Analysis Overview
SHA256
4b55af0b4dc465f8602b815562f7ee3373eae6a4d8e840ffa3f3d5ebdc4cd57e
Threat Level: Known bad
The file 2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
UAC bypass
Modifies visibility of file extensions in Explorer
UPX dump on OEP (original entry point)
Renames multiple (79) files with added filename extension
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 11:43
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 11:43
Reported
2024-04-03 11:45
Platform
win7-20240319-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe | N/A |
| N/A | N/A | C:\ProgramData\PUQYsUkI\HEUcgocU.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HEUcgocU.exe = "C:\\ProgramData\\PUQYsUkI\\HEUcgocU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOcgoIsc.exe = "C:\\Users\\Admin\\DwsAIoEY\\FOcgoIsc.exe" | C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HEUcgocU.exe = "C:\\ProgramData\\PUQYsUkI\\HEUcgocU.exe" | C:\ProgramData\PUQYsUkI\HEUcgocU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\FOcgoIsc.exe = "C:\\Users\\Admin\\DwsAIoEY\\FOcgoIsc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"
C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe
"C:\Users\Admin\DwsAIoEY\FOcgoIsc.exe"
C:\ProgramData\PUQYsUkI\HEUcgocU.exe
"C:\ProgramData\PUQYsUkI\HEUcgocU.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LygcoMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiQYsMsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AKccEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqYwgEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcooIMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAwsAkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYwooUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCAAkscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIUwMUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "982850551-1827256527112714102010765497062138409825-5708321972042977718-1310193349"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "441101911478081259-29561069310184093726748213791151448767-189414610-1838979945"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\awsYMYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIsEIAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\voYgsUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9141638251590510877-821547750-277112308110244313-21229965771338270719-59857456"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgUEAgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWwAkMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zaksEMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-973284350-1534019470-1988482592-1544381736-628988146-174432968-892173183-1718717969"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwUoAQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKsUAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWMoQAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1802118083219702957-936120935-213967804187176673-13120927531485651783-409857673"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEEYoAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1594602574-353697237-639790933775659775-310925637428090589751567773-34327730"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2081620197-771711776-66441832264710862-861499497288064118223982566-667011280"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BkIQAMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16896658471878398578-1836774310-3640799251381214071-1787217035-621779195-1044988160"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqEYMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XigosAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1373528465259611938-1422519294-1290185850-19803406911276053801326036395128217709"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JqkYgIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-114343638639602639151107758111727894114114942551809542772-2045296689567549758"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CykcocYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1483779509-316889710-16798809931116543430-477302492-19268786401823287862-1194580955"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAIkgQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MYcIsoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77843880-137659196410093953700957858-3517319941975153527564949191-892220546"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "54851559684780836958705960711636898998459166251361559997784100-954313868"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgAwcYEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYkQgQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6755134391642288799-203784352916581445811488755972247795611298189981-79061929"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RUYwggkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1847051280-1254068126532777440-11356325241616440922-1767996685973643952-656466159"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcEQswcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1761807378-314854632-1409216962-1278326401-1490617865-21106238775254620431087808284"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6396849607729030427823173521280598380-8082698-1562326869-874550357-413868744"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQMUMQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-132549135237973828119999735341362685158-379308992-1981470077-1152985969689577608"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5545184481039618886-691236102-11081809231714124851251528114305519207-706460608"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1758931716-7734768951649651493-1536769599-750504892-838233980-841277534-1008990125"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmAIgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 216.58.208.110:80 | google.com | tcp |
| NL | 216.58.208.110:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2188-0-0x0000000000400000-0x000000000043B000-memory.dmp
\Users\Admin\DwsAIoEY\FOcgoIsc.exe
| MD5 | 71031b8ca96717ca03820f38bcf1ceee |
| SHA1 | 0f8b7c28f91c36b460f77909376eef813e66b56f |
| SHA256 | 61e608041f94799a9fe75ba90b0cc7e8bb6b2628abe4545dc81ea43431598706 |
| SHA512 | 76afd3ece4a01673b2aadbbfd59499cdfdb3a70a4c694868acac79c2726d76e133cbf79389f54b8642f0f8501d99f6d4125d327463a56a8389bcd60d04d88fc5 |
memory/2188-13-0x0000000000470000-0x00000000004A3000-memory.dmp
C:\ProgramData\PUQYsUkI\HEUcgocU.exe
| MD5 | 6ef6a14cb76e048301e66cdb950d3aec |
| SHA1 | 6c875145040dae00e5fa0726c2474bf5fbeb7e96 |
| SHA256 | 09463eb8a2bcd7ed89a64b6d2b07e55c563eeedfeb2425e79de50f93e938c44d |
| SHA512 | 0e41fb1f024a25faef374d7ce25fd487f03af03820b7fcbba0ea045eb837ead7a37c8c1e0154e79707f7d5e912a28720844a145b41db4f17fd39339cd9e06f00 |
C:\Users\Admin\AppData\Local\Temp\kKAUowQM.bat
| MD5 | 20ccb81aace2e03f8c0817faa3502922 |
| SHA1 | 020ae06d3acbf32e7ba0f94e5948b7edf27d416b |
| SHA256 | 114295aedd736d14e56c1c080511ec12cb624e9aa16cc3b33b1b3261907f9c31 |
| SHA512 | b76a8014dcb60f71fa11b525cdcf02b659f4826adb897c18e3b9b83f6c8f9593c17742c192b0bb843b2c2ab374c0110b28119d2995edc3621b49fe813c31d226 |
memory/2188-5-0x0000000000470000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PIwgwsUA.bat
| MD5 | 44543943725680630b543d75807e951c |
| SHA1 | bab86f2d45e412950d298b034e6d84f79fd63a42 |
| SHA256 | b8972823bcaf099ee57937cf27a789cccb5ba30f3a44a45240aae34bab06a4bd |
| SHA512 | a409af7e26390ca1b5e2cd857f4cddd866bd82d9176506309df8e20ce0320a2dd1fc160d32efd7bf7f1bc1dab0c76903dcb4ca00e6783a49ee4af3133d5647b8 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
| MD5 | 5f6870e505406f5a8e8fa594b6d5bafb |
| SHA1 | 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb |
| SHA256 | f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a |
| SHA512 | b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf |
C:\Users\Admin\AppData\Local\Temp\LygcoMQI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2644-56-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ookEsIQA.bat
| MD5 | 3306169adaaab1d3443bf6b7d1c7dd94 |
| SHA1 | 4288ca23908e1814fc35c74ec6d4e1227a803084 |
| SHA256 | eed4a08dc17134bed369869458e04ed211191507ba4f3a3db572b9ef712928a3 |
| SHA512 | 2635bd997d3c9001956e64f3f2ace0c4d634dfa5997e1212527da4722e9fc8c4c996285f818cb760ad4c52d6c6b4af4768c40d9d3b3ebfebf622eb66e1b4f905 |
memory/2188-57-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2916-80-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\oMssUgMQ.bat
| MD5 | 6451da4fab235d458bf10b7bad70b195 |
| SHA1 | f8ce0f0c35406a5c67197dd2077707289eb7e204 |
| SHA256 | fc71d4cffcfa51e292cd214c2fd555e0701ab73e3b37e0ce7e432c1e8b7c5967 |
| SHA512 | f4f957fa5c4ccc17de25f95ba406a8c823703aa788ba41a15542c810ecc327df459d7559b535790c70cd7cb8011a41080c86ea66d7ad255dd7e98f18e8bbe420 |
memory/1696-101-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2720-103-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1744-106-0x0000000000160000-0x000000000019B000-memory.dmp
memory/1172-107-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CUQYEsoo.bat
| MD5 | 0cba06d4a449cc0ba3366875c4295d90 |
| SHA1 | 22921e60042d9d3a91722f8935b32a5ab7494cc5 |
| SHA256 | 572df41561f10ebb22a51a485acc2998ae36c29c7c1a5c4a163fa7e4cf0d97ef |
| SHA512 | 1ab3bb9cd0dc84dbc17033dd53ac500b85425d84caeb901dcada9aae0ab65b39867702830a0766da9812546fe56cf7f51ac8c71e73019ad8131dbecc95af8a6c |
memory/1172-129-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1764-130-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2236-128-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2236-120-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UoYEoQII.bat
| MD5 | d4a3af41765f1128c8cde32a837f782d |
| SHA1 | 8091c6995956830ad7c8fe8426acd84fb12fc54b |
| SHA256 | 5515a435994b38cae912da50be16e7556776dc0ad511e10716f3ccbfa069abaf |
| SHA512 | 3417b85b6540d8af37eb70dbd6d06406d814c9934f0eca44bcd83b80f07c2fb98c393d1bd76e54591d60be0f29e581ca0d555c1ec8a34fca932aebd1b846ffb3 |
memory/2808-155-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1764-154-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1528-146-0x0000000000220000-0x000000000025B000-memory.dmp
memory/1528-145-0x0000000000220000-0x000000000025B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GYcgIUkc.bat
| MD5 | 316b27572cfa0cedca74172fcfd6f58f |
| SHA1 | 3fe103be271845fd0c4280ad69233a322f20cbdd |
| SHA256 | a4ac1c48140966ab218908176881a6aea14c2e485b31bc201fe1d97140d31e1f |
| SHA512 | ab9bff9dcb0bd701d77559711ad6bd4dd63ead07151ee4882f067ce6e09723a257440d730b9d55e8534c2fbfc9e7a8ace9285a62ec66fd69ba255b5a0bd34623 |
memory/2636-175-0x0000000000160000-0x000000000019B000-memory.dmp
memory/2808-177-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2396-178-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GkUgYcEE.bat
| MD5 | 8d63983e70480b56b7baac132edbd3bb |
| SHA1 | 94fd0607381b4d4b85ae105a3c924953c64f46a7 |
| SHA256 | 776e64bd72dc01b96556a2341c9099847150e3ab38973a96d5233c0db78d53f6 |
| SHA512 | 673d1646bfa16638dbfef1005f5f09696013ea1263b0278b65e767c116799ac2bf815a6cd2e7f7d73f555f73bebcd8d2d09836dd92965525b19aafc007fef524 |
memory/2396-199-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2384-201-0x00000000001C0000-0x00000000001FB000-memory.dmp
memory/2364-202-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WcYMoUsw.bat
| MD5 | 4af4a48a582a5d45baab08e78da189b0 |
| SHA1 | 6024ba94c718611a7f1aa0eff1b38ec6a149588a |
| SHA256 | 627725c323b3f350e10dc4d54937ab46c9d9e653047bfd262e8cc064789e2faf |
| SHA512 | 4849e1068db4bb277cb0c1025695eaef7e8e9ffbef053b1534d809281996e4616231dbc1ba77d89267a50ffc4578b74150a7a20fb03105f0daec19061c620acb |
memory/2624-216-0x0000000000750000-0x000000000078B000-memory.dmp
memory/2592-226-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2364-225-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MAgAQwMA.bat
| MD5 | 220836c588988350a160d46e7149ad8a |
| SHA1 | ef6d8ecbe4dde21e2a3009a7b6b7991e5791aebd |
| SHA256 | cd2aeb19a3925e5fefffa93b63bc6a4df16fa27cb5922519776f28bcbecdf2a4 |
| SHA512 | 74ad3a133b1f98f74a44ecdae0e0756f1d98ac56acbfefcbabda0a1ed1dcb01c9414b133e3385151382c66fc29cf3b43eb36e59719d692afe549885a52b9d3e2 |
memory/328-247-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2780-246-0x0000000000260000-0x000000000029B000-memory.dmp
memory/2592-245-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GWcMMIYc.bat
| MD5 | 6557665cdeefd6a9beb1b23c0608a7f9 |
| SHA1 | c77907e2ca34e4e3620a691d45bdc251f6fcbe5d |
| SHA256 | 9a25e8615ede38c37b1fc9953e55db6f2d251438761f47abda6c5728076f9e9d |
| SHA512 | cfb84ef0cc2b42300a5de4487c19a4e4637dcaf38e66619ccaec3b6056993d1d31fce695c046f4b719a73a30aae39c2ecfb20309eab1b19400aa995fcc67e94d |
memory/1748-260-0x0000000000160000-0x000000000019B000-memory.dmp
memory/328-271-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2420-262-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LUwEcNUA.bat
| MD5 | da792c8448c8315a4dee30d9b7562ac4 |
| SHA1 | 78d073f1eca4319b424fb354948b0d32194ff7e5 |
| SHA256 | 699dbf611be2145a7475e056d7c7d336e12242b9e0d50c492049df443db5871a |
| SHA512 | 56d9d59633305e01ebef8fc2926b709078480dca5ab4a20e747f4b18cc2584211043c15fd3d51d225de1effc905d4cdf8a3e3ebf9d7a12da98c1077fd0ffa652 |
memory/2420-294-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1764-285-0x00000000001B0000-0x00000000001EB000-memory.dmp
memory/1472-296-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1764-295-0x00000000001B0000-0x00000000001EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KUcMAswU.bat
| MD5 | fe60cf8c7db65a50451c54e9d42a8ba9 |
| SHA1 | 629787865498602b802aa4f61a4285cfb398a568 |
| SHA256 | e77e87216b2028a5b47b46ca9d9a188e74fefe43ed6a687df789d51423e4a206 |
| SHA512 | 92f51de496a139512fb5036bfab0c197090f91a2970a34680a0b7eb44fec7be68a99876db0f8c875c7192543bfb30b30f7dde293a89ddd730a3e024724ec899b |
memory/1604-311-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1472-319-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1604-310-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2188-320-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dAkkUsgg.bat
| MD5 | 1d673b544d201412592f47e1fe88fe26 |
| SHA1 | 7b15ce28c228cabcbe124bc0955d46f9bf7a1fa2 |
| SHA256 | acdb4819bdef9a99268e753dea8499216f07c0bb31a7818918adf743769a257c |
| SHA512 | 451a13142dd68a816c4bf02958785afecd02aebcc2f5d0ace9e05265d4c34878fc040a3bdfa42cb832992481ef6d8b92a2453c17e341368692dac8f0389fe200 |
memory/1640-334-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2672-333-0x0000000000170000-0x00000000001AB000-memory.dmp
memory/2188-343-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ikwAcsIQ.bat
| MD5 | f6b6ac0662d0805be08069e91a3a5fdc |
| SHA1 | 1a45275de047c5530a60f98fbe60214f755c1046 |
| SHA256 | 809608445e9dc05b26958216606c721200cf8f280af1f3d44694cdb439f13912 |
| SHA512 | 31740832436ef4242037d0eb3d461b11e5fde16f5672b26e05a7823b46cf7097e9cbe0048944dec8dbfa0f547e0694150f24e7eee93f40b8bb591d711467b66c |
memory/1804-368-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2440-364-0x00000000001E0000-0x000000000021B000-memory.dmp
memory/1640-366-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YGgkQokM.bat
| MD5 | f1fc603276035da692f2a124133fe1e9 |
| SHA1 | acb1b932092c3b27362fc8e60baf0ee98b929730 |
| SHA256 | d5ef1e893621da1e998ba791ee7c1cb76b9fc5844fb0f27f90c53e3f895d0103 |
| SHA512 | 35ef91b900b73856ffa66e8f06b082750390f899547f9e0031515c2b6acd483696f3d7cae49ede3ddae1a89c57478068edd197b193eea18f14023a582bb71de2 |
memory/2792-389-0x00000000002E0000-0x000000000031B000-memory.dmp
memory/1804-390-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2792-391-0x00000000002E0000-0x000000000031B000-memory.dmp
memory/3060-392-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QuEUwMwY.bat
| MD5 | d50b689a54d1ebfa4b2dd328ac1659aa |
| SHA1 | f7c2b10538555605cefc87d993625b2af283fc22 |
| SHA256 | 74dc8d6df937113cc9fa6267fd7034150054454f5d1f04250118a8596a99d9be |
| SHA512 | b8304df6c81a899889b5868e12047f6d0e5785bf88809975983f7d7e23e1d42331ab928f97af5337c4de360b135982924e7bef4e9d1f3af9c6a49bdbc16ff50e |
memory/3060-413-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2092-415-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1744-414-0x0000000000160000-0x000000000019B000-memory.dmp
memory/1744-405-0x0000000000160000-0x000000000019B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoEYAYQk.bat
| MD5 | b9dcdb2ad4c1eb6a43accf03c31ba435 |
| SHA1 | 2c6b0470ace051791c562e0adcbbc33ca933d79b |
| SHA256 | 4039bf326e2ca455933a05314c066daedf0679872df75e3e14bc298e07d329b7 |
| SHA512 | 3e1ee52a3d8ca410903b24318efa05f8ca43dc833e03318d8c08e69c8078ae48370ca6b02e9b02be497d42d800429174ca449f15905b04efacdf7dd602ad12f0 |
C:\ProgramData\PUQYsUkI\HEUcgocU.inf
| MD5 | e54e29644d0609bff2e754de4e96583f |
| SHA1 | f4856254dd6901df4b52c0d5424fd94019b2c7bb |
| SHA256 | 2a60f6d9fc8c4d6a6c3e3c7159b61cfffe6821d7df4f060756296cc6c9e8edda |
| SHA512 | 00f2022f64476ef294bab5f1dffc73710fdfd16cdf4245253ca33389b802819ab41f4e39c672aa4e4b40ef729f1d26ad0c09e0bd647cebb8fc6f5cb2858d8de6 |
memory/2828-427-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2092-437-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\DwsAIoEY\FOcgoIsc.inf
| MD5 | 7d62b510ef400c8f593e0b2115e748c4 |
| SHA1 | 102a791b1809407a7e12dbc6aee782147e63ffa1 |
| SHA256 | e2732cb8425f19b3ff67f9bb069bf7d5409eb00f4d2692a89f3339d252a4bdea |
| SHA512 | ec2dc1834525a41306438f52d49d16b05ef04712c98e511353bf94023a781ba142a76de05ea4121973a2a25df81fa30e5a476081ac9bbd5b953688b6eae3a87e |
memory/1664-443-0x0000000001F00000-0x0000000001F22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WeoMcock.bat
| MD5 | 97562ffaefaaa15dedf3b040a9e634c7 |
| SHA1 | 07600eba8d6a0cbb7d4e986f30be6130b05f174f |
| SHA256 | 35d49520415899e7f1aaa5fa53cf62bd710e032bb6b73924b6e5909e4304be09 |
| SHA512 | 52d130d6dbee493bb28c30eb5f45b8657a88a1bae02e84b87dca868a54794500f8381d66a35bf7610d53583404dcc83f55ee2232be33de209f6be43ce5dd5a15 |
memory/2736-464-0x00000000001A0000-0x00000000001DB000-memory.dmp
memory/2736-465-0x00000000001A0000-0x00000000001DB000-memory.dmp
memory/2828-463-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2300-466-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qaAsAwkk.bat
| MD5 | 327acced86335a06e3dcd674d3174139 |
| SHA1 | 60b73b4dc55eab373c12ca23de3896a6c653f6d2 |
| SHA256 | 0967f6eebe79184684b2f1143baa9882ab9c29d7eae269aac8ad2c79ced92ad5 |
| SHA512 | a4b7cbdffc6b3cb4b35a8dffca050a467a1aa9b6ad3d29cd13d3b328404f78a57240dc46d090613a36ca8762b189bca4767ea922c1783d74ea29fe4416a0a58d |
memory/2300-487-0x0000000000400000-0x000000000043B000-memory.dmp
memory/320-488-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PaQUIwko.bat
| MD5 | b89dae8f25330eb7c65958be7fc13016 |
| SHA1 | 7e0a3ffbe24dd94a8ac44fd0a388845760aeab4f |
| SHA256 | 8817db1abbf193110f949ac2796ccb47fe681c991d2d086ccdfe56d37fe8bc03 |
| SHA512 | 936d42e8fe20a2b2a86fa7436673a1281a27ed6c6b5b0bc47d1b6668d8162f3dbcbf3782d89f39cac2b044aa446b5dfe816cb6ff6831d16c70374adadbb69a20 |
memory/320-509-0x0000000000400000-0x000000000043B000-memory.dmp
memory/816-510-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2408-500-0x0000000000260000-0x000000000029B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\imYQkkIQ.bat
| MD5 | 331e4867eeec971c667dcc6a0c3c7ee9 |
| SHA1 | 280f396b04004ca27ec8ced105cebd634a816dfe |
| SHA256 | 6686e32f39939f190fc57fe881f5df5b0c994fe73b841d56644246cbe9bd8af1 |
| SHA512 | 81e5badbc83c3b2cb273b2d18ef97e1670774666576a4df1d6e0bb9d6ec76f1a42505f7928e8cfcf4b49df1f84a025486bf53951e94c848b853615d24d9984f0 |
memory/2844-522-0x00000000005C0000-0x00000000005FB000-memory.dmp
memory/816-531-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vEksUsAI.bat
| MD5 | 8590e8894261e25567c811154c920ff7 |
| SHA1 | b49c1bb12a9cbb859d9ca568f4b39d1f02534c5c |
| SHA256 | b000f79547015fd882334122016f0e75ce55ae1f31da927ec7bc4b40cff51067 |
| SHA512 | 7fd312aed04ff510e2610099d1293b7d160a6ec6b2c9596a485e5b228094be69d4f1bba1d751fb4c9b7af8fa1969b76b2bd384dfed25fe53caf51ca0d6697a81 |
memory/2020-541-0x00000000002E0000-0x000000000031B000-memory.dmp
memory/1076-543-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2120-551-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gkEEgAEc.bat
| MD5 | 20ab3a373730e597f47d0ef53380d565 |
| SHA1 | 0764d6a6fe9bfec0a94cb7c6541639727a14a096 |
| SHA256 | 07ff46b9c0318461178c8e92deb41b255677bf3cca2d772e3d286f82bb11702a |
| SHA512 | 2c9dd7d755a01ba99a4e40ba35c8c15dc618db7e5291af741e9aa63900f4f757cf7ba57d9acf767cec9a090df33da1fcc030d4803fb690d1e188fc9c4e15fb26 |
memory/996-561-0x0000000000270000-0x00000000002AB000-memory.dmp
memory/1076-571-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2452-563-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CggUsscg.bat
| MD5 | 0a78dfa8e79e16312b00beab7ef2f390 |
| SHA1 | 2121d199e6dea7b7ba5a99dfd5579a97dafa9201 |
| SHA256 | fbe69bb672141b733d8d78db6509accde81258585aa2f74a7dca69d02457ef73 |
| SHA512 | 0ff2758ec7a03c27a6ed988a47f5de5536a4e4db830633fe7288a0df2f3012d28ed32ef34cb2fc3788b4dcdf1fb25d950a8a57346802edb1fa2affc250195958 |
memory/2556-591-0x0000000000160000-0x000000000019B000-memory.dmp
memory/2808-592-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2452-590-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EWYkAssk.bat
| MD5 | c396e88a0ea4fcae0932fb29ac170cd5 |
| SHA1 | a279932ced35ca37d8e0f7d2367940ea5bb73c3a |
| SHA256 | e7e07096804d57fd96a01bdb40522f296b5d767559f3cc00dd1d30141114194b |
| SHA512 | e4409dc9da036898e54f01ac37c5a2ef3be245964d47adbf11729f87f6a68f51c113da238af8cc608d63ce2b13da99ba59dea5341095d13aa766b81cc4eac14f |
C:\Users\Admin\AppData\Local\Temp\fwYe.exe
| MD5 | da22fd8a3b48dca52f268dcef6f1cb3b |
| SHA1 | 11a6070428f77a1d6593047adfbf8f0e238082c3 |
| SHA256 | 81eb656a0ca7eaf773083c547f69877398f0dc65c8b394c0b214be252f3d55c4 |
| SHA512 | 5accfe6d764c57a209a441bc51511fb73a5c53e4f6017727bb213b64636f7baf03fa1d020b8ebcaa9921ec57b1ed983a3d79e66fc9d390bd330558e478d9c3f6 |
memory/2808-625-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1740-627-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1072-628-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1740-626-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KSAUsAgM.bat
| MD5 | bd5b4fb7dbc4ab6a30c6232da3d1a388 |
| SHA1 | 9c7d77fc4cec947b41c3e5d95daf22e49078586e |
| SHA256 | 6140c3585fc5f392aecfefc11d9b525abd99ae50bf32d97b49ae7b1bd4be675c |
| SHA512 | 16bceb7796536df6df92ed6a51030e03f07962d5cd721760fcdc0403b67e06a2ffbf47ef42dc6dfec4bb265306779127b9047ea024d0d5e80060413eb0b7146e |
memory/2080-638-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1072-647-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NcooIEoE.bat
| MD5 | f6510691a4a865ab657d8e20d5d78400 |
| SHA1 | 1315385cd0ad42607aee5dbded2a03a781a75975 |
| SHA256 | dfd378a4d802c0da8af32756533d93ead78b10c3ba518a033e1b3ccfc5e6e730 |
| SHA512 | 409e0965647cf75a20c801779a8a1e62e561d8c64035c0a942d8e107f400ae9205efb858d371a935e9f3a6bbf17592269a070df6df3d7995e182bf09a96ff084 |
memory/2352-657-0x0000000000320000-0x000000000035B000-memory.dmp
memory/2080-667-0x0000000000400000-0x000000000043B000-memory.dmp
memory/576-658-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LWMUUYck.bat
| MD5 | 7484d9d53f69453ff95b29869494b042 |
| SHA1 | d008d1101fb67c3bf8f1229cb4045012b76734e1 |
| SHA256 | 2af01d1ba643884217deb9b7f09d3e9d719bec850ddede39f2f9dd10c2e53606 |
| SHA512 | 8730ecc456c15cef4ac057230e7fe3569fb0a52e377383183f38f81defe64759b3be3118608be182d95f8af3e2edf8d0a8dd637481d33f54beb7b0c3dd32c1d4 |
memory/1680-688-0x0000000000400000-0x000000000043B000-memory.dmp
memory/576-687-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1632-689-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oacMUEAQ.bat
| MD5 | c53a51e5a5d24867d71367b1e662765d |
| SHA1 | db21ceb7a437e2ffae4205f1c7cdea63a86354a7 |
| SHA256 | 8317f3525aae4c0cd5113fb079e282c3db3a7ea5c996b8cfa1a9c9f75eccf730 |
| SHA512 | bb25882727ad8bbfffc0e7aeaab91e9abe75751d994a308a84c5521a3b2fbe03d3f983d9f9f28f2cdc045b2a820ddf0389975e48a262b80d3c6d122ea4208e90 |
memory/1632-708-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2948-700-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wyccMgMI.bat
| MD5 | 46761cc80f04cffe806932307a8f8891 |
| SHA1 | 4baeaffcf287236c561b5b718413e21fdee73c77 |
| SHA256 | f70c090ca252e1a87c8473b377619828a471316042819c1da623c7000115028b |
| SHA512 | dd65047af0ebeb3d3ee15762917d425a2730df5595183b9efcc580162d9ef97ae69f72c7f7989562288031107181e0234a2bdcd1c30dbe791d7825ed4a0cf13e |
memory/2492-718-0x0000000000260000-0x000000000029B000-memory.dmp
memory/2948-728-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1192-720-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WEEcQooQ.bat
| MD5 | 703dabf4d683baacca2cdb5dbe688f91 |
| SHA1 | 5b8d1efa6fe9b93e9d5ad2983b5707547df50dab |
| SHA256 | 51cb2fff1c6b481848b2f485bb9b86b8ce44b9967a47844559f602c8aeed87c3 |
| SHA512 | 8b6d822889aa10980be903238127aa6677b2af51ebea77c5d8101e0dddfa9190dbeda6e19a90ab8b4f80d65535e04a47cee9d9ed70376e9b746bb1f592b32478 |
memory/1192-746-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qQIi.exe
| MD5 | 171e5b7936f87ea534ecf605c542dae0 |
| SHA1 | 1352e972e350d66d87902ca35d9a80680967c443 |
| SHA256 | f96ccc9817c7fba58d892b759146a411339979c76f042472a99226a481a373ba |
| SHA512 | d00575fc4d0ea597d9bd6a1e98bc21e6a1a77f5cc855c7249d0c47b5408598d4b2f88a6591cf0dacf5db59bdfc7bc44fac7ead0ae533a1809b1b31f7fa49a6ff |
C:\Users\Admin\AppData\Local\Temp\rsEI.exe
| MD5 | 0d408d8e76043065d96ec260f239ef57 |
| SHA1 | b72884caff7be3cd702527efa6baaf4d8aeea6d4 |
| SHA256 | a01792fea12638f8e4e0ab696ff76efab74285f3b7cd2221aecf838d2a4d2f93 |
| SHA512 | c37c30ed8815e6ed199e3dc99e14a4d19c586362319763c6821c614f235db3ccaa6745c2eaa2ae0149ca01b39880712d30923c5b634c38177d255564b71dcba9 |
C:\Users\Admin\AppData\Local\Temp\pIIg.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\GIYw.exe
| MD5 | aa169e9dab75062b8ec17286526d9122 |
| SHA1 | 6cdc8ecb480a708bcda180dd84a4daa1f83f6b0b |
| SHA256 | e7c46ce598149b790ee5d1a7f8fe7fc9f61fc33a9909b9c3a333e1c74205d54c |
| SHA512 | 5b6655d227dc72a2a52a982d7558a6cd2ec7dfd560d29da3add261056697ad113e33034d1b743cb9b5907182c108c9a1d8448f06138d20ea39c6b976e878c344 |
C:\Users\Admin\AppData\Local\Temp\QEsW.exe
| MD5 | fb7ab3b6c358dcdf75edcc9914b7c525 |
| SHA1 | e7c63c764350a33bbb4c524ca539c51c4c128877 |
| SHA256 | fece08b2a3d7d9d7ea09838f0538a9c8388a9527d0974c505cf2b3b53b4fe1c7 |
| SHA512 | b9df02caa9657dfe2a018c577485b993124605fa5d672bbf7ab94867db12b28d569aa10cd090048667472eb64d5d0b9a97ffa264a7488dccc04343e5b6939a84 |
C:\Users\Admin\AppData\Local\Temp\vQQK.exe
| MD5 | cb36c1bcb344931d2e58e1b2821030e9 |
| SHA1 | 802eafd1dcc1436eb197653d1efb6d6dbaf3f295 |
| SHA256 | 7dcfc8c19eea990d6bf93ac4d6002a8ee44b1708fd30156323f25c69a70cb925 |
| SHA512 | ff28c5ca9f18a750f3d636430e0b464a174c5c91251193a8d16705c73cde70275524011a90b54d1469b50a5002b48788f33b72d5da2a180fb3bf3f6e4712df0a |
C:\Users\Admin\AppData\Local\Temp\jsUw.exe
| MD5 | d0a29ccd3665ee95168ea08e6ef4575e |
| SHA1 | 2a1e9b076f94779be2bb8430dbd02b0aeba6c83e |
| SHA256 | 9a1b7727d9ea7d1d586447388ee824c0b58efb6cb64cbc515351a11c60aad4f2 |
| SHA512 | eebe089da6322e506c598c359cd211ac3643e9a551eb4bccb28d78382138a61326f8a8c709312b6e0649c564ec3381ce0dc98d553eb6ea13108000ef1c5c6944 |
C:\Users\Admin\AppData\Local\Temp\wYwg.exe
| MD5 | dded33c6d3373803d3d2f51ca0e8a202 |
| SHA1 | 042a79535ed584a515ece85c7ee2b87d7cfe2378 |
| SHA256 | 700a1bf5047e1396d6e40dd4fdecff7e3bcb89c28248069bab9142d24e25a147 |
| SHA512 | f2495531e5821eef8b14fd546b1318fb36b379b2c9594ab64f68e56addefc4719c586beb3e94914c5833c3481ee67faa77a072b81cea0ca7150a4fd109393ff2 |
C:\Users\Admin\AppData\Local\Temp\gQMC.exe
| MD5 | 71a3d85023dfa25e2d4f24e7a8617fc4 |
| SHA1 | 5c8e25c940faa415aa719438a18ff850e4fc91d3 |
| SHA256 | 532c25e537ebedaa31e7b605137da47e2a3fcee0416786b4aafc5b200a480353 |
| SHA512 | d4ec139a4ce12c381268c6456b29bd5bbdfda29a13dc993f50a101e98104a72fc49568cb9adfaca3bdd06d2dd96313a4d0bb70226c4c786d26aee9e988f12952 |
C:\Users\Admin\AppData\Local\Temp\SccY.exe
| MD5 | b5e1afee24697696b8742f1acb1aee31 |
| SHA1 | d0cab8849a5e8589103261f18b349165b41bc7cf |
| SHA256 | 4dcb117522dd1224115d083abcc22e06387647361c3fb0d075c40213335d0da5 |
| SHA512 | 92a557785b023047311633a3b48e3e0c83c06dbaaba50548e9919be6492a0efe051c6e12ba9675fc47d8c55c80946dc1280caf2035ca58a239b2c59ca39db83e |
C:\Users\Admin\AppData\Local\Temp\SQIC.exe
| MD5 | 81a9a55a47f98e5c439112c68614006b |
| SHA1 | 12672d9e5b47fd4cabb84ff798ce9daf4f818220 |
| SHA256 | faad5a06b0474684d1c4991a8eaa3b9529358c248c07cf722f84fb33de18b8d6 |
| SHA512 | 11c8d1af496e3b69aeab88636af7cef3dfe2b1e5087bb1c967d3ce60320fff4c7b9701854f13d59cdf88a8d4d0f27566fe3f565fd848f34e13bd90e475abc67d |
C:\Users\Admin\AppData\Local\Temp\AIkw.exe
| MD5 | 102213453f0f7de4a69628ece63768a6 |
| SHA1 | 8b37c47388ee133da6a2125d6d774bec3f5081f8 |
| SHA256 | eac81ad6350e087f75df86c3439b4edb180e01231d76a6234a4c81e12384d08c |
| SHA512 | a706a2c662a1fbea22af537396d606d6629a0776c9ddc1edd730d47818d78d2ed4084a4a38c963231577fa687f9d7904a1fa088a7dff0b20d708c3b02238543d |
C:\Users\Admin\AppData\Local\Temp\BkwM.exe
| MD5 | 131a2abcef8e84c2d10ddf9bc4f7df08 |
| SHA1 | dde0f9ff669a8b4a752d10a9feb2c15acb397691 |
| SHA256 | 13f84088f449105b6e680a5e0482eff8a00460f7f61003039fc4e847bd9f7916 |
| SHA512 | 0f1a4226c5659ab7b98c3d6f1fc5c20a78b121a72474d52294e4758d6de273561352a804b8c28baae12acd05d80dbd569be63554450cc795784330fc43fc0a52 |
C:\Users\Admin\AppData\Local\Temp\VAAu.exe
| MD5 | a4e027937598373c4fba9a07335d130b |
| SHA1 | a3e1b71e489cb13c4d0d5394bf3386423d5b0516 |
| SHA256 | 007d9f83b42790ad66756bf014f70fd6649c2988c53b2c96072be5b18f2f81c4 |
| SHA512 | 6cd8c39fce443df691ae60a2797de5508817be991025e29103e1e990d9f639777142b020c7d7d8574fbd88c3cc5acd8038521497c39c3391527aba8c98d61e9f |
C:\Users\Admin\AppData\Local\Temp\YooS.exe
| MD5 | 182a19ca711c6ff9e1490142754f5e32 |
| SHA1 | 43b08d60dfa82815475eaa406dd18ed72fd17625 |
| SHA256 | a5035b01612aaad2189b633215300f1894708b2752e29f442f444133ceccefcf |
| SHA512 | 58e0391f17f21bd93612f4548bfeffaa133b0d0e2e11be1f48049b627baef44d93394b9ace9e9f5446608a0b2c3aaf302807b2771feb3969b0adee11afcb3460 |
C:\Users\Admin\AppData\Local\Temp\GooM.exe
| MD5 | 4f1e32c00fd6402372b91034f6e0c0fa |
| SHA1 | fa3461033aac070985203d53ddd333307f1928b8 |
| SHA256 | 778f460cda651b2f4448065ad0e22ddf153ac83fd402cf1894da2778f8472762 |
| SHA512 | 644fa9c7de2994ca1841be11eef7dddebff47ae7c417a3ff74eb491d4521e700b740b1fb368f828d02ff40004c392743d75441feee509d93a5752d26a2752ead |
C:\Users\Admin\AppData\Local\Temp\ZwMm.exe
| MD5 | 38f892e5bcc70a8f2a0ddfdbfa7fc141 |
| SHA1 | 58d8cb19dc3a26af9324c5f87c44f74c1bab173e |
| SHA256 | 56b09633d19a59ca212426025a37d8208ad94cefb2d564498587f19da16975b0 |
| SHA512 | de49e3e4c191e7556a804d81dae6285e76a8a8900a6dd25abfe375eae45b9bfcb7abe97442ab988cbaf67e784a5ca49e6096c478d12331a7669097006defcc68 |
C:\Users\Admin\AppData\Local\Temp\aEQC.exe
| MD5 | 54a64dbb261aebd424f3093f771b5c09 |
| SHA1 | 3965a90ca3508156702ebc495f30f3da20a26797 |
| SHA256 | 051e228e130e4cadde3d15b78311c0535afe9743e44cc6ae54c7318a8900ba14 |
| SHA512 | dcb624d18148a153828e7c64232cabc9224eb719b4dfa64991ef808b1e2602dd6b975ede22e559ae34aa4cf1793bc65e6c6e69b835c10bb3a985abbccc3e0e51 |
C:\Users\Admin\AppData\Local\Temp\VEsS.exe
| MD5 | 5240893b55e71f852a1edfe0dda7c13b |
| SHA1 | e33f0388b2884a429b25d4b5bd16a31bacaf1f73 |
| SHA256 | 3daf917fc7da4304ed331aad7032961c1850229250ced4c904d442a29d7ba4d0 |
| SHA512 | f19ce21fa08fd91bb142c9d14a0ce95148e640e7db4f27f7173ac312019c1deca6d52175aebf0313b3111840586abcfb7714c4bf7203aebd9102f82f7d9148b7 |
C:\Users\Admin\AppData\Local\Temp\GIsU.exe
| MD5 | aca32dd0f8d49c8a32e57584312aeb4b |
| SHA1 | 0b714dc9c7b94e14ceedcdd7dc4f9316a1d3e71f |
| SHA256 | 76dd5b585ebbb6ce4177af1dbbe072bae67828cc456585e1637ddb555e3f8492 |
| SHA512 | 4cdda69f5176554d5a9ecb0531581c422dfe7625c2639a2ec53c1166f9d9ca4eda450e04a55e80ee65b9f7b4ba81f067a1e9901059b35be768ee2d936294f669 |
C:\Users\Admin\AppData\Local\Temp\iggs.exe
| MD5 | 4b56255635a3583ee1695c0b71d0c7bc |
| SHA1 | 750ddde05041f56500d8fce75b3466d57412499a |
| SHA256 | 98a49d509c81083c16ecf21fe5177900e56d3733c4e22657ed388ec8c8cf9ef3 |
| SHA512 | e35d9a147e94068bb0bc9c36d52f285f1be45d456e342b56d1051e094eaf4770e48445219a7c60a57e2c7161b22856a4c4e8f7474a9847bd183b8e5c2048451e |
C:\Users\Admin\AppData\Local\Temp\HkEo.exe
| MD5 | 5c06c793cf16314dab78d8cecf3ebb83 |
| SHA1 | 6ff4c54156e05a54f084e0847d30a4bfa42e17ce |
| SHA256 | 1b72779e4e6f2e72ec24de80823741176d9c107edf26a4b85e1eff3aa6720dcc |
| SHA512 | f506227fc7b9bb4480e9cd18b997413995fd009f2b7131d05981df7861d5b9be66fd992d544cc1326aacfdb5fffad81f1cfe2b9907b1dd36b4e5f1150cd138cc |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
| MD5 | 88bfbdd20128f41f6e44089cf0b9446e |
| SHA1 | abd6b9e269b216f2f278aadd4e341673535bd8ea |
| SHA256 | 8425ab7dc70747bed46c0a5ca9fbb477c8e85734ceb8c33376f99b17189b3475 |
| SHA512 | 184127f37c1043dca5f1809b50536910f312adb1a4a753d4eec5e536964270dcd32b30952d9b55e2a13b5ffdf73c4da844ec1606359b887d8b5debef4fa9732e |
C:\Users\Admin\AppData\Local\Temp\CAkU.exe
| MD5 | 50ed157a559446d3fd1417abcddd3802 |
| SHA1 | 2afe8e465695cd1639d1a2a404a48d2614069189 |
| SHA256 | 71b8951be43973d9839a3e574ceed1f643d4a12dd3b608f7426497f1c08bf781 |
| SHA512 | 7b00eeac6e6daec9795d1fee1da389146b959f3f8b764d52d11c8b5fd2a636ebd3b54ac8e954ad3c30d97664ad92563b54d063e0be4b9bd01c16311ced17ca42 |
C:\Users\Admin\AppData\Local\Temp\wwIu.exe
| MD5 | 620c086326064722f47078c35d52e830 |
| SHA1 | 023644b54464982d30a709ececfd6a90a52c3298 |
| SHA256 | 977d8c7fb534b26b54ae2f8f72566d3a17a45d7ac653def13b3849b9628034cc |
| SHA512 | 07af82c669a431340d1358717ea2acbdde41149ff10f6617e4e9a6adecaadd13873f49b6f1bcdf634d0414e1293ced50d1a3185a12eb4a458d6f5abd8a941bac |
C:\Users\Admin\AppData\Local\Temp\Okgq.exe
| MD5 | 51362e21549212b22e411e737ff18ddb |
| SHA1 | 8e15db7537a9dc2619c982704abd1164917e4c98 |
| SHA256 | cbed7901f06c0c129ca49ee5f26849b5766413756e1b72ed0fdb5fb9528d1135 |
| SHA512 | 3b08af4912d96156ff2d8dfd829e5d4ba457077b5a1386734479205aac58453cdcf9e4799a15cecffa9e94298e28115c818c75114ad0f93cd7658dcaf44595b4 |
C:\Users\Admin\AppData\Local\Temp\RQsS.exe
| MD5 | 7ae9db0c12c76c2f75fb64911b505960 |
| SHA1 | a62e55e5375a2956d0f79ca6e92e07b713c80eda |
| SHA256 | 30b2bf0da9522be1cb58033b98f5ce47afa5fee117371b4d49c7f885b3a2ac95 |
| SHA512 | 33ee5131fcbb2142d07b1f2ee52e21bbd944b3721c5a1d5cd674fad036873873900d06c0edc6868b6742b175b024b769187a3a0f9e12ae26efbd2499b60dd046 |
C:\Users\Admin\AppData\Local\Temp\rEUq.exe
| MD5 | 37981ecc6bf7775fb8f6909e4e064c45 |
| SHA1 | 81731189c4fd22beb489307e94b7f5aedda141a6 |
| SHA256 | b2a9a5b2191a02eff390f1a591a5f275b3d1366793a47783327a4bbc90c1f59e |
| SHA512 | 18f388703dc3632d63968e6b48eff63d92e45ae46f6b555d9e97185dad973b39668132007be218cd59a7b155a4540139fc61590cb9a7457e5322dad6942faa86 |
C:\Users\Admin\AppData\Local\Temp\UkMe.exe
| MD5 | f5b1ff63f81fcef3d093c637be7528d4 |
| SHA1 | 72c31e77dd33c2817bdcdc02cc3110e396917115 |
| SHA256 | e2fc0e3e864e097b576165e06f2010835170107a1d0ec8a40393584eee1f9d71 |
| SHA512 | eeb166c7dd4ff55d6b279bbbb65c29adf13133e80c0a0863e89b424f681ce8d0553abf390a23434f3d125f643b5e094333c20c8644ccaa969e8fd04f50b20d8d |
C:\Users\Admin\AppData\Local\Temp\Lcwm.exe
| MD5 | c43f7a0e562574860fe0a6105a815d9b |
| SHA1 | b41b1b170f19340317cbfedf20e2f4918932517b |
| SHA256 | 3b3a8a70def2efe00e28214cf4e9655ae2b4b188adf01a2bd003d445c546d5ca |
| SHA512 | 9ede0cc8f084f36e56f4cbb654d1ded48e42deef9292fea1696a7a17e5aeb9f80d32bdf3d78c92638ecffbbe67c497ea95e3bd3cce68150dedeaafdfb7cb8adf |
C:\Users\Admin\AppData\Local\Temp\MYUC.exe
| MD5 | 9a35391a8e17b18127616ff33c351a50 |
| SHA1 | ff84df2fb990641391f6cf9294dc071dcbc522a6 |
| SHA256 | 5e5a98518bbbc3a4d930abfb13d511ba0c136a2478abfe2d5221138848cd8bb0 |
| SHA512 | 9e63cd2afa5c94d43da981c32d8ed9fa0874fe08819d42a5fb4a57fc6b79f37ee4a99412b851634b25380af561968e2638a43f38b8d14fec23ea04dd4fc4c607 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | d9a3dda95f55b0e9fcc483680da30367 |
| SHA1 | 015195d69a112fc6adb0f6d64b057a1688205caf |
| SHA256 | 381d81fdde70669b7c134f002003c5e9f8b56277e03f74b55db0f0625119ccf8 |
| SHA512 | 0d41d5127f1237826cfa380744e98ea25ead020357cd3dc82b2c1520ec07fc78f84b9175b4f041800cc596c7e9db3843d69c38f5d3edb7cee512e45d19852f38 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
| MD5 | 6f6b56611a901bc51022e9c3f44a5110 |
| SHA1 | 3b76cd3c8ec875ce1e92e2078da5c61aca492fba |
| SHA256 | 4cc973d85672d9f92568c90bdb495ff80ae91f8964b0f133b68c126d44bb3ef0 |
| SHA512 | e86ea6605fca300453ce866ecbbbe23fb607da1c90d4d1a9a11db0cc70d573209e0add6d983178a4169052ebdd87848183282a0e04998f603bb234c67c1eeb73 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | b808a2046b2ae231d868d84fb1f608b1 |
| SHA1 | 4e6b679acc8f879c565dec2de1cb84c916e64e8e |
| SHA256 | 8c7cea84f47bef438ebafa4e97adb5d3f3fdb5b62a227332d0521cad3ec56844 |
| SHA512 | 8b39643a74d4248d55f6a02340792cf1edda636587d36129bef3a38fa7c4f3904050bd549c3c07507f759c3007ac12f1b867d357e1d1c7a7dbee5330a14df5d4 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe
| MD5 | ac30e39f7d6cfa12b6f04ae869a85431 |
| SHA1 | 0e0e8edbf9e23d13c77f681862aea1daa4e2eacc |
| SHA256 | 7b319c78132df64881f4a875b764d8b0a8d73486f9628aa0553c4c8f2a98fd37 |
| SHA512 | 7087f828e8cf6ac6d07177d3e1091678c546ba9dd11930ba1eb50113e05691d90ca3b3d70843c5d29954cbff745e8ea4fe5f8af39a15807b8e4fa96343c03c52 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | 3d5a48cf7868dcbd3780410465e7b7f5 |
| SHA1 | 45c0631422a29b11926aa41a2c430554d1d15faa |
| SHA256 | b51708024e8b44ca7e893dee39e77b5400236a0cfdf59b7c81b9f65815a2a7c9 |
| SHA512 | adb50e4dc95ab137b13865408b7cb6011296a573a744b30da53b68e98590f6bf5005d3f97adb6a6fb022ff7a469997580a33223dd2155a31a2d48f7fa11e326a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 80ccee6de01fd0180d0a6347a35776ef |
| SHA1 | 201aafe1fd7aba252769f4e99a5e7cc4434bb82d |
| SHA256 | abd81ecf26ee2d322d2ab41eeecf59b1aeb58eb21b8ac921b5d62fe4346272a1 |
| SHA512 | 0c745dfb5c17eaf17f6a70e5ba1c00fcbc654698d3f27c0dbc8c9d616d55c9839af9eb97b33fa5e67388de8caa8358e7293a1c10e3c4ac7509b8fb54934d82ea |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
| MD5 | 613b238a2a1a1f11afb23fe2de05d0e5 |
| SHA1 | dca825803d90d4c2ed321c78c6ee1e8c6f6ab254 |
| SHA256 | aecf97d072ebdd38708db619550370a1b3787c656e3e190fe5064d1cd5936dee |
| SHA512 | 87e897d23f0f2944e0830441dc9b31b2e63d3d78963b20694a482e5b3673d2f15e2a4dc26738128823c1cd80f2003980a94456e33696ea172a81cfe16844e3b8 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | cb143860a533cf99e83ea8a6dab4a473 |
| SHA1 | bea0675b0c9dc48e6fd321a437c8834284c6bad5 |
| SHA256 | d7924d97fc57a97c6563d7d6cb157573ecb6d2870b2b89b79e0e5192426a1a97 |
| SHA512 | f6c9f9685703496a00ad0a2ba51afdab163d0010851d35b001d49f185b50863c6b43845af88ddb798b4f6bf4220fa9021151709caf2baac2fc75e40c9c79316a |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | cc8ce375fdeb8cea6a20e73754eccd22 |
| SHA1 | 74d74494a4f0d4ab4ee84db83e3a7a7242de7518 |
| SHA256 | 01c3edf4be76d64fab0a49f5d62db6e80b10950e887b52855c7e42eed372eba3 |
| SHA512 | 510e3031e76e514a042acb7fee933e2ea5b3dc80e50a7c503ab4da08750a49c09f4a24430e4a533dd0433561f7dfa1d1445d18d83c82f485484c10403da38c87 |
C:\Users\Admin\AppData\Local\Temp\QMIu.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 37ecd0dbb0d65f3b204ae02f37c915fc |
| SHA1 | 6763d44ad8b9a35396cf12e8f8bb0e003c8a6f71 |
| SHA256 | fc0bf1630d43a1469bcefd2f5b7fdbe655a84f4fff6846589fc838bd56001a19 |
| SHA512 | 5579214d87b69bf51c8b54062cfa9bdd1cc2882c538688f891905c0fefed0dd4881a5e76bf2c5efcd5864d85f2140e49c2a6debd332e65ca4c8256e18a709128 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | c7503eb684221b51eed1da39d87a18f5 |
| SHA1 | ae523a148978f105933022a694f672052fa6cb30 |
| SHA256 | f86ca006806b2fa1dcf261a189fda1ca23aa38b87907dc64bc8a63a36258a41d |
| SHA512 | 54f4e2a51fdf084538e6212a39c0057ded5773217edda6c16762bfb245b60f1a19174b6ad1a941cd605f48d78ebcf7c01172397df46623781ae7632189081faa |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | 67190686258304c13c13edc547037e26 |
| SHA1 | 4e93f11731982f7556a968b694ad6b235050a276 |
| SHA256 | 8e389afe001517514d073d160b4e9ed342ec8dd4755fe5aa874824909ee7850e |
| SHA512 | 27902660825a2eeccbc4ad1720d27d0a20786692fc8e838dc12e3ac5b4f473882efc82a7b69056b91d0285434d41020cfc5c516c8cc8e43124fd450bf0280152 |
C:\Users\Admin\AppData\Local\Temp\lIUw.exe
| MD5 | a32aeaa0fb5fdd2f1b31bf76184f1852 |
| SHA1 | 88ca51f71e212d7d58915b6254d833bcd36185a5 |
| SHA256 | 9987e5fe9234d35659de14a4a75dcc89dc22f5319184bc3abeb66b7f7e176972 |
| SHA512 | 6538dc7ebb2f9f398076f3ee9f013a08025f0c785ad2347c3bdaa7c3c5ddb05754ed16fa55c3b18bd3412387f8a2e487697db70b9b959b586c42da2078da58ae |
C:\Users\Admin\AppData\Local\Temp\xMMc.exe
| MD5 | 150f69f398369711c03cd5c910f9248a |
| SHA1 | 8f6ba5343dba5011925f1e87116f6b2bbad8d967 |
| SHA256 | 4c1922d8ba6d4e8db93f2594714b7642f610d9f2135834ca0327cba7951801eb |
| SHA512 | b3f609131b62bd409a79a7c08f5ddfbe21da7dee36de7e1619138b27ff8652f332569ea3ac48d9056d84fb3ed64f6a98c560c80b82a6fa6945ef7e2fc0acd5eb |
C:\Users\Admin\AppData\Local\Temp\PQYU.exe
| MD5 | 8642e51f38a2ce18b7906fd16347c515 |
| SHA1 | 03497b74530eba928e77f9805af27209afec2334 |
| SHA256 | 6130b1de59eac5d5c60687f9fdba5101e3e395795af49a2fc3a7b414c9ae4f7a |
| SHA512 | 09fe5b1b1c33b90c8f4f9aa5188645d60942ec6f4f660b65439c734066c9d94b371243f4f34d5512f408d385acf97fc08e70b7ad21d18d0a72e200ba97d4f94c |
C:\Users\Admin\AppData\Local\Temp\uccW.exe
| MD5 | 582de885f977be7ed74389c84a2099ba |
| SHA1 | 001a80de91a8635ad2a0ffb282922b2c17999b1d |
| SHA256 | dba68f72a5f1a977c353ebc5487f383101095057e7a3d91b834716e812a274b0 |
| SHA512 | 1892b63dbc9857f738d77c3f9f7040c52648d61b5d57c7003706b1cd8ad6454c3cf39b39c6722df4e31c83ee7ee4e4288cafc725a5bafd0e445de553b6f001bb |
C:\Users\Admin\AppData\Local\Temp\pYIC.exe
| MD5 | 18d43c54de7e9117e7aaca5413ebfc9b |
| SHA1 | 636f0242befc4636c89291546a3081fdb21c83fd |
| SHA256 | ed5496c9171abafe92a3193b463a597a90ec1d552cd275a4954ac5a93cd75348 |
| SHA512 | 5b23a7899a1cde9f79ecb9ad958bd33a5f1aecd22d8d0ad5b36cf0c11f377af3535d688e084d27de25d94f93e5760b2da36cf571eec0598a5a3ecca74317cae8 |
C:\Users\Admin\AppData\Local\Temp\sQga.exe
| MD5 | 5120fa6c7fbd97250c1fbb5e07dd9caf |
| SHA1 | 27c733df751213c269bcd4f63b581b5117db9b80 |
| SHA256 | d8b80c698be00d7f600208554ddd061472809c049a5217b018fc016932a55547 |
| SHA512 | 3f99eb39e0d02e2bec3b239e46dfe53a497b1468cca57d0afb8afc05822e90547d189b35552118751d935719dadc67412bf57bdd6914805945da1b0f1064b474 |
C:\Users\Admin\AppData\Local\Temp\iwka.exe
| MD5 | 08085b9b775729e9b8220c7cf386951f |
| SHA1 | 4b86deb554c21c53e1d65915c383394e302df182 |
| SHA256 | 20d6ac9e8d052e59b61854bb0baa1e752b5c7f7680eab2752ca9ef7169113d89 |
| SHA512 | fe01f0ecc9318075791629771656dff4a4fa02c528f4d03d5d8aa25a9080be25ccc218a808cacee9240715c45cdb4a0086f7b98aa56080610ca2a53d14992d82 |
C:\Users\Admin\AppData\Local\Temp\fkwM.exe
| MD5 | 7d2c64ccea1dd4b8d4a9bcdb98b2b5a7 |
| SHA1 | 5548b13c067c1444128512b5042e116c4845b5c4 |
| SHA256 | 97d6214d2a50ca1c20c5d9224a4f6afea9d4e668c3052f98eac5d62af5b3cce2 |
| SHA512 | cccd270b813647f9ccbe15c8928f518d680213bb8eaece0f3ac3747082d1efb7ac4800e0e030445d423a99fec3221ae37cc0b80c8315696764f9af368ebeb778 |
C:\Users\Admin\AppData\Local\Temp\ZkkC.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\PoYS.exe
| MD5 | 561ae61b4f189cb3da7268d41db9d348 |
| SHA1 | 098bb31eff6d12de69614eb71410ccc847fda58c |
| SHA256 | 1606dd2d595293a3db648a06783bffad6d19f495a8c3965b21ccea4c43727a1e |
| SHA512 | 90d12e9f964526a26259f84aefaee0e44c7a187c137ff84f37c66faf9c25723dafc807b8dd1bebb4eccf2c75fe3d83ac84de3623896162b4c142fe6bcb7b79b8 |
C:\Users\Admin\AppData\Local\Temp\NwcY.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\CUIe.exe
| MD5 | 4b3a2035f6bac5f3acdae37b99499b64 |
| SHA1 | 09f9a49203b6325b7441c4900c2e078c1ffa4bab |
| SHA256 | a152fb61aaeaab1dc12132376c65d213cc737f7a56396a7dca6cc1e35c2c7188 |
| SHA512 | 3fce37eaaf6263ea8505cf108af8d09d12fed75c368f4d5afa58d15ec55e04acc981063d8482f6ab62d4f5d214b8db6d8fff5a68ad3fb258dd32a8991bfe09f7 |
C:\Users\Admin\AppData\Local\Temp\vUUK.exe
| MD5 | 7f3fe9beb8a0fbd86001f16e48d31b8b |
| SHA1 | fec90026587e74f153bfc3cf245962f8ff3db1fa |
| SHA256 | 9556fe4516f2fd0463773c3e79d61b102aafc71030dc56e02cf45dfd0ed694f8 |
| SHA512 | 5aeade6e985833b868d945f922f768d9d09d271c395e91c744a5428aa5d82955e58833c43434032401e0cd229dbf63fd416206d6209457d4712b9b366bef4d6c |
C:\Users\Admin\AppData\Local\Temp\sgcM.exe
| MD5 | 9c6363a4bd5cefc1a011ad9e92b3b535 |
| SHA1 | c4f0ca7ce61d77eb8559f22050f73be6712ac4a2 |
| SHA256 | dd4d67af4c01a6630cd3f6d4099af97b208f5ac815e9eb6285a7383d92b5a546 |
| SHA512 | c01750873536245e92364d843f72cddb69c75b5d287406aaab650811d34d998644afc115578c7b6b29517669afcd742ab3da56413723ff20c64a8c5c5834977f |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | a887e92afc41b3989f8e58cb80c1ccd5 |
| SHA1 | d3549aa07fae6a84c0594c2820541e2e863e6296 |
| SHA256 | 3e4df523c6c47fc0747d74f0e7ad5f78ff03ec4fb8111c8a3409006a4a897d35 |
| SHA512 | a1fc8cc00b114e434945c8133d332412bcb26f37fe051eaf2fc86042ab41fe193ad109fc3738caad53e57b185ed4a967f92adba7be9c48070cc43a39fe788006 |
C:\Users\Admin\AppData\Local\Temp\vUMK.exe
| MD5 | 95b6308dac9788b07060cb96b5d4d606 |
| SHA1 | 64f4062b86c78d53a48a90ef680c06dacd4cc4be |
| SHA256 | 8f3bc432e67c985cc92a204457d11922a9af5cdf65aac0f5da853f2cee25e264 |
| SHA512 | 94a98597af976b28313f55dcb771f1491b1800ba0bf5335435ab74c30f2f79f50a47a4cd188ca37f0179f47a549e6381d63b895b0d784347220a30789f5a606b |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 7329489910a2d17e9a8cb04c384d5ebb |
| SHA1 | 32ce1b924f75b24d8d287b41b30de2d198a8585c |
| SHA256 | 0aa3503468f5965fad19bca72d53908edf3059a6e6db92d8a3075bab042ec0c1 |
| SHA512 | a8ff4f2cacec3e2a9003e10bc8acf179f0d4aa23029f57143b2839da157b6cdf227e70f6f9a357e5e52324d923f5a770ab206653123f1f079e7937a8752e4885 |
C:\Users\Admin\AppData\Local\Temp\zgIm.exe
| MD5 | bfae846777a30d1650c1eb6332fe51c0 |
| SHA1 | 7d0bd727ca285275f4e245649d09357976ce759d |
| SHA256 | 1d09522ffd5ac4574695a4f85d15cada244a8cc9bcc70ac57a0f0f5eda1f5b6f |
| SHA512 | df6029c9fa46e6865b6fd1a98f81b02ae4ebcdbbd133f7c12863ea4bf0e0939546b2b0b8740e5f07406de6caf4265c94254e945f78ecc3bc87d9e3e0cab1cb98 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | f09a2f115d38514efda9c154266b968e |
| SHA1 | 96e6979ac52f923a1ba414e5925213c7360c49c8 |
| SHA256 | 6fcfb47a0baa187945b0888f8316a8f5baa4985fdda5af6df05e6426bcc2370b |
| SHA512 | 6daad4e4221720f185f13174cf38a887fcc50036b4d084bd89c21311337d41796cd9040a150ed2d48e94aabaae8bf3886ade57668fa39aa7111014f7324da19e |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | 72000e57cd033dcba32d141c178766c6 |
| SHA1 | c29004055b7e2461532a662bbbe31c81263c7d02 |
| SHA256 | 1ce2cb9400a4429bbe30c610447502eff2eb16785e71971e276ff690f6f40ea2 |
| SHA512 | 5e3e22f986e371bbf93110e4231b14267ead69f8e0bae8f5d7493f05f60ad1b0c0fde83d443f97fe3d9fa002e02b6bc6675bb8456baa4ace1290abca24978052 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe
| MD5 | 96b889bea7244aaa5d0d29ee7cf7b31d |
| SHA1 | 4ca9cb444699a75d383610311fdd59a06ab1aa80 |
| SHA256 | 88167937c3ac65c1ab14748173a065aab7397cbff0c529c17d25ddfc4c9fc813 |
| SHA512 | 8dbb9d03d2144efe3ab3b203258dfb5962389940e203c9b9df3ae20c0692a9eecfa6fd68904f8cbed849585cf18d3d3dfdfeee06194eecb9a66ea0fbf9fc5300 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe
| MD5 | bec95a813c52a85895f939e639d2b1a1 |
| SHA1 | 928d5b680a12c1a9a7b298bb877678dd0ee753da |
| SHA256 | d203cfe3d6321e3000ed5b7953a1a205720c0e32db8573265472505de107c30a |
| SHA512 | 90247faa2c8b98ad93d35999f8791f8801a750b9941a8a8074008023a9e272d694349186167220143f8f6a441745220efd65b9654493797ba3145b42d760bd0a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | d3ae8b1df909bbd078a0a82eb093acca |
| SHA1 | 7d79ee8642535736335c37cbdb7f5ba2ad26c607 |
| SHA256 | 3da07686eb5cbc4073ee9e097af1c02fb80c8be7cebf4ff7ac1c7dc14daa56ec |
| SHA512 | d3448c451e6d3c1587b78fd43601450c25126424e29e0caa785b973db1423323eb9821708620fcafc63c442af180da39704e4c9c8fe825d42189fc60d9422b87 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe
| MD5 | 64ffc1ba6b782f400ce1d94eded4c6e1 |
| SHA1 | 42ce80be444f7c8c2209ccca41c390784e9f8568 |
| SHA256 | f10136c93d065bb71f48323a9f45ecdd8d7543bad30df741f908ae019b304928 |
| SHA512 | 3b75ce7ada5e02572b9284c05ee62fe31c03fda7f9b3bf0d4862cbbd6152c2f4abde204f50ca3db9f9c137a41afd8d221e0580286a45da6ae0f627eec3532a16 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe
| MD5 | 608be248a0a5a6baf34a09bd7e52b978 |
| SHA1 | 8eaf8348252f4cf6da1c04168d86c8999d554c06 |
| SHA256 | 5093d3af7350d06e19e828b3bf0132ec4c6ec59c3099b4f079f6bcfad799ef24 |
| SHA512 | 28e1155ddb4ec675f4972f819c5e9fd29ccf0747ab55c4ce65fa123866baae81b00e54baa646bdba79eb3d1d367469ab7c05b1dfa3d77669f20de16ac159dc34 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | 630b0b1865d0303996798ccf5f00989a |
| SHA1 | ad404cdcfff0b0ce71102fe7aca15e3b4e8f0d18 |
| SHA256 | 6646bfde705bf1cb4e3d9d963fed80b5b3411d6bf4cfda61d4cdaffb978860a3 |
| SHA512 | ae75390c1313f7e67fc0fc23614f2cea9268caf9de0d86f29ce8922679d20f989537db3f2b7d819f60d0e8a62398b7bf45274cf14b2db12cd018817837c54a7b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
| MD5 | 0a22e33e34ee4da3672a37764352efa8 |
| SHA1 | 9e8a9fcc501a6d6ec68b39468ba544b339066e19 |
| SHA256 | 1b8ae1502aa7592f791244c7822a316c8e43e4e852817bd56258c178d6c48f80 |
| SHA512 | ab7aa3b38832ada1b05fa0a40ff0a58fab2af9dc5729671a93b70ae5ec425413ba981ee4e8a5da1f7f62219da205fd46875fdaaaf76dd99776e9df72f2d78170 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
| MD5 | bc9526bdf8181497df8e6b81862b490e |
| SHA1 | 79fc6ff59d27463c00a43fb2d45fa3354c1cadd0 |
| SHA256 | 555a1db99a362eb894a5edb3875ba66d6d3bad9d2823421d29f2a6789dc00f48 |
| SHA512 | 26902c32788d0ed76ade0d28ce785d77e5f5b73cdcfe4b9e91af6b56f371505a6940086dd2a9b8ab08e7a94e4c043bcaed36a1e2cd9f90128cce703f266c3a5b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
| MD5 | 7ae1eb1e5acfad8cad72efceaf5c518e |
| SHA1 | b50079f3c2bd7b52d18dfa595f556009d4bb7371 |
| SHA256 | 04f194127d6e148cdf52590245ffe2ab9024e3249160ec6e592ed4a40e7395ee |
| SHA512 | 4345441299b8443341b749273e1bb331cfdc081d9594bd1e265b5908b80b37a59a53b32eff0d8651b8a2c3afec75a6f69bce56a139c3a062b0339355c05e73f5 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe
| MD5 | 41220611d5740a27b0dd947b6d868890 |
| SHA1 | be2948d1ae4619854c50dbcd39bbcd9b35eb89a5 |
| SHA256 | b85f04cfa916bd71481a0fd2f7fe0f1f6ada451da5277cacffb5e111d5fe8b68 |
| SHA512 | 622bbe723f707d129df645839e423d3172e26eda4cde534bd37d610f05f3564f3eae8750f77edb4a05594cd0dee856de2a93b9335a24c45a3fe7af28aa5fe94f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | 4452eaf120000570aff31e439ed57731 |
| SHA1 | 4296eb55eb5e31241a6c81ea89a1093b79442c9b |
| SHA256 | b813792b50619b66f7b8debbd32a2ce44422908bdaf9c6b5a0159d177bf15800 |
| SHA512 | 2bce25ef09aa30be934b24d7131fcce51962234478317aa26b145362dff1aaeabf2614a35141e4edffa282d8c34f0f30bc6e74c9112d1d74035ee6dc61bab2dd |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe
| MD5 | edd22b40b040c65fe473dc21372a99ba |
| SHA1 | 8fdfd745f5d07235b68bcabfeaddda0a4eac112f |
| SHA256 | 8ee5e98908cf29ef812bb6d917b776baae7d377cf1196fcd7a44351f8b32a571 |
| SHA512 | 47afe29f2b5ea90e46fe7d218093fe4a2f16e38d0801f6f931a1ec4afb3dbea945ee2fae40e4c665fd1d0e03ecf6ee85b688d9111849e5f79ea7ef1285ad16ad |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
| MD5 | 0109e54d57d3b0703c59b946e0d58a8d |
| SHA1 | 6b1d0e9e2b667d9288559774879c8debe784cfff |
| SHA256 | 5003baacb3cf2e9649204194a704e69381319c401c73b8e95d96a05a7c700345 |
| SHA512 | e86514cce096a3e5e2b60801c8c031cdafe255b69c143ead5b6db48d141c519ba86e700bb0d48c23a7fa846a012cd85b33c29fe2dd563e49f2d70e4eea161dca |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe
| MD5 | bc78566387ef5bec09918686b76d1ff9 |
| SHA1 | 65f648f585a2d600f3ffa8de3ae1c30f78526049 |
| SHA256 | f11acb6b5b8453e79cc5958d54a293feaf606c2f7aa443de6f1eaefdf9f896bd |
| SHA512 | 219543ac1cc60c1948c9f4bef25527bcb40bb8c2af13abe5a3afb159108bfba5aa02cbbe4504f3f7c001d443997107634d564ee47d5ce3dab32ba6a6a74f377a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | ff3b4b1a40ab001a57dc0a643f624ab2 |
| SHA1 | 8107f78133710ca5c9dc7fca969f50ead8ab477e |
| SHA256 | bf0cdcd19622fc6c2a22ca3b8401558696f707d1b6997ddbeca40e3ea9bed37d |
| SHA512 | fff2a7741dbe8a2d77f1fa9ad4b79d0fe73af50667d22336ed3662deaaae2ce065884f4f63a499f3f23dbef17572d692e3f2aab76286bb65fc1b5c23a1d0ca09 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | 316fc49239c8cdfd5c54d99412f5203b |
| SHA1 | 8102eb48e9f2b96fbfbf00920aaa6ac22c3bdd66 |
| SHA256 | d140b163c6a9025ad6b7900c5cb4414c647e3f2cf2a69318daac7e8454ca9492 |
| SHA512 | 5be9a8bd24a56328879df21016120a8d5a541cf0ad328b8907e550cb63296dac7d9cedb13a9930137565091696e88a5bc0eefdc8418aa5ae0487c6c272ee9dd8 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
| MD5 | a4002da6339b87bae1b0569e2d9703b0 |
| SHA1 | bbfd0ee47e9dda76ecc7ea88c7ebee9250169bca |
| SHA256 | 4571631efc48f425a91fe4e50c06f96187483aab808bc4e18897685753d1cec2 |
| SHA512 | b0a39ae2dc10ef61e65413479cd4522498ac00ebde005f25fed72a126c3adb20b581545ca54686bf4bd3dc82aca9dcacbf84d9f5f7ca0db32c518e6a1948a760 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
| MD5 | 3b8117bed4974bed4443e889c45ef2bf |
| SHA1 | f48bdc2f32a723a40f922a59826ec6a118d06b83 |
| SHA256 | 43bba1caa9f8c3cdea2049dc0bcb8690fbbb7d4df55a469fcd737681822dd96a |
| SHA512 | ae8cb2beab5a15c9db34dbec8c83859d5871c32d252cf3970d0539b1f39d8ce5b8f5c6f39d296f5bcf551a675fdd9097f5d651ee62538825284bd16c8e875737 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
| MD5 | d1e8ca395bec5c886079efa69cd36885 |
| SHA1 | 34219aa545e3e29ce20d7df4c1780f25a953ac99 |
| SHA256 | a437028c0cc7803d2971e4f92c8c62b02b7ed49d8bcfa9935ba61fde72a750aa |
| SHA512 | 303004e7e0491e48feec83f36e8749c5714af4627193a7e4855293e88da622260a29b2f42128c0b860e9832e7228f4f16f33faaeb53babb62beebad4a908db0c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | 9a090e040dba94eb6f93d701ba5d70b4 |
| SHA1 | dd9ed61a98e413b8fc51c64e2001fd2f893a2f70 |
| SHA256 | e1bbc604b68cc9e53a8e72e54d88568704737df49c5763814b35ea24ad8037c8 |
| SHA512 | ce2f3cadfa19a9c2ab2c6c32f600234deb5d56ebc3f4a5eca835c573e7f6ac7196d6f82f5bd46a948f99737b9fa5769a35d577c7ed93f8907c4eb6a266f2daed |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
| MD5 | fbfb8608d5628317768aae45bfd9cd41 |
| SHA1 | ac9534b178662306432f8380a3e27090a64682a1 |
| SHA256 | 78ef9b578091672b5420ef48a64e4bb88a3e19179f59b02000a3e71f7af17a55 |
| SHA512 | ea3a02c38477103512925dc91c43464289340ea21d5b82f3600c7dbb506a03d72ebf36bac4f8bc7df7059711b0c89b5b946674e3c8277bf8c543e0d624fba442 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
| MD5 | 359d9072878c538de0d951e710c8f2b6 |
| SHA1 | 0bfd4f934cf75980ebeebd65a4b610206c4c0e39 |
| SHA256 | 442e425b7fad36fc7183d5191c40d320cb0a95fa202bac648211ecf1158cacc6 |
| SHA512 | dc30ca796825da5e7aee1969f8f96876868b23b861b77d9bcf59279951420b585508748f8dc2d52fca2020f3a52c42473f62f6339800e0df5c1a1f5f4ec1cd2c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
| MD5 | 7606544074a80a5b7364e95aff5a2e6a |
| SHA1 | b0211e05647cd6b31e6fcd87a53a912c798b27ca |
| SHA256 | c8d5e295ca284d658f35a97eef118be4d7edbaf39adc62e06d50e73cf5c425eb |
| SHA512 | 68cdc8fe6e6311dd639126cde223c9875d92fa2ed3c78f025b0f31e29efe1a12b6572bcd826379420e672d9dfa0ffb532f85f0010596947896a753985c145575 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | cdafdaf5cc0e2a09dd81c8c7e80780f0 |
| SHA1 | 026753a6e81e92f15dfc8b0b35d01ba081219950 |
| SHA256 | 1d45bad11d37d4dde8eb9612e84aa2dd7e976470debf8dff45475d31342df66b |
| SHA512 | 3feb4c20aa67887deeb314d2d2e7eeb9e8877f30cb8b256007b2fc7b51c366579b33602244c15da9414e26190f921c773f2e0d26aa34064ee5cf30cfee046af1 |
C:\Users\Admin\AppData\Local\Temp\sEoq.exe
| MD5 | 94338e622cdc427dd58b69157ca9cd55 |
| SHA1 | c042ba49fce55a95eba8f5417caecb1e20e97e06 |
| SHA256 | 5bab9d30fba185dd98ccab52170533c8bdb90e9c03be54d5a1b1fb374b71e226 |
| SHA512 | 567948be641853aa8bd335fe8288159c4f12acc3e6dc68acff27fa41b31f2c2b0ccec8e1b331aa6ad2f56f74365025a675f5c9ab2d2645b017e443397875a827 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe
| MD5 | a4ab4edbb4d98aaa9e163389dab75fd6 |
| SHA1 | 309c7d054a33a7b9c6bf6fea783a1dff0a3a7d04 |
| SHA256 | 5f81e1c97572de019ed571047461f1658d32cd5db8005be9593d76806304ec7b |
| SHA512 | 7b316b98c58dd7a1e5060230c407755b193bb0bcb691b8e261b86f1d8064bfb6bcb21f1a8d95533d6e78794d4c8bb9f1c7e4f73ce78d5ce42010f8797e745bb8 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
| MD5 | 872184ae370c43effb44e7235a4ee55c |
| SHA1 | 037eb76b7cd49b4527a04cec0996b757e6fdf6be |
| SHA256 | 9a16f073a6238bce08b79505cd31799a9438bb86fe8f2510984b602da66c36e8 |
| SHA512 | 7c9f4bb8fc241fa22fa3b69326ffc3f1cba8a1d8b1b1e53cd1d6fecc9ecb4bbac1d369779d9b5c372d6359cfa60588b2431beea58e19e4f7b8247ad60874428b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | 8101edff8c1457361cbda4516298847e |
| SHA1 | 250ccff7509253bbc137e3fb18277d4de377a7eb |
| SHA256 | 55d75732faf9203e2a91221becf3aa5ba925ebc26809aa2709cfd0ba002b7230 |
| SHA512 | 907c2e0b7741f339ab9ef06a23ddf7e15bc6915cdbbc4da2f200b9cafc627f3b1a034045a52b3a58a17b46f8b94172663f8ed97065fce4edd38bd1198abcd3da |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
| MD5 | cdb8c108216d0022517cfaec0e37e35f |
| SHA1 | 8fe3e0fcf6791a714becf8573601c53da13b9170 |
| SHA256 | 22c22939c7c0a78c3b4fe45385c98150cde2b1f300126e4562eb3ba638804c10 |
| SHA512 | 5d9e2152cbc824e88415f8d3117a22a0e5271063b911dae6f7ff2a3ddb63e93f135aaa460dcb6600147ce1087686b9badb47d13193c943e8496a3948537a088a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | 445829706384c734b102ae0588f1a706 |
| SHA1 | d9f7dee1668eec7cda378c562470775caac95cbb |
| SHA256 | efe223f1a1b5a26310b4c0c7f3816202f0cb0f6d161914351140b36a83629f2c |
| SHA512 | 9aa406a6ad9eac456fb3e3c42b0b497101b2f8f3a2cc985942ed43e81f032b900c1dc97ed24f0691fffccc95248b83662da7ac48f37e46210e870c50e56341c5 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe
| MD5 | 5ea89923ca909391ed57e1c42341a619 |
| SHA1 | dca7070e1c25de53fcdf8ee7fecf33ff96c2c956 |
| SHA256 | f74da9dd86a0b253f41f54b400d97b276a2977632e89967e92498441b6e90629 |
| SHA512 | 429f109fd10d29e3ccfeb5b690e3e581f9764ed489b1e0158d086a09310de4c8112ba715877f5af24ab5680e95cc5375546f9c444d02d515d4e9c806a32230f0 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | df839a3bc2395ebea7d976d6e7fcd39a |
| SHA1 | cf3c157e3ef42b1e0270a5a13e026a22cd6840f8 |
| SHA256 | c911f2477ff1840c13f2bb2a0f67f9af67ac93b7337462280288faf2ec427d5e |
| SHA512 | c3395d2dc33547236fd76bb574dd87a76221c7734f80af291d47ec576e66044edffd0500ad6e4fb6afeac11d57115d8c1f1c7f7bef3c85cfc8d311ded0f82d78 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
| MD5 | b08b2920a860ec0719ead86440bc74e5 |
| SHA1 | 73ec7a33b7d7f6262056341405f7c8849418a7d3 |
| SHA256 | 3f70adf8c5c4f13a0885c9e6008e7203e8f90328ee8b816f540e352cdfce9d9a |
| SHA512 | 0a64df2e46e2ba4c9fffe17781f726c7ee9cf2f2ffed3eb3fd9881edc1e4cbc8d0e55d6f5ab157f826c024442ce1a63ac4e578b9c4d4e152b430fc3273383f30 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 4ef13eb19f737887224d190f498e0c5a |
| SHA1 | 9410f0d54800893de1ffe1e83526d025593ddc54 |
| SHA256 | b9d22d0432d4b4cd3c09296277d9f15256c3f822394d41823c5f4418a1ee883e |
| SHA512 | 49939ff9a4d4af28b3a682001a1e2393a383e3d382ca8fd82bf9713009e6408e3dce5051328055b01099898474ec77ffc12f1061f0dcac9d07aa3310a3649370 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
| MD5 | 05c11a0b2751f6893a01d6d8e24db966 |
| SHA1 | ce074fcc2146955a91296b5fb65f5378b53a5053 |
| SHA256 | 76feec77bb529d152ed6f09811991f78d3bf7e75fe5996dccc4f3d308dab7b39 |
| SHA512 | c56fef86eba9d7d302cbb5d088e79d254fa96bb73b0094eadaf8ec6ca5893146ed1f72f5044ddfebb3d0182165103da786ae989e58c315a93f6d5019961a0114 |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 517560afb92b82d4001bcf06b4f02926 |
| SHA1 | 534a025c07438375f84f16b4477580eae0106cdb |
| SHA256 | 51f4edb1a282d8b56e79ffbb1faedb03af0cde439f584b4f309ced97ef76e725 |
| SHA512 | c810e8aa1899a5c8087048d54f0907b03165dd59b71c1401fc556dc2b913ebf704eb47986e1e748c0e84f09f899e806578edc8fa324e4c242639354c1f654d08 |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | d7cc7251166dc04851e991fa010454e5 |
| SHA1 | e415bfce0a6ffde6e939f69bab54b430b6fd3967 |
| SHA256 | 78e57eabac3ce1c9fab8d6c188b86ca19c0adf0fd534d77b5e72accd8f481a12 |
| SHA512 | 007b78a75754f529a42500f518cf21c7f998358de9eea4f24d67d276c17d9f78a72aea4217ecbf0dc131633c515e838efff40f5036330856e52bc80e69e40b9a |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 5c7b40abcd771202f7348471a62b3cdb |
| SHA1 | b28c986da2b167e128559cd20f77a726673516fb |
| SHA256 | ab5124d34a16cc5f27c3deaf8a30b609c2cfa1b3159fd5f4be8cadb160b6d08c |
| SHA512 | e809117342ae3068644e45cc465fba2f269ec743916bc268d6358e08a2585496d3b797992443eb33f13bfdddead71f52ecd8e1553b76a98e16bdbea6a5255e12 |
C:\Users\Admin\AppData\Local\Temp\nIQa.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe
| MD5 | cc60526ab5f4599275b86ed64e8540f1 |
| SHA1 | 94fc7d37708fa3caeeab51542e9db4f00e7972e0 |
| SHA256 | da3025f8cf80af954c1483cc2ee4c0a1805762ce14932fedd3f17a05c7627dd3 |
| SHA512 | f7ebdb3542addb61fde8eb3cb953b14ea0ddc21626a7fb39a6bb5a6f17a102f0621caf6311e31aea1452232eba5c8122c06998e7724b075d5a840eb82f601abd |
C:\Users\Admin\AppData\Local\Temp\pgcM.exe
| MD5 | e6b7f2d129406f725d5feb01cb87fc3b |
| SHA1 | 43d1ee3ba2539c46c10f5c9d58387cc1266c0ddd |
| SHA256 | a6bb042810b1015257ac91b32846931554deb44119e55e1a439995ef95aeffa5 |
| SHA512 | c1b997c87af256a3226bb0f27e150d8d44aecb0ff2016f0b1b4e409776b1d65fa34f2967b522a68fa79df2031597007900c16d6a5e548b6c7501c1865804a7e9 |
C:\Users\Admin\AppData\Local\Temp\UgUG.exe
| MD5 | d85cb5694236431558ed016f0c31e62d |
| SHA1 | 8a39a805e443ea61fa4b1a6e2bbeef546ba90bf6 |
| SHA256 | 01c73475ace17d15d30be9b21b1e829480f124165768ee1cbe6f2b9b23f7b0f5 |
| SHA512 | 5af89a2e73695935813f4c24331a0300b978462c59482c4ba3324c90e8a54ed42dec23a5c080942fb9dec44c31a56b1b576a367647db97b5f5975a81700edaaa |
C:\Users\Admin\AppData\Local\Temp\MkkG.exe
| MD5 | 85f21e7b67ff0880f9e89af03fc35fbf |
| SHA1 | cd651514b6e174bc431d6dd34c814406387d158a |
| SHA256 | 7dd4d4d07060b0c7f1302802965cc896df620a5b9234d74c74af626ed770f022 |
| SHA512 | aff8446d01b874d231bd55e22bf7e6ae1fec80bf719f1efc167e78f90b0fdcd27a528c40b28cc0bf99b0585396344b25fb5cd9ca30606809f8dd15ebd9f30483 |
C:\Users\Admin\AppData\Local\Temp\HkwM.exe
| MD5 | 543c256a994b8806dc1f3cae828bcc73 |
| SHA1 | bab280000884c0b1a976d86b3b82174dd8bf8a30 |
| SHA256 | 619e440ed1d12c71b97c6fdd1b5877fbe64fa68dbad88d193a91dc31fb5233d1 |
| SHA512 | 28085a5fb07eb803350eef31c269c42d145db3ab8239db78066d7a1ada83ab8a50ec41a314c9f0e4e9d307ccc229f9859f2bbea8ab278be16b96dcacd9efc642 |
C:\Users\Admin\AppData\Local\Temp\SwYY.exe
| MD5 | 9bf9baf2570055a5ff4691eb432ce3a7 |
| SHA1 | 3749b55c7b294f3215b382f8d1c8dc3e2f29a4ba |
| SHA256 | b7e96679fbca2aba6daadf2641073a9b3ea4fc65cdaf0c16ed146058126317de |
| SHA512 | 6f03ee9f7b73cad367fcb796dfbe8284eb0165bd013a966747601e67ccb66f018f5c02e37c613443ff4bb84c53202feff924aa860d404d66caeb01277c880951 |
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.exe
| MD5 | dabb59f25c80c1f681a827041859d685 |
| SHA1 | a1ceea70112ffe04f0efd8e5ae1b3d3fc6929a91 |
| SHA256 | d19a9366a46d54d069f22c56ae4af045ea5a8b3230a456899713be903c23e9cf |
| SHA512 | 96ac196b0c79807126d312939d95c4d849840257303297fb29f0847041400a0618e17db5aa2d8df5ca0537b81733fabcfbe1aca4fb909d8553d25294e20b78f3 |
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe
| MD5 | 48ffbb64736b973bd57c94965179b656 |
| SHA1 | c93b3f2b561a16fd1f21bcabb10387436bd97ff4 |
| SHA256 | c3bf976186242278bcbaf2050c1c6f49aed4f13ef8681c5bcec980c2b61b0729 |
| SHA512 | aa35905a6ae8d9ed990fd4f9f1b7b9a1947bff7ce36cc2dc4e0aa17d2c420e5acd3a1cd7755464cd4191796690d1e11766bfd9357994e22f9dee4492f488badf |
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe
| MD5 | 7428aafc0557569fc194b69f840bb818 |
| SHA1 | f89d4116c33e071aba350b100770abe3295a18e5 |
| SHA256 | f0ed2e56bb232751e0c12fb77815651e59236939966b29bff4eae62a3c458625 |
| SHA512 | 4f7e55f2522ee3aa95f830cb183870cf0b078ef4069575ea7784a3134c25c4095ca694b72871ea94ad39e312133de1ba562431d17256c24d1a7d1b298006f735 |
C:\Users\Admin\AppData\Local\Temp\EcUI.exe
| MD5 | 6fa8ac72c22fd4f036d107e537ae820b |
| SHA1 | b115e00fc0b3ddb0b2a3a4d8b90919fe2054ae4c |
| SHA256 | 55bbe54ac6e23b7d632e20fee45b918eedba0ad777f2c530669cb5e05a1ce362 |
| SHA512 | 47517a9f04700d3108ca2e06cd0947423eba6850539aaee40eee1f297657a160541cb25ec7ce98523e08e5eb1dfb06f7a77a27308a5fa5fc1e684ecdf3a37c14 |
memory/2928-2576-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 11:43
Reported
2024-04-03 11:46
Platform
win10v2004-20240226-en
Max time kernel
162s
Max time network
157s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (79) files with added filename extension
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
| N/A | N/A | C:\ProgramData\HkAQogYk\HIgkEkcU.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HIgkEkcU.exe = "C:\\ProgramData\\HkAQogYk\\HIgkEkcU.exe" | C:\ProgramData\HkAQogYk\HIgkEkcU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foQkUccc.exe = "C:\\Users\\Admin\\DyYIUwYA\\foQkUccc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HIgkEkcU.exe = "C:\\ProgramData\\HkAQogYk\\HIgkEkcU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foQkUccc.exe = "C:\\Users\\Admin\\DyYIUwYA\\foQkUccc.exe" | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DyYIUwYA\foQkUccc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe"
C:\Users\Admin\DyYIUwYA\foQkUccc.exe
"C:\Users\Admin\DyYIUwYA\foQkUccc.exe"
C:\ProgramData\HkAQogYk\HIgkEkcU.exe
"C:\ProgramData\HkAQogYk\HIgkEkcU.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koMcEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugAIsoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiUEMwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEMMIQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWQAQogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCkQEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Weowwwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmEsYoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsoQIcoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIMgkgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeUQQgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWcIEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XoAgUMME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGYMUowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAoUwMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewgQoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgwEcAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEccEYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWgscwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaAckAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqsMUMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JigoYgwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOYYcQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGsswQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYUgIswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOYUIgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkMQYgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAYAQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeAgwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEscQsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tygQQgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TskccIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jokQUoEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEkAMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKccIkYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkUEAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOkMwMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcIowMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGkkUsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCkscsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkQMIowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAEAkMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diMEYEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYgQMYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeUEcMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UesAUMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqEIMMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyksEQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgAQYYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv mhMZqsZCu0+bXjztmnJRyQ.0.2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUoogQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeEEoosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUwksAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmoIMMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqccUAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOYcMAUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmUoIgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naokMYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMokMkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deggUMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUcwwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKIosksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUgYAwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuUoYkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYUokQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCwoIwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQUwYswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWEkgkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYEQIows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewcEUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYgUsoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUEAskEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baYwIcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWoYsMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYEcooIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksoIwggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSIQEkMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkskgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCEcMAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEkwkQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyAcwUwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcYwAwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMgcUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcQsokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCcUEMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyMoUgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmQsIAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCIUMUYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMIwcEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgAogQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieoIMgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOQQAgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEgccYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqcYcYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgcsAUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUMgwAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuoQEcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWYkwkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOgEwMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiooAYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgIwEMsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCMoIQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuwUUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| NL | 216.58.208.110:80 | google.com | tcp |
| NL | 216.58.208.110:80 | google.com | tcp |
| US | 8.8.8.8:53 | 110.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/1040-0-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\DyYIUwYA\foQkUccc.exe
| MD5 | c899b7e19f7bd94f4da25366869630e7 |
| SHA1 | f9edbbe97e9cb02c34ad0563112b7ed00f8aba60 |
| SHA256 | 354414cd170e1ebc267e00dab4a1ece294f02d2e2687e171b83547297b14553e |
| SHA512 | 5948a6b13aa9fd969f4eb8af50ee301844935aad83fb78a11a14d199c9b64ab5cb3297b7b40bcc405b8976acae54ba55ea38286259e6a56036ce83433322449a |
memory/3360-6-0x0000000000400000-0x000000000042F000-memory.dmp
C:\ProgramData\HkAQogYk\HIgkEkcU.exe
| MD5 | e351bca8df21a31a6f2462ac0f00d878 |
| SHA1 | 832eedfbb3c1f56eb3ad9f4d0acc5a1ff567b05e |
| SHA256 | 2e314716e1b5daf17409c9248712ffffa3794e0f722f4f8cc91a95eae0b59ced |
| SHA512 | f430303a0b7841e342dc5cd57df4e39d5231825900eb34c19d7d707f1bec56b6a9508b6cef75c9aa6ddaf641ec09059425f975ec4df4801b906282903819efa0 |
memory/4848-15-0x0000000000400000-0x0000000000431000-memory.dmp
memory/1040-19-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4908-21-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\koMcEgMQ.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_d6e0ac2dad377548df7a1bc100552f83_virlock
| MD5 | 5f6870e505406f5a8e8fa594b6d5bafb |
| SHA1 | 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb |
| SHA256 | f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a |
| SHA512 | b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf |
memory/912-30-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4908-33-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/2316-41-0x0000000000400000-0x000000000043B000-memory.dmp
memory/912-44-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3932-52-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2316-56-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3932-68-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1672-80-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1552-91-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4232-92-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4840-101-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4232-105-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3816-114-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4840-118-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3008-129-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3816-130-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3008-141-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2996-151-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4896-155-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2996-166-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3012-177-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2192-178-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2192-189-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2708-190-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1624-203-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2708-204-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1624-215-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1676-223-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4472-227-0x0000000000400000-0x000000000043B000-memory.dmp
C:\ProgramData\HkAQogYk\HIgkEkcU.inf
| MD5 | 4f4820453a250531e498b74f904cda6c |
| SHA1 | 363d9616e2fa6b4702279168e08d714413319592 |
| SHA256 | cdea11886c9ebad6beb8a3854a06b68709c8db83b0a4ef7a8d8acbdfcd58727f |
| SHA512 | d2617d7b0bfc856d1fb60fd38faf0cf024e5fd19436f7c02e4a5be085bfdd3cd854bf54dc6289cd309d08bd5b99834ca959a294f477fc40c56eaad91715e0b19 |
memory/1676-241-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3980-254-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4656-251-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4860-264-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4656-265-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4860-274-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2924-276-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1920-282-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2924-285-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1920-293-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1128-301-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1712-311-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4416-312-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4416-320-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3736-321-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3736-330-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4104-333-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4104-340-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3448-342-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3448-349-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1688-352-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1688-360-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2072-361-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2072-369-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1828-378-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4308-379-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4308-388-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2056-389-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2056-397-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3892-398-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3892-407-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4680-409-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4680-417-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1744-422-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4884-426-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1744-435-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4256-436-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4256-445-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4416-446-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4416-454-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1300-464-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1128-463-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1128-473-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2636-474-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2636-482-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2216-492-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4880-493-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2216-501-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4916-502-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4916-510-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4232-517-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4796-521-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4232-529-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4832-538-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3448-547-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3032-548-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3032-556-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2208-557-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KkIw.exe
| MD5 | c92d54c05fe7257f352ca40fa71357d7 |
| SHA1 | 76d28a1f5afb1dadaea8dda9a23354d661bebcf7 |
| SHA256 | 5f95396e7988141d95c8f471d724317babe71bfe8da669739737a8569f867ea4 |
| SHA512 | e60ed9dad72e9d37b5cd65549d72c02462c4f06a0c830a363062b0a69d2990f9f9f3391b410e6dd94a2d1beff9f4eb5c5ca10b0213e24dd1013fa4d7ca297de1 |
memory/2208-582-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1408-590-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4916-592-0x0000000000400000-0x000000000043B000-memory.dmp
memory/64-601-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4916-602-0x0000000000400000-0x000000000043B000-memory.dmp
memory/64-610-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4264-611-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4680-620-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4264-619-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3924-627-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4680-631-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3924-639-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2184-647-0x0000000000400000-0x000000000043B000-memory.dmp
memory/4364-657-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1496-665-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1380-666-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1380-674-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3600-676-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3600-685-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3540-686-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3540-696-0x0000000000400000-0x000000000043B000-memory.dmp
memory/2340-695-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gkIM.exe
| MD5 | d5d96c54df33ced05c138884a5bed642 |
| SHA1 | a2e6e2db5f47baccc84735c2e06622c8e9e07295 |
| SHA256 | 03cbeca3cd22bd54f87ebedd1522b613abc709ff5cdcca7bb2031524d78662c2 |
| SHA512 | 255f04c250d18228fc667fc7fa74fa031be7fb8803f86d1fb465349a0d6d8ed8ff5cec2c46d6fd60a29d253f74df817011502bb9c3b14ba0aa9d266bb05a1e41 |
memory/2340-720-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1056-735-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1500-745-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fkgi.exe
| MD5 | c48639a8dcf43aa980b2721bbda6559e |
| SHA1 | 88e0a8d846f43630e04b2cf05d9f6c196bcc600c |
| SHA256 | 73b90826008817c79da6db87b8e37af8761c199c8f746f528f13e23ea035e720 |
| SHA512 | e89d4a7d21f4a5f09ce1aa16bc79dc199e330324b9f11838f08555faf348c522d9cbd42ee7ebab044c0157b3053b11899c654fc258f1ce72e8acb7bee70b6f13 |
C:\Users\Admin\AppData\Local\Temp\DQAa.exe
| MD5 | 125b1ddfefc1338d6985f6bfffc176de |
| SHA1 | 44f91d182e6458ea40a4efbee7b0773f4994a191 |
| SHA256 | 7b3e4dc6cb1d95606033c0b3313d76d6da0cd538152fee440c86859863f0c946 |
| SHA512 | 01a171dd717bea617e5353fbece67a72bf303cd2724dc1de763317e9e4353999764909aafe12321c2fc822729b568e2268248f803c62ed078a5164b81255ec9c |
C:\Users\Admin\AppData\Local\Temp\XMAa.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\bUgC.exe
| MD5 | b01eb8db637885b05ab5c66d1a52638f |
| SHA1 | 031b54cec4b5f478908a3c61580656761b580cd7 |
| SHA256 | f83f72b912062c99d2a6300a18fee4974938f37454557c7f1ac57339fe6d92ed |
| SHA512 | a68f324185799fcd6e1d50191002ac2e434a57803d264b7bf890d74f209e80cf60c624f4b1abeb2f5c78db0ae3000080d1a683d7e706a7881e01e1dbb874a9fc |
memory/1248-782-0x0000000000400000-0x000000000043B000-memory.dmp
memory/1056-783-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JgYG.exe
| MD5 | 6f08fd0a1f32bc92692ac0d6e315ebab |
| SHA1 | d16cb72e143f8722a527c3491013df587a09eaf1 |
| SHA256 | 373b4faed5a55a332f66af33dd4925b416b068e8d6432b4e7c9b43a3149ee3a9 |
| SHA512 | bfda8849994acd623b30936d00e46b5f60b85f8ae87c50a268e9e192853293b9b85ed1edb4d6ac912ea9aa97b56af479a11f3321417ae82676914a2f66c93bb1 |
C:\Users\Admin\AppData\Local\Temp\Qgwe.exe
| MD5 | 64ace508c1519456ce658721fc74055d |
| SHA1 | f620dc31bb4ef439234fcdde7241b2143872e5b1 |
| SHA256 | e740ca9ac7a117149ed531c45c4a93d83c2adc0b7fa78e1f2a28cca6272dd94d |
| SHA512 | 59c88eb391dd3a3c7e30fc347b4938351d52effee8d55fc20c5d3ef640fb4ad05c1785d1cade99b1a3c7cb185c97d745bae7297de76ac0ad2b304bf5bd3ff9b1 |
C:\Users\Admin\AppData\Local\Temp\Vwsw.exe
| MD5 | 4be738ff34889099640c94b9f6befaa4 |
| SHA1 | ac8318bc0a638d190f2f73fb173b5ae2ded07033 |
| SHA256 | ee89b9ac40749641b25e8620b38c28b63b9c393a4eff86a5215730ea5aa63db2 |
| SHA512 | 14684167cc6b92a348c222e62c539ca7be1c8f2926cfa594fb48b45f68c3cbf78a942057a76bb77c009d545393003885e98afc5ee6c2535ff50e5ed60237f1ca |
memory/1248-835-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ikUC.exe
| MD5 | 86e35daf73e344fbe342fe408deef873 |
| SHA1 | cad682de34ead459cf465d961d7e839888e699c5 |
| SHA256 | d9bec6a75011329de395732221f6d409c2aa8edbd6ea04f6acfb41a7e8795863 |
| SHA512 | c300adf98266d4b0a310cb390b0460808a864d7cee1a7ad69626f1e432a6595d18ce234958ae1b4a9c7d0bc3c6580ded934c3b2e36259d631bbe28a9133ece91 |
memory/1104-865-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aQwq.exe
| MD5 | e2d9799401fefacdf9f5f5538f71efa7 |
| SHA1 | 56ff3a41ebcc1ea474db807f833971096df4932b |
| SHA256 | 8a2166e4e76daf8ee4365a524a4fbdac0e52970d984c9f8b2d939ebad32ca52f |
| SHA512 | f9ab6dcefa6e0feb22311c824515fcbd7d4bddfd2712ae0cfc1684248ff8931fb48015d3c31bec0c015bcfa53345870f0c4da321712980d95be4b762ac687149 |
C:\Users\Admin\AppData\Local\Temp\fsYO.exe
| MD5 | 039412469f1bcff1a4103ddc42512a86 |
| SHA1 | ebe24e0bfb52eb54d6d55611b3f3ddbd22e21ed3 |
| SHA256 | 26ed2c47db3225b2194283eeb940fad3d67672877b558cb41bd2f79d8fd496a5 |
| SHA512 | 5f8fb1c0c87a206222affaa86edb387f059eae42bd4ab3ff6e06b6b791255127944da6e73e15089ce0d877418e990a9b674ac12959a8539871d907b2d0ce748c |
memory/1104-888-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AAMQ.exe
| MD5 | 728f5304cf6e15be4b68d59b0aee5950 |
| SHA1 | 8e60a1aaa330528ec7edd7379d56c0138d45c105 |
| SHA256 | 856c32d0a016a50117c17d5e0f690edfd2eab42e42f42a92d40c484f526d36a2 |
| SHA512 | 7efbc942ec33153d0ebe6cc1ec29e976670dde62dd285dd355d02a73170ce715902707c237ef2b482f35bdc0f9d8f088e967fd056b8502fd86b746abab9b125b |
memory/2184-905-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XMQO.exe
| MD5 | a10346b5e2bb8ac1c667711f775b891b |
| SHA1 | 45f3566ac39c7f5423f7b10d9dbb7389bee5002b |
| SHA256 | a47fafb8a8e56c607a129d30fa27e398c730cd3b44617b164c2496d4051d7aa8 |
| SHA512 | c0927ba623bbb690f8e8632e480d05bd4343efb3605c6ec847138399ac4b99aaf7cfc169d7865edeceac07a3a6c0339b9751458ee4bec5883b86c962781206e9 |
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe
| MD5 | 538f01aa1aa759bce0127e587c8ebb54 |
| SHA1 | e9ecdb1958cab65262223f78900a4317536f12c3 |
| SHA256 | 931904d98b55db2c5ace7a9557200a5a580fcdc5db74bdc89202d4d14c12fc98 |
| SHA512 | 19385835323d5ddb1d2ffa48236a7b798fe5739b33fa3b070c5a60e5c0e79c35d923f4b526d7e714f23f7292fa6cf94d4473dca425504bed7c4fb2714c221f94 |
C:\Users\Admin\AppData\Local\Temp\tkIO.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\Tcka.exe
| MD5 | 89819ad15ed31bd53abdc48397e1c8d7 |
| SHA1 | dd02b31f74e045d108e0bdc48cbf5600b9f26507 |
| SHA256 | 24262807821a573ca7c25c89a9efd6f1433461f21cb60f845b0be62ea3bcb87d |
| SHA512 | b9e6cc6075ec651129f8c9e09c31f79d93332f91fa5fcf58cf4985a82ce7e1fe7ab3032d34f18e38e8c2f84612f4fab125c2621464eb85418d66b5d631a86de6 |
memory/2184-954-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eQYy.exe
| MD5 | 28028558daa6870517e4ab31982ca3c6 |
| SHA1 | fdafbb783f8e2f3e982caaea9df7207c3e30a308 |
| SHA256 | 3ef9b9f089cb69764b1062af163fdeea2a334954d6570da1f6a0ac736d7037cf |
| SHA512 | e5a35d0e5e2cef30b3c4d2741e0b6bb8b0c0cd2255eca6d8badf5d9d1759bccd76bfa9b02a074982c14a132931c538bbb2aa10fa8a49e76eef1d9247dbb26761 |
C:\Users\Admin\AppData\Local\Temp\IcIk.exe
| MD5 | 1290f2b62fe2935a561413a921c7bc96 |
| SHA1 | 6ad6252a4af779091d962c5e70c9fc5b4b3e88b0 |
| SHA256 | 717b6ec5035ecc1e72f9871a41d1ec081d4bf5f5c24056e3c5f5b8adad0d96eb |
| SHA512 | 8248b71c56bae81e82b511e2e3fe456aba96292364f18334958f5de4eea7e792d62ae7a0f4a892ed504e77c35d9756dc73f5b6e8c69204f2c48569d1a089de1f |
memory/2516-972-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AMAw.exe
| MD5 | d7adc823d514e16aff866e34df1ef3e1 |
| SHA1 | f1f147cee5355de54b315b7b5832af1c174e458b |
| SHA256 | 2846572042dc8c7b64dfa149219bc7e26a8acdeec74bfa17a6af2d621e04656f |
| SHA512 | cb0a10329f7a49a4ed67e473fbacb15e0fbc65c498523915433037dec94da74493d82797db692a9fd0624220269fef2ab53f4831e7c616c581fb2254366281e9 |
C:\Users\Admin\AppData\Local\Temp\JocI.exe
| MD5 | 2f2630e0d50f22a0e2a01f2688d72c67 |
| SHA1 | f6ac926b63d5b39fef78d6c25e926473fa666726 |
| SHA256 | d37b2dfa890b2aac880778455273712c33ea1096f65500da12f032a94034f979 |
| SHA512 | a65b9d16721c5738774cb03973910d93783c40e0c773ed0360fc39fb44461bedd1463a9465332a5321b2321952e5237d6ca306ad83fcd74004b2c9b11a842e2c |
memory/2516-1022-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PckY.exe
| MD5 | 37d92cad35cdc7d6163df6f463f87066 |
| SHA1 | e1787578da10a4faeb8f8f1844de2429b96a52ed |
| SHA256 | fa92b8ce6df91f4f589f2d351bf7092e387763c4c114c707244ae12bf097257b |
| SHA512 | c13e6cb3684ccd0559d69df5244cdba9825fa3fa1fb6fb72472bb5d22ac650d4e5a1dcd3528c7d4e1b84ee7eb1f033d8bc750b0ca760e0d88d9f545a3a0bc123 |
C:\Users\Admin\AppData\Local\Temp\YUks.exe
| MD5 | 8bf39e7284e172c0fa2715e4617203b1 |
| SHA1 | 5aa9cc0a842ba06182520cabc34eb13d30278dcf |
| SHA256 | 1cf737cda6751b8ec71b41a55bd1418e846a9c03cd1ee9d55ab88df81164ff09 |
| SHA512 | 1bfe848e3a71005fbd01cbf40c8a3cce3c36b667dd3d34eb4874d7f37ac50679a5107638f1a08c5342c1cd3615f3a5809d1a816020a7c1ef9a4510120000ca1b |
memory/3296-1051-0x0000000000400000-0x000000000043B000-memory.dmp
memory/3296-1061-0x0000000000400000-0x000000000043B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uEEO.exe
| MD5 | 255fcbdfbf27f85919c9018960ef69aa |
| SHA1 | 7e2a84803a8ba02f60539c66297ec52a28530c9d |
| SHA256 | f84c6a70f0fb1fc8af9475e982dca32805c93bef22adab3763fd02833d60fc3c |
| SHA512 | e48eb3c6852a459bed149d0dfe6d6e477d6d9d96e16ef039337cc034e90f08e1ade8d924517edc57b622a755eed72b7b839025006a94073733efbe0fdf63d1fb |
C:\Users\Admin\AppData\Local\Temp\dEgA.exe
| MD5 | a0b3c9eb227359c6b29f7f0a04671764 |
| SHA1 | dcdf745d2c6e344ecd19f175f8c95c27bedc64a6 |
| SHA256 | 4df50d68928ea377ac13e305efbbaa98d2e7cb0233d544e79eeb23ba2e47ebc4 |
| SHA512 | 4e5648523f547cb2bd8d2b99e10efbcff29cde8bdfc529dd22e7f1931b115da1bea5400efc330a5a93ea1c1235a5b2ff5927c098e933b8e1ee30459479811c0d |
C:\Users\Admin\AppData\Local\Temp\EEgI.exe
| MD5 | 51af8f9690c46553b714ac3211fab122 |
| SHA1 | ecf2c714e9bed64bd086ca5918ace7e6f7b0ccbf |
| SHA256 | 5bb2487549ebfcd95e8df3b8d05b035f35d98f9f4f959c463af7f99de9b462ca |
| SHA512 | a245f377f77c3d292fba8e0fd66756141c8dec5b16321f6a165af57ffd99c1185d6640053c53c4d7afb50a15d006493fe43bdc166888b3bb5b3b11b42b1b5bbb |
C:\Users\Admin\AppData\Local\Temp\AEYE.exe
| MD5 | ea8458c59e8ae1ff7877ae4fe2adc8dd |
| SHA1 | 4286eafa0b48089d43ebd36e7cbbf068d364877a |
| SHA256 | b6c53a80735c02b9c4d454a578d21b1f7f50261a6950d3a4d1be8d090970c394 |
| SHA512 | 362f88e4f32f8ad4e25a7d1627f9c726214d12cf7401b1d9406e8d42cb3683dd051da2d228e21c52a313baa8892b262fe21ecc6ab192eefd5d854826bcd733a7 |
C:\Users\Admin\AppData\Local\Temp\woUg.exe
| MD5 | 6ced7d1c6d3fe4d40bd5557a17dcf3c3 |
| SHA1 | 5418f953e1c24b5ee5306e382c186ce000ccd9e3 |
| SHA256 | 7e423de275d46f74198deff904c66a7337cc104c70ac3bef42931bb7df077816 |
| SHA512 | a93840fb158d1e985490c23ca448912d3bfa0bbf761cb1909fe2190251365776ca000e4edbc93b1131fd1269600b40c33c56d0fccedbfed850379b03b46fc39c |
C:\Users\Admin\AppData\Local\Temp\BEoK.exe
| MD5 | 82eaa9b875a79e1366b11be21b578803 |
| SHA1 | 258c1c15542a0180685cda35225ad022d4688216 |
| SHA256 | 69bf55519e90fa9c6ac07e6353174aa9d84fb7245f0dbba417260ede7c77e004 |
| SHA512 | afccbe33cc9f30f0d2f61ba04ea357d9e17a198a00075b39c43fe2b8c08179dca63d01ad3bc23446ecf45690d61274c5ef1eef161c5777d5fa02f7a28444e159 |
C:\Users\Admin\AppData\Local\Temp\Igwm.exe
| MD5 | 32bd45c85932567232e78d80056e9cd2 |
| SHA1 | 1a84b0256e41d11e50c56a03a1fc25d84ac79464 |
| SHA256 | 669359b67ba81c62a70fe32667c38757f6b30aa54b26ffe67d7af756047e2ee0 |
| SHA512 | 2c0230613c4123f1fef7137a80cf45d6b55ed7b5f6bb8906530ab28d63edfd042dfc0eb08c31b96b0dd50037f7981071f68015c73759b7c85824d8f57e03fc2a |
C:\Users\Admin\AppData\Local\Temp\bkQa.exe
| MD5 | bd222cb1c11868d43ac8900b7b17445b |
| SHA1 | 98f514aceea37ede9a105e4a7add08a15500a5a0 |
| SHA256 | 415f1c64f294cc09404cfe139d3e6aa5cc1422b5fce1ce637f453734dc396a27 |
| SHA512 | 349883af2107d0df6204e24804a1da009cd4717cf6c1a9029dfc5ff50e7ca58f17cbb4fa13d262af84f25d8c6d388ec50f8237a4bf822d2a1f5e78facdfd00a5 |
C:\Users\Admin\AppData\Local\Temp\JUYw.exe
| MD5 | a4b2e1bdef892a69fa2f0ed9f9ed370e |
| SHA1 | 32b56520ea09944330c4bf09424183ed052ab4c4 |
| SHA256 | b1857342ccbfe9805ad82dc2022aa325c2b44d82273a7e9a48f5b42f9e17da49 |
| SHA512 | 60073881cd91006976fe3373e4ab3e79d6c24fc98a1f1864d11de94f6ed4a7db4713d1e23df6f5a4f7529ceadbe7be11907e79787aa7743f330820651cf90c4d |
C:\Users\Admin\AppData\Local\Temp\IUMS.exe
| MD5 | 99220b410792f087e5b63d5724817369 |
| SHA1 | 02d242a1aed16378a713f322d1211d5c09864d0b |
| SHA256 | 900612efa0de24b1a5f6a9834fd0d2764d23db0999f78707a91b66064ad54dcb |
| SHA512 | 576d3ff3ef4c62bc4c191d796ee097ae25f17adb853dcf1f8bfa9966aa730c6bdc8e6a0a94f0384ba94133bd2cdd993031acab7c082fca9640c8d93807cbfc7c |
C:\Users\Admin\AppData\Local\Temp\sAsY.exe
| MD5 | 0586e6d993e78eb12b5edf2a9f54a458 |
| SHA1 | 696170c34c5c83e8ff12a7d92f796db1dcecfc10 |
| SHA256 | 3306e60f8eddbf1ab6b55bad2f98568984deec9d84f23bd0e48f07869cde2e06 |
| SHA512 | fb8b68b6763eae7b665ad76b8ee4754f24f470c678b8ffa9974087a07d90cd19abc2579e18e2b96ea33e121d1b99c1e51c20bb6878fcaf068029f3c11f9a0114 |
C:\Users\Admin\AppData\Local\Temp\fYwy.exe
| MD5 | 6006f6b9ad32f2a50a62c0f5e39c1d8a |
| SHA1 | 6b161b99cd05eb00981220b4e9051f70b1a77f81 |
| SHA256 | fb1bc494a9d63ca8a200cd193287f2b702aeaf4fc496020471e8f1a4f582f9b0 |
| SHA512 | 14e766c2a579196e001ee802b18bd76b01d605ee9ae6d602d5ced9c07f8ab0eca5297278b13e1ed6b20f617a31187c2547cd34ec9d04bad93097b9f0ff30f853 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe
| MD5 | 8e695e783e75c3be6fd76c09999ef398 |
| SHA1 | 5ac072465b7bde3a587235436feae3d1004c1edc |
| SHA256 | e70ec4d0601334099769c90ca9b2a920ac283c718417b2f559bb0330e0e7532c |
| SHA512 | e85eb972e57d9d3dbdac167f1da307a4151d7b8750ca5ffafd4a4f3e09e17b075a74322a58fcef94c2202552287406c7ed3d48d442d1c4829e29eb758b7fa9f5 |
C:\Users\Admin\AppData\Local\Temp\ZIwI.exe
| MD5 | fab8a68115ef23b34028c14ed357339d |
| SHA1 | d77550ac97c1ac63bd062398666c3a429e65a515 |
| SHA256 | 7046c68f8fbaccce39e733519d932112eb93e06447cedd547760a80e2278813b |
| SHA512 | 6681ed0de4603105a0e0996c37b3ce34c680c29e6f6b57654a9b3ffec86c2249206db361a88a6b4dab12f4896a2acb226200c63b782a26e06de12344d05bafea |
C:\Users\Admin\AppData\Local\Temp\tQEs.exe
| MD5 | 2afbb9202e7901035060d14ec02b27f5 |
| SHA1 | 59dad92b102b4c9baa2abca7e7aeefefe1cee62a |
| SHA256 | 903a8726aab42fd09de345f8aa953638f92bac18f51c104550f835337ac7b995 |
| SHA512 | bc0aa9f1d2866a449f791a96c7f39fc21370105d2ca72178b2aa46271989d26b8808654ad1085dc1658d724b88e7cf3b73d2908708033e42187dd8df2f548531 |
C:\Users\Admin\AppData\Local\Temp\xQYS.exe
| MD5 | 7c5bdb7248addb14e59c296b5adc9c51 |
| SHA1 | b1c800830b5d0f0005bbc439d88fa4011731e583 |
| SHA256 | 70cdccdfa2ea47fcddfd21441b491636f776d04fbe9e90734b9eded8f6f67849 |
| SHA512 | 918101787ecfbb5aa0103bbc52466888d914e735d8bb3b98c6db0852944471eccf30133148a5be705a98aa1228378fdf1bdc0a63b5e54c005e9bddff50b0b1d2 |
C:\Users\Admin\AppData\Local\Temp\CAge.exe
| MD5 | 3fe5e8a08df706eadd55cd3a5afbb7b8 |
| SHA1 | 907e0130f1dbf88e66c93a26f207966be6c7661c |
| SHA256 | 1df6eea1137181c0c984b2b0399e89d131b70c71ca02d93f88184ff8f7fa5171 |
| SHA512 | c4e9fb9030fe922debe8250a50c694821e772332e3fe19b216d3a87329a1ed8305609e9623868c0434bf33d538ac6c660201b3a7435fb437e0f3317e9ebad2e1 |
C:\Users\Admin\AppData\Local\Temp\xQIu.exe
| MD5 | 41db8163fff3e53a9c25bd6a6e134d39 |
| SHA1 | de3677f31c9117750777031057437c3e2fad6ccb |
| SHA256 | f3a3ca90150e0b3b35214a54be80e286c13b2e618c8df8e8432c67146e1b241b |
| SHA512 | 18a0be11feafeed99060699938b27a00efcb7149b9e0fc71a81d33b1e9ddf8304001bc233e50a86ae78e8fe66eebeed59ee53aa3f26dec2b5dc750cf8050fa18 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
| MD5 | ee708548dcb82c5e47785a108aa3b4a3 |
| SHA1 | 9644476f3528a368d70b592b46c51d91ca844faf |
| SHA256 | ae9e624e80f3d92b2b67361aa914f735eaaeb618cd6da418bdabfc7268e5b9ae |
| SHA512 | 1d3f6f766c43e250daf5d2316b4498077de8e70aaadbbd5e0402702ed028e6bde7dea5e3fca25eb92b0d9da484a0965187ab2dcf4152bd2a2d78f452c44d93a6 |
C:\Users\Admin\AppData\Local\Temp\UQIO.exe
| MD5 | f5d7893eac70f77de333376f6611454b |
| SHA1 | 51412c34a69d4a9cc9bd30e6a76e115b8c0f7679 |
| SHA256 | 50935b5e5e13b67f020a00e6162e387ac0ecf52a3235e24581f25371d17464a7 |
| SHA512 | b0158a2531f0c7b7b8f68a55927f3351684079edfc439aa3d3f5ead0b9268eb27d903abc4a9650a30c4560b0bf64d27570bbeb370b96c939d45bccc3faedac29 |
C:\Users\Admin\AppData\Local\Temp\joIw.exe
| MD5 | 62adf320605665e0b623ca831f020c41 |
| SHA1 | 58b2752b09610b67f43833f1a18ae112cc361ff5 |
| SHA256 | b4dda4790f3959b64d647ba83531a19834ade3fc30cfa693d55556e5aa4eea80 |
| SHA512 | 38301bcf0a26eb5edef3c3ee7fcc655e183272c161afed06b9b42b1567b70bd464e60f47d1dd79e4ab2b330ff0da4c6214deb3eda4b1810c755c87bf48f31d0c |
C:\Users\Admin\AppData\Local\Temp\Vgoe.exe
| MD5 | 2fd00dd79c48463b9b635b5c95b1d462 |
| SHA1 | b5b65aee0b0f85521e00be337bc23d8bb6ea5c4b |
| SHA256 | 13e91df7f85fba88d207169c389b6f52fe3b0b99fb4c1c7f62202952bb2a7dc1 |
| SHA512 | 6cbb661d41eee36511205bea5807e73af717a7a70f6c65a48fdf7095b467676de8d77f771d094c752c7f2dbcb70d3810b46e318a6f11391ed297d95d91c6000f |
C:\Users\Admin\AppData\Local\Temp\tQUU.exe
| MD5 | 51f706f701d0fa00fe176d5802931108 |
| SHA1 | 5070d568d57b24d70b934263f978252fda3cb40b |
| SHA256 | b89168c1b08eb9df3ab1c40e8908bd4b8c404d5596790cc61d183f23a4a5f86d |
| SHA512 | 87b979a1fd51cba6a6012f230d61a59a27e431cddff64142ab074b8a7ea0e209daf8af0c8567c29db4ff27af29dc0f22f2808927d9010af48e474db51c267e69 |
C:\Users\Admin\AppData\Local\Temp\xYkq.exe
| MD5 | 51192e9aeda79f70935a4e72b7177f48 |
| SHA1 | dbe1b31d670224ce97fc0003ca0cc5d04ca9765f |
| SHA256 | c95f905047914d19cb6d62902a6bb665ba725e5961fcad49ce737d9b1f6e6649 |
| SHA512 | 77943f8e21d9329cea9a74406bb1c98b7c16ec33850eab955be9809d81000b3fe8fb9530ecabb94190f7534840e6b65213a69e1837a4b287d3d167f326407d35 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe
| MD5 | 0c1e2cd86eeda2c95d31f8e18c217c3a |
| SHA1 | 1253bcb99763976943065b39926d8c20391d71f7 |
| SHA256 | 233fc27ab2300747f5ca385e7709eb006535a720f58f3e211751a169a1bd1f0d |
| SHA512 | aa17a393acf297de3ba32736a040aab238b5c036bdabac498112c8ae327e89a4279dd102e9f560e4114bf0c53d49178be03e3f5536c2af77d6cffea75104d90c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe
| MD5 | c0eaf7d4113fb1f64324907d5918b72b |
| SHA1 | 3453aa26525e521663653870d6f06f40697bb5da |
| SHA256 | 3b29c25a17f1ecc318895cbeaff6787e5a53a866e4a341fa84351ac81bfae021 |
| SHA512 | c58b254da6d14d7bd0c1ade3ee458b93dada0b95f6ac518c7b6651f4b146082b2fb55cd41036ff4a2a2c1b3ace99b837a0f1fe06c7b4303c40a8f57370a65b68 |
C:\Users\Admin\AppData\Local\Temp\ZkUe.exe
| MD5 | 6d51661beb716afaa8620ee33c11123b |
| SHA1 | 867e78998b3d1402e5d5abb3d5e309b2098c78ca |
| SHA256 | 35406b1745b2cc449acfd3b3d1c58ea02addb0b1836d3c51445b704df5389201 |
| SHA512 | f699404eb15f009b2266ea21dff8ca3225d8dfe72492653b59b019746e2d1bf3d9964a9b9aa9e04b65bd90cefd76e02b51eb4559ca63a2606c5b57cb5c18b9e4 |
C:\Users\Admin\AppData\Local\Temp\agso.exe
| MD5 | ed315fb7ecf18fb5bfc9ab63b8477753 |
| SHA1 | 0fbfaba9d7d09eae710ced07e6c8a99af8011c3e |
| SHA256 | 55669d98797d9e4a6325d7c9a82bd15f964e7ff311513696207db2aec6faa424 |
| SHA512 | e24144f0d909e22ea1acc4cdf7de3d7cddf2c1a50aa108de9ea0df6f5c14fd1135e112c23e89e1b897dd82c59ebde9246c5f53f094db54770dfed3ee19608c5f |
C:\Users\Admin\AppData\Local\Temp\XYcM.exe
| MD5 | a875b97c6f85bb9aadb400cdb804d0a6 |
| SHA1 | c1e86e5c1d6f16813b988132c00c03d44ccc2769 |
| SHA256 | b9c6ba455a2dac6f0298bb8cf5c607575f7a0feaf3c4deda5cd8e4d25ee45573 |
| SHA512 | 2ce63fa2c1236a6dfb03cc7b2dd1c1bdf7e8c1c4ad01444f4a3c90d2c0c5f98012edd717d0e78f6d292434a910106f03e32a11626aa39febb2a3ac40f5772725 |
C:\Users\Admin\AppData\Local\Temp\CUQu.exe
| MD5 | b4f9e861814df4bd069a4e6a7197ac4c |
| SHA1 | 49f9cd56ddc2dfd6f9e158e6b8774039db331152 |
| SHA256 | b1517fda599dd163224b488b7e42c9effb15a0c8973a813fb7ab3ce39c7787b0 |
| SHA512 | 3346d624b0c55db1be31a82d8a647e0ec602af3287b006139f176862314bc45857a26ad41876bc3617ff1838718af98c316b4efc60a540fca4346f5e7dff94f3 |
C:\Users\Admin\AppData\Local\Temp\MEAE.exe
| MD5 | 11368d31799d994b8b5f2bea706c9968 |
| SHA1 | 533db0d18500ee07bfe178fbe98fbde043f85e1a |
| SHA256 | d4e0209a7ea824b8fc8af3cf1a9335aec3881f38d0a9f847428cea99a07838da |
| SHA512 | 479f9a5306c8317b9ec53fff93110d22c20425fa78bbe89ea9035ce7b108ceb99e28ddf7be3b6fc081faebb85309d982edc264883007b0b8e849bb5955783e3a |
C:\Users\Admin\AppData\Local\Temp\eUki.exe
| MD5 | 44d39c66b8012c64451444b6e77f803a |
| SHA1 | eee194c2d74494a3e4b77ae6117b5dbb8fbd766a |
| SHA256 | 5b7873ebb7a98691e9855d25f84781c835591f57dbf41ea53638c43a5aece37c |
| SHA512 | 3b6348c299e0878894b7401eac8ba371f71aa7704d666a1c507ed6dc00539e3e3cf017b55d2606b937a7f33786214439c21a32f6a03f58fd471fa5879a47da08 |
C:\Users\Admin\AppData\Local\Temp\moIk.exe
| MD5 | b86566892656b0e13622e092b0744a86 |
| SHA1 | 1e51c0daf30201c0c7eab61d2298d4b7280abf5c |
| SHA256 | 8646c06207874cd53993771ffce17bd72d75e1e25c1b10f5c2b2dfb89adcda6a |
| SHA512 | 3efae7354090f00b0e58ea44df5ecd34a4fc8b1aa73df4339d9e538d65b50de5e462a4490384984e9d3a96a0bdccffb7f6f6274c78b385dd2f8356cef7a99171 |
C:\Users\Admin\AppData\Local\Temp\yIou.exe
| MD5 | e045abd74e1e00069fd379ca0180aeac |
| SHA1 | 2efa1dfa3fd01f9f9d5ec83a16ee8b28ff979f4b |
| SHA256 | 9be3cba70c0185d393c3489d77eac5682513ce83a8ff6604af59709f1ca368f3 |
| SHA512 | f24eecff060df5e56ec97676493461aacc9d40c9fffc03b52e22fa1f3346ac3e029398e1d0e8f4944639988a90a988f59e40fc155b20f4c5a54ff03dd9da9186 |
C:\Users\Admin\AppData\Local\Temp\yAgY.exe
| MD5 | 38b426bcfaa0ccc3e03bfa4882c1069f |
| SHA1 | 6320991e56c03a6fa5061933d680492cd2bfc6ed |
| SHA256 | 108a50dc8ad599aac58d086575e33d974f9ca80b0f4c70893ce0bfb7c6d024a5 |
| SHA512 | c4b26b7de5f15ab2836bc970cb247943733651367ebc9aa0a61cf3339cc7543a43074e60704ff4e921749c521107fb6543c06fed8e8e2d1c701d40cfd3072d67 |
C:\Users\Admin\AppData\Local\Temp\LEow.exe
| MD5 | 63088827005e6fefe7ad2cc38b87bc3e |
| SHA1 | 2f5917d1cb860df28fa30246e77f66fb25d8c712 |
| SHA256 | cad553be26237b4318e6d3442b59ad0fd7af689ca32007310af3e14ad21f54ee |
| SHA512 | b2a3c896ab4374a30efab29a23b3a4235f609d33d1a81a6a62d0018d43616e3dd371405182c8c94ad181d6f79d0a27c9988243506279cbcd859b8428125d6c7e |
C:\Users\Admin\AppData\Local\Temp\yYUW.exe
| MD5 | e284c73ae051b75652132f19e81e2578 |
| SHA1 | 10f196e2425ce93db9df5ea8a6ad43d52ed2d097 |
| SHA256 | 9d1ed2d0b51492dcebe28437d819746515bbf6c4e244580faaa06ad6bae72c69 |
| SHA512 | 2a01dee3d6ab509b7c88c7d69ad8f274f66d053afa0b48baa8d34c4b76dc65ffeb3cb94b3a0620f944958e9947ed34095f2f4ec22032a47e8b82bbbd813da839 |
C:\Users\Admin\AppData\Local\Temp\Rssm.exe
| MD5 | fa3017f33401cae1d339e4f818a3d815 |
| SHA1 | 4dcbb3202392b05ff6d4ef6193b48a210754ac47 |
| SHA256 | c7ecc52e9b5c72575e17dd7c2c9cd12336d5c4a5f978236af473b8c488c7f2a8 |
| SHA512 | 1251f47bce80fb6a5720892549396337619b9c25128875715f0821278591c0089b2bb802973ff44a9553f4ed6f7766ca1c7d044f8a9a79ed704d508e77a06ea1 |
C:\Users\Admin\AppData\Local\Temp\CEsK.exe
| MD5 | 22dae3152accadc493498859a699496b |
| SHA1 | 93f80ff5e7e64372d09faa180117153c0dba9dd8 |
| SHA256 | eaf56a08df20cd64a7626865e8d08c1772979f8cb4d520c47b192521c87cbdfb |
| SHA512 | cb6343fa2b34f377fc8fa4aed595a94e994543cdb57d6c3d55dd747fef20f2623e4a7d5b69aa827558488aa74a811bd6e99e34facf2e94a7cd200e87b2891739 |
C:\Users\Admin\AppData\Local\Temp\AUYe.exe
| MD5 | fa3ff2f4d20f54cb03fd0f2c9a2933cb |
| SHA1 | fb8c4f713a8bcbf4246ed1a03ef5beb5d2897918 |
| SHA256 | c5d4f1b6f812b4e1e99f11e2b7f738feaa4dbec2c92989ca9470b7af4c1449bc |
| SHA512 | 0e47324a9935976b652e8e58b4e0a97b1a5e7ed1c3ce4f06208eb49b41c1cfa02981451210d6d44d90d47c217f49defdb6428eba8030e57d6692e812c92e6da8 |
C:\Users\Admin\AppData\Local\Temp\PoAE.exe
| MD5 | 7c1470b4e39a468a53023c87c2152d29 |
| SHA1 | ab283836aabc90c85e01f9fd001d232ce1ea1e50 |
| SHA256 | 3a1366a3f730eac58d7160b3f54f3a5d67b1021995a161a1f71e4ad029022ab3 |
| SHA512 | f8613fcbd7774334af1a705ef9846717d0d7b7695ca963153e61f9c489d06be754545e77a225536a480e872bfd131a990cb7baf89b8d882f3fa0d011eb89d1d1 |
C:\Users\Admin\AppData\Local\Temp\wQwk.exe
| MD5 | 3fb6b7c4bad98484a3dc1d834807a743 |
| SHA1 | c548c9a25364ccd3dc547e94e4f7352016e5ad81 |
| SHA256 | 030217cbf2fa54e49654314b83c54d9af68a9568e17fc2b303600fb9d1711249 |
| SHA512 | 0c87dbb5172fb1ce855d7c263034b059d9502a3ea0a887bd78297905a9c0aa0fd6e56d8aeff38d41391e37aad56ae5297b75e82322fdc4c2199080e39f31dfd2 |
C:\Users\Admin\AppData\Local\Temp\VYIu.exe
| MD5 | 63a1fecc947ea060f034460ce1761ef0 |
| SHA1 | f93e3d39ba9080bf9993b7e5e19947795933701e |
| SHA256 | 0910cf912c4c3f292051d184af70d532fa9908096f9c631d87569a0328f00779 |
| SHA512 | 242b902e3fad8fc7f3d193920389ccd86d94da23df20b228ad7522316e865911af716ecbe2e378651ffb40228447e0faa89aacbc8b3f9c8ca1364ddae7bbb13e |
C:\Users\Admin\AppData\Local\Temp\skAK.exe
| MD5 | 1af90f2d118317a9df1c0c2d41f2d488 |
| SHA1 | 1a39ba6dd288cf117a3a4fe0f716a6dea3d03c52 |
| SHA256 | c0cbcb7f1131778b185153edf7cf3d52455c129322381575ce1899b07e8d8dc5 |
| SHA512 | c251ece54e1274b1a7d880fb28203d4fd19a92903ba5e715952851c9784b86896d33a9e23cd5983b3eb8f5c64eda5100d9af4efa2a2025fa9716f756a6f086aa |
C:\Users\Admin\AppData\Local\Temp\wEEM.exe
| MD5 | 3ba2a89988554c52af09bd892530c3c9 |
| SHA1 | 700b4eee560ebdafd401d479d5c59c8dca201aa5 |
| SHA256 | a24a0cbff2976a75bb394b39034073cfb644b138ddd9a997561086f4b7fb253f |
| SHA512 | ad60a0245b068dfe569f09c929c6d414203396fadd0d849b5df6dbacb815ed9740d9b6dde5de2944ea9d64b53cc14490fa975ba69e4619565138230a057d72ae |
C:\Users\Admin\AppData\Local\Temp\rMku.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\xYQE.exe
| MD5 | 6784312f2755bfc627654501c2f3124f |
| SHA1 | 0f850bb78fc17805cc5f9fc7a589d592ec963cd0 |
| SHA256 | 8ea2cc28e0b9423abf79c382c84b75f1546e54a4898b9df4863f95dc6be01278 |
| SHA512 | 3d237febc492ee24bf411e9711719a3c89812b24ccd5f3e207695d7a43520a3308554a4b06e50beaa3a8eccc94b85472df9927be3adc3fcc3442d11ccef30f50 |
C:\Users\Admin\AppData\Local\Temp\IgQu.exe
| MD5 | 853014e61b39919fdb745519aa8ce516 |
| SHA1 | e9c7b5e784977d8e6a6a08283c64cfc469642950 |
| SHA256 | 1c8f81ec3bf0ecff3cce00a123609f0ef24357ae69e5736b72c07fa9d555aa88 |
| SHA512 | f59337984eddfd5bd588721d0425497aa529128aa7c0e938c3b0a5af6cfc22a632ee3d34438eac66d0e59958bf64c69875e3f454586b192efcd8cef0772824a7 |
C:\Users\Admin\AppData\Local\Temp\CsAo.exe
| MD5 | 7bffe5f679118b975c413fba814226e3 |
| SHA1 | 94a54f30fa5e6bcb8a3383bfff9a69885093c13b |
| SHA256 | 3b16bf492a50f3b1296ee18320fcf0f37d24ccc48b70c24722ac3a008f3432da |
| SHA512 | 67d17adc8a9c546fe4224923d2b5a97c00aaf94107f5a43dbe5677dad79a9a4d4aef04016ff08c19341fb9782d47a4aad368cd13a60ea788c2e39aab96cd0cf9 |
C:\Users\Admin\AppData\Local\Temp\osUU.exe
| MD5 | e256882fde48a050d37b8afb4cf155b8 |
| SHA1 | 455c0a1483268b6d625f99b9e134ac05a48500b6 |
| SHA256 | afe8d389a256075519d63c5b42819b1fdbae1e297d34c14e96596152a394549f |
| SHA512 | daf300d4a41c0c7882a35f3c52a6b2fe2e94475deb35196388e08475c90478fa74f398c33bbdb2e1f8f1604211ab532985ce61154722cb237a13caaae2f58f7d |
C:\Users\Admin\AppData\Local\Temp\EwUW.exe
| MD5 | e69d22fea1a3363a8347de1c610c0185 |
| SHA1 | 9bb8ce0086ab44e9a13baa8b5e74210c0bfa6fcb |
| SHA256 | c7248be8d02c8c8e671006b23835eb7ade536b84963d9e1e07e24e46ce8e8be1 |
| SHA512 | 00b251dcf5b68b53dd2ea17e95a12b3c6f041fad07a392a1bef6f86cd402ddd729ced7e2318481718125f0006e794fe7dc318e73b81b330680af06b7e75a50b7 |
C:\Users\Admin\AppData\Local\Temp\rEse.exe
| MD5 | 3f1fb10a6fcbafac6a8251406df1da24 |
| SHA1 | d6438bfc446e1cf8d3def12c2a30958e0a6deda7 |
| SHA256 | 0f850acfbfb86bc9821f0931bada1d1e830ea82354d420b0475450f8b263a658 |
| SHA512 | cc39af01049608225db2732bf5adea3c1ef5a0f70d3536c1cbcd44e50ed4153cf402388cdba24645b62c5dfb4d3288b92a881d48bf0d846c43f5e7caaca1ffaf |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | 816ea173c7773eafbe5ba65dd6941c9b |
| SHA1 | 380da07b5cc0cdcb42d61f66e470122a6044e081 |
| SHA256 | b5b2160e96945cb963c989e622ce409cfead7ed0eccbc9d71c79c354b3908c46 |
| SHA512 | 7da9ded4a67346c1d80db1a98ae1dfcff8cbff1c80bd92260a24efddfa68d29b7fd39bcea0f598108cf204c4fa3d9aaddd1df981e503b5d473d8a04c03b075c8 |
C:\Users\Admin\AppData\Local\Temp\JcEs.exe
| MD5 | efb4261dc0527b364e49391cc42ba8b8 |
| SHA1 | 4f844c416d9bdd053a686f2a1cd918102f5f9fd1 |
| SHA256 | cc7c90381ea0edf4cd3899bd5f32b9f76a02367da89e10c081e7de87d74f9750 |
| SHA512 | ad049be0fad7cacb25a806e8875960992c615cdae092b51f9ec7498ca9ec9c9660bca10b5ed29982b5babfb9a8495dbf5c8d6a98cc91a3a206711f0661af63c6 |
C:\Users\Admin\AppData\Local\Temp\OIkQ.exe
| MD5 | 6790e1dc633be9f9ebad6032307ccd9f |
| SHA1 | 39e8de6acaffb1a2b6095cb8f23b4d4fee052d12 |
| SHA256 | bbd6589a7c57532d8c9da405e0a1f94d15801bcfe068809a82ca128095dff35a |
| SHA512 | 50b5484c46c0115dcb96e9a291dd1a62c12a2d93d44d3af5028e551c5b7cdb3f9f4c860c214521bd223b11f560df140d213f818f0d3deb9998ac1c5a1dd27bf9 |
C:\Users\Admin\AppData\Local\Temp\DcMK.exe
| MD5 | 93414d5bf62c487480b8e4218e451a18 |
| SHA1 | d4201b4fe040a70fcc58fcd556fcfafe54acc164 |
| SHA256 | 945297a75b7d8ae550aa8a5f14df485e9b89fb113b5a15a362a6abc8822d792f |
| SHA512 | ba0ad42882d07ff58ce7c0b6db286b1ce0f74887400d8e57ca356f386017a115d606afd236718506a7c406dca70b390b67f75c0a8e84c2163bd87f167b0723e5 |
C:\Users\Admin\AppData\Local\Temp\QkMS.exe
| MD5 | df293b00ed58597840ea01def8fbf99c |
| SHA1 | 940ac50bd1a969409bec7e231cce8b465c659f1a |
| SHA256 | 8e7a76c67d957d6e265880937cecb6b198cda2c0b361e7579d611d1f5657bef2 |
| SHA512 | d745b640efc6aed950509130808f24b95a0b4004c2c397ab31f4f220e780625932afbdafbc43de8e4b8e86662e757b8851e4867bf263cfd5c35e4084d5b5b00e |
C:\Users\Admin\AppData\Local\Temp\LcMG.exe
| MD5 | 1c454dd4a0883957eedf49bd9fa7cccf |
| SHA1 | f1669ca0e1633d159439f933d4cb78af4e7dcaf7 |
| SHA256 | e2ca31ca31520927db10fc4382afa46a6e310662356c7f45c59f84de97bc134f |
| SHA512 | 8bf1017d3607c85bacc49328fc8791686fa02440f35ab29ed88f04cba3d271e0a3beb1145588d6b6271f354ac76943421b534859137d7d0e9f1f9fdf3305c21a |
C:\Users\Admin\AppData\Local\Temp\dAYM.exe
| MD5 | 16a7adbe1fe42c5692a5d6ba7fbddbc5 |
| SHA1 | 914b3c16d21d32928f2ce1a9a837f09529d0d566 |
| SHA256 | 947e99b194c9215e84ef58e626e450012481a557d675ffd0fb1fd96e92bb92c6 |
| SHA512 | 39b32a7690928c8e307157ac461ad8aaf8033d38ad0a69733a8e8da7828ef9b41f896328460d63e957156634e66c4f730571cdd54f174d62a5ee518c59499b00 |
C:\Users\Admin\AppData\Local\Temp\CUcO.exe
| MD5 | 3e48c1293997cb33abd6a90ee7fff287 |
| SHA1 | 472a42c8725b27ab25348712ef98008c28969f8f |
| SHA256 | 4fb20e910925463f66a877bcb83e803d3d9ad5937be570e1df8de2b9858e25d8 |
| SHA512 | a7e83c3eef8946d24b8ac9d063cd0b10e4c4c141f787a3d7c490ab0d6c27eab16f7eb4d59f292bcc8298809f524b82925d5f537e991fb4b28b678f0e2d5328e2 |
C:\Users\Admin\AppData\Local\Temp\CEws.exe
| MD5 | a5404b8676c18606c064cb60435149d3 |
| SHA1 | d12f06cf5ce778fdcbe7f560cef2a4cc707eaeb0 |
| SHA256 | 5059368eedf2ad7b16e12105bb20203c30810302a9283466c37f71b4c704e74f |
| SHA512 | 8dec90819652ca766dd954f58c7dcbebc95f85c657a9c005dbe857f032bbc9393e9a941cad5dfb8db6a11c0cd847ce86c8a6920108a26f4cf76de1a0a7b952d7 |
C:\Users\Admin\AppData\Local\Temp\gcAE.exe
| MD5 | 99bcbc46f5913804b1209719f7a52b37 |
| SHA1 | c5296f7fa4e96bf2cd21b55a0e28df925a252e56 |
| SHA256 | 77bef45b3c1d5ee6641344e8b80272ef46f719b44b4b69ea9b3ea016ad006ac9 |
| SHA512 | 0e9286729b3ba5e7ca5b76c09aa460601d54b0b4936980fb1e1336970549272eadc8d8a4f8f0b6ea84036bc9ef2dd9eff195b3b60f8bd465c467bc383c182bc3 |
C:\Users\Admin\AppData\Local\Temp\Bwwy.exe
| MD5 | 82a7ed108e9f994e36174a764bdb3670 |
| SHA1 | 749b464daad9af36f3879a65d35e1b7df41d0b3e |
| SHA256 | 6967fba6806934f7c475087644a7c4f9ed9f23405a7e9f4688bd7b8eba0ee1b4 |
| SHA512 | 72fb38a85f12e2711e319db70ea3ad1bad58a4e063ae42ef01457e88ac7b6cbb1ce81091803557de51bb4bbe922c29069cb8b5c3ffa8e34e132056d0bde7a749 |
C:\Users\Admin\AppData\Local\Temp\SoMK.exe
| MD5 | 3e3336faff2924740cca466b372a4411 |
| SHA1 | 3c234989faed404784ec8ce31d87d0ba469ad488 |
| SHA256 | 53a075745ea236d23c74c8e86c18383f9f9a9f45b92a6cd212b22e076d8871c5 |
| SHA512 | 27c2ecd402f82b49e4a9cab5778ec4423e9339366bce2e29fccc6c6db68dd3bc5b161a771afb2204783bacd9f8980714673a38da18a1ae2b8d2da8f83d7d2600 |
C:\Users\Admin\AppData\Local\Temp\CcQq.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
C:\Users\Admin\AppData\Local\Temp\ZMYM.exe
| MD5 | 27bff923bcac3ab05d2332c02da34e75 |
| SHA1 | 81f2f72642302e069f09b34addc55cb4af3aa297 |
| SHA256 | 05b93be1b0398aa59232dc5284c1eff584448ef9f905733a855a3d8db5484cae |
| SHA512 | 6b8ab94ea5b225d82a99a3730e5b683c8897ea6635bd0f7af007806de6c437cef02d7e9efec8722202f1d48fdb5da353f43f9f5735064a2cfc2ddf538b475ee7 |
C:\Users\Admin\AppData\Local\Temp\fUcC.exe
| MD5 | 938c5bb6d6d92f04684baec8419aad82 |
| SHA1 | ed0f43fcad41d84ad28cec635a05bbe61306fea5 |
| SHA256 | 024f938968109e9326704380fca23bd8e7aad86a38804f8dfdb86a0353e7e02e |
| SHA512 | c6e6737bcfd2b30f6c36f8f659bcfae3e46c96e9bd83ec88c85812bcc6f10773be615b6d81fd9aa60d2d51ffd0a3cdfd988080d548955bed1e01e569d8e51165 |
C:\Users\Admin\AppData\Local\Temp\RgAC.exe
| MD5 | 199c351763d125f099d92766c5809750 |
| SHA1 | 0cb0748b1f17e3f0e6fadac138d5a3a4e71eea7e |
| SHA256 | bc200efa31640923df8729e418a623bb67f7f99c4af5e5a14369666674eb7633 |
| SHA512 | 2eb3cb544667f7e90bac71015aeffab273f54085ae82d4ea1ee35ce6e6bd34875d4d8fa82d90d943a1fc4b064d9de22c42e7b13147413b0adcb20c2016fb1d5d |
C:\Users\Admin\AppData\Local\Temp\IwAA.exe
| MD5 | 030d86d37f2cf3e2cf925bcd1633ebed |
| SHA1 | a9fe48540bd92b8fcd783ee9287bb5ad93642cdb |
| SHA256 | 22bb5601b674595b8055c77383184f9ad3b01a95cf11f2f05cd0de9e47c562c4 |
| SHA512 | f0e3575bc62bcbcd504937c2923bd020299d4aeb397a582caa2713df41ec213f2737d2a55ff9a7d425f3b6033abf3280314b730a72226c9a2a475b12780aa821 |
C:\Users\Admin\AppData\Local\Temp\EwQC.exe
| MD5 | 7ccc7d410107eaeae99872826fcfab24 |
| SHA1 | a7674b9578f883be8a0f2039fd44a4bf7da11ead |
| SHA256 | 82df1ff9003f9a2a33f7210c5e68e73ecf9f3c4733a89bf41d2fcb319c120f56 |
| SHA512 | 02631f1c9f3df44317eb507ecfb3581c71616f212faa5bb8ace27bc10c1bb8073b850266bb164fdc390a6f36d0db99cd64a9de10b208136ec77cc9da3985ea4c |
C:\Users\Admin\AppData\Local\Temp\WQsE.exe
| MD5 | 77a473902c225a6c2d9e51959f88c584 |
| SHA1 | a610f896918e3bd94f49abc276305d58e78435f3 |
| SHA256 | aac04f67e35e914184a798947f5f8ac5ff41213e9a4e15f54311cc75a93bfd48 |
| SHA512 | f9ce648590c8c269a95b851f5ce6b094c958d7bc4ca652d6d2b45110c2a7451b614377e11ebf016a760fe000546e7f810d1320073860fc6d7816be2def4d151c |
C:\Users\Admin\AppData\Local\Temp\EcEe.exe
| MD5 | 8d7650ffd22fdd0e5e13b4bb76d76385 |
| SHA1 | 79ee815fd4e25832bd7432bf08ddf14fac27a5cd |
| SHA256 | e26d11affa4ea6db527bcb4270a0db03d341616f93127f82817b62d5d8865242 |
| SHA512 | c459f36e75426da3502849420d5c5ed2b7506ad72810f71ed7538c72314e5cbec27b8924b0492a0c45c7877b14428ef8bc0106c25426e65bb0f2a8f050866161 |
C:\Users\Admin\Downloads\EditProtect.bmp.exe
| MD5 | d32b72fd2b30e54244036b5728bc6d5f |
| SHA1 | eb18ac6c60985fa018a2a3f48dcd687f1bea1d36 |
| SHA256 | 076b7ef6088327f43e6c51939b594fc9cd190d8d642c819441976f96c49e20f1 |
| SHA512 | a521c91b11006f0ec662e9b108d192f5b3e06ddebc2d23b417c0bb562e7ce1298c5a616fda70cd09c18f450242a5abfd10f7a52f2c83cfe5bcfbc106a1dced9b |
C:\Users\Admin\Downloads\EnterSend.xls.exe
| MD5 | c1a17959e84015245ad5e72a0ddf302f |
| SHA1 | ca7e5450c143bd0f425331de353d1a4f378ead4a |
| SHA256 | 46f0e72e02223996eec4399428a55d721a6dbaaf80cde0009e37465d6d37ad48 |
| SHA512 | a7de4628b5a67e899fbaa82004d59ed2db92cbcbbb21fce59c515307182a30c35dc9a7d728cd0846681eb7b0f2126fc81a398a2c6cf2ce09b604598d6b3993bf |
C:\Users\Admin\AppData\Local\Temp\ZUsw.exe
| MD5 | d6c2fdd764a1dd30f751e134ad397fda |
| SHA1 | 19b932c14212c2677ab9c8a5eb6c22ce9fa4d2a7 |
| SHA256 | 688d1d396a54d3fcd3dbd604075c68f8340ecf7e603dcb5bec0113d2e50c0f6c |
| SHA512 | f613702cbdfdf2ee69e2294ae6a6a0648d7db35b65eb2e2028435fe6e1cd996309c2bb24c1e16b7bc09036fa272c5928375c6023b726f159a7b6831c191920ac |
C:\Users\Admin\Pictures\ConvertToPush.png.exe
| MD5 | 5941773fc9a6d75beb85f638a98707a3 |
| SHA1 | 694b42f91cd231355d5e16d22833e1d37183264f |
| SHA256 | 4ad1a3d660b9f7980f3b12958aa575ca0bf9c9f645620fe0df8e485b5495173e |
| SHA512 | 96b02978c44b07277b379c618e44b8ebc738b5e7cc7a319df58a897a7ac59a8cdbb9d2f744319b3dea4450a2da160dcb81a9db6b7e36e53e87fa5d8c8ba3d118 |
C:\Users\Admin\AppData\Local\Temp\lggs.exe
| MD5 | 85f9a586005e23a21c1e68cbcc712552 |
| SHA1 | c2913b722389f30b9173bd8c9628c113a31659b6 |
| SHA256 | 3d3d799f734372387af6f2f34b6f6ce44a2e2c2e911eb463fd10b054b8776c44 |
| SHA512 | e6ba6cc9331bd160fbf21136c77de7dcb7238c6502c78caae67af32e926e854d4422ef440aa7d86b29c94bc850fa72a506322be369e9ab099c968b6298062a26 |
C:\Users\Admin\AppData\Local\Temp\gQYS.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\hAIg.exe
| MD5 | f4d55c986f5e80ad2758b0c405268933 |
| SHA1 | 09ada049a55f867547c33ae2fb6ab1945deaca5b |
| SHA256 | 1db72545d8a7dff0d782759eb23185ceb77c561d664eb21c3f3ca168bdbca62f |
| SHA512 | 30eee79470487cc73f3c56f088abb3fec652305c0790b989222d85522530d9b0a8539df5907a84d3bd8d00bcd13d113aca4ffb220ac5c2558dafa56b8e04eb5a |
C:\Users\Admin\Pictures\JoinSend.png.exe
| MD5 | 5d097edb5f0a92f345aede36bc5da810 |
| SHA1 | 0ba592450ee5cb848ccadcf7d704fd44064910f5 |
| SHA256 | 314d4060f7c7be0d8b94199cc032430560e9dccdd141a2643f396eee5376d476 |
| SHA512 | 661102f7e0dc90cee3467c42abb83faa59262ba033301aa579a6317438dec17ec3cf11ea6fb49eca07de6ebdcc07ca3065bd82b0324c6d3711fad614273114fb |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | eff924f5395b3d36e80691595bb95245 |
| SHA1 | b8a0e9e48602a9378df27b2763f1e56c4b11ce8b |
| SHA256 | 41be46c78e6b183d680d0a24d9395e287038dafa0777a96b97a0597199d6219e |
| SHA512 | b4189a85fac1df97e02c6671cea1e67de4f1fa3516210a5aa20d4375f2add990f8757f9df01c869205d5262f8837ca71270fd71c6b5cef4dd39193bb0928db96 |
C:\Users\Admin\Pictures\SyncStep.gif.exe
| MD5 | c5f93b3737498198a6e2b41c33ddc5e5 |
| SHA1 | 015fa012e2b4628cde61c5c22ff89eccda1df13c |
| SHA256 | 8238012eecf44a04cbdae4b3406253fd0342e2d4882fda820407ce153dd83062 |
| SHA512 | c4523926293f626e6144ae05a9856e32594944f4e0b860aee3bde21a6e96856a12c30f43fc07a2e54df9b4bf3409279670802af560575715659b80e2d9299619 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 1bb41a04a4de8779bcc8def044a74e19 |
| SHA1 | ac7a4951aa5f45eadd3cca77eef5de9119522956 |
| SHA256 | dced877c1eed4749ee29caa3bf0f987d48c46c8485e2386f6150a1f006adf063 |
| SHA512 | a4384bd913f97f3f84884e4865712fa75658f627c0639b4cc059a270991fcc5ecb7ba57b80c5928f225b486d5a409ff356b3d6c4279a29f22b84dfad979faab8 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | e6c4cba51ba1ef5fe6ad815a52cc5bef |
| SHA1 | 6ac1c3d5c7a0646dcded1293d8f5c95ba7101aae |
| SHA256 | 352ed4bee08314046ee74c6c7cb7d15796d98c8c025ef2dbab889cc0a822cdc0 |
| SHA512 | 45e9d19c8877a8de4ee3c52475df8d6ddec4f0c372f6671292525861acc07067fbde758ed09f99c368bb64af4ce635b9d5a89429c6e191290787267eb5043db8 |
C:\Users\Admin\AppData\Local\Temp\qckk.exe
| MD5 | 0acde208bb5044386110e243b147ccf9 |
| SHA1 | a56bb5fc166d8505285bee5de1276ca40ec9ca52 |
| SHA256 | 88aec4a7b22273139ba9cc1b8ee851eabc4bc65fdbb4a0c4b9f04a460dc94697 |
| SHA512 | ee885398ed5b80515cef7e914a84d0a922f8d96daf646395f5d344e8fdc81204a2d2f9abfa158fd9784e7aa39c9eb45b43cd2474b3ad4d1572bc30ee432dd7b4 |
C:\Users\Admin\AppData\Local\Temp\jIAM.exe
| MD5 | 4388e1507366747de205af40eed36397 |
| SHA1 | 548b80eb2bdd217993c871d0a6a7a52491ad48a2 |
| SHA256 | 9b98d19be5171f6a4b8626d6ee3e6d97c963712ff3e7a60138a34ec455cff686 |
| SHA512 | 66e3ac796d941bd714c78fe8587fac10f036b61373dbd735e9a1ec84dba38bb3ec28218b5a3da676ab16a8371485016b7bfb1f220dfd494923bb5935bf8da227 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 6c494b029866de253e26dc4990d804da |
| SHA1 | a74f69bb01a2b8476e182a1fa5dcc388f4b7ec29 |
| SHA256 | 29a97b0bd34ac9d9053ea5f182d954c2c8bb2927bf2b7dbd6e18e3bee051b8c7 |
| SHA512 | 939f36dd317b93fae5502254d853710c2a6a591f16022366d571101be643148d10009b390379bbab896c0b396b8e79dc2546d569d8d272e9d530c056714c3075 |
C:\Users\Admin\AppData\Local\Temp\uIYs.exe
| MD5 | b2235d6732409fed88d390f380828449 |
| SHA1 | e3c05d0c916aa8a9efbe7810239376d9397f618f |
| SHA256 | 4a29e89e79775aed2e7363ca0457307405ff19d2b30e56165393679ccb7602ee |
| SHA512 | c6409205676a8b82770a0fa5fd41dbbd1c604113436cb7d5e6c65baa484888a03e720f0e20c61c3059343a3e72e1b709e28b9372e0337a3547db9b5126101232 |