981694-855716448894566686-1792996214"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WGgIoUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-797404462-1846220925-327227904-17281526192134788191118077413902165170-1071566319"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "586811734-5138252065475456-5941756942020511901-3448562851609451371-1722138201"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GmkAkowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyEQIIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mwsAssok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "463688800625935610926226192-102207803918134144675219956921422914553179470821"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "467156861-9847454751937218505-217554641-1448528707779723462-1888706516-887104846"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWsMcEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bMAcQkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1051140295-20037033291688515242-99631153-1928838750-902845854-1042303766115654415"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUsUkowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pawEEgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\noUEkcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2082783738-639383184-1566631761-610522791-17208218171592608010-743611361234706796"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-196211683014268394651749364556-15189190361130771678-190081212-1281495930-2021819436"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1716482163-1984522830-3272747701251312719-543829336-2138074755482544244786144569"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2772871109837441151970431163292562745-66318093014632371132064288342-1221912282"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\syQcMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1315874266952099567862651031903199321-83646392-727736546-15674350461383989698"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIwEQwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2058572727-12589877621057485595-1798146021938526827151848349641119665-586387821"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qQYoQAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ywwMwUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1629637327-913591629-1670360587369913718-159433987-845215993-724175802-427447183"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwoYwQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOscokoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1165139576-141105179-41707651-392587140-769907033-12672108462115934319-690927017"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYookokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11350076241851667113-103703125773687941826078749-1386496434-785379364184604140"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKIAIYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6724759698615988561885251202329319454-1722368172-1128135829-693414906-1764926215"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LesEYsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1255441269-661946340-1973351835906332292-21459728307297126981640645803-1668184503"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkgEYEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1036110740-1085092043-81330633-1294776484-6351222844936105215594959231672719584"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIEQQwMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "650169799-8206481044920234101167236150-11493990501127588835-1542643523-577269262"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-869105970-2041330957-1590535786-399975961-297287999112997978319153967091371964508"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "252524143866359048-1693036867-1823771475635339124-1313663463-18416906471746615393"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoIUkkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "37228163515654650661350013051-1924087810-1403326567-523954960-1263787776-787339343"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mIcMQcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-490141833-1638833977-699274584892243241-2112736249-2011158420-818635915419132689"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eGEAQYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-180225335-603833432-8170596661955629534-1442060100-17917995661069920234369125736"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWAcUgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FsYMAQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1458528932-1648182887-1604458025-1916713931-2044688092-774587607965498382-70875020"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViIYcIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "399937434-9863245535593426502117665846-88649671613253157401013786127-199566367"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQUgswIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkwIcEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1516633724-1949329311482524463-510764814-18456081222039220548497241698-1647174109"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1255047875589744992-6380807722126842860-1268836319232656247-20011322181675236726"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iEQQssgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14190573811374802118-1524014583-573380664-426176283122566995217339810811277760921"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3236885771807019705684454651-2099818358716419010-10213036961063450800-1566359621"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkQEoMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "446696111-11848915541504003297-825084491896924321739524606-5021772771900200223"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7556301951821001160-1791852803-18317414821452792788-1523016960-5716464161225660645"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1660300030517550233-16918182051060440324-478956279-18303993722136145521-2000323852"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuMIYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaIsYkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwsQkcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12091912701163803384-1635260754-150697108112110396861755606697-1535199182486143945"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\okUcMgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1783987812-1646827493-1357751241-14211751082021826399192162404598045127135491044"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141025176816931707791088815671-6368865781482628570-1277316773-1170961002601348651"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12297269571284894251831128347556714095-970057075-759188371757189531668597945"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1666392322-15084900251613835979975412092-2064316786-1670977648-1622752423336700564"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dcMMYAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10745182826435243231321511455906633043-1200232341-1527447669-1084282153-843534326"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1906933944171185342013675294131112874181698365021-1935597256-1221589330384886770"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DWYoAkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAIgkkAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-955320108-967808213-15204619712291634771214700403-106658549-662375123-1793017766"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8859402661893283004331175652144055350017297712582058216439-5297266962043399047"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgwUokEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1677649142-432502847-2105670002-84459751-17706223611227938147113429525-611106132"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwQsAAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2092304000317829866-1939550855-1223055231112104908-2715590781124615731634898232"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYMEYIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 216.58.208.110:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| NL | 216.58.208.110:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
memory/2456-0-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe
| MD5 | ef94fdbc9fb666dae9a6a4db0d331e13 |
| SHA1 | dbbe88d2c30ea82e766c1b8640fa76d123543bec |
| SHA256 | cca5e4212cd5fa3f5da940ea55dc1d573968c06dc9fa933d5fe9b57185b1aa36 |
| SHA512 | 50726eb08756139b5ba35bafc2b661fcb2709a269625fec930406cd6d083038011e2e9fb1312cd4fb9cc19484dde85e574487bdc1bc3d123656697a83e05c046 |
memory/2456-12-0x0000000003DA0000-0x0000000003DD0000-memory.dmp
memory/2456-5-0x0000000003DA0000-0x0000000003DD0000-memory.dmp
memory/2560-14-0x0000000000400000-0x0000000000430000-memory.dmp
\ProgramData\RgYMsAYU\IkwsYEcM.exe
| MD5 | 6b038f1399bbb967aa9ce3704da5919f |
| SHA1 | cfb0d33d893af43b15920b9c8a55f009b385fbf0 |
| SHA256 | 2938c963ef9b4b478149ef530df6ae4605209a9b8413ca55e026837a21d9522e |
| SHA512 | 86ec9cc4d2099d54664e311771aac4de63f1eb164e60204e7efd870536c3a64180ce28c6b4cfd960bc1d2a4af06cb365c43981e6db786b7b8b75309c6f48ef92 |
memory/2456-31-0x0000000003DA0000-0x0000000003DD1000-memory.dmp
memory/2456-28-0x0000000003DA0000-0x0000000003DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aUAIIYEE.bat
| MD5 | de92ddd43d8cd88c610682f9b46717ed |
| SHA1 | c75c7b0265d7d78be46ea5e082351c76ae1fa101 |
| SHA256 | 3b5b7ea1e88969933485c732e4c3b24e33bb6fbb706cda8aa31a8832c8eac8d9 |
| SHA512 | dff4c2746d0f93d419456735134b1746bab8e16176ece185a047fb2abfff0f0a2ced1326cea4e90138838b82cbb0e979ca483b3f9e4d7998661d115cc3df3007 |
memory/2480-32-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2380-35-0x0000000000120000-0x000000000015C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\woMIQAEA.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2548-45-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2380-44-0x0000000000120000-0x000000000015C000-memory.dmp
memory/2456-43-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
| MD5 | 588e8e645526676ae2f8644d4dd82f06 |
| SHA1 | 607f0d19028f909a02b5a4b00ab7096dfb7f30d8 |
| SHA256 | 46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c |
| SHA512 | 69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5 |
C:\Users\Admin\AppData\Local\Temp\hGQoYIME.bat
| MD5 | 986d86df622c41d8c3b8d100696ba805 |
| SHA1 | 60e6f10b99f4111cd1dfea99872c5f5f64b88a8e |
| SHA256 | fd95b1d4e01515700f04fbecce07a34d1eb1420d11cbacd4bfd946c3607053c7 |
| SHA512 | 01d09e271a32598804e127f7b0bfaa7e3d2eafa42e4ec1f0dff28ef55ea2fe81b297cd912c0309c663460a5b06544713e02dd703147c6eb61c01df12f93cc1de |
memory/2548-65-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/1808-70-0x0000000000230000-0x000000000026C000-memory.dmp
memory/1808-71-0x0000000000230000-0x000000000026C000-memory.dmp
memory/2180-72-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vkYoocIU.bat
| MD5 | f0b66070246eb8d2d91a6fd61d862442 |
| SHA1 | 056adc7749c330be7ca9cad37dee4dfefe1c8fc1 |
| SHA256 | 739eba46d011fd5ff91698eec0ad14742d7d1915422b0936a02491887631c6c3 |
| SHA512 | 907c872c8ce945136d311c97875bfd36124b04b203b5c1b7ef2cc75fc2d350d7e7a0c3cf36a3d3a63153ca62f05a1a39477d9f7b8e03322dfb537dc60cd1cf18 |
memory/2180-92-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1764-93-0x0000000000170000-0x00000000001AC000-memory.dmp
memory/1764-83-0x0000000000170000-0x00000000001AC000-memory.dmp
memory/2272-95-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TGIsscYs.bat
| MD5 | 66d83b6a4c34d451a73b69dd53b58bc9 |
| SHA1 | 02de724035c41e6117e889c86859d71034743ccd |
| SHA256 | dab12bc8660707c965abd42d3b72b16e2f7d518e4da67aef8dd2131285815cc7 |
| SHA512 | 954c6f4ba53b13927aba102c58d6f416cdd5450f3502c1f078fe28e0b879c79da35dddfed682a0aacf9c60354cd3dbb26e8bb05f77c4bc992ec54239bf25e18e |
memory/2272-115-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2472-116-0x0000000000380000-0x00000000003BC000-memory.dmp
memory/2472-120-0x0000000000380000-0x00000000003BC000-memory.dmp
memory/2880-122-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZSocQEoE.bat
| MD5 | 2eed65291e9e8028b5d2ca62a22b0262 |
| SHA1 | dad9f81e44bf130476657d531c4d4c8e36415a6f |
| SHA256 | c7eb3bb61bcd9b17793f75c87b00244692ba73015d7e2cb491a07e8edeea1fd3 |
| SHA512 | b6c4bdf714e50ffab408293956fca886179261a994eff3380ab94281feaf32134bdf89f62927015d2fc4a8ea7c6f2096197bc6b364e646c07c23a2b798b1d7b2 |
memory/1404-134-0x0000000000120000-0x000000000015C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BCkMMwcM.bat
| MD5 | 91388cbd3dcde3024a6f57a8a4bc38e9 |
| SHA1 | 472ce4b87674f6c9f6bdaba54f7adf75874ea242 |
| SHA256 | ce0469b405d2ce3fcbef6d1f1b713c6431f84a7ced3a9898143441e2daeea4c6 |
| SHA512 | f7f9aadd7e300d2416af28228627fbf34f85bace1f3ead67b1bfaeac5146b6870e5473761080a82343f6868218a804e4663e0813efa8d1161b8ea676fcc096c6 |
memory/2880-143-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1232-142-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1668-156-0x0000000001F20000-0x0000000001F5C000-memory.dmp
memory/2016-158-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1232-166-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1668-157-0x0000000001F20000-0x0000000001F5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HYkEQQMM.bat
| MD5 | cf799acb2c9c214bad9733c9e4368249 |
| SHA1 | 4e055991e4f07aa104b3551243359efd34a75c8f |
| SHA256 | bb5744d9ccab500b60cb1488ada5218e3e8a82170deacce7e6b571fa1898f4c4 |
| SHA512 | ea82f1f715921620ba9e744d84ab9a12dde39c136b54dd645dd3b2476f7a5767ea36508dcd84154b1d88489a64234fbad8641e3a3817962363196065744c151b |
memory/2016-189-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2504-188-0x0000000000260000-0x000000000029C000-memory.dmp
memory/2420-190-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2504-191-0x0000000000260000-0x000000000029C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gYwYgIAA.bat
| MD5 | 75769cc14f66e3c56089351405187a35 |
| SHA1 | c0bf4282810a44516db60c4282b5c0dfb13b0ad5 |
| SHA256 | 9333bf16367471d59426502e46454a26a676f1a926b0b4ebe97a161f4c77dc0f |
| SHA512 | ebc0c568e8f9b3c12b0fee392e8b327c47da9c2742b182f4ac5b5feb912268b3fe1016ad252cc0b67f36b207d0ccac9168f20420009201dd40c629a9173ff092 |
memory/2420-217-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2492-209-0x0000000000400000-0x000000000043C000-memory.dmp
memory/760-207-0x0000000000400000-0x000000000043C000-memory.dmp
memory/760-206-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sgIcYgAg.bat
| MD5 | 9234d057fe8931bcccfe84a3d49c9edd |
| SHA1 | d8b0e52d5105e19bf07baec9e6f9536be0d70255 |
| SHA256 | 0829a14e7a2088776ac1aeb803555b020b02c6368edcbdc072e6abb370ed2efa |
| SHA512 | 7ee33a7978af05757bea4048952d0f46630acb3af62cd3d92bd3014f4a9c07c8182da9c5ae1e5367159ab3d85b4f26043e9ca62fd3af0a2afa284123762fd4d7 |
memory/2492-238-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EcAsUwwc.bat
| MD5 | 175593c1b3864064e9558e6ed29ee39a |
| SHA1 | 0e0e7385517fe1326eddc74e4acf0b7222ef73f6 |
| SHA256 | 0d9fc9bd534d7f24546c161877447f3f5dd85803c9a07a98fe64e1cd02e248c5 |
| SHA512 | 4921efbc03b32917844439b27345b3bdcd05b79ce944710d266245919191d5a1289a0372a7d524a33f57bfbcc6b18fc62d29506dbbbea565bbc1e10c78fd95e1 |
memory/1292-260-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2660-261-0x00000000001F0000-0x000000000022C000-memory.dmp
memory/2660-262-0x00000000001F0000-0x000000000022C000-memory.dmp
memory/2132-263-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gMYssEkE.bat
| MD5 | 5350c7a604b3a677126ff90b1a7c2409 |
| SHA1 | bb3e6154757530ea46eb590e097467e3e060b55b |
| SHA256 | 273497b169b0588cbe474b9bb9a7f56905b7a56ac9c29def2022ef49b5fa958e |
| SHA512 | 2129149401e5117c27508b6b9039924dd6ddeab539834006c1e47eef7fecd0e965a2f7021925a555a5b336cc236fe1c549ace0b93d5b68a4170287793601c826 |
memory/2132-287-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2868-285-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2716-278-0x00000000001A0000-0x00000000001DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YIwMUckk.bat
| MD5 | f8de9333945126038b829c28234d24dc |
| SHA1 | 595e5cf0f61f200a2a327158dd3ce006c241b56f |
| SHA256 | fd7cfab32659257ecd92ba2bd91ff0b2bd525be521beb655fd03c3951dd23536 |
| SHA512 | 37f0a81283edc05cefc4507667c0eb28654f2b1a109ec908c77ea0139b680e21f8ae411a5776e1b02b1bfd67ace7b358c208dfb71b6e4a416a9feb3dd6a19323 |
memory/2264-300-0x00000000002E0000-0x000000000031C000-memory.dmp
memory/2868-309-0x0000000000400000-0x000000000043C000-memory.dmp
memory/888-310-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LYwEkMIY.bat
| MD5 | d3a65ab57368f00c9990bfcd5faf6189 |
| SHA1 | 0bd224c3deac655b7249e63cbe738e046e1681c0 |
| SHA256 | 0720795ae79a8e9518160b58701cb62cf582058573c03aa2681c2c9929b8faaa |
| SHA512 | 5792dceea985681b189d2d96ef0db0db2e9c3e69d03b47ba31de5e5b8c224c3d5e778a4e0459f6652c04de826f866d5bb1283d1b748464f81aa5ab30a66d1a36 |
memory/888-332-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2384-333-0x0000000000120000-0x000000000015C000-memory.dmp
memory/1972-334-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bUUIosQk.bat
| MD5 | 910750fc7998ed28908be8a94a5b4ee8 |
| SHA1 | 9f14826ffb2dcccede1cf0268b4a5cfbfc4c8a55 |
| SHA256 | 18078e1ff2ab55b48672de810ae632dda6d8521bdfc2fd4f6d1299513229fbbe |
| SHA512 | 0de7f4ca658c1523a0e5651d638a3d3e942919ab5a8fc3fa15cd1c1593b8134d93581c3772b7bff264c84e128eb6d36bffd194a4dfb2281e996a5a0067f119c9 |
memory/2184-349-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1972-357-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2144-358-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ROUIkMIA.bat
| MD5 | 1b201877484a8f9b917cad67cc50a894 |
| SHA1 | 9830f878da1fcef9de7449bab1067a09b7b98235 |
| SHA256 | 05258493af10d9b57b99611fd75afa887e967f08b501d3dc10bd53a825d95bc9 |
| SHA512 | c6a0a650e4567733b05ae635f6508836ce2ea8ac3faeb62c629de66472351e9da57766d37e818fa2d8876c7b25f249268946acc71c5495878190d5e5d50a7acf |
memory/1540-379-0x00000000002A0000-0x00000000002DC000-memory.dmp
C:\ProgramData\RgYMsAYU\IkwsYEcM.inf
| MD5 | 1f8ab40f96c22b5514315492afd20c3c |
| SHA1 | 0a57bb2a49d2426d17d72ecdb79932a8e307dd8a |
| SHA256 | f305c87a26d62742dceb4d527a3ae9cdbf0663c61ddb2bf059d7469c1bc84b55 |
| SHA512 | b8b5172e2be4212343cb5794e299d2f326b32d0211016b734a77f654a92ff84bf99822291673b2d0aec14cb3676c1c9384ea99a4766a7429bff4c0396597c6bf |
memory/2568-382-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1540-381-0x00000000002A0000-0x00000000002DC000-memory.dmp
memory/2144-380-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FMwwQAMQ.bat
| MD5 | e69cbeed8d8cb47a3532937b702baaa9 |
| SHA1 | 9ad6c8ec019d31b1e0fbe52ecc73895cc311b125 |
| SHA256 | 6be683f1c384fbd0e1f2fa9f07813dbc34e839d143efc0ea75670583f96706a5 |
| SHA512 | c9121f8b92e7e65dd3891505407554cd3ce318d83377f05195147f02330badd29797efbd5461f6787c11f8f55193b6cc1f4897c74f1d0177cd1f7de289a0e5ad |
memory/2568-406-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1440-407-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BmAoIckk.bat
| MD5 | b2f0d751845ebf27577d23dc23762a8e |
| SHA1 | a7e2c6cf6216f6d45b955b9d0310ec0d032b2608 |
| SHA256 | ad00cedaf763891ea7ca0f19a1d71608ba3da0de84c0bc5fa3121dd75710d27c |
| SHA512 | c77b603a36ca20b9ccd91c9e8c6648694720273a071aa80a9ddcc952d100b338cd308418ad99e6603926abd0a68619550736d898e9424cae089831c0d9a49e34 |
memory/2968-430-0x00000000001B0000-0x00000000001EC000-memory.dmp
memory/1440-429-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2472-432-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2968-431-0x00000000001B0000-0x00000000001EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xqAwIAww.bat
| MD5 | 262b47a9312977817507627a78a8a89c |
| SHA1 | 6c2d1a27992f55b8c19d861e66e2d50d4d38890f |
| SHA256 | 8b6efddc575c0bba964a897f0049d4430a7578f7bce83637db26f4a6b61db184 |
| SHA512 | 21dda0e6aa4b4fe6cfdf738ad02a12287604616b9656a5aaff294affcd65eecc76ef8b61ca02de8922267a917a159bc5ca6782bf036e67c7fe476da8bdbe713d |
memory/960-446-0x0000000000160000-0x000000000019C000-memory.dmp
C:\ProgramData\RgYMsAYU\IkwsYEcM.inf
| MD5 | 9ebc5d27b14575eaf23f89d34622f305 |
| SHA1 | 8a3d616c4157842d1cb14f04a78389df554fc3d4 |
| SHA256 | fb12d19b2f4fc7c745743d6fa2b4119fa0267447b2d728a97710056cc4fbb924 |
| SHA512 | 728c52add818ea4078814d6a5a31fc30423067d361e438174fefceb188172594870f3c90d054f4546a5d841fbff8d50006098b59824019e2e5b6f6928feac2a5 |
memory/960-455-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2472-454-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2684-457-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iIcsAQEs.bat
| MD5 | 989c8121991024b29bd27c9b6fc3e1cf |
| SHA1 | 7e13eed86cc7c86e5b8b4dfc581e346a11dd0af9 |
| SHA256 | de01b24622469c66305e6a18d231ce81203eaef6a66973a4de2e804c15c26a25 |
| SHA512 | 46958b4deff82d4031b15c6f1199c7c722bd1d1911d811b60da396a2161fbda8f4b67414278c038c49a91a4b3d1e668ae691cdb8b85e594d22db63b0bc5ae0cf |
C:\Users\Admin\MeQMUcIU\YCQQcYYM.inf
| MD5 | dd25fb4db75dcf3901c5fe8b5a52242c |
| SHA1 | 2fa9d2e7e6a87f0d576c20cce3f89b26adcf79fb |
| SHA256 | 1f406e4b453551ea2880d423855d0350ddf38b6d0108695b7388743817d75181 |
| SHA512 | bfbe0d13f029d6ae32fafeb5da7b719c270675c71fa59f041b2371963ca9f894bac15f712ba0dbabfac070b42c79c927e8b31ed6f6c355362ad6cfdf580911bc |
memory/2224-481-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2684-480-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1900-482-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mEQMAksg.bat
| MD5 | ded1fb932802c9ef3b223ab02bc939b3 |
| SHA1 | abde9090f7629edc3aaa22b9d0b597ad7d4dd793 |
| SHA256 | 6bf40516bd960d10c3a8e7895136915704ba81b686e177faf764664ce5a96d17 |
| SHA512 | 87980311b4f55e5ddfbf0c045f1cf1e2c4ffa6ca901c6dc8bfa8f4087fddd6e6d878c8d92a7271d68b12672287fbaefd91eebfb9f4f761e724f53f964a89065e |
memory/2140-494-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2140-503-0x0000000000160000-0x000000000019C000-memory.dmp
memory/1900-502-0x0000000000400000-0x000000000043C000-memory.dmp
memory/568-504-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QagwYwUU.bat
| MD5 | 829ab3ae782a51f0fcdd477004a2dfd2 |
| SHA1 | 9ef739ae273e6da95ffd143b9b36469e8443ffef |
| SHA256 | 7f91f68f7f7cbabe4deecbdb211367bfea12afde9c64fe234629d9c1c062cce9 |
| SHA512 | 2626c15880e14a068c8d8f209e985a65746b48e25d7214d9217b26e44a1420c235cf2f5257a5ea3c4b2b3e2cf6abdc41571a9de4b14f51133ddbfc4355be323e |
memory/1700-515-0x0000000000300000-0x000000000033C000-memory.dmp
memory/568-523-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1700-524-0x0000000000300000-0x000000000033C000-memory.dmp
memory/2208-525-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EAAEMIUw.bat
| MD5 | 6ef469390d90564eb5b5988591d5cabb |
| SHA1 | e5d09ce913c24ee5f90bbcbf5987bc766bb106ab |
| SHA256 | de63cfdc218d66d526e1829f0341fed1c7057fbfd51c0de41b10983a861a7e76 |
| SHA512 | 6c39b8bbfe745316b00940056fe2262828d611c09d591c62ccd244c9d123aef104d9736cd0eadf3e2029ec4339022cfc9a992b597e59fd7cbb78dbab65b929f4 |
C:\Users\Admin\AppData\Local\Temp\okoq.exe
| MD5 | 0f0b5b4581db0fde7c6dabdb58f0c3b0 |
| SHA1 | acd5e871ee7249b14a1f3745f3bbee5b841ba3e0 |
| SHA256 | 980483330b1d84b1de8e6e1f5b26cf3dcc6f8a077bbd7f83dabf5b9f08ebbe1b |
| SHA512 | 676a450dafc06192608d6a389eac28ed3108efbd16dad2215cc64ad3b49d26c8c247f639f642c4d0ee70d51bffb8d35e1385e3a4e292e7ce55342f53887e65ff |
memory/2208-549-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aokwMwYc.bat
| MD5 | 1843e229b8bc3dd6f0e2e4471a448526 |
| SHA1 | d0cf32740bd0af477fb8316e19b3d52bf9680657 |
| SHA256 | a11cb6b1c1daf1eeb817b019b691a8123ddab2e781ed65a8ff09a97fc054f9a5 |
| SHA512 | db4828fa02da7421404347a8949471911db5847aa874be70707dd05203fe3a516ce0d0e9b931f2b9d52859109fefa4920b57df7def5d9fdff8bdb17e96bd67aa |
memory/2028-578-0x0000000001F70000-0x0000000001FAC000-memory.dmp
memory/1248-580-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1676-579-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2028-576-0x0000000001F70000-0x0000000001FAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QeoUgwwY.bat
| MD5 | 0beb0608c96bdd3948455a40880f215c |
| SHA1 | 5339fecbb50c210705f6417a8c7a72dfe2448b79 |
| SHA256 | 76e1491a5cca312364c2afd83f18b099da4d88c6aba33ba3e7f85ebc976d3f73 |
| SHA512 | 49967cbdfcb0773c5f75279da0388476dfa6808a52024723cb83c13763d7c6866802ef09af761d3de9b3da1db9afb98512b09febaac5afeb412368874de900db |
memory/1248-598-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2584-600-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DMYcMQMk.bat
| MD5 | 3f8eceba060e1f517cf8535db7b2d1ff |
| SHA1 | 797498bb221af6575e00574e26ca2a39fcea7475 |
| SHA256 | a5f29f83439fcc7456f46a5a34ed43808f3de7ca69c2d7d9cea4f4763299b949 |
| SHA512 | 2a3c4c02f1afe891c25728347914ee0a7d55670aafcb4bffff9446c3b099ed50170060196a15d69dfdc059ad2623613fb16e2a0fbfe93669f4b9ee2dd8bcc03c |
memory/2064-615-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2584-626-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lEAQMMws.bat
| MD5 | 0b6af5c14bc2bd953e2ab2492a6c2967 |
| SHA1 | 7eaeea47e71859f04f866deb8652399671510eb0 |
| SHA256 | 8ca373fd9c8883f561231bdc80bfb2ac386cba2b41efb6e6333fe78e7e78cc5f |
| SHA512 | 8024e4e4f0b2b47776cae9da712ae250ae7b37e4452e5441a23878c8a2dc98d1127ab802b699fd9dbcb4f1db7fd4fa176dcdf5ef8e32f23e460ebb78603fd46e |
memory/2576-646-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zYcIIIEE.bat
| MD5 | 845662231c7d69e0269105bf9815b5ce |
| SHA1 | 1acdfaffc4359bcd40c79af553d09bb0528ecca0 |
| SHA256 | 6768143bc34cda79707d58f2a3078881ea7f15c997c59188e6f21951ab526141 |
| SHA512 | 60e77d382fb39742f0a4c8944f2eeb2cbf8a999c9d381670d1845f740767a8ad2d72a71ddc0eb6d7eb5f748d6cf789d333d7d9d36b14ed60038a79126c8168cc |
memory/2280-666-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FUEkkAYk.bat
| MD5 | 443ac0b02b2de59227dbaa108b49b167 |
| SHA1 | 95f3c7c03b8bd1b00d0b7cb2c732658c186c19bf |
| SHA256 | 91691c919a4a21636ea876b3b701e5dd130ec35095c676a777fb3d7500eeb18d |
| SHA512 | 228e7e560a4809254eaa0e644336f3b702156b2f23fcf86db6db7c831b9b1f4a2f7279b8c0be8262f6e1cd769129b33a1fc14b19597140ae07bb021b87eccb01 |
memory/1760-688-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nscEEMsU.bat
| MD5 | 10951e4840dd35b26c25240e2c8bb772 |
| SHA1 | 0d2d187bac2b7729f8cd477d8a08cba234ea7757 |
| SHA256 | 16666c3a5f7c79bbc9df387e60f153f28004bde009d2a6be5df3196758e63e07 |
| SHA512 | 3f9657fda3c6f6981b97e9e987df66143a3cc82e6327999c8f9bed6e8c932615e1fe01438354ba51250231cfea2f80fddd8f502a96794a0eae3589343f6e4ecf |
memory/1160-708-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uKIAskwI.bat
| MD5 | dd9a3c9217432fe79ad75a7f626bac59 |
| SHA1 | e90215c5e8e6e5ad49505b29706c5c019e99b0e0 |
| SHA256 | 4f0c8cb82af02523f7d101e51b5a9376dacfc5cb63e174ef0e1f2241ff8c3ef6 |
| SHA512 | db1ce71cbfd1250ba295b034bf308dcab6fb34986552051e04b7e94290cadd63ae3d78b91a671277c15391b0bfa68e3b5010cc6d571cfd4a76a8c7c830a56efb |
memory/1704-732-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KqYQAMwI.bat
| MD5 | fa5b0b1c68b4292e20fc7d34e6d94677 |
| SHA1 | 480f44095ded3c6025992ae193c5fac362edd2cd |
| SHA256 | dbdd892495d1b4a99bab30cdc61e444838b6ef330cb595555f8ce58cc81fd682 |
| SHA512 | 88ae5227450105a399266f41af27c141ced460dce81f2b25625347419474ecd52c89ba57719707010c4c4a9f9bcc90856c55b21ca177ec4fb82afaf4fc19b839 |
memory/2044-752-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WIEkYIwM.bat
| MD5 | 120fe7052df547c72940bd4429a1d722 |
| SHA1 | 49eedc45ce60b7c4928fa82c5bb4062c19e1c118 |
| SHA256 | 2e7ceea007822263d4edfd950f20aaddb7c18453f8f7598f9f772ac1210697f6 |
| SHA512 | ba12487a5207fb68473b64227b44ad49b460c9f5435551126edd4b40c6e9be6462e42275c6ffc63f93f8eae94c1a82e908834acb5f51f5603571b91472b33ff5 |
memory/2988-772-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsMsIksQ.bat
| MD5 | b61ca101ae42aeed72b3c6d3c6f468a4 |
| SHA1 | add8a9b9d2d4eaf3a5fca66fb778975a856bf080 |
| SHA256 | 5300a352ec27c423cad7b549cbb213a1aeb12cc482bac177538f8026c8f2dba9 |
| SHA512 | 6d43c447aa90c6f31993a7067496bd2d224374aad3f36c5cf6d98dd3408bd0ea93d251c3c537e23137774105a9daecfabf17bd1f7c4e9038819ab2239bde9a9f |
memory/2488-792-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aQEMQUUc.bat
| MD5 | 9e8300a67c2eb611d68f130436fc6228 |
| SHA1 | ca22aa3eb6ed7375ad78ab0105d7a05f752a5078 |
| SHA256 | ee9e4779152d9f28a3e65f21fd118855719be1c7f63a0754ec2b40ea87cfb6ac |
| SHA512 | b4badce60a1ecae29ebf86ec5d0d13ecb8e5ad9c485a58babcca651c6df095ef58597e391681f1668f79a72835a7906ab88c3a121be986ddf85eac8994d7cc80 |
memory/1752-812-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AQYkwAsk.bat
| MD5 | df2b89794a02562cca2a6c71d819e8c7 |
| SHA1 | f549631fefadb8f7fbb680bd5e0fc74e25121ee2 |
| SHA256 | 4132cf8d948428a039ad03665f042ca267fa124c98dccb469a21560a9f15894d |
| SHA512 | 755ddf6fe61a7807f8d65a94bc66f46d209591b752199f825d12a51118f3b94bd969510b49fb1d30848ac541c5bcaa3677b44894515a561369c3cf346a2af8d3 |
memory/816-833-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\omokgAMo.bat
| MD5 | 429066bfb6f02fc9cae7b065a741e64e |
| SHA1 | 68d1b4ce51a85d4ed519f552f9c79e06557ef2ec |
| SHA256 | 48b956dfdae22be26af551241917e4aa50fb2760474044834e494e4a8ee8b861 |
| SHA512 | 96adf5f7d1b4d8c55ff6581c827fa5010617ef04b9b95ac0b05d82a897310f04ed9d3756649596027099bb7106939615947ea49ade3e8e2dcf4dd191969faa64 |
memory/1448-853-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pGAIIgYE.bat
| MD5 | 95eb353f94fcb974b01d5cce15b0ff56 |
| SHA1 | 9e8081c8abdce249238c6cf960bb6ea5e41e15d2 |
| SHA256 | bba10eec4c8869fba1778fc5d379d09aa5dba5472a3c7f7ede304cda6cbed128 |
| SHA512 | 2445597461373ec7de7203f1f4514d4b938b539025e81982f740dfd22e18e4ab5af3c6d1f74cca79530fb8273bc9dbca7c172ea511fb90dee1910b5922a1eb4d |
C:\Users\Admin\AppData\Local\Temp\AAIc.exe
| MD5 | caf7da080b1dd779594682c6da334047 |
| SHA1 | 4983f155f04d8cdf005ec25a18abe61e1dc5f73e |
| SHA256 | e52eb853f5abaf165893b3295b78fee5ee786ffb1354df6b858714a264047ebb |
| SHA512 | ababd53e4a7ff7435452897e877cdaae41b5bb45386a923478487ee59230b7f4e02522267af1240a8ff7478245652e251c112b3d0019e726df165ac6e55f92ed |
memory/1980-875-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qUUG.exe
| MD5 | 7ad54d052572e081490ab5846d69f0a5 |
| SHA1 | 89dc698f53adce0d61692aab2a7c6ba3770cd6ae |
| SHA256 | cf3629b236f6856ad9653db35c8442542ffe62d670e4eebe93ba4f6a74c179c4 |
| SHA512 | 77791d4099aa0b0c8812cc470b18f7544aa2b564ee6225a8e6fb2ac238772d353f80afc98fb8816d3d1139246fe134978609c133976ad68f81460cbcdb06da04 |
C:\Users\Admin\AppData\Local\Temp\AIAM.exe
| MD5 | 4dc979127e8a6349de3d9a4bd1189f42 |
| SHA1 | 1be2dacd06d285c6bee0455d02ea0398c57391dc |
| SHA256 | 662c86e184a776e88f28cdd77154e619a2197f62638d793bd54fa943216dd33f |
| SHA512 | 7c88f62c17675f0e705be34f28ccd9864d32d35760b3b2a4f7f5c3aa7fa6370eadcc688552e7318aae47e3b11aa0c69e29df78c96259bb9edd2bcca35566aaf0 |
C:\Users\Admin\AppData\Local\Temp\noccYYIA.bat
| MD5 | 9056b26886c3eb2f8fafcf417eb8dc54 |
| SHA1 | 10c0b70647eee64b876b158f46c28b850388c1c3 |
| SHA256 | 5340531b341c7d0c69842dcdfdb13c4b2dfa6dfb6e71a103cf3082d6b4d2fc8f |
| SHA512 | b2c80f85b1d5f269f28b785330f56d613de6afa2c1112133c9e76ea36ae28d79d3f5271c9a46df787aab7a0f7d5e41cf4caad7bc6e5ac1ba8246b84f8fefffb2 |
C:\Users\Admin\AppData\Local\Temp\QMoE.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\Mssy.exe
| MD5 | b59e0f1408bec14560ce79218eb26273 |
| SHA1 | eb64b3a3080c81b91df5807145179fd53f1311af |
| SHA256 | db7997c7ff6e9f11039bae63ff5e19fa2f1593d47082d84d99925d529b348b47 |
| SHA512 | 2f33508ef995a242d26c57f0a15656ba43212467a1dd8891b3cc97332104896e124fe8d0d5f3aa78aa15f75a4ad3a98b972b2b1ae75c7e1ecdc1a4c5be861722 |
memory/2556-945-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AkAm.exe
| MD5 | 5ba43887febd0eb219f68cd7d06dd7f5 |
| SHA1 | ef662da7b0d266857651973216db31b113be6c51 |
| SHA256 | 014d727729803680af35afbb450a482d4cc00e97f28ae5339f6d784ee7296c6b |
| SHA512 | 9532c3a1b6cd13613bab98d247197c572475f37b4fc6d54b62c084e769a45704def7c771e7fb5fdd56bfc0edcce52cc094758d9dc9d0bcd25c7279fd981c3ba9 |
C:\Users\Admin\AppData\Local\Temp\eYcy.exe
| MD5 | 1e1d8c6788258e3fadd2caab0fe2bf81 |
| SHA1 | 8eb64878cb13d102f2b63738c93268e5a166853a |
| SHA256 | a56b5cbb05ba20e4401856cf0949d3ca4efe2be08ebb0fcd1944d6b46e003b07 |
| SHA512 | de8a2dee273245b7241263d4a53d6db4b3ba097606135815f044af9daf2653037c9cd17996ec0e78a88a7eb4e514fc71e0f0ac5306d4d77ed5cbdaa552bde02b |
C:\Users\Admin\AppData\Local\Temp\pUIIwUcU.bat
| MD5 | 61c2996547ac71fe347e3b508378667a |
| SHA1 | 3476e0d149d437f3fd02aa2e3c78b892bbfc2d29 |
| SHA256 | 21ea66307dc0ac78ece9c299d5f6bacb0c56c5ddb84dc53427117ac883e5d351 |
| SHA512 | 68941d08dd06131b62e4b7610fac40282ba200bb91ece6428529b7d288b1b7d5e81fbfd6e3a97a90be32accea66bfdb628a74d4964c4a40dc75213604caf7449 |
memory/2376-998-0x0000000000400000-0x000000000043C000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe
| MD5 | bd66438c833e7fd5eed1f57bee2a86bb |
| SHA1 | fbb9c78eac8201ff7c8f72634e92d2c3f97d1fc9 |
| SHA256 | 6f1ba1d45641d112f8e297d8a45fbc1fe8cedae639727faf0b61947c60cf7b68 |
| SHA512 | 582b62f1b5ffd23e587638049609de0bca3ac1b9786c7e654eddba581db958227eb9b1840bb3445e561617671564be68d8bf6729f39b49ad39304b92863b81eb |
C:\Users\Admin\AppData\Local\Temp\ysMG.exe
| MD5 | 3e9266e16b34193de01cc3ee260fed09 |
| SHA1 | 738ee42005fffe9e1d7f248753e072b8ab817717 |
| SHA256 | 87dc707532fabfe899187713c237e4dc51e98af7f3061e01fa42d45b49f3bf94 |
| SHA512 | d1f4b9a308f10885b5300e36f5b1e2c3be6f954d30f4406e507d63c80029c6786918f60c39e4ed6b0de91f60c72b8cf719f729f45067580fa8db95a7cb0d212a |
C:\Users\Admin\AppData\Local\Temp\GkAO.exe
| MD5 | 8ea31fbcd3262a8efd59c8d115e67191 |
| SHA1 | b9639b020470e78f68ad6c7ff619daf4698367bc |
| SHA256 | 266b127664367c09f5645d2a2782e3fe95d17a0484f15ee9fd7d4088281896c7 |
| SHA512 | e54eac2444ea3148a3b373f49c4e2343e592f7be265217be837b9d2eb0723ff7fe03fa93f8c89c0e91f95358b881130db76768ae17af410963c72f57efdc8f4f |
C:\Users\Admin\AppData\Local\Temp\mkQW.exe
| MD5 | c04b6c8b1df4beab1530546cbfd80690 |
| SHA1 | c1e132e1cc4be369ca4c895f533576b3a4686b00 |
| SHA256 | 29b795c7940b24e3599fd7559b830b6f53cefc5d2cd58764a5b2d20ad7f2716d |
| SHA512 | 1b9da6efe1ed447b48b40053fb6b50105908e4fd71b65ecaf76d76c7295875a76324afad10ebb6c394b820816df18fa2fcc7710f1110f74a0d85ebeac34266fa |
memory/2216-1049-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QswU.exe
| MD5 | d7053f626afbfee7f82a683c1bec0dcc |
| SHA1 | 2a4704a0610cbd3a266a05d343868980681666be |
| SHA256 | 5ec0624d6ba66fad2df6171349acbc807386fe904cab45054eae481db12241cd |
| SHA512 | 0ccbafb5b6cf979cd9e6095d46cc83a47e81b929bc0bc713a2a4aaaf237301b0a603517d6dd72f244396ad0f6586a8057e2421f8637f91f417663197355999ad |
C:\Users\Admin\AppData\Local\Temp\DwEQgcMo.bat
| MD5 | c1e13ad20cf8e759b7ccb2354205451e |
| SHA1 | 0f55faeb45cc433c24ed9656d5d33f87fff7b88c |
| SHA256 | 79772e4b38c5c20d0d4780a74d0b9ae24008584d78a281155885fecbabe64afd |
| SHA512 | 918f65ecc0dd5980a25fd5cc67d5b9c63725959403386c5c8d8a77c3eab871349ba5f818dfac0e99dacca46ae72d6e22b1de58a7fa186ef2799d3f486d151de9 |
C:\Users\Admin\AppData\Local\Temp\oYQi.exe
| MD5 | 99121095ece12034986033ea1200b113 |
| SHA1 | 1009b7c055441e262402714298cc71183afbf4aa |
| SHA256 | 57f3d040a26f6f82f432860299131f88d2019d93acd1a3ff4a38727a884c3314 |
| SHA512 | 7985e8890636709d6ae4e8766f70d8a49916842759935e40043f42a20024f5e95c313e144cea52a0a8921989362358b530ae55711aab2521e07abac2a342b751 |
C:\Users\Admin\AppData\Local\Temp\WUAi.exe
| MD5 | 3fa4ce4678f78262a5421c306cbf3f00 |
| SHA1 | 2a3a7e1f7d759c895e7d4ae4de39ead91ba7df8f |
| SHA256 | 9db8031dc136a864eff9dfa280b7f9a92b3f9b0609fbf05401a0e74c3ba577ba |
| SHA512 | b531c82041aff8d3c15834311b03e7a320541ad70ca08a7c071a8a4cc64095c42756e09714683b09f0bce09ffab1012477a97ae7ec8cbd32c9ea57e93811880f |
C:\Users\Admin\AppData\Local\Temp\wwky.exe
| MD5 | 75ebbba38a4a01b1e8e1e461047509db |
| SHA1 | 29d94591e02086fcf2f14dd5c5eaadfda80381b3 |
| SHA256 | ee0cd61d71683284ba448690a0c7409a6867f119967566ac26984d4a7a32bff6 |
| SHA512 | 24658888848a586fd1e2c865433659a3c4556e01861d237141b137e0c340e277436cb347f81380e3151cf0a5f86a6906b10ab783d173d9de1c0131efdfc4b6f5 |
C:\Users\Admin\AppData\Local\Temp\mkoA.exe
| MD5 | 83462cd26d6a95f73f2b8c9d826a5bf3 |
| SHA1 | 811e9ae29bbf5329f0549ba2046fcfff5f8e7bd3 |
| SHA256 | 2e8ba011478b80421c13efe4c2a32e104fedfa74ecce48d273ea2bf7fbdf0658 |
| SHA512 | 96ef1ea38e8a80992f0a692c5ce3a91f6c62eb140c9e999aab20f63bebb7dfcdd143a24e3da8033f239b7457cc164c3d0c6c273825dfb4496011bd8ded3874b8 |
C:\Users\Admin\AppData\Local\Temp\ussK.exe
| MD5 | bf46a0f011d1cfc7e1181f3f4448a0ef |
| SHA1 | a1d45a5d3703112d780e2bc2100cc31283c5e6b8 |
| SHA256 | e88c339b8061c081679feddcf444291e44d787a550b6df685f99734e3f60d553 |
| SHA512 | 1f9ea98229ece38828adb4b5b484db1a3e409168414deed0916f54ab1ca3b9d6c84487f9a1880632cfcafe587bf0123eb181fc5a4970dd5accb20662b327ee24 |
C:\Users\Admin\AppData\Local\Temp\UugIIUMI.bat
| MD5 | 17036ae51026bee3a4acc7a348def9d2 |
| SHA1 | afb6ae21accf37c56a09ab39587cd332aa02a09f |
| SHA256 | c837a15b5196c642758209b04fa225f7c7888aae69a1e0e341ae3b84d42fa9cc |
| SHA512 | 046b1ae90daf18dd6c96b41e31d676b1a735d53b3a6a1916e012d659154150e30ef9b5b66ac9c9269e4be4f36d1747f3251137db0430d081c5de4de00f87e967 |
memory/1888-1172-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QYMo.exe
| MD5 | 7f25cc7f6f01f81421a8cc6699279efc |
| SHA1 | 56803debcc64343927486e7ff9078c2f5aac263c |
| SHA256 | e0383938380269747de6773ade6e63fa8e5214fcfc3f0cd943c212d0f5d35243 |
| SHA512 | 85df08aa67b559f43f79c5b2e1b524a938427eab8f87f8bd7a31de2702d52c3acbbdf19ae8d1f1fca6e007d2b6d8d10d35e2cb6b52c8dee93959ad23f878c269 |
C:\Users\Admin\AppData\Local\Temp\KkUy.exe
| MD5 | 1a0bb3faf106fc2a4cfcb53d3e03978a |
| SHA1 | 692b143d1d57c338bbfa457837128a54dd847d2f |
| SHA256 | d66be4e4ababa50e4f76418d07d430aeae696ef9ffebb4d5e47caacd13717743 |
| SHA512 | d93142bf065a490c5a4634befb96c138bc40227f9619bb9c35145e614b9cc0f209975a94876ccaaef14fadf11732d411fb29eeb74072079cf19c866d5fcfbccf |
C:\Users\Admin\AppData\Local\Temp\mQcK.exe
| MD5 | 6a42971507b1d44d1bbdf2772a349abb |
| SHA1 | a0650e3b45ee089533f9945b30fde99710ee962e |
| SHA256 | b0275983758c3b86c2a2da6641d28d5f6ff8c612a7a179b0e5199225740f159c |
| SHA512 | 791e580826e856f80e95b371dc34106f0c816f13b26a855e772330400e2730373898b93716e9a1796e4e0876e8db6d0f8265a8276d431958233063f4faa862dc |
C:\Users\Admin\AppData\Local\Temp\WQUO.exe
| MD5 | 7dccca7f99f254aafa5cc3fff23702a2 |
| SHA1 | 1dcc0d0de3bdb182c7d3707c5ba84b9e9ee4b3a5 |
| SHA256 | b63bf9468d32cdd05acee9a69864b59f69a6c7c476b8177b155ebd893408729c |
| SHA512 | 5e5b284d42883b773f9049fc2d6a00fc90f217063bba8c27a067c415d1fe3e960de2a93fa14f655cfa097cec3b2c76551d03932759abdf06bce37dfa665dc624 |
C:\Users\Admin\AppData\Local\Temp\yQgkAQIY.bat
| MD5 | ace4dfb4f02331dc209627f90680e871 |
| SHA1 | 9f83fb099bd6736ba10c2d69b5cf189340ecaced |
| SHA256 | 32f76385fa947512e8dc4ddb5c8584d4ff332e3a5ad4984b5ac3dc3928b145ce |
| SHA512 | 91b9efe70115934b46e25afa837f8be601fa65de2fd13f673ad8d1f3c09710384649adb61469d723ac61ff8ef1d6b76604039afb6cb7e0c101ebe8b42d578a71 |
C:\Users\Admin\AppData\Local\Temp\AcAA.exe
| MD5 | 206f4ccc2449228d8913d752b322839d |
| SHA1 | 2a7a5a3fe84cf519385609b2056ef57d2a020066 |
| SHA256 | 19b6d50ae7a629a4b6037507d7f1be8f402c2569c3a96ea16508bc6705005d5f |
| SHA512 | da934c49190b925610dd44b28740f6f761db39d3f4d56769f8d48c12947fa9777cb101dda4b2307904f773dd56232993b4135091f5f256b4143d8c9a590e31c7 |
C:\Users\Admin\AppData\Local\Temp\YksQ.exe
| MD5 | 754ff0549271cb461030c09589a76526 |
| SHA1 | b19b8e75adfc3b305921b3ed005e772d4184f3b1 |
| SHA256 | 98d3c0c5ed9e39d44645374c91233e492a1ba91effe9a53d3348b4f129b76c8d |
| SHA512 | b44cbc9b21cb90446c3ed6aeee51c0093018da7ac31a00714ad64bf2db7088ccbcd9231b3857d8ebb7cb1151014b2c0fe700e663e282e48fc784d3fe86507aae |
memory/2688-1243-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AcsI.exe
| MD5 | 7cbfdfc1ed62590048660d80594a20b7 |
| SHA1 | 69ed0f60e05a92982ee3aad08f965c4a5c932fc1 |
| SHA256 | f4e33fd4aff4c187b81385240795a22b49afd8f20c9e36ac1d31e16a2bec6c4d |
| SHA512 | 9ae767311dfaa333968f83d840181b42817c83df4c16ac4a831a0145f892e4092b78fcf7c0773d0153541a08cac92bab84e56b873b37f2290bfda8658fae9078 |
C:\Users\Admin\AppData\Local\Temp\oIsM.exe
| MD5 | 525076748a0158a22fe8e43e5222ff74 |
| SHA1 | 19025c9fc77c1389aa97e88d079cb45500b32886 |
| SHA256 | 05998de93cfbb22c5d68f6d07a1b144a294db5f992e007da12f7a54862ad146f |
| SHA512 | f7957a15505c3740012615fbede14e3144457628a0d684dff4ba0f17bdc73182e1bd32b5fb12ce7db958039a3dc0afa961c66af7d5a2d7d9e5a89f8792d32c3b |
C:\Users\Admin\AppData\Local\Temp\AqkgUQYM.bat
| MD5 | 91e9fa4fbca07813dbbb8c4d4abafea6 |
| SHA1 | 376615b3d04f7eea39848a64eafd1770d2d3d047 |
| SHA256 | 4ba7ed0da8c8dab22bac422f206afb47e8c37852d21c3edc41a0b44a2e38ee20 |
| SHA512 | d40097e7883e728ef375dcbee45904e67ab00525814cde2b96d09a821ac0bc5c903e1f2bbcca5d1d5a0bc9b331c078edb8e1e8a923b31d01417c0c2f27a7e246 |
C:\Users\Admin\AppData\Local\Temp\Gwou.exe
| MD5 | e5edc14130a15e0a89121904558d668c |
| SHA1 | 67ccc117301d78dc824356180497a7ddb71bf653 |
| SHA256 | 708db246fe9f4ffca8a5fcabb069fba32b64460285d316305a20c3d89f325b93 |
| SHA512 | b892c327a9008c0aa4359f801b836879568c9ad2921e40e34dee11b1335c9af6833ca07e2cf065311686064d510b02f068226dbee91ab28db4d2ac2768f4630b |
C:\Users\Admin\AppData\Local\Temp\YgcA.exe
| MD5 | 9da2d6e4a3faf50603cbe276b84d3cdc |
| SHA1 | 8a33b903be4a608a2869cd8f9e8246718f7f8603 |
| SHA256 | 23e80a81db5b0aa18868e52b2d2cfb420cefa1663cb4c5e07915100a531532c4 |
| SHA512 | 0005eca563e75be8e70cd7403bc703745e3c9b877cf8142930ca990254dfc42eea271cd0eb65c33f567210832b77c9ee36332b7e27c7e65c13192f8d448e8f69 |
C:\Users\Admin\AppData\Local\Temp\GAsc.exe
| MD5 | 090c66208297b0a941e0c8a27da491d9 |
| SHA1 | 68e357aded765fefcb61c07481907bd35f29399e |
| SHA256 | 4da705fa20c57cd4bc3374dd6bb4c22a5c4ac05b8617f253ec3a77628021f502 |
| SHA512 | b4ca5caf671895615a36123a3f2617e65d743332000458520b5d9e6d395f0e427016919a5b35343afbeae07956121ba0f8e77b6bd09c704acd69e995f0358ef6 |
C:\Users\Admin\AppData\Local\Temp\KkUK.exe
| MD5 | 6c020b1ebf59209c7186d48e0436d898 |
| SHA1 | 978cabfc25dd8ca4d2fb127df11bc87cb9aa1267 |
| SHA256 | 7ee23f78520b8548257938061bd898d3318677d331e4d96fbfe28a169cda429b |
| SHA512 | 2979cc8b9b1add12575ca84e95c3c5a2d0d7f531a09b030d14e454ceca1f400d9c38d90ad435d6269e693222e1657363abd7dcf86ccc7c80ad0cba41b1a36597 |
C:\Users\Admin\AppData\Local\Temp\csws.exe
| MD5 | 59842ee83b267d6c141266aca0142fd0 |
| SHA1 | 672e8c9ef453cc626ecd8705c7d161edc8bc2ce1 |
| SHA256 | 188d100a1919767f86e37477d40302095c0ab1a34dfe6ce130911f30c10fb72e |
| SHA512 | a86d3e65c332c1c8dacf9390c1b2d6576e71226f7a621a28bc2ad7e50478eef98532224396b5b930659a24e1b3d91bfd2e6c7ae295f6058cfd2a0b7ae05ff1b1 |
C:\Users\Admin\AppData\Local\Temp\yMge.exe
| MD5 | 78d992abf3dafa06b1b682bbd770c193 |
| SHA1 | 02641c0f4f487da849b235059a8d837bc6637c7c |
| SHA256 | 68ae112842f30e7c51a595128d6b5db0c0bc50eb124c91fcde7b6992cd7b97ed |
| SHA512 | cf729b49bc2840499aa0d7b5a0699f395025db6203297bb495160ea9d89c6c7af9a405dc9c7d746885cdf3fe1fd968723274df45f3459872d7c430ee770e3e53 |
C:\Users\Admin\AppData\Local\Temp\KooMwcgE.bat
| MD5 | 7a5f919ecc27e4db1d6f8e9fe0c8e909 |
| SHA1 | b6f9eb80ce5516d8323bfba92dc415a46ac9bdeb |
| SHA256 | 7d6e1f2d4ef03a3d179b1d22bef833f539d7496a5fd0d162b3e174e2001721fa |
| SHA512 | d631e2930a78f39ccae58e967a373609f03fed1a23c95a7cc1ac60d8ac4bcae88bdb28c6bb4bc10401a01fd5d25e3de4159ae497b7e125ce8bab52ef75e8072d |
memory/2028-1415-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yUEs.exe
| MD5 | 68a6f7c1a172b1668c9305e5a348d24c |
| SHA1 | 8c1a9554a659ccab5c8a95112cca21ee7c1ccc8f |
| SHA256 | 53642d2ed891f03cb96c5efe16fa093edcb9deff7878dd7cca1b31fed8bc0182 |
| SHA512 | 9880d054cd5bb392c97fa7bae70460b01caaec2a4af6cfa5973484ac2b9c3f5c42dcc35d31094ea06b5bac878087dc0dc141cd4c9bac5c8cc41268359b9c227b |
C:\Users\Admin\AppData\Local\Temp\MkMs.exe
| MD5 | 90efa0a135d6a2f2d31dafdc0e993199 |
| SHA1 | 5f02218db48832b4177b040ae258af10aa95a3f8 |
| SHA256 | c3812e33228cbc2db519a2d7ad0d654249e8bc7678146ea2494cad0a02907e10 |
| SHA512 | ed78d8409494ccbfe73931fd4e30912c32f8786bb8e4d5f35ad6ade6d784e3d944602af3bb4e5a560cca208324944d85e29890bdcb771acd04bb1c839fe1ff8c |
C:\Users\Admin\AppData\Local\Temp\KEgAcMYI.bat
| MD5 | ee567168e3e42eeacbcaed8e2aef592b |
| SHA1 | 1a28056f2326e68ebf83d041bc00272cd200e291 |
| SHA256 | 6adf1bf09778255d9dd1447e49c01540b475000cb01bbcbb462fdbef85144f79 |
| SHA512 | 5be6bcff74d1a17168e6be887d81f25830f2ddebc68326aba7e2aae852b308b455fb4488d64638da76144dffc46df9790fde927a420c8493ae5d06d5cdc76d34 |
C:\Users\Admin\AppData\Local\Temp\GkQw.exe
| MD5 | 739be0b96386097fc7358307d5b464b0 |
| SHA1 | 6a675ebe8a85b67ed75972db0342beaf70defe2d |
| SHA256 | 946bb5f642de01c5758f3a274d21fc2751633d379a859fb66aadd7082133afcb |
| SHA512 | 1a7e66096316451e6d0713824dcce01e1307ba037792cfea01cece7987f28c7e14ffb1df53991741ce0c03d5c2525b8205f1f4adbf24e97ac1a0ede884d746e6 |
C:\Users\Admin\AppData\Local\Temp\GAoS.exe
| MD5 | d402d3dedccc39fbcbf3173d52d19e37 |
| SHA1 | b3bec6ed535b960305fc342d295f9d3e6fe17b22 |
| SHA256 | e2886c9e628d8b27ce0c25f4529e397d98938fdaa565ea65845b7079c982e4e8 |
| SHA512 | a77c692c8e4f3224c9756d36f1d4a9364a06309bcb743a7f0d063b24ac80f199e50d31b4ddddc0da2010526a53e72a10c8ebce62b34cf5f8b2b3fea3ecfef07c |
memory/3068-1460-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMki.exe
| MD5 | a1653c8ed30f09c74fbdf6779a700d75 |
| SHA1 | 2b38c978a15dadd843256ac22048822e272ae0d5 |
| SHA256 | 06baea9132f06a3165e8ae9adb669ed43de37948c730597494944e4c3a755172 |
| SHA512 | 42cad277643e91dbc13ef28567953fc1688c24141e89ff77c64ac193168c3d7f6aa896031f43d554b60fccc48a172bfe32c65afab0c95f257fdb567528aca158 |
C:\Users\Admin\AppData\Local\Temp\Iooo.exe
| MD5 | fb5dd7b5a5446006d6a367942a987c60 |
| SHA1 | 1f5fd0df0bc3118e90c48d5856f41d54c7659fec |
| SHA256 | 7cef26faccbbc37e2d8a7b25193cbf67227a169a39e331d843174f8811ab9aba |
| SHA512 | bbec1b83fc48fc77cc1051b3083943accc40572f6d18f6a94479ebe3c7e0b8cdfcef9ce4f84efdbbec7a4db2c5b444e6900de5978c387d605c36353c317b86b6 |
C:\Users\Admin\AppData\Local\Temp\aAQu.exe
| MD5 | 32d3feaec503332a9309f0a62693b0c5 |
| SHA1 | 0e08b40325d3297dd4b2ef394723b8ae57051096 |
| SHA256 | 727048d12951ae611713f7556a79fd41e295d6d622d30bf5fac19c7d401d1fa7 |
| SHA512 | 00c34555dd0856df26f734ef347063a6abecbf9cc67c033314071e188861949d01f445c2f7bf6f1b74b384ebebaa6a53fe5ba045cedef1d7702c0f4f202d6b84 |
C:\Users\Admin\AppData\Local\Temp\yoAo.exe
| MD5 | a647364441688caf4be6b8d49f49662d |
| SHA1 | 23300005095af4d9f5eaf352fd70b66a12913ef5 |
| SHA256 | 78fe6f3b8e38127725b64f9a61ffb4e1cffa18fe23d9cc807c43bbfa3b832ad0 |
| SHA512 | 2235758b0cfea96c3230ff2607f05ae67be2ec4e834e8e4ae45f5f4a188c3f6ecf17d6f0dbf217caea7f120a1f8c3b641aa2c67ad3190c0627c3c435c3a8b10e |
C:\Users\Admin\AppData\Local\Temp\xCUAgAsg.bat
| MD5 | 6024a8d31daf319174425123b39fd500 |
| SHA1 | 35be81527225d0f99d1debab965b173270ad51eb |
| SHA256 | be0124e726f3ed85a368063edc98fdf0eeede14691a768038eda26c1edbfc5eb |
| SHA512 | 48631fb7aac70ea93e78d68b59d23866d2433d8443df85748585071c30f894244f9f656780ab37808d2d93398c738572190969d0c25a44a0a491e1e741c8b70c |
C:\Users\Admin\AppData\Local\Temp\Uwgu.exe
| MD5 | 5c77f95990a2be14896583a11f5f4d94 |
| SHA1 | ccdc26cf16055b90216acbcbdd34b30db91ef771 |
| SHA256 | 3ebae033dcb8b46b926c67e90a1e27f160f58cb1e18cf4832b2819779f370008 |
| SHA512 | 3ef7f35e94aa1d41f184374a0a53501da2682158163c439262c5a9dd805940090703e679669b2d131a17c573679b615aac4ad6a165ded92193780344adca6cdd |
memory/2484-1557-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kEMK.exe
| MD5 | 07861736045372519d7483cf4469f7d9 |
| SHA1 | 1317a4638107b8afaf0261c7b6631f93eecb693c |
| SHA256 | 9fabbe124e5fd472e31be8ff6bf43051f824397a62e51cab80db25c22304df79 |
| SHA512 | 9c033bc387c40dc1fd1fa5693fb3822150dfc47bf477d223b78d18776819c5a239536713a0e2d3ce3ec6a78f13c3035de03525830cbd6f39baf4aaf0311d3cce |
C:\Users\Admin\AppData\Local\Temp\YAIQ.exe
| MD5 | 08d0afa4b0420591a549226878a49e58 |
| SHA1 | d3b73a36b53aebb2a2d1724ef242507ad13bc3e8 |
| SHA256 | 39a84c917360402304b2b9dacd318011031b02aa1c12736b431ef73dabb814e7 |
| SHA512 | 5de0ac19922a6a65edc735ed2d8f6e03a55c155e7b39d2900b68af1fcb09473f324b777098037086450e9443ea282bde371dec235cf4b06a8f31203ba44a763b |
C:\Users\Admin\AppData\Local\Temp\GMEO.exe
| MD5 | f46c341afa0be4b2fc04fe3296168412 |
| SHA1 | 581898c71a3793d66ea1910bef5d768ed4c499bb |
| SHA256 | 9207a41038900519fac5c041953222e4cc6859f6b1534d697a1e0ffdd48ee65f |
| SHA512 | 79bd7b1892109052ae86ff147f2c03bd9073cd2b76a837fe453654455d4ef5296a429d903ccbff0866ef2d1666b32761b1088870007b16f0766904f50cb70196 |
C:\Users\Admin\AppData\Local\Temp\uYsW.exe
| MD5 | bce126fd1a05ac3024fcf8083cd815f0 |
| SHA1 | 2b77bb0fb1728ce74c7ddea29c40c2da71e4623b |
| SHA256 | bba580805b8242cadc57a237db3c38ef5b9d801ccb0087eee323260c1f99891d |
| SHA512 | 8ce7fd5837d07307e58320728286894e8037e96294a5280bf01d4c21ecdd53d929ee8afbdcfbc66c488c7a1dcac2fa8d0f4a9f012d375ed564103c1fe8915ea5 |
C:\Users\Admin\AppData\Local\Temp\ZSoYcwgo.bat
| MD5 | 8daf0fd107c9b5ba59886578e7cca3c1 |
| SHA1 | 1cba437f40273e14742b418e8e20c8c7b64cb50f |
| SHA256 | 1f4c53096ea0995fedcbc47f50c7a2aab6beff5a03b2f9d06cd6eaee49785707 |
| SHA512 | 664a3b87ba60104b730e57a15a1925b45910021f1b7538af246b6b16ab6a44c1c0bc4279b4ff4ea5cc771a5a7300a79700d330ea0d17dec6f22f9bcb05dd01c8 |
C:\Users\Admin\AppData\Local\Temp\WUUa.exe
| MD5 | 892ab23e2fe232c32c2195feb220e895 |
| SHA1 | cb481067dddc656792efc8ebb3eaf044c6394cad |
| SHA256 | 2597312d9279c62c0db39392555ebba4301ba5148472eae372e57002a16f6396 |
| SHA512 | 73d73f9b602074e45b570552092bb284f70e1d9150ef3cb93866f38ae0871c523e6f266b0d944abb7d10a4579fd6a4dde3da05e3d0807de90506a220bb2d1f21 |
memory/2724-1629-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hyYgkUwM.bat
| MD5 | f9218334e34bfee1260d4b2fe9c92bbd |
| SHA1 | c037b9f09a89a797297f3bc00e5e68d9ba9a6af7 |
| SHA256 | 2a0172c02441fe699b0a1899532ffb11f5e220e95ddaf17292dea36525d3efcc |
| SHA512 | b93e53b9e651a2852b3fd21509f87f79b7794178870a9db49a4377a57a81e84618b388e62b254d2802d6ce94b352b9e77163be63ba7ee2404363acc128bd891a |
C:\Users\Admin\AppData\Local\Temp\goES.exe
| MD5 | f628b224c572f55e5e200bd9a28f7b6a |
| SHA1 | 39a7e635c40c27412346e00fdeefad5387b6ab8d |
| SHA256 | 9f38d94a879b3b37e90ebf8486432288b169c5c3f394594b08f83545d466915f |
| SHA512 | f093525a1ddc7900c848cd173a916d249c2406a8ffffe5aaeb637be977686eace51f4d6bc95f90d469f6002c08c4adcf521f581b3edc75a5fd69a208d7cfaaf1 |
C:\Users\Admin\AppData\Local\Temp\uoQw.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\UAom.exe
| MD5 | bbd9e2607614a52d91ffa9604db0f680 |
| SHA1 | ff669abbd9cc9e327f808d8ca9fa85cd6e18b7f2 |
| SHA256 | 1de4ab60b4528ea7550132ef1f92a1b5f108c6bd398028b53d712a5b74b8a73c |
| SHA512 | 3a71ddf0299de472df27e289c53c3ad87d288a719ca9bbf66ea3b22f2b1a806c8d680a818004b3200aa4a6c2ea7f6aa1cff2cca416e4810fc509b65d0fbcbba3 |
C:\Users\Admin\AppData\Local\Temp\wQUW.exe
| MD5 | 79c82f74ffb2bc17830a07199ed8f61b |
| SHA1 | 2752b7269e4acc65fcface50aef8010843038d82 |
| SHA256 | 5b9bce083c9888959939c5c051bf66c64e9598f3ef4719f9f57eb2abe280d72d |
| SHA512 | 6fadbf20b22831fe60d7a30f2dd80047e05d76cba9833c2d75793a7bb50b93c855a91de39ddc7e1d4c569f03286bcf7fc819babb7fb1b4618ecda6f32cd462da |
C:\Users\Admin\AppData\Local\Temp\OYUk.exe
| MD5 | c73c90ed802541308961b6a00f738321 |
| SHA1 | 6f4d1db52ccf37cd3774556f867c254d22f934d0 |
| SHA256 | f0d19f8d3fe4167ecab4b0f22db87478b188e3dfb5f18ce466ea006abfa84ab7 |
| SHA512 | f6f41f0d6077fdf6c96d1ded28f2eecf7161ab685826687f3b315b6edf1f5b761582d1b232a230a7f6e17e605ba9fe652f630d39233644cf415f0b30eb8498e9 |
memory/948-1746-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ogos.exe
| MD5 | ac5504a98ad6e1e4d8706fd943449fee |
| SHA1 | 12e68bcbdef7a35cedd1f6da7b294eb005973dfa |
| SHA256 | 4ca0c14463208e549cffb1fb814aa31daf7caeab8a1a5e80ee3d6721e6a92fb5 |
| SHA512 | 8834c38397605231a1e77abaebc3c63a6ca61ce96b7382e6d051c436baaccf8c15d4ff9f27bd325ff85551afdedfbe89befa91df4635eb93c1b745e4ccc01c81 |
C:\Users\Admin\AppData\Local\Temp\BwgYMAII.bat
| MD5 | e7c8b4455929ad929d84c51563292096 |
| SHA1 | 5bd9cd8b5021c69487214b928cf556e3eb7ec47d |
| SHA256 | 6bf0ab69ce1e851efed558e4261b8e6f44b4a5ba4e45e0300bfeb4bd044dce79 |
| SHA512 | 451c3d92af83c7669ebd5cb01209479e96d10312b11a85f8230fcacda0b2f215852bb2b001206cccb30fce68d4162a39f5d7ccaac8231ff6cd07ccdf5d2499a3 |
C:\Users\Admin\AppData\Local\Temp\iKUsUYwc.bat
| MD5 | c5a9ed974333b0d6d105b97bfdcae79a |
| SHA1 | 4a8913a19bab334e2984ac36375214fad2694d91 |
| SHA256 | f8191c2283374c5af058bfffa547f7368eca3236491577f55766c7e40320e082 |
| SHA512 | 4ef823297253ce259d50d3485166f11d66535f11fbaaa8bbeef97e87bed2fd75032d7b0a75555b784dddcc62c4052d0f18e937a674982c9fb367a98f1866a899 |
memory/2096-1766-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AKMMgksM.bat
| MD5 | 78db6eb52066231b6455eb51e6a8e02f |
| SHA1 | b46f3b9d8fb56380214ba8fc1d6946f022493a5f |
| SHA256 | 626f44b2518071683efacd8b39659e15f29d6c0ed8dc54665c96e79464a3d48c |
| SHA512 | 2db8d0920040d12569cc8da017260109ca66ee3118bb806bdef886a4fc9103a117e8144ab464c51a6d3261a81458d663731e38be7151e0c42f4b06d506b401b3 |
memory/2296-1788-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\COoUMgcg.bat
| MD5 | b72aa92c706d412a6a04fa90d3daa895 |
| SHA1 | e897f8d65f8264be101ed8b9ed4ba446c7b1bcb8 |
| SHA256 | 04633b4fd648b9d4d8a8faca77a47a2429fbbabc00cc0d493a8f7bec663681aa |
| SHA512 | fc0b00aa6d63a8626f11155825a7ddb2549cd0586b497a1ab482f3cfdf4a0a64938fedd4a0baba7bfba2f4d7833845fa17c71a340441f460fd57c3fdff3e05c0 |
memory/2752-1809-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yKcIQgEk.bat
| MD5 | ef8eb285d22440da118c8ddae8cf28fb |
| SHA1 | d4aaabfce31a97fb7da862294a264bc24e49b966 |
| SHA256 | eed648a667b5f820da34888b30f63573eea9c9c821bbf0d3b4a1113840bb3435 |
| SHA512 | 6418f7b2c7e1bc44ff338ca6caccb41d0c495f1d7c56a7f5ac8d60f693263e5716a6de8d81b2cdd7da1f46f8c891dce53954bffed24aa441083d0201997c75b3 |
memory/2724-1829-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MusEwkYQ.bat
| MD5 | ae5249b0698a8738f2bbc55006314abf |
| SHA1 | 4c1c8b9ae3547c0a90c1b897d7bfe71351cad999 |
| SHA256 | f1657cad2ccf66bd3f99cbe29ff3a602f19135613fb30bc9126b5c009ed8b683 |
| SHA512 | 0f8d2aed8ce7c31e3dc704909aff632056576e2027816d1857b1bef2f659985834134c51e36b2cc8c3c6e6328b1b2c176d5800e306c1610cf81d88db3ada947c |
memory/2820-1850-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fqAkowAs.bat
| MD5 | 33aa8d50baa9727ae1a6bdbf31ec6d94 |
| SHA1 | 96e8c516116031a37024ec4785f2f4a59cc203f4 |
| SHA256 | 25a83a51571fa438ad9b20ce36165b1f6305a1f7d2804eefa4732cb3829e82e9 |
| SHA512 | f5b79601dbce94285399916b56e64a48bcad47e2022668b85a41c321fdab65429cab0c6a6f5d0bb2a722518089e0fe96d6eaa0b524f165bad4ec13326301c219 |
memory/2980-1875-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XOQsYMsM.bat
| MD5 | 91ef3c9c488394686daf9550828035bb |
| SHA1 | 858724afeb257ed1be9a129c997d1515c37f1321 |
| SHA256 | e96fce450e6f4509a61f8c6f6239d34b4c8e4afdec26a8db81c21117716cfc24 |
| SHA512 | c02be1729a89c9265131db579cd25b8d64c758061806c2d6b1a24343d6f06e04da1eb333d20cf48ddd4f7f227eda99929f5282d13fcb6f17aab9cb15c82db050 |
memory/2476-1893-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\piwwsIco.bat
| MD5 | 46c3eed66a0e4c4919b77d94fb298f16 |
| SHA1 | 35ee74d9a49be748fa14fe45f24b8e87f35f387c |
| SHA256 | 02cf34d2eac7ce881295c0b54eeac7a48d3817f88864bb340936b28ad2841a9f |
| SHA512 | f33ac5a54ff018229bf634e292b0c31ad3bde8e0d8a0a7e9461f682669a8d9669273247374f16d954402c8bfd553a4688bc15bca75192179db4f18538866856c |
memory/816-1919-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vyQwwQwk.bat
| MD5 | a7b88dc76c0e0458b244f5ab8cf4218a |
| SHA1 | a3de441e9551257a41f0c13ec95015ef61df890c |
| SHA256 | 9210b4ee5d656b3e13bc1fe5f90f3ef64c87c8f7b1bf65cc8159a56a3b5f6829 |
| SHA512 | 31d7f7016eda6fcfb8aa85cb1e6d60c421a36a0454d40afcd8ae94ef3c0d760b939dc057d9878cf018c1b9b7e03c8970462769d1475adc59baef9a8f68780547 |
memory/1732-1938-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dSUgogEs.bat
| MD5 | 6fb00aed4bfbc28f038cbb185c1d3d59 |
| SHA1 | 4caba1f07ffa2620f5aa7871112ba27acb254f04 |
| SHA256 | 42972bd0fb27a3289854409061fa4669b4b6627a195d928241649a03b9ff8849 |
| SHA512 | 28e66185faed47f850c48df5b8c46749e500b69622aa89acc95ffc49318e0180f0dcd6bae6df6ecb846b1dd9dc72e3b178644379e6663250165cc80a19c80b3e |
C:\Users\Admin\AppData\Local\Temp\kocS.exe
| MD5 | d8dc7d490b48c073e36efff3a3c40c04 |
| SHA1 | cb99fea5800c5f37a763cf3bcca6627bc5c9988e |
| SHA256 | e6e6c6359639aa7922728364dd55d5ba4f4f7737162949a3c2c2adbbf14dad98 |
| SHA512 | 8aca47d760c3097dc4fb42de58c3675239893dde3a30943fb3cc18e52b23a652cb0a948df8f3842b1e9caa6f4cb1164541b6a6305cd8ea338687ba524d0bf7cd |
memory/1512-1973-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ggki.exe
| MD5 | 67fb3cb623fd3ab709c6aa3a7a1041f1 |
| SHA1 | 0ac32b4b427e330839e0b3b730106302f6e3087f |
| SHA256 | 7414d6d47e30c3f2ee43628d9d64b3a6e46b096bb186e1f0dfdd7ef5ccff4522 |
| SHA512 | 6d60c38a2edb48dda1ec263d0423026dc1adea31c4dcf6fe8f01e9a7ee0db87816fb1f0935275b110f7eb7f1a68a23fdc82449b25a28d44d005572b36fc95d0b |
C:\Users\Admin\AppData\Local\Temp\dWUwocsk.bat
| MD5 | a76617e51596cfaa716cd4177fcf47bb |
| SHA1 | 358e9e34929b6bf7b4051c7f15e6eeb45ac6e35b |
| SHA256 | 05f2c6cf1c9f45181bd8c01680abb19e2f53c6cb0b348500d2c0ec4a251043e7 |
| SHA512 | 95ecad2512b7ae3260e85d4d7d28aed698eecb1d5ca78fd079db58493cc1eed9afc36b9d3e5b504f750580381bc741afe81358041eb1bd3b3377eedac0c18ce9 |
C:\Users\Admin\AppData\Local\Temp\yYEK.exe
| MD5 | fe6afb6e12fe5129a1001527179851a0 |
| SHA1 | 9efe5e406ff4733c8d7871b0a102b1f7b4a01eb4 |
| SHA256 | 73ce8a2b966b21ac292ecf6d4077d8fb8fecf4aee572bf556ef9264d76cb1424 |
| SHA512 | 11cfb43a5f8ccd47ad185b5f30744f34fbf236cdeaf217a3ba563359c12cadec0af41e731a6bbb27022a848f7d6ccbaef8c8357386f1111209bc0b108f0c7bc3 |
C:\Users\Admin\AppData\Local\Temp\MsMA.exe
| MD5 | 925d6c109f03ee5335141a11d8c3dad2 |
| SHA1 | 7691bf2ad6297fa05e948e4eaaa185b67e1c1a02 |
| SHA256 | 07ac5c19a588fe8424abc58b6ddd9e9b24246deb653f5887bc724d2f08d0ffc6 |
| SHA512 | 38be64c97c3916fd96a638dcfdf3605b0f756581e6b31687d15f0192f34f1de13d4b4a65ad6c2847b96172248d84925fcb84246f8660cd525c160e089e13a0ba |
memory/2576-2048-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoEK.exe
| MD5 | 213e3c6f889ea32be7ec2f4d5329fc21 |
| SHA1 | 0a943f5221539df11cd8e4026b7451722adbf9cb |
| SHA256 | fd8cb44039c46734517b489531471f30fe75d803ee5ff9ee4822b814dcd23f73 |
| SHA512 | c4541285511cfb29ee64251dd17ff01ffcf02f350168632751757943bf674a5d4cd80c24f5687e869576bb2f37d87426d56b1eb85106a36886beb6ffa1182e6d |
C:\Users\Admin\AppData\Local\Temp\IkUgAIUQ.bat
| MD5 | 5ff993ce518882f5dc062fc4394d414e |
| SHA1 | 113e9ae822c0fac3a01a2d9562f575a368215503 |
| SHA256 | c8bf2f74eb2498ef77426828ffc935889eab4af7c30e3e33adf39a7ff3e1fa16 |
| SHA512 | bfd8ab15a49214d4730cfe818702874b1113a7c2d6d480beb5db16004208e4c2f60fa2fce9a9a2b0ed9d077afe9da470f3deaebf25d55a863e7ddc69f7800db4 |
memory/2164-2080-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KIUu.exe
| MD5 | b5063a748630fb0f892fa38a7a3c30f8 |
| SHA1 | ebf534517559d7b7dcfa2690916edd4338c923de |
| SHA256 | a60b254413f2903d10b94e234a00e8c9e9fdd29bf7b047cf01af56e0bde024b5 |
| SHA512 | c7333b48f7f9d1a761e84a5cb6b30fc120ce82176ab0478738f78535c9d64ac1b228b675396da0b4d13cdabfa2654400c5fea178159e268ea8f826146187c8d4 |
C:\Users\Admin\AppData\Local\Temp\ecQG.exe
| MD5 | 1d2c3918461320935ef5b8711f192c0a |
| SHA1 | 2963f5b368f7c56567fedbf3506e26c73bb9c286 |
| SHA256 | aa792d9a1ce039b88d19afb102c93758aedfed9a7a530522747425be8379d038 |
| SHA512 | 962f9ec76bd8f57837eaccd08d5aa095bace7751b04c938561467981ac6e128ab8ae318d64bf71b01c7521770a6c087507b114bad029cd5654abbf5856770800 |
C:\Users\Admin\AppData\Local\Temp\MAAE.exe
| MD5 | 042b2c4e31d16b79147df3ede64e294e |
| SHA1 | 718985427c247218defc05516691ede3210701bc |
| SHA256 | 6306a5d275cb70d774abf2aa6181a4237caa5c3084ed326bc2d62862f1ba7b34 |
| SHA512 | dc00ee87c63f9001cc4785415682c14d16ac86c53a05db21388072c12190a4016f1aa3265051f664d85e19b54bf9df422c436047c41799d9df8454b8d0a4797f |
C:\Users\Admin\AppData\Local\Temp\mUYC.exe
| MD5 | 094fb2681e5df479a3a5fdcd607d72c1 |
| SHA1 | c052a9fafc4233819a694528fb7437bc4a8e9957 |
| SHA256 | 87415f2e38e33689ad29363b693a11abb4b32ec7c415e24b7f95e9ec01f7fccc |
| SHA512 | 9dc25eb9eeeac256cd612c4aa011482145cd2bf5cdf013519f8b6c33926e739f701e82a99175aea0e173f842cba012f3e9ffb1dcad4fcb24dbd9047838195e9f |
C:\Users\Admin\AppData\Local\Temp\kQAwkQYc.bat
| MD5 | 7cdbf77a22059887dea21a7b1b18d0aa |
| SHA1 | cfe905a9a2154dba8be6ef52072eea10a3974f1f |
| SHA256 | 34e58ecb06139e8ef89fc0bec90ba32dca621a4c418307175582bc27beb19008 |
| SHA512 | 414fb5a16c7a67f5174bc6ba04ae4037975302ee12270e3a25134e517e7a22fa40ebdb31896db60ef27c3222242d462b61efbbfe00b88298de4eb3a96ea96a37 |
C:\Users\Admin\AppData\Local\Temp\uAYo.exe
| MD5 | cf905a0d0bb32264877e836455adbf29 |
| SHA1 | ca9f507dba18450d1db5ac88c83d2ebb2e09bcfa |
| SHA256 | 9ca67df502c420a17f4624a86bf5f400676b482a4d4564a6ca8a756399a4e7a8 |
| SHA512 | 117e1d53e8f5a5d10c1dde06109b7450eff56f6ee2e195619ad2bde61d7fd28b52a5ac378a1549fac0b590eba12425530147d17bc9bd792ead940892d51272ba |
C:\Users\Admin\AppData\Local\Temp\goIw.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
memory/1752-2152-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mEMW.exe
| MD5 | 827dd0fc985541d92b5fc8b24b526b27 |
| SHA1 | 21db48fd2287652bcd3752b0b7527e0588d69183 |
| SHA256 | f7a74622fad45d4cf61d856352375479c28114b93784dcce7a4dfeb973ab6f44 |
| SHA512 | 0c0a8f09c2330aebf7946e7ff9e11036ca63ee33f5b119698f825de0fbe04f35296f3258308132e110e217fb8973802404e408490d563b11c9dc867c532691ed |
C:\Users\Admin\AppData\Local\Temp\ywAc.exe
| MD5 | cf68f1195505c9b31c39732f1e616424 |
| SHA1 | 7528596035f019747d8ed93e4d7eedba79ab14cb |
| SHA256 | e64c62e4e0809dbb2c9533c837fcf06f529a480df6f71aeca80f885cdcda84be |
| SHA512 | 11d1c32171a1fbb0766c27a37f1210c4bf7f6e84b1013333d3037a79cfa4bc6680d84358288d1073bc542bd6279708cd8bdbb4acec18105c08c4f3a17503e9a8 |
C:\Users\Admin\AppData\Local\Temp\oEUy.exe
| MD5 | 302a602deca962e766de29d054e63aa4 |
| SHA1 | 46969fc250d04cf4211a29a5913f848da97b2c0c |
| SHA256 | aa66583661f6bbfabe4cc8f943788b3980408cf1d99c768f4d8a8d2cb23dc559 |
| SHA512 | 904fb22e6593295256c0d8bcad8e1ddde266f19e8d06e7aa5d970a6ba797fa3687ac8944746a9e817bf7bc6fce80df26ceb53f314a6098d6fd2fba7c759ead82 |
C:\Users\Admin\AppData\Local\Temp\AqAoUkQE.bat
| MD5 | ab5f67c9d0bfa89c0563e55e2bc72ec5 |
| SHA1 | b79f30527c9096c81f577073cc75a9a2036fb52c |
| SHA256 | c195a6d45cfd152eb0cfd5cabef3fb848c70425be7ec1740bb72bf684f9a16b3 |
| SHA512 | a76b2ff20689b3d89e341cff26ce8d386ea66dd2955fb750630a857029839c18b18a4c61f47fccbde7e65c6cac337bd5c8bd8b14ec939a2f16638bb6204afd5b |
C:\Users\Admin\AppData\Local\Temp\mIQi.exe
| MD5 | 4e507efb235994d6ea7705e21374489e |
| SHA1 | de83854929235bcc64b4687701970ca0965daee8 |
| SHA256 | 4517144a2d8bb9075ae7c01a42394560ea02c5cb4ddfa55f5a2845405a3873bc |
| SHA512 | c7ed036c6b685a6ebfec16937c562e852ce817fc5e0d57000b867bc8c13082d2ce1102108cb260e3962331a6d0a8226f94129f9d9c7fc711b89bfe332789caa6 |
C:\Users\Admin\AppData\Local\Temp\cUws.exe
| MD5 | 8dd00e482843321f355bb642733d4e1d |
| SHA1 | c61da14b841a246974ed89b2d84001bae21825d3 |
| SHA256 | 3b35b4893d97b8e2089ece35e662283bad2cda424b4a9f59e3bac909700ddb4d |
| SHA512 | 3e0b62f1d29b0f5c04ca1acb66f1ab64a9eb638d40d391c72a29150a3ec4743c48b716734c54722517f456f3b8a94a67d8417a1e73f194990734d8496fd291e0 |
memory/680-2228-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WoIa.exe
| MD5 | bf697840fb8d6be4c09c93cd236d69bd |
| SHA1 | 9fa7747f1d104aea139c92d5527d7867bed45c3b |
| SHA256 | 36d77bd0ba61c1c8e84e9d4d3af39f76a2817b72486002393cea23d07755c2d7 |
| SHA512 | 6790e4f7fbe28a73bf90d7036757cd4539968013a8f2b2489232989ac18fae488c7a172cbc7307a742588cd5d2f6c7f01583906dbe413b918d7cc6b32a5c664b |
C:\Users\Admin\AppData\Local\Temp\ZUcUoUgI.bat
| MD5 | b651c4c1ba08ef526193100c5f2e0545 |
| SHA1 | c81789c9e3c69fcd34130365d749040a6c98153e |
| SHA256 | c18d4eecd78bf60c078ddfc10d1413f5e435585c4bfd3e1872e212f04a35d3d4 |
| SHA512 | e18184eebc826359d6f5e23a7e791bc75dde0c4c36eb942fb281ab37815fead4c6fa8574fd1980aa8444c8587713d89f46d83b5b1dab8f87e28cf5e57fcd0c53 |
memory/1176-2291-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mQAU.exe
| MD5 | 72d179677b28c215e3b68c97da22f6d1 |
| SHA1 | 50b9054a6f73a4cd79c0dfdf4db5c5fda4192e9c |
| SHA256 | 874cc2fcb25abf6c6870051fdfcf10453f8837d84c089d3e9b95b1d210e3ebdc |
| SHA512 | 430a19298544601041960090d4edc8ae7e90dffee3b6541cd91e02b88c1b6e7312139e1b433200e91f5ac9d16886e73388b6a327dd47a6164803769de191dd72 |
C:\Users\Admin\AppData\Local\Temp\McsY.exe
| MD5 | 07b0b8785d5a983cd328fd56ed237a96 |
| SHA1 | 8677dfd22369f5698158b0a7d4f188c886054207 |
| SHA256 | 05f7052ebde9253c18df6e63955c929951a3975149657e3f3b718c127918f928 |
| SHA512 | 5390798cfc5929dd88bcf6f7cefd84ab3a77a7c2c35fbeb1b778467bd86fb8fb4b013398e1b829a7e360e7b9817d9ebb034f56c99a8f72438a6c94eb12c187d6 |
C:\Users\Admin\AppData\Local\Temp\PKkYoQYc.bat
| MD5 | 4a38a22045ed55dae57dd018d111ca24 |
| SHA1 | 8834367b9890fbaa05cabab309c13b0148c529ac |
| SHA256 | 89f3d087d7cb8067324471878db01b38d1ca10341a4f3d953396dcf5e8a24719 |
| SHA512 | 7941e172e770925c9ed52da73a3922d26756a172b5cbf78ae1c5aa2b1ef3aacd7b1221bea9958311c190e1d11e0d661e2a3c7c91a5be60d1b4f0dbebd0b4e5d2 |
C:\Users\Admin\AppData\Local\Temp\Ikgm.exe
| MD5 | 85e766145e503477199aaa4dd7a92259 |
| SHA1 | a3b3c54a0df311a939604e976050e12350d46e54 |
| SHA256 | b1e586492f6c11fc24a7b93eb9d55650e82e51bc51c10c85b615fb79d03850f5 |
| SHA512 | 40eebb6c8092b84a07627b96607145e2d0ddba7cc8b3284074e5872d50ecbc38d5a9bc94b722ff02a219a31d5a171ca2d80c5ba27b4e21aba64e2c085e5d2246 |
C:\Users\Admin\AppData\Local\Temp\SEEY.exe
| MD5 | e4c5432b8784b419b39a5b3e9d1504e0 |
| SHA1 | ae63767dc10265ff79959a88b042e7ded8ffa18a |
| SHA256 | 9e0f2a671795826310bb4eeece4a6f350356f2b16383996372e8fc5f205cc238 |
| SHA512 | 8c76f4cd2792c3ecc4685c16876afa270f749d88bb6ddbc48b6bcf97633a8ab890adc0438d207c43336e1e57b365603453f50b9653cf2a8cfcf4a89d5acf7068 |
C:\Users\Admin\AppData\Local\Temp\iEAy.exe
| MD5 | b72aaa7c9e68a75d4ddfa76003589175 |
| SHA1 | 6dbca73ba39ec4b454f5ca420a1d83b9fcc64999 |
| SHA256 | 385a4138ae224af6ea2f3ed2e121a0c14d734f48586b87e6e1c43fc8e66fc897 |
| SHA512 | 9a9ab437ed97c0dd99f5bace8a29aa1439ae67546b5d057b823e8268b0021e636124be4561cc96e788b645fd2bdc35780ba33d8704a7988414764ab95638e4ff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 11:25
Reported
2024-04-03 11:28
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (83) files with added filename extension
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe | N/A |
| N/A | N/A | C:\ProgramData\XAQIwkYQ\zqYEIMII.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmsQIEQE.exe = "C:\\Users\\Admin\\DmQIwUoI\\bmsQIEQE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYEIMII.exe = "C:\\ProgramData\\XAQIwkYQ\\zqYEIMII.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmsQIEQE.exe = "C:\\Users\\Admin\\DmQIwUoI\\bmsQIEQE.exe" | C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYEIMII.exe = "C:\\ProgramData\\XAQIwkYQ\\zqYEIMII.exe" | C:\ProgramData\XAQIwkYQ\zqYEIMII.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"
C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe
"C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe"
C:\ProgramData\XAQIwkYQ\zqYEIMII.exe
"C:\ProgramData\XAQIwkYQ\zqYEIMII.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eokQQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQEwgYgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eswQEEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSEMcUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQUwUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWkEMMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQEEQcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwMAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgUoYoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faEEMowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSwssYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuYMgMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecAAQIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQkcUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQcgAIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUwAcMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMIkQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUsQMUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAgIkUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccEUcIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiUcUMsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcIgEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOwIwUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgIMYMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqAcIEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcEQEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSwYwgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIQoAokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUMYYIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIwMIIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYYIkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEwggwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsksAYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmIEQcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcUIAEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiAwQQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSUIksIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeQcIIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGYYcIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
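The process list above shows the same chain repeated for every re-launch of the sample: reg.exe sets HideFileExt=1, Hidden=2 and EnableLUA=0, cmd.exe runs a freshly named .bat from the user's Temp folder with the sample as its argument, and cscript runs Temp/file.vbs. The Files list below shows where that leads: copies named background.png.exe, guest.bmp.exe and user-192.png.exe, which Explorer displays without the trailing .exe once HideFileExt is 1. The Python below is an added triage example written for this page; it is not part of the sandbox report and not code from the sample. It parses `reg add` command lines of the shape seen above into (key, value name, data), flags the three tamper values and any script run from Temp, and computes the name Explorer would show for each dropped file. Inputs are copied from this page except for one constructed control line (EnableLUA set back to 1) that the rules must not flag; the technique labels, the EXEC_EXT set and the simplified display rule (strip only the final extension) are my assumptions.

```python
import re
from collections import Counter

# Inputs copied from this report: (image, command line) pairs from the process
# list above and dropped-file paths from the Files list below.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe")
ADV = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
POL = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
PROCESSES = [
    ("C:\\Windows\\SysWOW64\\reg.exe", f"reg add {ADV} /f /v HideFileExt /t REG_DWORD /d 1"),
    ("C:\\Windows\\SysWOW64\\reg.exe", f"reg add {ADV} /f /v Hidden /t REG_DWORD /d 2"),
    ("C:\\Windows\\SysWOW64\\reg.exe", f"reg add {POL} /v EnableLUA /d 0 /t REG_DWORD /f"),
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     f'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\QiUcUMsM.bat" "{SAMPLE}""'),
    ("C:\\Windows\\SysWOW64\\cscript.exe", "cscript C:\\Users\\Admin\\AppData\\Local\\Temp/file.vbs"),
    ("C:\\Windows\\System32\\Conhost.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    # Constructed control line, not from the report: same key and value, but UAC re-enabled.
    ("C:\\Windows\\SysWOW64\\reg.exe", f"reg add {POL} /v EnableLUA /d 1 /t REG_DWORD /f"),
]
DROPPED = [
    "C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.exe",
    "C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.exe",
    "C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png.exe",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\skkm.ico",
    "C:\\Users\\Admin\\DmQIwUoI\\bmsQIEQE.exe",
]

# (key suffix, value name, data) -> label; compared case-insensitively, as reg.exe does.
REG_TAMPER = {
    ("policies\\system", "enablelua", "0"): "uac_disabled",
    ("explorer\\advanced", "hidefileext", "1"): "extensions_hidden",
    ("explorer\\advanced", "hidden", "2"): "hidden_files_suppressed",
}
# Script run from the user's Temp folder; the report mixes \ and / separators.
TEMP_SCRIPT = re.compile(r"(?i)\\AppData\\Local\\Temp[\\/][^\"\s]+?\.(bat|cmd|vbs|js)\b")
# Assumed set of extensions Windows executes directly when double-clicked.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    toks = cmdline.split()
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    key, name, data, i = toks[2], None, None, 3
    while i < len(toks):
        if toks[i].lower() == "/v" and i + 1 < len(toks):
            name, i = toks[i + 1], i + 2
        elif toks[i].lower() == "/d" and i + 1 < len(toks):
            data, i = toks[i + 1], i + 2
        else:
            i += 1  # /f and /t <type> do not affect the match
    return key, name, data


def classify(cmdline):
    """Yield technique labels for one command line."""
    reg = parse_reg_add(cmdline)
    if reg:
        key, name, data = reg
        for (suffix, vname, vdata), label in REG_TAMPER.items():
            if key.lower().endswith(suffix) and (name or "").lower() == vname and data == vdata:
                yield label
    if TEMP_SCRIPT.search(cmdline):
        yield "temp_script_exec"


def triage_processes(processes):
    """Counter of technique labels over all (image, command line) pairs."""
    return Counter(label for _, cl in processes for label in classify(cl))


def explorer_name(path):
    """Simplified: with HideFileExt=1 Explorer hides the final (registered) extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def double_extension(path):
    """Inner extension of <name>.<inner>.<exec ext> (e.g. 'png'), else None."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return parts[-2] if len(parts) >= 3 and parts[-1] in EXEC_EXT else None


def triage_files(paths):
    """[(path, name shown by Explorer, inner extension)] for executables posing as data files."""
    return [(p, explorer_name(p), double_extension(p)) for p in paths if double_extension(p)]


if __name__ == "__main__":
    print(dict(triage_processes(PROCESSES)))
    for path, shown, inner in triage_files(DROPPED):
        print(f"{shown!r:22} is an executable posing as .{inner}: {path}")
```

Two caveats when turning this into a detection rule. HideFileExt=1 and Hidden=2 are the Windows defaults, so a process writing those values is a weak signal on its own; what makes it worth alerting on here is the ancestry (reg.exe under cmd.exe under an executable in the user's Temp folder) and the co-occurrence with EnableLUA=0 and the .png.exe drops. EnableLUA=0 requires write access to HKLM and only takes effect after a restart, so the write does not disable UAC for the session that performed it, and the report does not show whether the write succeeded.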
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 216.58.208.110:80 | google.com | tcp |
| NL | 216.58.208.110:80 | google.com | tcp |
| US | 8.8.8.8:53 | 110.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 249.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| NL | 142.251.36.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/1156-0-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\DmQIwUoI\bmsQIEQE.exe
| MD5 | 8cfa42e92c08b305de0db872a31bf387 |
| SHA1 | 800b60f758d1d7cba0b2e7aada7445ea564cdadf |
| SHA256 | ada56053fa1fa80baa90b9d70f28ce638391ed4779240f6d7a62eebeaf68f828 |
| SHA512 | 82177648610158346100f1442c6c37850791ced668b7be67b86e8c253de146876ec02775fec0f914be5a136cd7f3c0368f8046601319660545aea2e062a8bc33 |
memory/400-6-0x0000000000400000-0x0000000000433000-memory.dmp
C:\ProgramData\XAQIwkYQ\zqYEIMII.exe
| MD5 | 0b2fc3d9c3d1096726bb44e9731a6f3a |
| SHA1 | 9c27d9c42f6658ed74ee087c3dcc1e89bc6f47b2 |
| SHA256 | 074f49c4562440e2b9c9144b30f425e23bb0a07e58cbc1d88c6e20e93519e3b5 |
| SHA512 | 73ac953a4eca752e64b0045f2b92b421b669d64bd6d6d135c0aa984bda0073496176558108b2cfdc83e8321cd1bf754c2eeef52f48f4afa9d108abf9a49de945 |
memory/4968-15-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1156-20-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eokQQwwY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
| MD5 | 588e8e645526676ae2f8644d4dd82f06 |
| SHA1 | 607f0d19028f909a02b5a4b00ab7096dfb7f30d8 |
| SHA256 | 46f556f484064bb3cc55694c4fca9344b1432ac341861e56bac17d15cca46c7c |
| SHA512 | 69766a05b8874d7a0b4ce8b7fc7888b05cb4c3be56883db39fcd63d31742aca901c056b655b716960054fdde71abb56905d73038a5974682cd1092c5a7efe6c5 |
memory/3752-32-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3672-31-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3752-43-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4432-47-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4432-56-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4340-68-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2468-81-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3156-78-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3156-92-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3224-94-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3224-106-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3376-117-0x0000000000400000-0x000000000043C000-memory.dmp
memory/436-130-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4608-131-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4608-140-0x0000000000400000-0x000000000043C000-memory.dmp
C:\ProgramData\XAQIwkYQ\zqYEIMII.inf
| MD5 | 4cf3e2e93b737c75078539ceeaedb539 |
| SHA1 | f5e75df255a12d5e528a9cb09c7454af30efb37c |
| SHA256 | 50bdad765c5248784df0a262034587b614545fa7322c6a43bdf2ade48cc0a44a |
| SHA512 | cfbb346664b804b6daa531c0d6c741cdca8599cd3e5d37b88e05e5d3709af3dc017ebf3c0c0258f21966d14e167e434bd639dd43b6e0fa8e30f50231e3ec5cde |
C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf
| MD5 | 255147fcecd08c246a388ec26519fe35 |
| SHA1 | f6c01397945e69088baffda8d586c45e4d9a8ef8 |
| SHA256 | 9d146c17e922370a4c13b7bd6727970c22225a07cdd38939d9de2c01f61df98b |
| SHA512 | 6c3462b5962a29c1b9b9291f8a922a7be917c50dc15a365664789c45b39322f94c14085a9cbcaa01eb63934dffb55173f0fc0651706942698828cd85c61afb84 |
memory/736-146-0x0000000000400000-0x000000000043C000-memory.dmp
memory/736-158-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1244-169-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf
| MD5 | e18f8de57b1264024ede6cd037b37ee4 |
| SHA1 | a6983a6efc7766467d38e3774724e4c4d78163c6 |
| SHA256 | d5762b86da50a55ca995899c104646fc115fb7c2c1917ab0ddbd5ff422279c8d |
| SHA512 | 10a0ccca30691ff2f533a77b9425a057a44731ef616d4b944079f61be25a9bcfe6ff4592385dbd265fd9ab87c45451a02639b23bfa8a7b912bbb899d403eafb4 |
memory/776-184-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3888-195-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3112-196-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf
| MD5 | 403ba2bf7f214c42c5c6377e6bb2233d |
| SHA1 | df25a3fb6d66adb83d6ee7334039b6a131d5f0e2 |
| SHA256 | 491d1d01bc96c34613594d87ce9cf10041825e3c6973aafe2ea41aac281332fe |
| SHA512 | e0945935de4183516a480ee2675d446691c2f23af2f672793de80c8ede9ce689fe7a61ca70de8de108b99b5f677012ab89e8874318a36e1094bc3c774c9693c0 |
memory/3112-211-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2984-222-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3308-235-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\DmQIwUoI\bmsQIEQE.inf
| MD5 | ac7bf7a3a3c8ab65e0c3dd5c99e312fa |
| SHA1 | e0006252aa0850eddb008808626bf713506ada5a |
| SHA256 | 7a5f53233c1ee772081286039598f0636ad8d9b3ed5471618b48e69171d08f88 |
| SHA512 | 1bb7f88959fe024a3b8f29b3e972a85efbffea58783268abc4ad42c14782605fcb912f1d474698a7d223449e8b282cc3efb3a5671cf98042e1e3f9c4f9625650 |
memory/4604-240-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4604-248-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3296-249-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3296-259-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4056-267-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3916-268-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3916-278-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4108-286-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4080-296-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4820-297-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4820-306-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4108-315-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2288-316-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2288-325-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3052-334-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1244-335-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3052-343-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2996-344-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2996-354-0x0000000000400000-0x000000000043C000-memory.dmp
memory/636-362-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2964-371-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4928-380-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3988-389-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4508-390-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4508-399-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4368-400-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4368-408-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1900-423-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PckW.exe
| MD5 | 67ba75b1045d86a395e53af9ad3cd9ff |
| SHA1 | 9ac7d03caf7c2f58fbbc1f22ce85ad351b8bd1bc |
| SHA256 | b0284ee8353c7bac0cadd33b0642ea729557047c34c72624b5e1b48d5d7aeb32 |
| SHA512 | 6653cae4463b9819f632400f5d83b2900483db8158bdcc1c91205495219492d8bb4f8b7d971325150957a6b41c770a59722b3a2c814dc681d315c9d6f3e41dfd |
memory/2500-434-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2500-442-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4492-443-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4492-453-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ukAK.exe
| MD5 | cd262643065a7f392c14bad523d2b5ad |
| SHA1 | 9690b833d76a4358b1de4a7acde056bc0dc08adc |
| SHA256 | 7908b97d4accf2951b550ac48810699fefdb73472494820f6a8f135b031dc8e8 |
| SHA512 | 016ffe79e2383820eff2e8f8df011c059baefe19b925d34620f0b9ca6e865a0ea5c41fb594f02ab391517c0eff905f6fb7c7b438788191a78f3608c31cd9919d |
C:\Users\Admin\AppData\Local\Temp\HIES.exe
| MD5 | 53d37007306141bbae9f2075c841733e |
| SHA1 | a0994857158531ff257b84d29734052085cfb931 |
| SHA256 | 84c3412d0ae176477fcdad53489256398365b71557b89fd938d906d766052145 |
| SHA512 | 24fead236323de0bf677035fd79feff6f43712e85ea458d7dd444cedb7557f320aa1d14717322a829b649e187b730be5d6cbb33241af4b355a173ab39251a216 |
C:\Users\Admin\AppData\Local\Temp\ckAS.exe
| MD5 | 995dfcc0dd145fe1c8db28de3522466f |
| SHA1 | 4cd05b5c396e14794756db2a5b2b8dbe1a1143fb |
| SHA256 | 2b6178454d5174ecf97275320e900547d8e07c49e4edb247725bac674c26c9d9 |
| SHA512 | 7ed2c02500aa77ec2e0ae2e3791c0d4459a050a6c8fe64ace174956c8d425ff6f3fb3bf71614084652b1ac2facec24ac8f4fd9022ae772bf639e9eb9d8b96a19 |
C:\Users\Admin\AppData\Local\Temp\skkm.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\iAEu.exe
| MD5 | 0b1f22264becdf266220e29a6e0e9f0d |
| SHA1 | bdcea8065765edd3a24729303d69bf902ac6b26a |
| SHA256 | bfe490208b949a3b4a476ac940d8f463d5786e46709358047394050c3c6a6c20 |
| SHA512 | 4d6766975ee989c4b534457785c5ef1e530c73ee3fdc4a2c4f9b170cf5602a34124a2d6bab1f2bff4599162a0f3576d53edf22ddc5e2a3a5728a259d42917222 |
C:\Users\Admin\AppData\Local\Temp\mUYS.exe
| MD5 | 7c3c9062739b30a020681ec627fac797 |
| SHA1 | 0ae44d46436ca38dac1e59b20fb43d110a04372c |
| SHA256 | 2fd71a9c605c4f7acc793b87c06af3518fd0cfd005ffadda4ba62609d235f3df |
| SHA512 | 69a3e9fab71efdb841eb40959c8c32b1e44a0f451c212c2a671b16fec6f520694867146a39af75a7e12aca1cfffdf9bcf421d9b6d8bb7bafeec72c8456262228 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 626799e031a8b2272f80c55be048ae61 |
| SHA1 | 72de2f8c7532cfef8fe116beead6e3da21636fd4 |
| SHA256 | 7c6b9104bd575ccfcc6b38c84dd09c331950672782ea49b6a87ca6e78c9e2fc9 |
| SHA512 | 2c6db5a15dc8fc53c099849dc0efa85dcf512805bd057734f31ddf771d8f8adf3fca7d788491d1bdd068e356df206c24e4a3fd165e49d574e1ff88d350cc41d5 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 895049926e56cc19a286b5618589d8dc |
| SHA1 | c49600e8f1db1bbbc5d5ee6c62bc94c2b59b2fdc |
| SHA256 | 67351c41b9ccc71da699f51a099b8d9c2ba47400b652bec84962249a8401eac8 |
| SHA512 | 0c3ab2ec8e8d8106025e91ab652392389125e386fbc7e8166a84d53fff18188dc1ae3a92a773f7a09ea601b3226ff4e035bbdbe0a92bcbaaaed00a7c555f6fe4 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | e74644687ee6d857bcd280bd0f60401e |
| SHA1 | 866a64c58b29b44c36573e6facb1670733210b76 |
| SHA256 | d9ac2b9567077b435aacb25fcdbc1d1dfc02c2af22d054d4a31004d8646b1214 |
| SHA512 | 335af230a4a75b0284d197c2d9e5e253eff5d5cd381d153512da7d3429de9806b88d2ddae244e3f318ac68ec51b3b9ac128699beedd58ae847b1c4a3aa92d29c |
C:\Users\Admin\AppData\Local\Temp\MAEy.exe
| MD5 | 0f3338589838801401ad93016a1fc7db |
| SHA1 | ec20e56a12aab0cc8c1cd418307dd687a8213b54 |
| SHA256 | ad5d1a35c4e3370d85420777ed259b696e40acb1e211b135ae625de90adfe048 |
| SHA512 | ea7d6e3d838f4bf9167de46b8295cc9ad7421e8392bc1ce170d8bc4705f4afd8d15ffda78cd3ceb7ea1cf6745a03c951dd29a4b1894543ccfd42e2508ff20d54 |
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
| MD5 | 4893f29a237ff18f2ec74053f81a3964 |
| SHA1 | 20401904b6ebf1fd097b521dfc20d32d952cb1e4 |
| SHA256 | f2657c844a6d944632f0efe2ab4d03f6706ac8cb32bb269b58b2eb0696fea02d |
| SHA512 | 50437afde9ba7ed3176ffb9e2fc593cc392d47e60e2423d41d3d7fd0def2c9b61771e836219e52949b17e53a3c74fdf8dc16584c38298084d061f0944c69199b |
C:\Users\Admin\AppData\Local\Temp\QwsY.exe
| MD5 | 2838e1f9a2a91212fe9aa317378d39a6 |
| SHA1 | 036358a4f9921fb6df9bff39728adda7b2e3f6f8 |
| SHA256 | e2fe3025143afa42aa5069fb34c114e6e672dbe638bcaa2622310067708b9aa1 |
| SHA512 | 2a169654f1bfab6a0b1de8efe7bb01c03deb1f02868e6abea02a251e10efd6a6e75e510a541d424d7dab44e287aeaa5c159d99f6befb3897a8bedc4079ebebb6 |
C:\Users\Admin\AppData\Local\Temp\cYcC.exe
| MD5 | 36c21eb8ed1ff0f42c0fce3be8006566 |
| SHA1 | 6a6b9296e7b507f494a16ffa5eccf1cfde59cd6f |
| SHA256 | 3c47313735bee0b6a33a172ed50cdb4999a43c0aaa0e1f70ca9bd0b55b9f9fd8 |
| SHA512 | 5353298df2daa008861653128dfb36058c401bd208cf310e373b9de72470b94665b8adb9fb6b774d31e4f5d1f842c75d0aa15e16d14efc29aa42b16b6571623e |
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe
| MD5 | b8ec32628e286871d71ba038ea4d37e8 |
| SHA1 | d9be7b2334c0eace1e7ca705a32588ff98a0a819 |
| SHA256 | 1ca8e2336187045b1f83e15a1d37bf071b26c975ce6b3b6b77fc4c9b99634a9c |
| SHA512 | d126af86e964a3ba65e696c5551c50c17fda259cac5a36389440deedce4740112198f357b8d89f48994bcfd76c97d78465c6af07688f94c2e0e88f2b2bc26671 |
C:\Users\Admin\AppData\Local\Temp\MgcW.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\koIM.exe
| MD5 | d34917b7b075a48ff527c3ab587e721f |
| SHA1 | 5bd5e54d7819b43c6775ca4b961f76d8c7bb3e66 |
| SHA256 | 9dec909e47b2b79c38a730ddd48f40b549eb9f734c8852342e0c340c88105339 |
| SHA512 | e621eba3a6e0fd95b04b543514b2a8d4bb90ad45575698c3709a8ac2e618ed9bacedaeb1f9536578eaa77047a6c12817621979ffe800f6d75823b9346d6ed045 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | e742f7e5a772a5fe0c29a5ad5b8e97af |
| SHA1 | c97c4b4f3017bd13798d1bd4f48a8dcc1e1d4b02 |
| SHA256 | 684b3b8c59dc1bf2e7708f0bbb25ac796189b439a3d008cc45c8522c59bdca5e |
| SHA512 | 57d0ad4a99069a55d4b3f5bb1b58c320221dd1f550edf02bd153577d876816a487778d670bc0c520f779a872a0e7902a5c807d6aecea0f83cf489789fbeefd42 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 60dd6e80706b0cd52e54deb6f2c5787e |
| SHA1 | f96753029db27f6f08b6346af4dae5806d5815ed |
| SHA256 | ada04f374b6b66aaa5e7f06f7938e24a52729f5bf37eb8c2f95f613c401bac7d |
| SHA512 | 5ab839d86e1e18498bc6a8e29babd440feb94a2282d3331d649d6075e2785c2ac836fb8f96dfc3560d55d6923bcead35ca9bde3eeb2957996cb3966a44c0a5c9 |
C:\Users\Admin\AppData\Local\Temp\CMIg.exe
| MD5 | b238b9ec5088b951521d19ff6cfd6999 |
| SHA1 | ba6bf7b2640de39682a144c4d7ca2cac32e5f449 |
| SHA256 | 4ac9499fac77dd83ec9a227b86f8241ddeef339742d7dda363a482610a69dd15 |
| SHA512 | efa802554de6471aaa7207ea9c62e85eb3a13fc100d06090234e134fa5156eb7df68445fb27517e96bffa7c824a52de97556d55225e2ebf4935770a7978c4322 |
C:\Users\Admin\AppData\Local\Temp\GgQG.exe
| MD5 | e666edbad1dd0529992e24e0bcda857a |
| SHA1 | be790bbe55ac37d3fd15831f72e779a0408f676c |
| SHA256 | 5c69075d859160654ec3404c8eb27f07d4b74c4001957728606c0ed8ac3f6fb0 |
| SHA512 | 9db622896f350da6853226fc98c15ea8cd9adb49ae9b3b16d936a97510acc83f3877f77637f70b57ef472d58f96a85eff46e6d7701c47bfaf2b6f38c540f312c |
C:\Users\Admin\AppData\Local\Temp\qYgQ.exe
| MD5 | d1e34ba9073da00650612401d4a40dbf |
| SHA1 | 587eba36f8d40d43f0e34528b83731f2f4367c46 |
| SHA256 | 852b70de901038f43314271b7110cd1554077480fbfb6e07dcc027b17955d124 |
| SHA512 | 997d85eea3dc5e65dafe837b8adc2876b715a7fe4fd12a141fe8371e77b12fcdce5e2506d72d42407bc611ab8956d4f7c60da135df3bb476619d02c809bd796e |
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe
| MD5 | ba430e0c79797f17c8f636562e045b74 |
| SHA1 | 895ae49af9efbe16e3e312f19524865ac714e38b |
| SHA256 | 977f20c33d4d77f3d460b321461b08fa6c4ddc41d80f82f6d602fc93ac208319 |
| SHA512 | bf9a0721cbd9c7b717192c551789bc8b16993c424f7b9ab4e4f2a7953cdfea1db36bb6ba87052a4d3d5896ee7b3a0ae9585896b90f46e09e791f7f0270c39984 |
C:\Users\Admin\AppData\Local\Temp\bkEQ.exe
| MD5 | 74acd62c4702bfef17c11c60455b7ef1 |
| SHA1 | 583eb9c5d71407095c5ddb473dfd97b916898688 |
| SHA256 | d282cd79b91e05d55b43030881bb0edcb8e34de8f51a12f3c5fafc364d5e0f67 |
| SHA512 | 81a4cdc2cca56d05603fcdf95b097f2706814d30b003d02cadd371f738a664ea0f28574371b6637200371d0ee7a090e33804d5aae27ef7a5d228a4baf8384319 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
| MD5 | fd8527d6b4183b6ce454d952a3041283 |
| SHA1 | 5659b232763ffe31bdc52f06b76d5153a09d5548 |
| SHA256 | e94e991bb2f625ea793cc154e0616a1c7eb1577eec3502708795889cfe7b3dae |
| SHA512 | 64d23056da81d30bced138a772f8b0608eafeb953abdbb89effa6ec1d21487eee4fd1e3a5e88e0bd6dab3ebbe8151b011671dbfd7173ba37ff05b6b153908448 |
C:\Users\Admin\AppData\Local\Temp\zwsW.exe
| MD5 | 2f6520b78d6b1e1c1ac53603dfae0594 |
| SHA1 | 1ecc502bc5864aa3051d6e4092d045b3413ddc33 |
| SHA256 | fa96231a112cbb130a4306b3b6870bac43a23a036bafa94f7cf6d0886dbb4818 |
| SHA512 | 254c310cd9c28c5b145da232835a5552d199641abd722e8ac9ce9537c63254dfbf489fd06565cebd9647e82fd504ff130dfa49dd4e5a872d485ac86623215e7e |
C:\Users\Admin\AppData\Local\Temp\vIEw.exe
| MD5 | efebd6c0be9c5a752e128b926974fa7d |
| SHA1 | f17d2538aadccfbe4bcd27d5490ada63cc9322cc |
| SHA256 | c7e4390ec06a6c0fb21788c6178a7eafb6850b1e2823272a9b1499683a6a9f1c |
| SHA512 | 9aea2981ac1da4f8c7f593fe4cb2ecfd6a2fe65c63b5dae21a1aa2b2a0c7a9682805bbe7af38c843350121db99ab47f46601cabaf10aa1ea22e019ef74579bd6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
| MD5 | 39bac7e1b8a250da1fdf43e773e6d59c |
| SHA1 | 027bd0ed0437873925ec0f26a8ee223ad2321dc2 |
| SHA256 | b7797cad5769ff2f79de81219c28bb410d69b660bb0e4b7edd332345b314177f |
| SHA512 | 7d724df76b231d82c3e89f895c90c492d43c7781c4cc503cd098689b6c318c6a6d0f9c4864fd5f8e00f73029e86d724be4d656d4c6f032eb83624c6af2c4af10 |
C:\Users\Admin\AppData\Local\Temp\pscG.exe
| MD5 | 42b7ee93e66750d65e10d5171ec15395 |
| SHA1 | 1277cf0ee8cb4f96d6eaaa623e195aec14e4180b |
| SHA256 | 7b89ea0781f42000013fd55249eba24eb2f958f9610417d4ff0095aa3831451c |
| SHA512 | 8d380dc9073fa68d632719308902316e7716175fa1ec1ed8077c553e65b85a4e35ee19333be6f6f5c0e92fa2a62820311305506000284a17f35f73f3db07957d |
C:\Users\Admin\AppData\Local\Temp\cMsU.exe
| MD5 | 9d75ce4c83c4772b76612dc5ba43dda6 |
| SHA1 | 351457c43eebc4a8efc0315a7700962867cf5666 |
| SHA256 | d020702c3a4361ef7a91c2cb46013306245161e21fb337fcbf4b1d95e20b609e |
| SHA512 | 98320964015e7723d2ad686d3b2d9ddb0000cef5deb8027b160974c241ab16951bef62c763bab3c85c8c45544fa02665f854518f0e031c6f17a1dc5c77b41103 |
C:\Users\Admin\AppData\Local\Temp\xcEo.exe
| MD5 | 304e8b21352828006b0e985a9624ab0c |
| SHA1 | 0b1a844499f2bc25ec6a0f968e79a76415c5c4b9 |
| SHA256 | 6fc80d43bca9c08732adcd625736512d8dcd9dd4e89ee2c8a869aaed92b160e2 |
| SHA512 | 6ad28d8f1a73a3de87cf6d98f5e389fdf5e6f89ea8b9f6c4d3eaf2991488935961833ee5385e38c4509b36a4b5efe5601257edf532eaa44dbe4c16465b893601 |
C:\Users\Admin\AppData\Local\Temp\wMca.exe
| MD5 | 803226c9de2cff9c4948c921a31e28fe |
| SHA1 | 3045478de1491cb7201d8262f4041cb73e36cc2c |
| SHA256 | 401f82f662bb301741bad397634f302f6e3795997cf6e83062ba5c030a090a74 |
| SHA512 | fe7db99f9c7467743db1ae13eb2d9594728373e3735d4f35575940b9c78ed048d45f48196562ab0f6510479428ae1883c99f13258b60c112ed3083d453ae9965 |
C:\Users\Admin\AppData\Local\Temp\Sgsc.exe
| MD5 | 91934bdcd425381b5bff57c2a5dccad9 |
| SHA1 | 7f7cf36a1aa5a35fee5a1bea52b20b1c81feab17 |
| SHA256 | b9cc614fd123997244515c78a22dc3fb216531566aac9d085153fb1d10918344 |
| SHA512 | 7c6ab6bb042bb6c41946b1573e14e8b5f607abcfe1285704ea9ceb2d6c4ad1f1f6a5d9841db65bf7782d32b7a5bb4881ac6bf615006b8f07e62e5d4b4b010587 |
C:\Users\Admin\AppData\Local\Temp\EIYC.exe
| MD5 | 04d8719f199a98e1eeca1daa551ba18d |
| SHA1 | 5e7bf137ef97d303e890937749aedf8523b72a44 |
| SHA256 | 347aa46004a908d6cd5d5a9ca91f11605e793f8790130ab5bd814554992201c4 |
| SHA512 | 7d3c37cbb47a59459fc80aa00c6e3813ce8e72883f4265ab3f4c9e40438e175a8dd6809ebe7812cd3926aa4071c8cf1f21a126945971143b282e800a7612514c |
C:\Users\Admin\AppData\Local\Temp\RMYe.exe
| MD5 | be92bd7425afb40b600434e14e45882a |
| SHA1 | 35cd8f056eee77580c09b7292b687ca6e9df7d0d |
| SHA256 | 6e4151518c5ebd0f29174f3ff5e8282cd9ecce889a0d7ac919abe2256207062b |
| SHA512 | d856a65be5b100b059869b0d78c6f321c60412c06a59aa5b97536f68eeaddf9655c2b7b9bf511b6986115c2d91bb23deef6c834167a34d5e603f0788cc15ff06 |
C:\Users\Admin\AppData\Local\Temp\rwEq.exe
| MD5 | d758a10015b5cb78773f269b8bdf5f16 |
| SHA1 | a5af57287b144bad7f9ff87339eab7f7ca13853d |
| SHA256 | c22b4d0ac99bac8ccd361ad687771b3464c3ab5c358b9eae2df6da3ca8a42506 |
| SHA512 | 12e44a24954dfc849f1720698407eb4faf0acfb923a87760b9576fd37dddcd50e779d689da77b1c76ed42d52f1b76964593ed95818f8959c67fbeb2e485b7fff |
C:\Users\Admin\AppData\Local\Temp\FgUE.exe
| MD5 | 5103affc66de2d21672e1a1eabf2f6f8 |
| SHA1 | 79abc39e23c68af7e6923bf4b42efe0c74a47507 |
| SHA256 | c06af98336cbbcc464ea818a48f75b57f816fcdc6d15f84c82362c59949764d8 |
| SHA512 | 23ea33eca85dfdec70446b3cd1b3bbb5116b0123c8dd2bc77c7db0e4e9833cc396f984c15ccc21d88d08dbec1bde5357aa41cd3ec8304bed20091400fa3885bd |
C:\Users\Admin\AppData\Local\Temp\CEYQ.exe
| MD5 | 6240e19293f45c6cce5ee457c8173d35 |
| SHA1 | 5d49b6ef1567ca0420e98fb9102d16a523bab3e9 |
| SHA256 | e47a44db20831abe2a9d826d40495e845457258cdd3c73b9dd46cc18c093b6a8 |
| SHA512 | 50c9908551f10391f95b28580ca5cc18797ab8c98c0f63a1d9087a8a8f0d1886185e91eec12de312160147facf5bf2359a7f94724ed45d6062118d54da9a75dc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
| MD5 | c957b38cdc8b6bf542a1d61a0561e045 |
| SHA1 | bb4fec529ac3bbeb0505d29f2365892032afcb24 |
| SHA256 | 4e7105e619de0b26388d82c48d9b1607bf93d16e8177d991613e190b83e40ec4 |
| SHA512 | e9768ee9c8215fdf74bf728873148c656ec9ea0a5a93dcb82781a82218b73ecc1f1c2012d244dd101026ca73ff04efbcd611102f3efd5798d95d58f5fefd5814 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
| MD5 | b8e63887c3e82b3b0e0c674e0716e152 |
| SHA1 | eca2fd4cf6c29f11ac1be468cc15b2e7564caf70 |
| SHA256 | 23879524600e4eebb83c7181f905807c5eb2677e8214fc98cdec7b95ab2a4b0f |
| SHA512 | 293c2be501b5f2b9e093122bf9ee20863cddf5003332815e057fecb7df12549d2f8313d95ba2761cb7868be192172e8e935f07060d691f974ddb88377f3a502c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
| MD5 | a479a7cb261c06243cf59a7cb8de4fee |
| SHA1 | ffeea876fc4530c4504b891288f26abf51207e54 |
| SHA256 | bdc0ee75eee17da32b1916e523c945d90de9343174b4d89f722f749d544a5c32 |
| SHA512 | e459ffe4bc316857a68ef6bf7fa7619124be56faa56152fda602a6378a2ecbf6a2f22a6fa92a3facaf063663fa2ab491089004a2065fd62e5509c5709c353844 |
C:\Users\Admin\AppData\Local\Temp\IUAY.exe
| MD5 | 1824493776e0c88cae7dba72f35133a6 |
| SHA1 | 69b1c0ab689a5f4198fb017997f453213c01327d |
| SHA256 | dc2bbddd480a3cdcb71b7a364ffb3019d33c99d131b9a6341af437273e1d40fd |
| SHA512 | 75385aef33ce6840f85f5912d632567f548b5d0312228e6b0e599748e1bc7be0150e5760b4b4aaf562e211724085d6b22e1bf3fabc5800654017fc88d2be7ec4 |
C:\Users\Admin\AppData\Local\Temp\MkAw.exe
| MD5 | ffab948a0075e208128c3338fcc820ff |
| SHA1 | c59aca6be132d010599edaf85718175eefd5faec |
| SHA256 | 76916b2e87c91567bc0881b0654bedad1d7a1bff5eb640bcc7659f2010e14a98 |
| SHA512 | bf8a2170b4169e3cf134624d7651f1666ee2c6bd7c5b8b30a741ba34dd491974f17526fffd4940fc6ed993aee3558bfc425ad1cd48c215a33f3a0f7c91a4ece5 |
C:\Users\Admin\AppData\Local\Temp\GUYA.exe
| MD5 | f4d1d3bb3a133c94aa0e6d64b7500103 |
| SHA1 | ab455a072f47b6d817a444ba765fb750f72282ea |
| SHA256 | cf4fdfd534421a546fa70f77b0fc22395b92295da25b0ce5c171d2a9093991f4 |
| SHA512 | 0f32a9d8e73f857a2d3e1bae5f3865016d0e44e4fe49ccbade579194d85be7f8f959512df2c74c6830e67404a0a46149fe57caf86f41484d14e8671ef3290525 |
C:\Users\Admin\AppData\Local\Temp\zUMq.exe
| MD5 | 0e4941442c71d8a68d375f96bb9eb93a |
| SHA1 | 641eab3dbce97cba63719c2926d35f1b057c21b3 |
| SHA256 | 6724ae567891f179473546246f14ea146206aa65a80ea32601f4405344c19320 |
| SHA512 | d9f85d485958c4ecbcddec24c1f526a1d7897a4c2aef7cc3ae7195f0c715412739274bf17845c87b14f5bed4dacfefbe67a8aac1f24b4c4cf50b57fd059b7819 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
| MD5 | f632314afe7983564943216f0561bcba |
| SHA1 | 227e692e38b52ae0c9e9c6915fe4460521d9509f |
| SHA256 | fbc7a0db9f9a023ea86528a39bc0249a4856e1370b74959d604ae51590cb3c2b |
| SHA512 | 6f3a11cf4f31a6e4bcdd5cdabecbe2bb795e6d0bc20c83af13a0062f77de299f4afe83f74109a3ddddf8c02ef219ebbdbcd7f8ede6d8f84bbdc4face1b814e86 |
C:\Users\Admin\AppData\Local\Temp\GcUi.exe
| MD5 | 3d8fb8aa15c05e6bd4f2a8de8a79450c |
| SHA1 | a0f31c1422a22111c584fe2a8cdd2e54d861b8a3 |
| SHA256 | 09303e5b1d96ff83f033f1b55e67b78467c58803c7f81fb654c09a7b61ced017 |
| SHA512 | 14337147343d4a739a661d592eb3de3c387444a34e9dda0e2942ef13b9a16330628814fc860f39d3fc92a6b067709e75461379fd8858f7eeff7b5ba9062a8855 |
C:\Users\Admin\AppData\Local\Temp\QEkq.exe
| MD5 | a248ebc65664ccd78e1b61efa715c84e |
| SHA1 | a1aac75b456dc6749e98f02db8e2461e1cbd24f2 |
| SHA256 | 83d47ecb16db7cd6bf2d6e2a866018ad4b811b32585ce6152bf8b918a0f2d335 |
| SHA512 | efb66b119a40cdbeae065417157df68352e2ba2d5f062a5d3917aacdd015e7a13f8fbce1a14001bf0c58926cdc4728a1ca347a01e3b5028de74b95e41ef36316 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe
| MD5 | a3d5c94be270c6b7c8a08a9e8cbda93a |
| SHA1 | 24189af7980d8956cdfe8cf081c7e3de634fcc0c |
| SHA256 | 42a53c1d66aa3452d31ced87518c876e1a79b4e980f95ebb7b0ead3e1617a51a |
| SHA512 | 989794e53f4d3f62cd197ad0d814b3890c0e7577b0b80095ac77f15fa3aa344f531bd8f48164c67a895138eb8e828d5f544e6b7a6702aa2dfe1b11211186533d |
C:\Users\Admin\AppData\Local\Temp\DMok.exe
| MD5 | 5cf232125e7c6f950f839f52616bbac6 |
| SHA1 | b122d15f934a510e757e98ff6071d943e7de998f |
| SHA256 | 008351ca523bbd73bab9f9d54abe462776a720ab93fc45f1272b8afe318a542d |
| SHA512 | 1e7095a8f59b1e4d6fd353fa1baa5b8cf7b35d5817506d893ef37d0ec5ac23ab00622e9fc18136ef87762773780d5e1593f87c8c181c8523074bf1d219910d20 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.73.6_0\128.png.exe
| MD5 | 7a6131d14a9c6cbda8cc4775b356c655 |
| SHA1 | edc024fdf18dd0303e91fc2b9fb63d8683225d2b |
| SHA256 | 80a16ef98de629b32ac857bfeae14c52db04333a4ae9965ed7527ab616bb87b9 |
| SHA512 | efd5e881982230a30b8f26e4639091de96a1ee990a29440578b0bf8be52bb36be48529adb62d1df6579d3927d6e001952155cd01545d090f0a05e56ad3642e1f |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
| MD5 | 6757fa2f0539d3ce6e99eecb3ceb7457 |
| SHA1 | af831a0129fd5b2f0bba2a67f32ddf1b26006097 |
| SHA256 | b2ffc4208685cf77ca2d50ace62123620831107c4099e3de6e157255e0afdecf |
| SHA512 | fe9f9da62e32b687f674f555fa92d65387cf80777f2093faee020123c97061be0b7c98beaa9273499bd98e1613df8cb944ed97f58caf147e96d3a03151732179 |
C:\Users\Admin\AppData\Local\Temp\IooK.exe
| MD5 | 965a25b90045d999b41efd9c94d86f18 |
| SHA1 | f06469f336cacb3dd10da12e4e426677869defd2 |
| SHA256 | 348c3dbfc432349bfa80f821cc8cc6ba2eb8b949edca5bd323989a6f974a74d9 |
| SHA512 | c33819c9855c5984184d33f023863d134ca22723199c89e30327b950c0bb2bf4633c93eacccce8e83a2a41d2876a7d56c352a9651dc34cb05004a9ed6b14c7d0 |
C:\Users\Admin\AppData\Local\Temp\UoEG.exe
| MD5 | 32bb2bd5d9d295549d5feb18cb7be859 |
| SHA1 | d7800d18fd2843f7f0409ff15d8266a537dc4f09 |
| SHA256 | 682635a78816780f3614699508ab28fcbea7db8e21750f719d05fc55fcdc5bda |
| SHA512 | cbbbe78d760282b250a16f8327982788408a7deaadca29fa5f2fbf00451d475abd25d89bd651d51d67a8cb8bab18deb963adfede41995a0a4e8e314aace3a0ea |
C:\Users\Admin\AppData\Local\Temp\xUks.exe
| MD5 | 23d9a46b6e23148a115f8eb789553f50 |
| SHA1 | 857c631604996a1a7a3c157641ce4dded11eeff6 |
| SHA256 | 4fc53123bdf524b44dd37df1cb66e43109428a791187ab3534c3722a2662a460 |
| SHA512 | 814da65492e019e6bfe7466541687f1badedac5d6851a9bf4674a776ac24941c43b10f59a39db60fd3d4093b5fe18c192952a1532729bcaf92ef6c1d96d94cd2 |
C:\Users\Admin\AppData\Local\Temp\MsoG.exe
| MD5 | d35c121353db9b26489c800f453ac2cc |
| SHA1 | 0104978b2041ee49a5ddc15614adb5685dc6f2c5 |
| SHA256 | b6c3a90c9b7007b503c3e83cf675b48ddcacda5ee4dfb73851776c297643446c |
| SHA512 | b64b12c863a0f57a6627231145e0524876003ddfdedb2bea3fa16ff21a6b9af7891eb09abb62b92d048e56528275e0b3a1762ff65820111b1fed7f983b9f31f9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe
| MD5 | 6947f6a805254271c2f1a090a45126a0 |
| SHA1 | 209e2b135a2d5e476467168c59f5f5edd1805963 |
| SHA256 | 5fab7a0565bda75b49ec8558f47407c0882fe1d307cd7d1d50a1dfa9f49f37f9 |
| SHA512 | 13c6dc2481572b5d82b116366436600f3588b4d7021a816f7493ccc1f426a3a2b4618ae44b137e9f2ec04d7ba4b66f7ce029c798f55012b3c46af112db2ecea4 |
C:\Users\Admin\AppData\Local\Temp\WAYK.exe
| MD5 | 38389d04cd4eddd1d35218f7018f9ef9 |
| SHA1 | e11867156073483ea49153bf8f9e5c53f8c25dd2 |
| SHA256 | 1b6ceff4f85c492c477ea52aff654555e156e9fab84ca589bf6583be50de430c |
| SHA512 | f84df6b19214d5ec5ce866aee052964d66733dd93933fb8c6ec8fbc2af00c12d4e54383b78032806fbe3d78e1d4f73558843f6c29d87f507e4ed2dc009964452 |
C:\Users\Admin\AppData\Local\Temp\MwoS.exe
| MD5 | d5a6c58e417568743f6fcad148c33ffa |
| SHA1 | ede57fb0b30502f0ae1670b6089f1b3212e11322 |
| SHA256 | c25ae99e843842f94c87dde1d791fa30c268f233724d8a1c97efbcb3159ecdb0 |
| SHA512 | 7631242fe295ef2e2faf708aa7fee942e04a49dbf265eee91cafb94ed20d993238e4f306dd31f748fa2bc16afb95ce2e25d9e35c671be508c77be10a2d3598a8 |
C:\Users\Admin\AppData\Local\Temp\fogA.exe
| MD5 | 2e0e668b7bf4077eed301a2739c4edc4 |
| SHA1 | f90a335594743f2c4d45e9510b5b3b914de47e2b |
| SHA256 | eb5101bd078a4c9916a5f2de9b9fbde6cd277f1d21922e453854fc79e7f3aafe |
| SHA512 | aff1408b9c4f24e5965d3ed7f8a6eedb0fbf713927b9566a845418f880c2e918fedd19d1f98a487b62308cf8688ff444d68cfb1b3533ac3058fab5169838bd8e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | 60bbf84f4a480e04d8c9f97c4ebf9309 |
| SHA1 | 74ba150f5093c29011d59eae79f85bc03e3096c9 |
| SHA256 | 3c2894195b990e0ade235960a529c84e1e111a2116addc527ef1dc9047581d9c |
| SHA512 | a5cc9bdb9131a47d989f8fe84de4e620b8127529188dad81bf6da25cb73c12cc4938ce14a2a84ed7bdee23a28abb4cb8acc57ec5525d50ee8adacfa2bffd675a |
C:\Users\Admin\AppData\Local\Temp\mwUC.exe
| MD5 | 03e05492caf2226eda4475fbbf26e173 |
| SHA1 | e8fe3c6dd8c806f6da50f63e916e06f11c0a61df |
| SHA256 | 4518698a52b9732d0f6a52a5c3ded820a5fbf9930a18cda2e142bb643a63b43f |
| SHA512 | 7b401fd176f0cf124d4921983e90646285356c6dd3b8caa36ef072034488a592996ea6714f501000dbd090037ff0bba217d3488f556bddb732d91a1280887229 |
C:\Users\Admin\AppData\Local\Temp\IUwm.exe
| MD5 | 1e50ef1bcb2e7abe7e8822fce2b4563d |
| SHA1 | 9f3fd687bc36ef6834b31ce7db573b9d1b3e80aa |
| SHA256 | f13e6d933d1e77e422cbf66fea98abce17add42e97f7813853fa0eec0fbfeb2c |
| SHA512 | e0b238eec4c08039af45de27af2d09b0215fec93c8b58cd0a4f628c42935009eeeaf1fcffcd92b5795689089df78e372f115fc1f8c03071762c139db3ea475ef |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe
| MD5 | bffcd4d3fc1e2779e89f20536e529b8a |
| SHA1 | 67737b98559edfe689e895feae025908e05fe3a3 |
| SHA256 | 5af0cb2798210478e568c0828d53c97e1545a91b470ddddf38f5dd83c1c3e39a |
| SHA512 | 1362fd3760f06d265b2f2f19ce2d1ce9d16c7567c9828d413e112d3ffc1ebb1e4f881523cee7db303d3c7f40644ff5c01a4f5cb6d136e1132246449260885fdd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe
| MD5 | 5b60c14d7a94e5a806571b45c34ec74c |
| SHA1 | df6f2bb9efcbcdb4c41105e1d423eacfc2139b5c |
| SHA256 | 0850fb1418338eade201263891091b4758a071bf0b88cd56839aa7696559e8f8 |
| SHA512 | 4c77113ad9fcc6bc27fb236d06923cd7931163a9db2bc7526ace80b09b9269f453853da904ecb071de60e512ba2142c3b0936caa6553bf0f658cf2821115c4e8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
| MD5 | 146d1dca6b6c2fdcff7bb82ad0d9d780 |
| SHA1 | 21f4bfc0fee83767d10abae1a30c329e558fbe47 |
| SHA256 | 41be42dfd7f0764cf9f2669013f2849d06aa65ae0e89a7929be33abaec55d53e |
| SHA512 | 37941f40201fddc66ed4d506e5255492527ad442d6777a966cf9d60327f9eb43ba27378744e652be491276538c5e82ec359be81c687b9c49076a368004d40b79 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | 43d312a2bfae97280c3e8caf5e291a16 |
| SHA1 | 871baf8b2abe8f3ad7969d503a9ffe68960ebcc5 |
| SHA256 | 14740a77c165d921673f15d0a12f8a90aba3de43a3d2236e8f311bcdc514ce83 |
| SHA512 | 59f7bedd035302a8e270050d885c0c9d85d34e14d25172c7dbe508f7c08a95befb6410431eaff53e26338401df4fc7254ba151f601f2b42ccac5b667c94638eb |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe
| MD5 | 92dcdde9b538abbfc0ab9249c903ce11 |
| SHA1 | 705cea2bb940c509a0a8b1a52ffbe7b3eb858031 |
| SHA256 | 1129f6dd35cc53245f750e236beca15aa3d7f8f38a03806e6f43e4ee72ca1cb6 |
| SHA512 | 9b0ead280860cfd42f76c673ec8c0b6cf0e71c8361bbdce61f485d33663747d5a4e9cff05633bfaec878588fed422ae39529bf8dd5c58d96bad0afdd5a4f7950 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
| MD5 | 4723f250eaa5378c10cbbbc4dd32c9c2 |
| SHA1 | 7eca84eba1278bdc4156de2bb1410b130bae1991 |
| SHA256 | 933c05476bd1718e57872e4d2d18d6b4468cc5a695c48a8452f15ecf62a70c93 |
| SHA512 | 08a587d695ef9ef4f9d6225f0fa2f5fc818e30e4a433f0f75c3f916d7386d493c535af8477d5c1b9bc49976e0b7b71881931251e2c3bf3b2b4cddde38a27dda4 |
C:\Users\Admin\AppData\Local\Temp\fAAi.exe
| MD5 | 4d97a0d51d04e6b7ac062823aa2fac4e |
| SHA1 | e1b6d9bc4f0b2a30e950272ad903e2ca6b0b4b3a |
| SHA256 | e19d9c1d18ae3cb3a1efa48da28263af2f252e0ea378d340ba7e027b2aefdf5d |
| SHA512 | 02161d4d8018d91d47a960974fae480d8b4bf8e8bfd2106a812ec5b264e27955c83a3236948b9cf60de177f93599b63d51d0738a11a1d029f5b4a2a54f3af9db |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
| MD5 | 8af2cf4c294d38d00ec0e0cb0dbca59c |
| SHA1 | 85bc7518bd5c099fe4520077fd751e6008a0bcad |
| SHA256 | 7d2d2d26ad97218dc9569c3ba1cba78ab03132816f862bd98e3e68ebd225a423 |
| SHA512 | a363fd19c34f65b8e1cbeb90d1d01ea7bdca924d885e08b11f0ca8d12569fc6e0df0a4a06cfe4fd93bb93a21df3ddd2d6a626f03a497846e7e208d4d0e906c84 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | 8e1f4b2d55954bde2fd2d9308e910586 |
| SHA1 | 8fb784e78c82656434fd217d08014cb4604882d7 |
| SHA256 | 60b9a77a9e1c23d40270a5bcdde2a4a1a498fe21613de44c5d113aa97cc3fdcf |
| SHA512 | 6217469f9233f6207045ebfe326d26aeec0c3a28d5497e769628a3c047d2c654f62ca848de53324f964cdab567898039076dcc3ab6e56e02b206747c8f9f1778 |
C:\Users\Admin\AppData\Local\Temp\koow.exe
| MD5 | d6520ff25d1eab6b0a705dc979cee288 |
| SHA1 | d218cae2ffaf4f36b08333b298ff8e2285a963a2 |
| SHA256 | d48e1e4ea45ff0ba1252b5745b745ec036853b15de71e25cb68b9e733db048d5 |
| SHA512 | 5e56553d435c53f7c7550b53fb9057ab41698ce79820d97c77c7812a0e32f5a923ec62dd057e9cea3f9b3b2992b6d0c1b20cdeaaeb032e68ffa61fe5a9d5732d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
| MD5 | 26bad2e3885bd8835e5699ceb799c861 |
| SHA1 | adb589011f616ad1806fd2a12f5912ca8a7fb533 |
| SHA256 | 90638168ba0652a7888e0ae59978bae9cd2fbf7e1a525abe6badcfc6707fde2c |
| SHA512 | 01072a3376bb432dac9e36812b63315787f120cdaf7647b15d99c314874df95cfb9c9ec848c90a5cfc374ef57dff7b4e1fb1b1267b9a4f05d892349eb4d0648e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | 2451f3f9595d601599c10b5002027f52 |
| SHA1 | 5c297cd094c35ac19d406f54d8aa52b2d8af683b |
| SHA256 | b2efa65022118d4c0a168f2fe212826114bf757be87354ae4d33d8a153a2e19f |
| SHA512 | 8bc9d9c8a6e8d564fad799add7cf025490c498b1570ee5637110743fdf12ecd29a6c64089f5f81bbcace639906594a750483daed99a59bc50037d28c384f9569 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | b2f4d8fcf875518de9b49eff8940d326 |
| SHA1 | 60c3c82f6742188b683c840aa65a271abdfb001b |
| SHA256 | fb04f8b8433bb1c2c0799fecc65d6e46cdabd27ff23277c3c4fd4902b1edb48e |
| SHA512 | a5b8ecae76531b273f56447a51aa5b7dab7a99af751347fbaf73ac40076fb32844ac281a04b190db92bcf72f7b05c41051001bba597ef9770ac3949efdba07fa |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe
| MD5 | 19a1c2a7d9a9a782fa0f06ebf89d1cb3 |
| SHA1 | 4f7b1a8b39eb79828c792f8492162a752df0d78e |
| SHA256 | b3de916fbae68e5aa2606150e732c129fe927a59767148b1615bfc2294c81d37 |
| SHA512 | 0beb1cd02b179cb7f20081acc7a227c5f1fd6cc242e28fe2704f9a2950b8d65d68e5d1975fe37034d5dd44a91b6f8050ab1d587bcf1595937b5198d80366e153 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
| MD5 | 1e41a8ab42526918f6cd066a697c44c0 |
| SHA1 | 1ea438abae0f2d2e66e05b3652fca6034fe994ed |
| SHA256 | 39ba951de06c57197d3625798b2b47bfebaf9e3119c170087c88b855b684e782 |
| SHA512 | cd98e41066dadbf461b67b82104b061e37ab39915d890e0dfdd418c602d23df380d174449e8d26a66b2e739fd84f3c04052db1ecabd3b7eeae20fc6c03217e46 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
| MD5 | 1a788d46c1238354159a895dc174f5c8 |
| SHA1 | be377c75cd6629f2cf0c8681d6648de726b6e6df |
| SHA256 | dadc6a02c2c7bb141f4baa376666c42accfbd97391fe62634571aef096b2843b |
| SHA512 | 1008edecbc222296b4381228836fd07b2e7961b77612cb8aece8a7426a69f62182b4e14a4a8453bc5db4b62b88c1d6c125bf797587dc4654bc3de3b8457d0076 |
C:\Users\Admin\AppData\Local\Temp\AcoW.exe
| MD5 | 383bc6f77f128d82cdd2c08950b8ac4c |
| SHA1 | 152eadd59426326f30c5edd34eab1d5ef07ec08d |
| SHA256 | 1ce1e391b62d3944df172752588a453f454b968eef23e4045818602782bb1648 |
| SHA512 | b1b85bad6df6bafec8aa420ee9a8b2da5d1c7befef5b42a896b88a409d9d213ce220306a2f4d10b595dfb17f6e8e018bba7831f56e483261e8760e973bf3bbf1 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe
| MD5 | 47a5d7a4171c15441fcd7d40b5bcc496 |
| SHA1 | 87747171883e4f3978479fb053c57a7dd074ad3e |
| SHA256 | 55003527634479d3206bf6b2de33b74e41991cb45bc6b30d6960bd47c979d0d2 |
| SHA512 | 7571ffdfd660776d54ca2e32fdae4290831c7ae0a28eaefadfb23074712e36441275b0cd9fa74eda0279b327d54071f7f651fedb70be65b410b726df2b9860e9 |
C:\Users\Admin\AppData\Local\Temp\YEca.exe
| MD5 | 4ce1f94a14baee12586a946282ee9608 |
| SHA1 | 24be342e0e68e263b633d291868111d477803fb8 |
| SHA256 | 32db0328785f38de07a0579a602435af2a6481b44f7463c3f3d185c46d4543ba |
| SHA512 | 9a3ec5927ee50ac5a87646aed2bc1248b333bd0c573eed5e8186bfcd2d7ed52a75cbd263931a4a17c0df99cb5cdb9717a843adfe67d9fc363b336a29004a87d4 |
C:\Users\Admin\AppData\Roaming\UnlockWatch.doc.exe
| MD5 | 6bda564f5fc51e5848f6862364aeeaea |
| SHA1 | 24b3a9f57f106e24f2788d7b310052dc68d82476 |
| SHA256 | eea2fc8084d1c79ed08b5e8f538323c76aa5c1939e7ea10934d59db039d87c3e |
| SHA512 | 2739a4736a92754ebe4d713af1d68941182fb820a8b3545a45e64dfd0d1c92729efd462a693bce89ac7811ffe3bd3aa01dd095c4edb9cff4a744df115e1aab61 |
C:\Users\Admin\AppData\Local\Temp\AooE.exe
| MD5 | 26a0272e689b885e3304db408c9d668c |
| SHA1 | 142019242c414d49c93755c4397ff16dc1c6c6cc |
| SHA256 | 2bde2cdb6100ea0fd1a631bb4095512411686c049ee0a5d6ac30799f183e438d |
| SHA512 | 192e179b99c3431b18a07fbd5d2fc83e6b939493081f854606fcf6bec70ec0b27f6b3e91e4771adbe21d3c51c68596faeb0776a86b6465c20940c47e6a61297e |
C:\Users\Admin\AppData\Local\Temp\UQgu.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\wAQM.exe
| MD5 | 5e30b5fa73ebace16ae4a361ba2aee1c |
| SHA1 | b51437950d433a2e3748810bec5739ba0ab3379e |
| SHA256 | b0a4e642a40771d33ccdda5002c51a3f31a5ccc5e2448ba02a357cc8cf7daf47 |
| SHA512 | 4a05da3583f888d7f4119f3b614d0ece8fa3f1a51b92503d30cbf74c214de115807851e67d2c96fc27f0f0bdd3dea86233327f8d51c9ca3b61c08685b7968295 |
C:\Users\Admin\AppData\Local\Temp\zAQC.exe
| MD5 | 35b917733dc1e8e3cc6ac527e565cdac |
| SHA1 | 747ea8919ac00447561fd193ea7a62f4d08c4f2b |
| SHA256 | ee4acac9d8b3c5a20cef97ad4a833f574f13600cd58d346d9a11f1586917e0e7 |
| SHA512 | 00c0c7f22a3eefcd4cf5acd00f38e1701fdc151a6cab9e5db7767caad8355944f23131649ab615ff05100f8b9c3aa57b64da33ef35d79e25d1f8e2b81cf1d4fa |
C:\Users\Admin\Music\ImportResize.png.exe
| MD5 | eb434b1a9bca09f399844647fb8dad71 |
| SHA1 | b3ef2e344a256f8502d7e585cea0bf0eeceafcb1 |
| SHA256 | 486aaafe8c3909b01cbf70e9a0f76ab7aa2d6103a16cf763b87ad294f183eed1 |
| SHA512 | 3452ede8077fa708d11d44559564c83589632e3ebb6c480da7b3ca63773c2a1c3e233f262898894e8193199c69742c891d3dc76b7cf3a3d93e747b49998a7898 |
C:\Users\Admin\AppData\Local\Temp\uoQI.exe
| MD5 | 18d1e12f4c5f4aa6dfa868a03d742726 |
| SHA1 | 14ce11fbb971dc1c9fa92387fe6e5e0c715da78c |
| SHA256 | 1a155bd067ca2ee7b340e11fa51d66734322aae16c8b853760ecec21d503bba4 |
| SHA512 | ffb37e899a10e0c4da00a8fab05e3f4e065767979675fd6df18f5534ba267f0989eec15772c3196d1fadb59297e9403c2d302edec1e75f5f96229d5b8cb4d5f6 |
C:\Users\Admin\AppData\Local\Temp\cUYI.exe
| MD5 | 6792a42ad156a56ebec3d94bff99c467 |
| SHA1 | 0caf5ba5c543659986a8a7a82391979f936c17aa |
| SHA256 | aa8028564ba5b217cdb694f822c183e261ebc570594c574f6cfb57000f89e4be |
| SHA512 | 8d86b277aaa4329e345282ea1fcca151e6e93fc1a1e42b8a32339d69a36666d7f82def2fcd50d10f9a7a1cc525ccd10e3d9d09a4a55d21903d0a687871799fd9 |
C:\Users\Admin\AppData\Local\Temp\LUcI.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\xksw.exe
| MD5 | 1e99cde2b552a42742bfc27c026d507c |
| SHA1 | 972a45cf4147884a77940f9b52021ac03eb48146 |
| SHA256 | df22cd6bd514911e6f5b7a55078692153420872c36f91fc8008e0189e2cebb6c |
| SHA512 | 64195317bdd6f74a64eeb3ccb3731debd03a040780ef3eab75bd286e15ae72efddb2f785c8d734ac820a815cd38c10065da1c5aa13109084866e35e9f21202eb |
C:\Users\Admin\AppData\Local\Temp\ooQS.exe
| MD5 | 8317a50d38d49aea26135b442e960c55 |
| SHA1 | 9f968c260946d6ee31666495cb06bd02b2f7b920 |
| SHA256 | 61bad755f061b95f0f3bec0a79a9ad9f98731d1f87a09f7742a4978e7c8d501f |
| SHA512 | 4e4fba5232e478b91208b90bde1563f06a2a4b03e309afb81f4a395bf3ab5083cdb96606ea860a9ae718c73da98d89e864d2cb005b0a565e28712a067c4bf5b1 |
C:\Users\Admin\Pictures\ConnectDebug.gif.exe
| MD5 | b96c5d10edb007c1b57e044e16be9e16 |
| SHA1 | a1d617b848fc3bbe0ca2824c0e3c13a1c272f1e9 |
| SHA256 | 546791998b0877428c23bdb9009f658c7e4a8bbac1732b8dfa20fd3c1ff728de |
| SHA512 | d93cc9af3ecf2d6852ec5f880c88accfe57d203c9074334a00c5d8ab143abeae67734a697466abbd700663e84067cfc5132bb68f8bce5eeba0ef11d39377362d |
C:\Users\Admin\Pictures\ConvertFromWait.jpg.exe
| MD5 | a853d83fd46e2db6de13cebf54ec452e |
| SHA1 | f8c8be6c24f5955575627433f319feecbb271075 |
| SHA256 | acefd3522060c23309ffda1622dd5b6e70c97a55f9e77b5acdc7eb1d73f6fc7b |
| SHA512 | 16a524417ba6c65fce7e4017bbf0d4e04a73f86a7c553cf6726191dd6466bf4b8530f412bb047db880cac0e6d915d70e0d6369e490b2bf8084061230fa93682e |
C:\Users\Admin\AppData\Local\Temp\vUIS.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\Pictures\DenySubmit.jpg.exe
| MD5 | 8b4c928543602c1f986601c3e97772e1 |
| SHA1 | 087e02c812985bfbd8f268f45ddaea6ef892cdde |
| SHA256 | 53eafb6e9c70ccfa4e4e18c640e9334026c74e84a3904e0dfbb40511826a4eab |
| SHA512 | 6b50470cf0e01728b498e12b028a50f5b63bb8defbeebfb051542e94dd66b52599078d557fc40e78a107634907c3efe3021015ef3bf249a6c2720d2c307befd3 |
C:\Users\Admin\Pictures\DisableUnlock.png.exe
| MD5 | dbb744b9efa4e071a81395fc1ea96ae8 |
| SHA1 | 8be21d27801e3389577e3077db016ce5330f698d |
| SHA256 | 30a00798807b578a0ced5b28b1e98204c7710872b9b82b04b9e0a8c74ac5177b |
| SHA512 | 78592a60314b275f27d6b987b87ded31115c93e38713bd2f00d0919b52207feab67f987cdbac68ea485054ba376cc93cb86ae144d4fe42d78d2a226c3c40ccd5 |
C:\Users\Admin\AppData\Local\Temp\VcUO.exe
| MD5 | fd2ce97cc80fea7cf7391d1c41366da8 |
| SHA1 | bac12c10521d24c40f34011e3fc410f723267365 |
| SHA256 | 11cfd3b39753cff36bf647a45d570a0b0eaa7679b87b9a12382eb075688f0c4d |
| SHA512 | f7cffbf6c413c51f7592e4e7e0deef912b46a7958e82711c40135f121db68ea8aaed5a305061a4e781f76c44e4f983d1c73dc4a517c73d5c3a1a66405d2a8344 |
C:\Users\Admin\AppData\Local\Temp\eEQA.exe
| MD5 | 7d3f9b2d49acbfe10ba2f76facec7d8a |
| SHA1 | bf0bf7fec2c13ec017b325357f9ad1f48bc85f13 |
| SHA256 | aa4a7ae3e4e88e0469f26225700a0257fedcef43ebe0fd8ea113c785bea8117c |
| SHA512 | b5e073aa34044afe1c97c9ac240649f6cbd769688d688ac15c0b276e26a2a30ad29dc77b68370f41a5f952b86f985ff4fa8cfed1756322acf89eca93228ce191 |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | a22b28b3d00c68ce5a2882cbc18b5e22 |
| SHA1 | a7cac59d625147abaf397af78209dfed2ce05139 |
| SHA256 | 9df5327062ba49e654641e61bfa460c24abc4c14bad15c0325794faee95c6fbe |
| SHA512 | ecb463f5fcc26e090d268315ee6e17c6aa572f5d9547b7b0ee42ba4173f056e04769ed173c22154e9c760385833cc74e6c543b9105908ee1d41beb79cdc9dfe6 |
C:\Users\Admin\AppData\Local\Temp\OoMQ.exe
| MD5 | 6b777306d515b984ef2419f1e17098e9 |
| SHA1 | ed5f12403ae08c0eabe0f7378a98c91865f2dccf |
| SHA256 | aa9992d89786646335a390ebf3a658572825c328439315df435cc74eaf59eec2 |
| SHA512 | cdf8386f28d2908dbecdd050441eed621e3477367a9e0869469c070e2f8b0c3deabc4adc146721ef15b424b7f8a0db8f7816ddaed01facbe8051b363cd58f3c2 |
C:\Users\Admin\AppData\Local\Temp\ekQQ.exe
| MD5 | 14074f1b1d7aea8a19925e598c39da0b |
| SHA1 | 779d65b4cf5f5e6f33af4895c7969e5d935117cd |
| SHA256 | 43572b5033fc5a4d0fd2599b7d90f3bb13ed80cc3553a6687c63de63081fa252 |
| SHA512 | 6021f1ccc4a97001f4525932ffd1fd8a2eeed03a692c610c347971f834b122b76497966faff3404660cbd97f27c4440c2a651ee0080c70243421269a2204f1a5 |
C:\Users\Admin\Pictures\SearchRead.gif.exe
| MD5 | 990c9b45155467fbe47b4389afdbf764 |
| SHA1 | c7a8c5413801ed9f0a0d606b4e099df20e9eac36 |
| SHA256 | cbbb2f7bc0a2d879c7617869957237da0516a617d1cca7d83c922ebdb1776994 |
| SHA512 | ea8762e1ab8ba4339d507daf37069e52cb6a182fda5fbe4dce78ed2a68c4f21d5f7083ba52b29bcdc82d137ac7c9aee4d69c2b4ded92173c1e7b44866b8c0e08 |
C:\Users\Admin\Pictures\UnregisterGrant.bmp.exe
| MD5 | eb7afa93f07bd9059afb936a87cc99d4 |
| SHA1 | ea87a15425359f9c55abcfcb43bb352509850b93 |
| SHA256 | d7ab2d6f30116f81299c089daa8e411515987133cd0ab14ee3af432ac5764877 |
| SHA512 | 9d561b22bbce7a902ddbab4bf65ef5330d4c1d0551d4824524fc1d7bc6a7700d6c04186bc75847492affaa4010135aeb466ee86596c1925b0bfa0b94bea7df4f |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 421e0957e57f41ece00be3b218f7d67a |
| SHA1 | 76d7d4e1d707163c79f915964d7a9312609b4dc3 |
| SHA256 | e1811555236540fd17b84ffc6a61beb53fcb44c49d314f52d2f3bc34893d92b6 |
| SHA512 | b86df142c5437dcee087ee3edc7f0790a3d93e317efe66b838db6d1359aed50a8ff853fb7e0846e4a91b08e9e98f9b02ca7149c5067a6bb302c91c19172ac927 |
C:\Users\Admin\AppData\Local\Temp\fcIi.exe
| MD5 | 2869002c856db189b6c4146df224ffa5 |
| SHA1 | 5b811560bacf8ff90bcdeb6416df29b4d57397e8 |
| SHA256 | 4a9265c05e0052c8a8dd7c85ddc7de5f6f0a321c21e07e0ef9bc48ccac0e4de2 |
| SHA512 | 7e161f78e6b771e3a1b55a300a14ddfc9cb013ee1914381612620c4b3877f9edac1ce491042920745e9995841d9a78ae31097d47af64900ca12cc3b63605b541 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | c8d2357aa0d924a1ac32e80b91dc8913 |
| SHA1 | 3552d2c55b9ac8c311452abbf14b5e22c6e8350d |
| SHA256 | a8a37c6796a2b305d21707b8c950ddaf229fd8d304d4b73c45b20bc405088ca4 |
| SHA512 | ea13ab190e499ec4a2dbc7bb1cd84f73e0ca59ca0ddcea5ea9fb67e4f9ce7d884d19154a865a2899dfd9f27c830f02256191bbee28e25a2f7630855d786e8d0d |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 823b989fa3aaa83dccd031fb9ba0bfee |
| SHA1 | 08dae482ef1269056b477fb08e7db69203a5553d |
| SHA256 | ca6c79402ab1afd7ae1f9588cb904c533f994d59c932d2c76c8465cc57109eb3 |
| SHA512 | da3791d715aa39a3c11b7fc9cffe7e42465b699e1a9216a2c5938abebd5d8b7261c2340a007294f2dd820b9472f64c2c3fb1cf556d5691d6b179faed27581798 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | f4ce1b192c630d06b6ac48974066d285 |
| SHA1 | 9e5f322e4db39973c00cc09fde413f4de74f83bd |
| SHA256 | 1f5cad478d7d9ae2d4b4ffbf1590c600953fae579ab66822316df2247867e9ca |
| SHA512 | 6e67786c613a30e4619a1f7df5956b1b2e3cc3aead1fda2b576ad7535ec3e736595d0b9109d18f2c496338a4f3425015154d56e602a091e26d2c9545e6aa35c9 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 54a6d18a64982c4fb4a62f490feb96ff |
| SHA1 | 963de4739ed03b5ca415b8b52bd006dbebaee84f |
| SHA256 | 1318fe05a1764840e3aeb300885ffb68a49a92cae20dfc6cf56628a36697e32e |
| SHA512 | fc2b18f8d3463492fe750a425d64c4b2c6a7e5b865e74611b54be6c5c2c05e18503b95aacb772a0dae31fb8d540905ddf8765adfee12c2e85099c28759330fc6 |
memory/400-2160-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4968-2165-0x0000000000400000-0x0000000000433000-memory.dmp
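The dropped-file list above shows the pattern that matters for triage: user data files (png, jpg, gif, bmp under Pictures, Music and ProgramData) reappear with an appended `.exe`, random four-letter `.exe` and `.ico` files land in `%TEMP%`, and every one of those binaries carries a different hash. Hashes taken from one detonation therefore do not identify the next infection; what transfers is the double-extension naming and the drop locations. The script below is an added example, not part of the sandbox report: it parses the report's path-plus-table layout, classifies each path, recovers the original file name, and checks whether the SHA256 set is fully unique (a polymorphic sample). The `SAMPLE` text is a constructed excerpt of five entries copied from the rows above (MD5 and SHA256 only); the `DATA_EXTS` list and the class names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: five entries copied from the dropped-files table above,
# keeping only the MD5 and SHA256 rows so the excerpt stays short.
SAMPLE = r"""C:\Users\Admin\Music\ImportResize.png.exe
| MD5 | eb434b1a9bca09f399844647fb8dad71 |
| SHA256 | 486aaafe8c3909b01cbf70e9a0f76ab7aa2d6103a16cf763b87ad294f183eed1 |
C:\Users\Admin\AppData\Local\Temp\uoQI.exe
| MD5 | 18d1e12f4c5f4aa6dfa868a03d742726 |
| SHA256 | 1a155bd067ca2ee7b340e11fa51d66734322aae16c8b853760ecec21d503bba4 |
C:\Users\Admin\AppData\Local\Temp\LUcI.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | a22b28b3d00c68ce5a2882cbc18b5e22 |
| SHA256 | 9df5327062ba49e654641e61bfa460c24abc4c14bad15c0325794faee95c6fbe |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 54a6d18a64982c4fb4a62f490feb96ff |
| SHA256 | 1318fe05a1764840e3aeb300885ffb68a49a92cae20dfc6cf56628a36697e32e |
"""

# One "| ALGO | hexdigest |" row of the report's hash table.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption: data extensions the infector appends ".exe" to. bmp/gif/jpg/png
# all occur in the report; the rest are added for generality.
DATA_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "doc", "docx", "xls", "xlsx", "pdf", "txt", "zip"}


def parse_dropped_files(text):
    """Parse the report layout (a bare path line followed by hash rows) into
    a list of {"path": ..., "hashes": {ALGO: digest}} dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not entries:
                raise ValueError("hash row before any path: %r" % line)
            algo, digest = m.group(1), m.group(2)
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("bad %s length in %r" % (algo, line))
            entries[-1]["hashes"][algo] = digest
        elif line.startswith("|"):
            raise ValueError("unrecognized table row: %r" % line)
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def classify(path):
    """Label a dropped path: 'infected_data' for <name>.<dataext>.exe,
    'dropper' for an .exe under %TEMP%, 'icon' for .ico, else 'other'."""
    name = path.rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DATA_EXTS:
        return "infected_data"
    if parts[-1] == "exe" and "\\appdata\\local\\temp\\" in path.lower():
        return "dropper"
    if parts[-1] == "ico":
        return "icon"
    return "other"


def original_name(path):
    """Recover the victim file name by stripping the appended '.exe'."""
    if classify(path) == "infected_data":
        return path[:-4]
    return path


def summarize(entries):
    """Count paths per class and test whether every SHA256 is unique, which is
    what a polymorphic infector like this one produces."""
    counts = Counter(classify(e["path"]) for e in entries)
    sha256s = [e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]]
    return {
        "total": len(entries),
        "by_class": dict(counts),
        "unique_sha256": len(set(sha256s)),
        "polymorphic": len(sha256s) > 1 and len(set(sha256s)) == len(sha256s),
    }


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE)
    for e in parsed:
        print(classify(e["path"]).ljust(14), original_name(e["path"]))
    print(summarize(parsed))
```

When `polymorphic` comes back true, hash-based blocking is the wrong response; a hunt query for `*.png.exe`, `*.jpg.exe` and similar double extensions under user profiles and ProgramData, plus the `%TEMP%` four-letter droppers, is what carries over to other hosts.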