Analysis Overview
SHA256
019ba77eb3cfe5913c47625dcc9618b4c04f085fc1a0f9e2c68cdc5ef1a569f6
Threat Level: Known bad
The file 2024-04-03_9a09071140d404e8fad58688d42d888a_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (77) files with added filename extension
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 18:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 18:46
Reported
2024-04-03 18:49
Platform
win7-20231129-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe | N/A |
| N/A | N/A | C:\ProgramData\raYskYow\jEgwUQkA.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\suYIIMok.exe = "C:\\ProgramData\\dKsEgkks\\suYIIMok.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wOgUUkoY.exe = "C:\\Users\\Admin\\RwYoUMIo\\wOgUUkoY.exe" | C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jEgwUQkA.exe = "C:\\ProgramData\\raYskYow\\jEgwUQkA.exe" | C:\ProgramData\raYskYow\jEgwUQkA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\QmYkMAUk.exe = "C:\\Users\\Admin\\wwkAEgoU\\QmYkMAUk.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\dKsEgkks\suYIIMok.exe |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"
C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe
"C:\Users\Admin\RwYoUMIo\wOgUUkoY.exe"
C:\ProgramData\raYskYow\jEgwUQkA.exe
"C:\ProgramData\raYskYow\jEgwUQkA.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CksUUUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AukAkgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XSMokIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAookkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOoEsIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zOQMcoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqcYwowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UUoYYMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCUQgMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySkIkgEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSgIkMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUYsQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zecQIIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUIkYAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIIMEAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKYsoMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GyUssMIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cyssMEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe
"C:\Users\Admin\wwkAEgoU\QmYkMAUk.exe"
C:\ProgramData\dKsEgkks\suYIIMok.exe
"C:\ProgramData\dKsEgkks\suYIIMok.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 36
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGYosQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 36
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUIwQIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYcQEAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lygoUoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyoAMAww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hOYkwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MgQIIooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wacAUEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cogAkAQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\skkIgswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwcAsMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSYgYwQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgEokMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-270828653-3433920889451377532045526450-3726448042395989062138636734-668945241"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xkAMMowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-275480136-6284876341336537968-13684575-15478983651341227007606191268-144242530"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOIgckIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1667511033661321299455517472138870033686169734856209561599891277-1681998621"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3762587961688163917-16562530701152411132-328952369-726515368-895286630413830774"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkIMMEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUAAQEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSokUEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeogQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "389707233-1709991136-1895280635-902981937-1256161847-274129642-601398146-435960426"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fgksQkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEkMMsgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "34776989-2019594162-1823067977-1365323659217136561624773293-155028210-1671521995"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\biYAAkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCIcgsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AqsEgkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "333680948-703840974-5993028311158654142189465476620538832542086432908-464828824"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMockwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-793974375-517968169-191132726-95437802-1345152671-172093706-11420105001917363527"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1940081043212481157716334464511153932461-1460633014-572373680-776085410-90765768"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEwIQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140378559-476509192-1235499057-1593932687-1451344907-31426164-17461575551152102760"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18072336971551736898294010735-66488820117021050291214712972-2036266837-1352399130"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGEgowks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqMMwoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14856328291043985263-1510694893-35204432356543903173359700-1291283744-652789759"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ToMIoIQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIYsoIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgwIIEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZeYsAQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGcMoMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10334128191098605962-17049070211029025704-266793456918989737-6520075071224469070"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkEkwwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "175108959961351537-1078222692-5666535422058909979-17470887571403184646-534311351"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIQwYsoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1044721534-1295297519-135467219957287083418584922581892698002-13025081081093207283"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\icQgkIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1546925832-17409640961798430634-1035442880-1762397523751421021-18190628551781113770"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAAowAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\feYEYoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5421114721760929396-199079370115838130499704241331550742282-7124792441353040615"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1923626958968404054-1557823914-1460407726-156400806-94927004-1869717165-714764886"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkggIkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqooowAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OoYYwUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "839469612983808470-89842458518143955921180669341313289167-1647787370-617546614"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWIQcYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "46269973820022983711647792208897545278-206618721339149131-13416122952118659680"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWwgQUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIIgwgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BygYgYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "53612972129005235536388761717939749411012779146-1200020240-150655432-2034310830"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1560817602-1748394187-1973404953-2110323467873087158-78372553119716041-1098897421"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15427051142128635650-21180225061230546611-1581807624993613545-673926684601700171"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKYAkEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1685691737-418220560-10991424778219081326081145069088172131143542513-1351464208"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUwwAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1607083376-952820408-14100637131630527910-481463504-4640023521998582451515170804"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XCMAUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcEMsUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SMYAsgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 142.250.200.46:80 | google.com | tcp |
| GB | 142.250.200.46:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2168-0-0x0000000000400000-0x00000000004B4000-memory.dmp
\Users\Admin\RwYoUMIo\wOgUUkoY.exe
| MD5 | cbc28a6f51c26bcdc45396d92f944224 |
| SHA1 | 44e83c267f5883d3f7daa1906634d45c319ca268 |
| SHA256 | 455a5e66dceb45a2c6e6b13caf6c740cbcbad2afb1a38d8bdac2cf2c818a13db |
| SHA512 | 31cd398faabe719b06caebd28ebeb238474311ea7894d34539b0804de67a1aefe9b6654e73f3cc88f79b4e581f22ed6c5dc49f4999df2f9c82a8d053d3a66e7c |
memory/2168-4-0x00000000003E0000-0x00000000003FD000-memory.dmp
memory/2908-31-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2168-30-0x00000000003E0000-0x00000000003FD000-memory.dmp
memory/1812-29-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mGEwIoYk.bat
| MD5 | eea9284b0795b53f73667ee5c98156bd |
| SHA1 | d24fa96f86b96c3c14bff7984c7ca9e5b575cf5e |
| SHA256 | 28bc60a7837b53aaf411bf4d06b33b70c3ac5183d01c03ff29e47f67e078ff15 |
| SHA512 | 9073f1014c1a2e63f8b4a5ef4b58b6403573a25ee13b604c2cd32f41a73ff760e8e408ea04dccdd53e9d48a3b824f95f37ac447a8814c96707e21c001553b243 |
memory/2168-19-0x00000000003E0000-0x00000000003FD000-memory.dmp
C:\ProgramData\raYskYow\jEgwUQkA.exe
| MD5 | e20343612eb5a5c56d1bf32991a8d22d |
| SHA1 | 3b4191c0f40b0afcc5bd6ad8b907e674e968330e |
| SHA256 | 1f8c255c5901bbb5e589d1c197aa3050b32adcebbeca4420dc001ef7c2b8390b |
| SHA512 | ed14a4ebed3e0805b289970055c7f085e5daca2ff63e6619541befb0ff3aad8fa1a3fe1e75f0adbe5931fdcab5785cf6ff97a95455481b61bf28f493c1d876aa |
memory/2564-33-0x0000000000160000-0x0000000000214000-memory.dmp
memory/2564-34-0x0000000000160000-0x0000000000214000-memory.dmp
memory/2676-35-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CksUUUUI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2168-43-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
| MD5 | f2271fe569c058dc724d9b9e53811e31 |
| SHA1 | ea276fc14127875413ac387f017bd2291a987f4b |
| SHA256 | bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6 |
| SHA512 | c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d |
C:\Users\Admin\AppData\Local\Temp\SGYwgAcI.bat
| MD5 | 19d17a2217b72ae37cb5eaca7de08afd |
| SHA1 | 5557425b353260fa6fdd4f206ecd85b57a5daeed |
| SHA256 | d59b1b2b8b05bb9b4cb822f219716e5257ab1832eddfefcdb9d32aad8cb2795c |
| SHA512 | f9507f83079199e70002fbe9328307bdf2ece6a3b03a9d7ea16ad3e8138765021375db0f0595662a289c22fd25ec5c7073f303424ac297a665364cf83e406d39 |
memory/2960-56-0x0000000002390000-0x0000000002444000-memory.dmp
memory/892-57-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2676-66-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CYUkQQUU.bat
| MD5 | d874dd7ec720ee0c246cff973557e639 |
| SHA1 | e63e9ea3460d848fa88d9bae4f53ef66a12148bf |
| SHA256 | 5c9de8e5725f07302415aa9ef0ab926911d0d9c1b65434f61a241a3c938eb0f9 |
| SHA512 | 12a0f76fbf4652dc47ba300e0f04c6576c983be901633c1ac4276ae7376240df45ff1239d7219aa74128977527e5be95067862078a641efed326b83a1f39e998 |
memory/892-88-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1420-79-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RWssIUow.bat
| MD5 | a1bd9d6cc3431533165dc9f1c5319ed5 |
| SHA1 | bbd69bec093510e89976dd58f07d548ca0e52864 |
| SHA256 | 518ef555ddd94be263cbf70f1a477b4f1cf0915c9122321229cf5a08d8d72689 |
| SHA512 | e5d1cf927b113183214f67f616b0dc4255795ac6ac0eb7621de19b38d0220a422f011bee7a2e471d397753a51e18562371d1bc6d695891f4e0943990f8f8a2cf |
memory/2236-101-0x00000000001B0000-0x0000000000264000-memory.dmp
memory/1420-111-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1804-102-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NqMMMYEI.bat
| MD5 | 549c33aea87107e95df9050ffc216ba1 |
| SHA1 | a743131100e23cb92d4ac88d7044d65aa159666f |
| SHA256 | 3247bee2e7a78a408234dd091bc0bcac3d968885550aeab2896bfa34985cc3d9 |
| SHA512 | 415cdd9f2dd0d85c7f51006f7aa60718b98e4f7ba4600f2a6d93264fd2bbf691513966f62474dbf0b21a1b132ed0ac2092e874ac94ac88a0e3de34f6964b7530 |
memory/1164-124-0x0000000002340000-0x00000000023F4000-memory.dmp
memory/1528-126-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1804-134-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tWEwEYcw.bat
| MD5 | 5b8eb1492bdfb4377c97937d421f6a1b |
| SHA1 | 032075d45af9973e8cca8a0c6bcaeb70c1fc1d8e |
| SHA256 | 99cda6acd5c784f3017041123843d18fdbf4f79d7bb3bb635e6283a2b68d14ba |
| SHA512 | 1205152759956139e6ac194a802a49f0fc888b9a5d0c1556faf09a4ba17846527e5df2e81caa7c2f1549972933b99cf28f90e7b409453cccf87a2ef91bf5e344 |
memory/2356-147-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1528-157-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/880-149-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\POUkEEUc.bat
| MD5 | 57c9c6dbbdce3ca967c0952a46e40b11 |
| SHA1 | df029db49fc7d5b03365c41403f3734e95aa7686 |
| SHA256 | 828ced1b2b9102932ad066439d744a94d1eb10a8af1b20b311538c6c18ef2294 |
| SHA512 | be09a4c7cb598dace1efb835672cec7813a8b8af301f317c91ea978ec54f2f33291be632fa1d2e8e60719bda13a578d9e23cfb2543d5e97398811f8a0ba72e3b |
memory/2712-170-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/880-179-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AyEcsEMw.bat
| MD5 | 07e7b50041775d7d177a5f47654e855b |
| SHA1 | 4ef2700e8e33fa1fb69ca5891d9a9a0988bfb2d5 |
| SHA256 | a067eb6263c0484f62b9a82a413892c90ec358ed89aa315e501da75959a8476f |
| SHA512 | 6cd8f33056f6e0ca44287a03d648237c3b1cb542d9026e42f64bac7bddc63f5f87f6a7b83f040d8923fe575109f204df3856b5996e8a04392748ddf83c732421 |
memory/1972-193-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1084-192-0x0000000002410000-0x00000000024C4000-memory.dmp
memory/2712-202-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Swcogcgg.bat
| MD5 | 7957c30554bb40417a7911c43635f099 |
| SHA1 | ffa065c2a068119391420fb4e77d94b5b81c49fd |
| SHA256 | d9851e6da2eb1ad0416f31eab9f21f44e101fa7049b4d29d41f9bcf136b53cf0 |
| SHA512 | 88ef6fb7f7bea223c9e11294af84bed5704f0caf0086f8c75749c4baada859ca3dda4aa4033de8e7061b21a304d64ffd638e1f9eb1643f07ad6cc5315a3c1246 |
memory/1520-215-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1972-224-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QUsAkMkk.bat
| MD5 | d9da833deb7c44b94210663590f23bb0 |
| SHA1 | b33b0375a7d623afa8b25cb65c4ee5636e254a38 |
| SHA256 | 0150e2cde60f4694cf87201e8635b34962f25d2586cfbfcd1521243a76e0c5a4 |
| SHA512 | 70372b9678b8e252e12171e462bf8d1fa6593c0a7b012ce49ae207d65ad86c8734d2917a95f91a7bf5b575ca943c39b3355d89c90f82afcabe0b560e280c3ae7 |
memory/1520-246-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1524-238-0x00000000004B0000-0x0000000000564000-memory.dmp
memory/1600-247-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\YKkYAIsY.bat
| MD5 | 594b941e984ec8cc454805ec297a309f |
| SHA1 | 549018a538abba70a0b4a01727822594e41cafbf |
| SHA256 | cb90718797d93b894f249bdaa86780c0a3800c1b80022f3f05a65ccaf9c4366a |
| SHA512 | 0ba0bcc3d594e765a8f53d455b306c519278e26d74a594babe23d6f66eb04197ac44bab3b370641b774d5a62c50509c668052d796cc2a4cd4939030a1823fd7d |
memory/1544-260-0x0000000002290000-0x0000000002344000-memory.dmp
memory/1600-270-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1532-269-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\omwQQgoI.bat
| MD5 | 97b0c66dc223128c838c366aa94cdd19 |
| SHA1 | b870666f13ff4b08a5c6447852bd2866abe70004 |
| SHA256 | abf8bc82987455c87fc5161f27f32f6303d74d0a3060f66b5ff4502acd0460d3 |
| SHA512 | c5f7e767fade23b82d9b6d9ddf8e1ec6ab9352d19d5aa2f84fdc0e7559ec98f941ec472cf5bc7d34b444e32ab57f39072c89f305cc02d37f5b9a20b9f430f411 |
memory/1532-292-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2916-283-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lCgYgosQ.bat
| MD5 | fa714037bf27a42d12fa4919e2b00556 |
| SHA1 | a0d5d627fe2bfa66eb77b1bdbc1020a47cc29e63 |
| SHA256 | 37cfe63d64b8006bc2e7e01e7b6128b8ff6833e9682c997eda09042512b9f94b |
| SHA512 | a28a7376fdfc6d8d2a9b5ffccdbeab6afe0ad5ec9e9c9376435292eddbf61aaa994b4647383ad1686035a5449e64ffc6792813b2c8f282e4dfac64726ef28359 |
memory/2916-314-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1508-306-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rasYkIYc.bat
| MD5 | 898702ca12b29ce171f4d031ded6a2bc |
| SHA1 | 64f6e26cd76715cb0b03944defde3196b5e42c86 |
| SHA256 | 24ca895d52a6fbd617ce3a5ac1c1b4e6d2bf52f354f75efcea04cb5ef92d3748 |
| SHA512 | 2da0a2a7b8bde712a2e91624c4c25ea460bd82064f9e6948fc42b6fb5438f4d7227c8cdb401bc3b30e91d2155ab331df9e06dfca3f6c53c7d77c1767d501e647 |
memory/2476-327-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1508-336-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BCQkwgQw.bat
| MD5 | f04e477a1deacd5fad26d4b36e69a102 |
| SHA1 | b326fd68c5f26060f7f1726b2a6f7d536139ef43 |
| SHA256 | 02624fc17258d1602827e6251e756d1d1fa0ab26308054a28d9ea19fdd72a42e |
| SHA512 | 612b8d225f1ed60997ac6cfadbd7c3e0aae06dbcdd50d9b76daa90f27f360858167d5c80b2dc2cd30585d7b7ed4254be44918414f35fcc17b55781b8c4255038 |
memory/2052-349-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2476-358-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BgUwsoAk.bat
| MD5 | 9861311a97547a1fbc0cbb97ab3aa337 |
| SHA1 | 7d8bf3823e09f6fdce9f36c9d9bc112b7adb0d88 |
| SHA256 | 84c6785e884e56caeb5573899d9c3f9efa9610055e9324c5835c4f7a25b17ef4 |
| SHA512 | 7df6414dda1fc055339470d6bf9824a1efc6c166df98e9e8f869d6c48ff656658195bdf6fb6fd12cdd37ea0bd315d17ceaa726ca8f46ad3135fa0b735a29a486 |
memory/1420-371-0x0000000002370000-0x0000000002424000-memory.dmp
memory/540-372-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2052-381-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\imMwgUcg.bat
| MD5 | a4522bb006cbce45b0e9daa3f0927979 |
| SHA1 | 7135799115ec1078713a3b23bcc1cb5692553a19 |
| SHA256 | cf97182ff69702cc34d2139428958ae12956977a8a8783b184079e1dccf04d2c |
| SHA512 | ef686ea4bbcf1eec4e21660c28e5bf30d4e56a16af4b32bc2bc46e374a84dff00fcce4378e5b6b58371d3bcd92f6f3be7c71f03d50f255b96fe489a0d106a2fb |
memory/976-394-0x0000000000480000-0x0000000000534000-memory.dmp
memory/900-395-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/540-404-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ukEYEkwc.bat
| MD5 | 0200118f7a130cfc499bbd1c8fb47aa6 |
| SHA1 | 014ae8a9411739ad40313f47af2574c99f8b29d6 |
| SHA256 | 2c077e509bf930df38098a7798c3f93e8748f24ee467342d4a4311fea44e6d62 |
| SHA512 | 94eb701d65f457c7218cdeb1db0f5a8c8dee6b8abdf235b24a12cfdf7b0804bd7bfc38ab53c4e21b8a5bc90a779439388bbb50a51a8e3bc9effc6bc2a937499f |
memory/1996-417-0x0000000000170000-0x0000000000224000-memory.dmp
memory/1840-418-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/900-427-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1840-431-0x0000000001C80000-0x0000000001C9D000-memory.dmp
memory/2584-433-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1840-432-0x0000000001C80000-0x0000000001C9D000-memory.dmp
memory/1840-434-0x0000000001C80000-0x0000000001C9D000-memory.dmp
memory/2572-435-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2000-440-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1528-438-0x0000000002310000-0x00000000023C4000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
memory/1840-445-0x0000000000400000-0x00000000004B4000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\eYAe.exe
| MD5 | 3f29c8b95cd41e075c28932e0c0d0fa7 |
| SHA1 | 580df0eac49d407cc696a1e2d17bddcc68e08592 |
| SHA256 | a547e6d65423d9517e32713a2741bbf33ab07c74a14e2fa878e5073ed46d723a |
| SHA512 | 0fbaf691bcf00968176d0c63c3382fc3e7608678315083ecadb80bb81cd822e3e597c51b4657f1c921f8dde8862534455bca1010b1019af486840d48e3df861b |
C:\Users\Admin\AppData\Local\Temp\YewwMIYs.bat
| MD5 | c1e18aad9ba9718972884279b2d32fbc |
| SHA1 | 47f519952437e4b91a23ab04689ff049fc754593 |
| SHA256 | e0790a1ae205d2f175507c9c6eb52c6468cc9bbe033ac731fed5e56d6d5f9441 |
| SHA512 | 0640353be71282a023106a87cf813a6e139d279220125d1f82f7ce9ea4fdfc125f05bc40bee562187573ea87103aeb6db2410d7139741742faed1686d433500f |
memory/2012-473-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2064-472-0x0000000002310000-0x00000000023C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GcIM.exe
| MD5 | 647d557824e371474206eac36fa3d2b3 |
| SHA1 | 4b86425872b5f204659eeacc9f74f7776736c2a0 |
| SHA256 | 0214e4de5e78fb286c646d8d841d017a345b814fe4ba07264a6da4b4e6f2a039 |
| SHA512 | 2786539b4e9407aab8ab72723f7486f76e6e903c71b39f9b8eb80dfdce09de1320e246d08fb572432155cc1c77979fae016c64ed4e0c58420e2c3bb5a2933776 |
C:\Users\Admin\AppData\Local\Temp\yEcq.exe
| MD5 | 9855386f39fb048f45f3c58244f2ffc5 |
| SHA1 | 82f2e0071d92ce686f257bcb9d44e274dfe32e0a |
| SHA256 | 80c5f1693f48dc9f080b37f40cacd51e7e04c7c842f3aa911ff7896c4c0782a2 |
| SHA512 | 4bffe6abb3038e70a0dc735858266f3a23309b35d66bef0d246726feb96cc6d8f357f99b60ed32a1ac8e22993143f94f4b91c96c50d5ba244cc282be469d0e09 |
C:\Users\Admin\AppData\Local\Temp\gQEW.exe
| MD5 | 0e6e33899d43b6472311e97ef355e825 |
| SHA1 | 5112c8e5c875e5461227aa8ddf73089f2abb06de |
| SHA256 | 2b0a2584b8936941534ad6818563a9024786e0fbddcf152d635eef905e018944 |
| SHA512 | 7921921305705b93f8b72164dec55b0036be593db52ef0183ef42cd204b9a39bedcdb2fcc8b01e35d49f9f5c283b2d6d441f0b7f7428919c42d6a7a44a3f4ce8 |
C:\Users\Admin\AppData\Local\Temp\iYgW.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\dOAgMYwA.bat
| MD5 | 4e5e61bee3b4fb333743209d95e652f2 |
| SHA1 | 4f9e0680918f015664d258b4e518b47bd7c1031d |
| SHA256 | 7640971d316da1d4545bf82da13fd63a382d2f102d39b863de62beae0830ec3c |
| SHA512 | 2164d29de8f4bcaddc65ff1286a0a47c249fa726831eec16d6bc8d92b695495ccfabcb66a6f23d6c7dc9f32d494d7874aec01353214d64e2696dbc60ee04e8fb |
C:\Users\Admin\AppData\Local\Temp\GsYy.exe
| MD5 | 68b9ce5a6037544c440cc30557f0b829 |
| SHA1 | ea5b1521e111180401d633ef44ecd7bba2b40622 |
| SHA256 | bc74028ff5f415e656d2399073a26b301c8f2f6914206be4ad845f7e91d69c6f |
| SHA512 | 960ef5fc5d9677fc22f8a0c38520b217a9a65cae425ddbe66bf4ce720b5f6cc984324b00fd522f6c0022d27732cc4004e041ae91426e1f97d2b59ed2768b527e |
C:\Users\Admin\AppData\Local\Temp\OMkG.exe
| MD5 | 29d7137586160d76ec814b50691dc418 |
| SHA1 | 40ae0600950c74dfd792281e18e1096f338c6f59 |
| SHA256 | f7e817d4233f400554579e83caaa88c8e1caabc2be17a36f825b6379ddb5a622 |
| SHA512 | d91b667a1d2584c04c6360b2c50f5b0b2c573a533756411731362405d32d7b5cff62c9cbf764f4e5fe626f5bb18af5c24f03802d6fbc925d25caee1afbee5759 |
C:\Users\Admin\AppData\Local\Temp\GsYS.exe
| MD5 | b86386307ae3eae3e1cbb3a5ec19d882 |
| SHA1 | 5e4461c01a7df9aa3be317c230e659270337defe |
| SHA256 | cfb1c763f43c4f78567d35973417213e68931e43b4cde227e2ea357a9f71df69 |
| SHA512 | 82014b5e2747194515b355d3efe777a489147d5e681cf4ac0c05878b0b7cd1bfac0c9a1571fe0a50f8ed552dc06a187e9723492920c8a1363a5d6e18bba8173b |
C:\Users\Admin\AppData\Local\Temp\mAom.exe
| MD5 | 4a97ae7149f81d2833ccbd04172e4be7 |
| SHA1 | 14bae82f5aad3433b11c8a1267c790e67e9e0f81 |
| SHA256 | d4364bf6aaa1bc2822f2d120950f72eac04cf95200dd1f2b756749f92fc0c20c |
| SHA512 | 222feb2de98957bc8d2552ec752740a70f7883d71b0f4affe5c7ab2fa3150359b30bf0fa63396e2873d937203f493c52bbb1bae9ca2ea509b1d66fc491cd41f5 |
C:\Users\Admin\AppData\Local\Temp\Ewke.exe
| MD5 | 7e0dd7bbcfc70cb76315d863aa24baec |
| SHA1 | abfa16838fffd42526360cfde49d892a1a4c8e1c |
| SHA256 | 1bd27f536e38c53bf4840709b872d110c2adfe580cd17c3105a7a81749bed785 |
| SHA512 | 18a8423e91b7f060bb94dc341227f9c4e6faa9072c98731513aadaad70afe15bd1cf46a168cf0cde76c57fb42da85e30d19b861e3042ebcfc549c6f45843129c |
C:\Users\Admin\AppData\Local\Temp\csAI.exe
| MD5 | 43138e8706dbb08df03bad3ba64c937f |
| SHA1 | f7033f486a0419bac17f9b784d662d6a16a7d59f |
| SHA256 | 4c0f80523a671c7241815d8f9e6fdaeed639104c9527597e3abf2344f4cca681 |
| SHA512 | 7264a358087c58806718a6701fde49014531d5e43cb8455ff465ba5ce3d0e5751e72c05e814b2e6b3156645458fcd66bc971ae29c392bd93ce1c4f7434f61d83 |
C:\Users\Admin\AppData\Local\Temp\BwIskcYU.bat
| MD5 | 367e3053709cce38828716d6aecc45f5 |
| SHA1 | 522a22661252edec8ed83fc9f0fea85933effed0 |
| SHA256 | 7b48c4fb4ada2f4205f4e937e33032c1e68db3d1a1770700e35b6c05639149e3 |
| SHA512 | 50ce051145fb46803705328e59691dad7f23a67c44920852e798398e0462774c774eccf9bd9e2afeb7c6dd3566b932a30198a75d21bca8a993e0e5af827ade6c |
C:\Users\Admin\AppData\Local\Temp\yAkW.exe
| MD5 | 2fc8aa5d37a23fceeb56a5fa902f1f13 |
| SHA1 | 882d76a137098a378be4033fe011e3c56c79eb40 |
| SHA256 | 04f5ffb27c3d6aa14d0d238e5dab3569d55395d1494f1de21150d9b67eaa19f1 |
| SHA512 | 5f710ac004a18b72e513ab6105b693a1b583d98940c2e73ec7c1a8b68b0cdc8a3706334b6e4dd732c73d8f7cfc594f5aa8ed1f570086bbcb3cf524737b480668 |
C:\Users\Admin\AppData\Local\Temp\WMYO.exe
| MD5 | a0551c5bac48ca558030766a269e5c5c |
| SHA1 | 5874d01b528bdabbb6580726b96031fb2b7b9dfe |
| SHA256 | cdac5f385e645a7ad78c63b367ceb1ba37a446e6a2e77e189ca28658f2c549db |
| SHA512 | 3a737102db60991f0667b2c5c95a8e5be36728f3637572aa231d987bcc1939983962dcd7a96be58a5cd0ff6f58c245235bf76604701590d82d91fbd43a657a1a |
C:\Users\Admin\AppData\Local\Temp\MAsG.exe
| MD5 | c436ab4cb05deaa567e9cb405cc3c3d0 |
| SHA1 | 03ac638b5e663e9f01424b578d2e24c160af1233 |
| SHA256 | 4f5a38b35c79c05d24a67c731fdd2e95f4198d19cb04321616cfb369c15798b4 |
| SHA512 | a062665a7e2efafe03be0d0527cb55928bc630457193136de238b1f4fe682b1f68141be31f963d755de082ee6395daf1e8a363a936799bb813bceff469ba786f |
C:\Users\Admin\AppData\Local\Temp\qEsE.exe
| MD5 | 0dc627f57b2b1f448aeabe4920638cce |
| SHA1 | 8adda20737e1ceb22dca9124253c3a242fe7da2b |
| SHA256 | 2e8196c783b33f4f27f1faf03b8d49e7ae43be9f4b70f8315e5d10e0b1b9566e |
| SHA512 | b33d9c98a9fef2fb9d11b7e8ab99441cb0352f175a103c6f9f92fe201bbd66ca4f08a657aa24ce8586b39f0902a13d3257dee6668d8b79159145d986ac73e57d |
C:\Users\Admin\AppData\Local\Temp\ikAS.exe
| MD5 | e26d3d6ffd6f82fdcf163737a016e20a |
| SHA1 | 1c2374641643530dc058275524e3ba208c23ac40 |
| SHA256 | b522689cc5d190a15f9a977e51466ed9e04999cf57614f7279e98973d112841d |
| SHA512 | 6d3fae79bda39b9d7203da072ac51a47f7730634da03372b290547f23596d10501a3280dc8a1040fc819e69c10a4edeed341f9ac2d9c460fd176fec2d20e1c62 |
C:\Users\Admin\AppData\Local\Temp\rwYYYUMw.bat
| MD5 | 5d9b5c9003fcbcea4c9168fc9a42c82b |
| SHA1 | fd6c8c2955ee3d97e0fffd2e923c8d904c9c42ad |
| SHA256 | 9b5834aaefdd557ed0467a29d593a57c85791b5692775dac57c7719fe9e36306 |
| SHA512 | 5b6eb8655c02e9f3667d1b36e08170a200edc32fac1bd33c2cc2abd44d9a587fe95e0059fdf9e138efd3fa24a3f410a8e219a5a56648fe76497a120231681a6e |
C:\Users\Admin\AppData\Local\Temp\EccE.exe
| MD5 | 5d21cead18485c0d3e8badfa41ee9d1d |
| SHA1 | 78b7992471ad912489c7586a83274497a8435a04 |
| SHA256 | eb1f155e467fd471114dd10f974fe684b456e29109a70ac79a63d2e92ee41aa4 |
| SHA512 | bf82f11060db0f8442854d073a7287d232be8c9be42bb19e9b8f276561209b15897963d2210c15cf456c36a3d2fbff1aa33b43266d9df407d14b37a5849ebfd9 |
C:\Users\Admin\AppData\Local\Temp\wIAE.exe
| MD5 | e7af5978200e3bae946fe8787b9ff1c8 |
| SHA1 | 3b29ff8f7d2e12161e5b7c2e04cb66f41306fdd7 |
| SHA256 | 2203bda1927897382016e1aa36779ecaa09839a5365ce10dc8d20c837cbba1c2 |
| SHA512 | 261bb149dbcc140cf896a96e9f41dc4af601b39fb246fee9cb6c075f4865334f4db934198ad8bc59c8f4091314dea2dc2ca9623a7b8a036dd16fdcccb99e2c17 |
C:\Users\Admin\AppData\Local\Temp\Wsci.exe
| MD5 | 436837c77de549076023d4047b57d1ea |
| SHA1 | 889f38c054c35c371023e2bc44a5ca87bbdbcd04 |
| SHA256 | ebae5f2c992711885919215468a69c910847c1e08caf5db189232489272a3d56 |
| SHA512 | fdcfb7d4a3d043cc8ceea19448efbf9f0d1e3e47c088e506d33b7f9b23245f964d34be77bd4a39a40f1b1d4a42b05a8af7f8397d8767f10057e74a7b45c7e5bc |
C:\Users\Admin\AppData\Local\Temp\IUMO.exe
| MD5 | 420adaec6be2c2126492c743165c5630 |
| SHA1 | 38bfa2d46cd22b5ecb7020325aeac10f72cc6e23 |
| SHA256 | a4e8f13dc32c2995d5be6c95937d35c4ea11d9f24d360a65e152f2068e8adc6e |
| SHA512 | b04fcda0e92671e21bc22e52f48289b5e2b05ce0da0bf0388f2e0804f26456736a71ef3f53c16638b8453867b8b7fc4d7e44bfdb6cbf2121fdc31c4e110021a3 |
C:\Users\Admin\AppData\Local\Temp\ygcO.exe
| MD5 | fc5cb628c09bd9e0f4fca2d26e357134 |
| SHA1 | ad85148fd7b74ef91e4eb7a425352668549c8a63 |
| SHA256 | e5b79eff5af01fe82a32cf10c3fc3152eeeebe75bfe21ed9a99d71915580b443 |
| SHA512 | 255b14d720ff61acddc93b5c24e400a9f637e4fdae925cd9b1f759d2b5fe42c26c0061fb0f0af14d72fdd1c92a86a0cf751047028b5425b7517234850b2ab508 |
C:\Users\Admin\AppData\Local\Temp\sgQu.exe
| MD5 | 93e49c6f7c43031465ac37ca9ac8a3d2 |
| SHA1 | 13a678c008dbe108539fe09b2c175c7841de42b7 |
| SHA256 | d8b6d84564c8e3ae391755192b1a945197992a80aea0911779d31d50cf4f1dac |
| SHA512 | a28a2b0a12960d7f36011dd21bf21ea32fea46b55f7463114518b94cd56cc753674b5c49671d6ea6e9cd82243437d0036d680763041189fe7cf1d7d3ec2f2f79 |
C:\Users\Admin\AppData\Local\Temp\koAe.exe
| MD5 | 98b505a8b6ee4ab01ec0888eecdc2020 |
| SHA1 | 23d04dbd1e2894bacbc46e5bcdc631eae83c3f75 |
| SHA256 | ec65159c0c9fbb91fec90629668c86fe3082ba00c6449701d100111149a1a5cb |
| SHA512 | b7d5f7464c06d448588581d36990d58d6e1479e7a4a60a39500dfafdd96fd6aac7fe8a874fe92d3981d8b1a28aa81189aef4acfba9def5ac3d6c446210e1261e |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | 39abb78553eca51c9411f38f3a51a279 |
| SHA1 | 74da1d28027874d90a9eb1df235222259af4bfca |
| SHA256 | a4496feb01b20aacd0a464691ceec3c723a8504c4e7b88b8e4577435087af4de |
| SHA512 | a834ac8db4077c6733afa0e415716258f0c190b08a1a4c6337d34f867eb905409e3175308c32349a3ef93f336c5fc210a8a7db9a55afa4aa74493f64f845d18f |
C:\Users\Admin\AppData\Local\Temp\jucYIIEw.bat
| MD5 | e48cd7729642aa9730f635286d02b83e |
| SHA1 | 0ebdc8c9f93699706ccc07cb944b0f25e003651a |
| SHA256 | 7b69885a028836ef18024d55bccdb2ce174d2ebaea2f4b31be87d84a9266a38f |
| SHA512 | 31c4f13039f0f1d30972cc5bb77343c8c11cf06b007b0c0dcb0fbc1d7d4e4246173b2f9062f6aa381f4c7070f45f372bbfe1ab4fa918764bd2f0a7541ad74885 |
C:\Users\Admin\AppData\Local\Temp\CkcW.exe
| MD5 | a7a7f58bec5f44714e3e1dbba523ff21 |
| SHA1 | db77e93b8fa2a8198565a00ba5dfd2213a00a405 |
| SHA256 | 87ae0a9183594d4b474c2d82e9ca4bb5a39e78658ddcc696620aaec212654bba |
| SHA512 | b26667f99fe6be057c7008da808cca72ca42d25e456a48d708fd0de31ca4bddaacae170b076784bbeb46239c3ee3504ff96cdbf523d916803aa0daa0768d5def |
C:\Users\Admin\AppData\Local\Temp\Kkgs.exe
| MD5 | 0b2c5be60eab4ddcd08ca1cb6a1b3227 |
| SHA1 | def0232582d6e05e10305f05bc8225c4ea993843 |
| SHA256 | a8cbf1e7161bdfc6973dee655d3c30c350706738f100185443b99a1ceea0300f |
| SHA512 | 6ef1d388418c2fa8e5d611c20962b135e44010a1016461eb9006bc374794d1d9ffa3b6881db6f31f83be00110303a29b2a0c5b3e8fb560447a33ef23f82915c0 |
C:\Users\Admin\AppData\Local\Temp\sQYs.exe
| MD5 | 1e18fd1a44ec917151168d676efbc0ad |
| SHA1 | 24f69fee8d0ed78258a6e1faa3e2d6040a0425ba |
| SHA256 | b240df34289833980e30c0b0bcbb8d1d88493f2fd37cae114025be5c77051709 |
| SHA512 | ce71c8d4a41661f7e591f4433bd4a279ed2a2bb13335149e2e78981b3a7cc2b245c0a380cfb78452c142a3b83e3f76e8d20d4052dab488921ccef32120f4d528 |
C:\Users\Admin\AppData\Local\Temp\eYgi.exe
| MD5 | c0de3dc09ebadd4236934cfbac8f1aea |
| SHA1 | 4cc97eaba94412034685b7421d9890cdbf16994d |
| SHA256 | e4bbcaada5b6742f9a68c8e4da8369186f19d91cb3085801edf2b2720abf4139 |
| SHA512 | 91d8f22dac34c3bc5bb4fccee10773c380d468398b8d4d286c1219e666ed767e313fb0d6a0b99cccdf0beab8b5e6069dfdbfff8d1ea60eb8ef40619394c042b1 |
C:\Users\Admin\AppData\Local\Temp\oUYw.exe
| MD5 | d037b35ff8735767dc9dc0239ea479d7 |
| SHA1 | 020389b908dcce17dc3584856f2f5d02e5bc25cd |
| SHA256 | b35dc3bd4249e528599d634d0ffb9b440ffd8e00de269587d29f1c33cbdce205 |
| SHA512 | 31b9d7d60bc18a9416421da65612d91582e7dcf4ec33c577e1f6e568a2f09c321ea947c9aa0e0b372b154187eb1933970bf41bee2d1335be466588fbd43feb4b |
C:\Users\Admin\AppData\Local\Temp\SQAI.exe
| MD5 | 06fe246a6931f1839e544a54195ff900 |
| SHA1 | d9a7d07e891917fe9325053694869d454d9db514 |
| SHA256 | 025094d82bb551902274ec9546b985c89ac5e9fbfbccb1fa4bf0de23b83bd7b8 |
| SHA512 | 9fd8adac5e41dd5e0a1439f452ec828a88a6618df9feb2efcfa19cb33118f458ca577276ba01ce7b6c1e52f0b54b0038ae6d360cdf57e1b9664527d42152466f |
C:\Users\Admin\AppData\Local\Temp\AskEockQ.bat
| MD5 | f217ebc0db23c60eb68fef8d4067f151 |
| SHA1 | 0992f5cf5751c72e56d714f160019c27162667f4 |
| SHA256 | cd56f67e9661b75dddf7908282bc91b4002a3af9a67c0b80be0c1bd385acbbb4 |
| SHA512 | b36c2c0db875a91234bddfdad0f594386c7859f8e866c73ed58ae41a20875d69b829afd7d04e86b9a972036802775a8933818b12b4225e82e4060c66d6a8a3fd |
C:\Users\Admin\AppData\Local\Temp\eYQI.exe
| MD5 | 6ca6b37881248918483c8ac06fa8fb89 |
| SHA1 | a46372a807f7d011f4d5919c4b78b044366acc99 |
| SHA256 | 8c70a44aaceb9551c8431fb80763e55c8c4e1ad83fd7636fe498967fc5ffa474 |
| SHA512 | d14e236e1bbdc42f0dd654931328a501fba11cd9a0dbfbf6003af455a4063b99b8128516801d0308e2d774291e68da1b7a07684e0af05fdb03e3c4d026a96568 |
C:\Users\Admin\AppData\Local\Temp\cIQU.exe
| MD5 | 81f37f893c4f84a0da6702d86ffb74db |
| SHA1 | edd8b6f13c166eb85ddfc52c5d544e78010dc31f |
| SHA256 | 758dd2e7187309ee2f39b2a80deba67a6c9ef770baf853e0c61db02554d93bcf |
| SHA512 | 648dc7e1a0857c0bb4bc00b3876af78bf246218c725e56b02bd8d6604caaabe47e0a43df0c7b2259f6bc60918b4e5fcc80c187c60c513aee24af65c1f80f2785 |
C:\Users\Admin\AppData\Local\Temp\gYIi.exe
| MD5 | 04267c64bac6d9839ba2a43497d93e00 |
| SHA1 | 16490fbdbf1d8c5e4269b279b69a01fb1a3d7c91 |
| SHA256 | f887a9224aab599b1c38b4ab5a6e1912f635a299b2c1aa728402359174a4bd3f |
| SHA512 | 0b6e467f91c3fad2f996f44a394e6501b0d9f2a87c44665aabce885fc76bd66d8fa063dfaaf4506e7c2ccc1809cc44a332ac5e90cbbf16f5fabde08ecf274dd2 |
C:\Users\Admin\AppData\Local\Temp\UIAW.exe
| MD5 | c245084790154fb1420658121cc9f667 |
| SHA1 | 174659eb2efe5bb112f942b0a66cad05fcb4ac45 |
| SHA256 | c27560469e99e8df2a179dcce65c673c3d6047f842b8dc3aceb5454dfa1ecf78 |
| SHA512 | d7b4273bda2fc1508fed99fc0dab113cde1a0377c348a3b5da099b30876c2171c0620eb56465a1ec692570c0b957403e6ab803044e61bf5a7e6d020ff98a4241 |
C:\Users\Admin\AppData\Local\Temp\kcwe.exe
| MD5 | 88d3d9d37a04830681c522cfeb8f5a66 |
| SHA1 | 3d82f590a0d04c41c538f71f34d021e01d2d59e1 |
| SHA256 | b8708944b9a39d3a1c3f2a8f83bec9226e90feebec3af750b48ec80f6edeb721 |
| SHA512 | 17dde4b232f8d0c7b6a6c85ecf5fbe4f6ac6de2b3231a87f07af31fb256c5a829612dc51797c50f575df514640c05750f254ae187f460976efd3029040cd9ad3 |
C:\Users\Admin\AppData\Local\Temp\WeskwYYY.bat
| MD5 | 4a531df1f68125d1fd192a9b6a6c3214 |
| SHA1 | 3cb08ea3e1f1a70fd9c9b843ac1e6077f66d3689 |
| SHA256 | 0c992fd284979d16e82eeada566c1b5a46f095c795f9ee25b65ebbb176d21728 |
| SHA512 | 3284aca3f200c8cfc9b35083dbb024ab59fa7624805ff395a9ba77e54846ad6f2b99b72a0df11d6924ef41013e13e0f7f106a1e367838cd84619f0865768ed9c |
C:\Users\Admin\AppData\Local\Temp\CwUE.exe
| MD5 | a156a8bb699f4c069dea1c1db0058709 |
| SHA1 | 3315fd92107e5575d34398320ee46d952e57bbbe |
| SHA256 | dbabd9bb7e11b55fec67240459d3022b423824241a4e4d2035ffed965e1abb66 |
| SHA512 | d8759e0ac2cf09a4dbb3429f1407b05b41cda6266a17564e4f72857e684c29fd72431faa2102d0bd6cf88882292c8242955478b936b57e759ab29e8f25eb0fb8 |
C:\Users\Admin\AppData\Local\Temp\WwgG.exe
| MD5 | 8c98fecd1c6072c7e988736f169cdd8c |
| SHA1 | 9becfb294eb22dd2383333afee0ded08b211205f |
| SHA256 | 167093ff7be24ce6fdbdd3251c7d6f6648668a711d4fed314a5788a6b681d70a |
| SHA512 | 5d2322e0de98be7249d0dac0a495f7e36cd4b1c7f3fab196669920b6c0d3260d26a66e8ae131556f28095a136f36158e805f2a925a2efde6cfc531fcebf78995 |
C:\Users\Admin\AppData\Local\Temp\MUsA.exe
| MD5 | 35a799f91b922f8fc922275adcc7ad38 |
| SHA1 | d7a7fb3cd79fc28ea8919858b8770e81d85fd2b9 |
| SHA256 | 5e7e2434e62d3df0e46bcf7aedf3c662413b25365ee54da6001ad0ce42541432 |
| SHA512 | 713c0c26a4d1c083316d13b0772e5a1d2b288d37b0e4b45f7b3909a5f9712b2027a4bcfd110baf1eeba2ccc946fa2cfc53765b82f3cb9217c03f6354d17bbabc |
C:\Users\Admin\AppData\Local\Temp\wgwa.exe
| MD5 | 4e681f7771ca8670023b902bd06d55c0 |
| SHA1 | fa2330920a2addc65435e9a318e610fb2ce8704f |
| SHA256 | 41af4a122122f1ca6d1ced276604770ae2183cdad21742064cd851bf523a2ed4 |
| SHA512 | 9287fbb5eec1db3ab199a3307facd26a645694e0dc5d55f822fb048944369d6ddb66213ca94c12f880538144d3eccfb6fa379a31acc9778ab64fb240b37948d8 |
C:\Users\Admin\AppData\Local\Temp\IIge.exe
| MD5 | bf239913aea2f3b99e320f4df064c713 |
| SHA1 | 738d9bd9c06a973c7638ca32a4d46dc796cc9dcf |
| SHA256 | 6aadac9e4f243912fd2eb8b010b4c4ad5a4ed4ac13e8244b60f541e5c3afe435 |
| SHA512 | 45af60b436a9b989269042d214d5304e5569a572c3a99b6fde9dd41a483f6c213070dc09010282b2993f4dafb88bc7043cf9f82c5e2c0bce89cef9fa283be147 |
C:\Users\Admin\AppData\Local\Temp\QgEG.exe
| MD5 | caf9a8e6eb4dafab03444a627ff1a387 |
| SHA1 | 9f8188935efa0e8bf89ec70ea7fc05330fa595c2 |
| SHA256 | 0a1b3f7166a458a8e40a16360ac14a038822aac3637d28c8df2e14316a60fc1a |
| SHA512 | 36b086e68a3ef91f1e83b7073a6444022990681843a9180c2e73ad1d0cebfe9fc861081f5ca2a945a3a435907e6c0db4f6c07f8ce99cb728891c94b0c3a43714 |
C:\Users\Admin\AppData\Local\Temp\IwQo.exe
| MD5 | 39f9cdb70e52600804a6efb5a161efcf |
| SHA1 | 437aabc13840ab1dc04c19fea990e58431b91980 |
| SHA256 | 5ce09cc6665287d71fb2d88ca001a41115b4998e8a141b812866ef91d3d36043 |
| SHA512 | f79ba6cb5d0bdb0cef8074790bebdfd2281319ee43ef3a9a35478315f02701109cd6d70b67e1caf5550c50e185e26c04d629a513a3cc62738173d705dff7f7d8 |
C:\Users\Admin\AppData\Local\Temp\uwIe.exe
| MD5 | 5979f937c297b48fe44c51ac143f3600 |
| SHA1 | 6ae90d7c2926934ec85fa2807f34a4af31c62c34 |
| SHA256 | 93bd6c62ce90935d6179de96e536a8c067a0a7783f8c513ed9bb0b59d8c9472e |
| SHA512 | b6148b827caf3b9b63df8cc459f58d10a9e275c2964021eb64f98a9d14767605ef716008cf63f6d5d4411369356ef21eeb42c1184b31909806faa8cdf7ba3806 |
C:\Users\Admin\AppData\Local\Temp\CwowsYok.bat
| MD5 | e9e8ce2b44ab21ae0e1811a4e5c2583e |
| SHA1 | 363f4a246ae246bf989fe54c43e87b8ece1b598e |
| SHA256 | 1a81b7efac9fe333dffced9b23c035d5db4b3a73579dfc1c2f4f60dedeaa571c |
| SHA512 | 2f2dca9a3d15281a735c512362a9fb92e9cfa1341a72ef60288ed344003123e48629138348285a692b23d334d609615e8d612b08f7864892f3780be527f39c81 |
C:\Users\Admin\AppData\Local\Temp\KUwS.exe
| MD5 | 8624c422e884a0143915f01900b9ce50 |
| SHA1 | d30e113931048126f053aa91059c8d00c9abe5c4 |
| SHA256 | 86fc0ac732427ad393e628a2409ee9676cfd0b375f249d4aeaeff4e164852b09 |
| SHA512 | 8ff22d8e7ea6b9cc58d8ab0554fb2e0e2ac4180a217f7bf43dff207b50d83d9fe02749d83f6201e7c8307d56265dca6e6d6b9dbc3bb66ed03c888b924612ef42 |
C:\Users\Admin\AppData\Local\Temp\YggE.exe
| MD5 | bfd9dc3a0ef04507cc64a1547ec512f2 |
| SHA1 | bc47edd97a3a33762199f937dffc73c29c8deb39 |
| SHA256 | 48cee882871cc62c1d6abb37c390554f23b8345806de5245e247dc07ce08607b |
| SHA512 | 7f6dd6c1714d2bc211680b13a2e2c06ad45b1ec5a6b0051c5739861218cbf97d917bd383be092134402e9dcfcd6e4e91d040596429ef6eb572dc229b386412b9 |
C:\Users\Admin\AppData\Local\Temp\sUIM.exe
| MD5 | 5f14c7d7ddf6fe66af73b67f644cef2b |
| SHA1 | a599bac0838ca602dd8248e1b3c3c4394dccb252 |
| SHA256 | 81dae72f168e0c9ff936ff355858fcad730f66c4771780e023ed74484731a58d |
| SHA512 | aff5c6e39016f8f7ad9d7078d33d7797185d40f4c1c167a43250e5f1b02c448f55046e070ceb4acb31f4255c8a994bfd743f83f0682a582ce10a7f7e0e02ea1a |
C:\Users\Admin\AppData\Local\Temp\ckYe.exe
| MD5 | 29c07e8d6e0d41b189962d2ecca0ed14 |
| SHA1 | a9d5cdf4b5c8e54026783a21b795c73955d0f5ff |
| SHA256 | 09cd3e770e4dee5ca330c399ac258f983da036b94ce29c9c7714a6b03a2333e6 |
| SHA512 | 7c1b69254dfe0a8374c571dd47543a5f6fe9ea655b3c624ad4d732800fc02aec58d09c048b2633e3711371f59f63939a6e3cf9c737b1a826eee05ebd7333be67 |
C:\Users\Admin\AppData\Local\Temp\eUkM.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\yMkW.exe
| MD5 | 960658f8f25573334855532a0eb62995 |
| SHA1 | 4f1c6049e71f5812e05c491d0330b197b6d329f7 |
| SHA256 | fab212541e7b88d8fb09cafd8986da7c6c6c7ac33ddf6d10f846d85fe08c1ccc |
| SHA512 | fc32502b9e4239e66c24c152ab58527190724a088e2039d01a04787b2f73b5a209996d792aff8d52e49aba9f300b13b90aab88829684d34679514d7b1572dd06 |
C:\Users\Admin\AppData\Local\Temp\iqQAwEII.bat
| MD5 | 112d67d61a1a63969ce83a93f597b81a |
| SHA1 | e1077c231eb5dd2308cc66ed7f4fd5b5bd03bd99 |
| SHA256 | 4e1da0bccf39f61aa969975379901040a10caa85b6b50ca5581565c847c527a2 |
| SHA512 | 8f3c330e556eb6efa355228f0bbaa4f932e2fdb1167ff881696bcfbdfdf0bba59efa7b8c3d0595deac40324835b2aea3c1d4bdfd5595790c909bd4de55a25c47 |
C:\Users\Admin\AppData\Local\Temp\qQMm.exe
| MD5 | cd7857ce5ae3c6cb97d71d7e0fd3e24b |
| SHA1 | a4cef0eef6085598b9d4e960f85c915c7c8dabaf |
| SHA256 | e00dfe4daef286a1d074bcc665eca5f956d6dd51335a78bbb278e92a043996f1 |
| SHA512 | 2bc86c7e368d602180faf29d083f7cb56325957e750fb6fa3881baa6ff1f0e4b4a295cb08ffdc1b2ecf95601ce9898a709bdcceba4977d45d2b613dac0397574 |
C:\Users\Admin\AppData\Local\Temp\qAga.exe
| MD5 | 843a0484d58c89a17ef41f777a0f867d |
| SHA1 | eaf5640016ffcafab65cf97b3e6bba8dd5853bee |
| SHA256 | b8733159c4f8724578481e82812d76f8c8f0101983dbbc423e3bc333fb19ed8f |
| SHA512 | 943e714e1550a0935b64857b000fee76f35d372226a423ff6d134c328a7c5aeee549234145c1f5334c96dcdce9b6e7e3be9f099b2a10493a13dc7f0659aa4e5e |
C:\Users\Admin\AppData\Local\Temp\Swko.exe
| MD5 | 1fecf65c136d1efe082dc5c60b814826 |
| SHA1 | c8b6e68071e76287d331cc67390b406d99863786 |
| SHA256 | 19bb4418911c9fe01b2debd9a773885939e4b375ff568120b22f41f6abd9083f |
| SHA512 | 15c8a61c4c664e061f6ba893a2808b2628bb32830fed813d2aaee3e1649876219df243774bf0dfc1556768e7dd3e68e7e80063540399f75dcf136ecb6240303b |
C:\Users\Admin\AppData\Local\Temp\Uggi.exe
| MD5 | e4d200a4551680d9c87d1d3f5ba43eb3 |
| SHA1 | a2e61a02fabe6479371e45b919dc4ba04de86988 |
| SHA256 | 064f57944b3ca6b9a20a3426c59f96bf9c143ffcb04301b0e85ca0c29ac7bc9d |
| SHA512 | 4f05f8164a5de577102fe44453bb1f6d616260263449a9f520a76b23f835d51f22494606bc7763ee739cdb72c6a703bb36405b338599d8aff5f1ede55e8c9e47 |
C:\Users\Admin\AppData\Local\Temp\LcQUMQgU.bat
| MD5 | bf70bff57be0ef581f72579a85cc5034 |
| SHA1 | fa2505626998c77268c956f60ae2b07b3d7b7301 |
| SHA256 | 266be50b88da4a656b71d685de84417430112859ceb63096f1fceecfec795cba |
| SHA512 | 9f3a23b94733878dcdae932d52ea3329859190e473f91ad7c4da27830801da301c1ae52023d7bb1207b9ff0f941b0065fbd4d54e1334b1080b43b82393a205dc |
C:\Users\Admin\AppData\Local\Temp\CAwS.exe
| MD5 | 8f40c6296df71ee9c2ab8834346f0162 |
| SHA1 | e01477f6f6da5fdec704de312628a18c508e02d5 |
| SHA256 | 3d5ae7a3a1d8e851929d3725c230df74bc4632a4d454b2257d03cea9838ae5df |
| SHA512 | 222067f1d8504c7b8aad893a5382f59f46226068dc67444278c361225b57475c9b3d0a938702717a3bf8e53e19248c418794131343ce24576acd8a4f5f0b6021 |
C:\Users\Admin\AppData\Local\Temp\OwIG.exe
| MD5 | 03c5d78ab07a635e18f828c9c50716ef |
| SHA1 | b923a7084316950ff451127761adb59b8b61efc0 |
| SHA256 | f7b0cf94a75839e39ab34bb4f6b96c4d62ec04a13ed12b514561fccc32ea2f67 |
| SHA512 | eb219d0432834ffccf6038c3a39f5629ef5699b0d3d3caf9aec997326b21638a1028e93c6207d592d2286acc6212312233f2d57e50478443b5122f6f9fe41176 |
C:\Users\Admin\AppData\Local\Temp\SsoI.exe
| MD5 | c575396e111dcb265e0edb217892fe8d |
| SHA1 | 6dfe4712f348c21859950e441d6b5f23b3514710 |
| SHA256 | 40f412bd7e5c9be1d2f407e85ddc83ff809ec2a032c29e308666375d5e13a9f7 |
| SHA512 | 98ab0ada1ca0e46b7efafc71997ce33cd912075f9ed9f98379fc506eae510b9fd8ebd7149bad027a26b6b372a982c04ac4b705bdf56359487fe72caacdeb793a |
C:\Users\Admin\AppData\Local\Temp\LQwIYMoI.bat
| MD5 | c16a43985778ba0f0e262004f887cdef |
| SHA1 | e8b08730d9f372b27e6f59b6604bdd0a5dfed04b |
| SHA256 | 884fe65d240619866f73ce966b50d2bc9ca719334a30d47a13070f1788453b37 |
| SHA512 | 21b540fa3fed3c34debac08cbf3e41562ca193f6fbc663cde82beee6c940db3b9c4cb7357ea3a13d7c60a77a7612c478e483772918f677570428f85ba169c199 |
C:\Users\Admin\AppData\Local\Temp\ugsC.exe
| MD5 | 83747e69108ac2b3033084b6aacfc6ef |
| SHA1 | 245b8a8ba5708c413f7f9cddf554399ec14088ec |
| SHA256 | d67dc251a256e92df23b4a663ef38ee3740b9c660074c78f9e3736ab645a7ccb |
| SHA512 | b846e13411ed6258dd6c732066212d3ffddead81309443f6f203fb17d92c57eced555d8fd3eecbdd3ebb37e1db15a5564223c1727cf1ae03ed5646cb9256bc5e |
C:\Users\Admin\AppData\Local\Temp\GAIk.exe
| MD5 | 9126f75fae990e8bb41a4c60c810ef99 |
| SHA1 | 1043375ce94bae5da8a0f5fa23a8c529fe0af3ff |
| SHA256 | ffea86df7de55c5fc21b15bb44c61ba6f7d51665f6ebc71b05d5f3d164c1e236 |
| SHA512 | c90c19b88f990fd816f3b4107342e2e0df059a9903cc31e7a7f885be32dae1b5632e3d8d31943fa8a399a4cca3af70dde4779938ed065779520e6a754a548884 |
C:\Users\Admin\AppData\Local\Temp\ccIA.exe
| MD5 | 03c885f683bf2c2ddca17d258a92e873 |
| SHA1 | 6580e40b1dbf24de3341660af7e89b14a865d624 |
| SHA256 | 07c99eb7cbdaa04c029e29784dc10bc05dda2562960207e2a836c70db75c4adb |
| SHA512 | 862ec99b639a11daeaa3b4e7b31c83db7ce116bbf1c9efe64e4da52bd05ddda44b3a555c81cd0bb6a7ba310d0a16adb5c825136f7c41dca05596f6dd0662fc5c |
C:\Users\Admin\AppData\Local\Temp\gUEm.exe
| MD5 | 7af4b6f194eb46279ea77485f5289346 |
| SHA1 | c99a3dd32374236941a982b25505c3d937e292d1 |
| SHA256 | e3965119cf783e9057cfb684fa328c088f0ab50182b8c32f920e9af764ef5985 |
| SHA512 | c7f950c2ff2a324989881f880932b84df8f4792a3575a529714e8e5abad0033b97e40c6291fa7c4d7d1fc39601dba4f009f1ad25c09a11dc1d1c54485f546fc5 |
C:\Users\Admin\AppData\Local\Temp\iQcC.ico
| MD5 | 68eff758b02205fd81fa05edd176d441 |
| SHA1 | f17593c1cdd859301cea25274ebf8e97adf310e2 |
| SHA256 | 37f472ca606725b24912ab009c20ce5e4d7521fca58c6353a80f4f816ffa17d5 |
| SHA512 | d2cbf62540845614cdc2168b9c11637e8ab6eb77e969f8f48735467668af77bc113b8ac08a06d6772081dde342358f7879429f3acc6984554a9b1341f596e03a |
C:\Users\Admin\AppData\Local\Temp\wMUI.exe
| MD5 | 3a68c8785e878c7bdbfdf358f315ce65 |
| SHA1 | 9098206f6ec4e096d5e398e1f4569e060788d557 |
| SHA256 | 8c8e38f1af718f8ce9d0a64dc36c2102c462b03e3ed5242e3ff5083467fb95f4 |
| SHA512 | 25a1b66b8ebecab68a751f5efff40ccca9460036a062ae9290dd84c313e5d5ec00240f82d2f63c3d05b6f37acc13259dad8ac1d07d245b9cdda42e4b1b4679e3 |
C:\Users\Admin\AppData\Local\Temp\Scgg.exe
| MD5 | 79067bc69aba5842f3dde02c5973a45b |
| SHA1 | 4c403481af61a0fcef3635afe41ff850ed36c0db |
| SHA256 | f60e958ea570fe2c47355b0771b6b4093edd63306d2cb6a4b5910b750cf1e7bd |
| SHA512 | 507345ee6367d23824e8c2906bcddc70a6eb502f149823b18073244ae9e712934f41683981d6877d47ec4b69ee1875181fd99fdab2cdfccc7dd352ab8e932dcb |
C:\Users\Admin\AppData\Local\Temp\jSocwEwg.bat
| MD5 | 737d6364de09fef2c1c3a5e909accfa8 |
| SHA1 | ff6dea41d4fa1fa9bcc33573174785d85c3e98ac |
| SHA256 | eecce6a2244506f00e8d37891dc641c6b4523156f14b7fe49de904ac4aea5c8d |
| SHA512 | 3846c81064add115ef4bbe5b1782fc9016f67822fe8d61ce7f45d0a78751cdc5436869b49362cede0ec05ea97a98d17753b50ceb69ec1f4ace8d84104f4b4539 |
C:\Users\Admin\AppData\Local\Temp\McAO.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\mAAg.exe
| MD5 | 9c04584deb120edcd584b3fb3977c492 |
| SHA1 | 76f6ed5f1f114f96ce9774824c13587137c934b7 |
| SHA256 | d8b5cd74d406bd5dab2e9ffedb106ca84e11335fac5731e492de1000404c3933 |
| SHA512 | 8271d952ab8b451a0c1690ce3bf5d062a7d55b83aedf57f3322a00274adcda018f3d61d83c4327a94dc037aff89047ded5559425a7e3e21d1f14d4c2ad634b2d |
C:\Users\Admin\AppData\Local\Temp\ywUO.exe
| MD5 | 95d7e2c6a5404af78ad4bb92ab03168c |
| SHA1 | 152eecd52ec8bb4329da534bbf1c6cf6ce3858f1 |
| SHA256 | ccfa5502c6e4bb2a49ee526a638b6460abeebd371106bc3686d143c4d5a62baf |
| SHA512 | 7531d368b353cc05ed02f5597a3d7de8e3d74e22fb4d764f1beafa3912a0d8fd67789d0c57c350f90826c9400234bb8ccc865ed735f6971287d1d57f5abd3e2a |
C:\Users\Admin\AppData\Local\Temp\GQIE.exe
| MD5 | bc81fbfa0e927fe8eccfb7e0e8d115f8 |
| SHA1 | 2acdcd71bcc055b691954810a78fa6d6a381615c |
| SHA256 | 27a3af7a1dd1f4de023b339f276bf9cc3e1bf7a60266df697d7e7d055cf70bda |
| SHA512 | 0cbb41d8f17c25c9308c10215c15252e78b1b4b3cbfa4117e5742cb11ca3c2d086a1ca95f03e5605dacfc936349cdb81dc0833711febd6ae9bc5e4462c33e05e |
C:\Users\Admin\AppData\Local\Temp\yAgo.exe
| MD5 | a4295076fe5b263280e28892ac8f037f |
| SHA1 | 702a84208e02f57f5b5c61983d6a7d861f6f0e71 |
| SHA256 | c809caa8f57a1df1ff6df3de4ea75dc3a56ba055846504ef64489b25ffa8a2f2 |
| SHA512 | 060c3c6f35b9591c1e878cde294f7ec4475cf4effff482f9a3afff432aa6f38c2fb8577bac8a6cb98e7eb7625970ce8bcf85b12bc2d0952ed9e6823a859e092c |
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe
| MD5 | 3067180dcefb2ba80dcbfe21a169cb4b |
| SHA1 | 0a4916b0c6a42179f17374655e25ec66bc276414 |
| SHA256 | d453cfb7feb4793c93f30bd16782302140e8f4e68a34499304ea77a276a71b62 |
| SHA512 | a99987e9b588f11e5abca775f16b3a963e4e269a4d92ae868f7b80715e2b301f6544ccc558dc32ecb937fbe2965c0a36e163d1f11fe7fb13fdc8deb4d33403d5 |
C:\Users\Admin\AppData\Local\Temp\zOQwwYwQ.bat
| MD5 | 644fec677a22db62d5a5e72f4422eb4c |
| SHA1 | df99cf97640d35d101bf926a16528931405d01e8 |
| SHA256 | 6a1b95366a130656ac57300113cac74618d3dd572ab53d35ff585a44eb3c2556 |
| SHA512 | 4381731d1e9ebd1f1a103a71788410a60623fbfcae4ad8692c37afb88f7964e93d037a944a8928bc506e8aa496f6f9dbe6500ba681b4cf94adf345194e8b24d7 |
C:\Users\Admin\AppData\Local\Temp\EcwO.exe
| MD5 | 2fe1b3696e25d0a9019e0fdf83cde2ad |
| SHA1 | b2ba8229177fec52eb9a2ae34bc570b4c87750aa |
| SHA256 | d52d60dd2bce31dda98a9930d1f48a41419995b5fcd7fdc2632e6c199906ea3e |
| SHA512 | 0623722e22f03642b2b1f09679e9532150eb6036ccce53df07f81a53c5a88e62ea499ae8ff15317a90e1c915b1ea4e791f50bbb9a2e5ffc08ce3537e3047c5e9 |
C:\Users\Admin\AppData\Local\Temp\AkgA.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\MgEy.exe
| MD5 | 704428bab2d435b9a93e3e58fef51b70 |
| SHA1 | a56d547a51afd2028e965805889f2c088d6bd553 |
| SHA256 | 3897c1fc1bdf39961b635a215e78ece4956cbed3de2d193bdf6c1a1a1fae0e41 |
| SHA512 | da9dda8a91d1c1629374467c82e7463e798d6dd904ab4bdafd15a9ea7c6c195caa6e5b7353bbb4539eb7a335fd7407e361b0b05dedb30305fb98eba2acc3de0e |
C:\Users\Admin\AppData\Local\Temp\gGAUMkAk.bat
| MD5 | 7b511e7f5dc990f27956a730e88d3907 |
| SHA1 | 8fa4c625649a40d64289cb6b759adcdcb94df40a |
| SHA256 | c457749439bc99a6e9a99da5d7ed57b715470fa73e162a89e86b23678e14438a |
| SHA512 | 5d5257da4114cbe7780a999e1f2d0d5444e3469704ffd973697f1aacd89d9102686e290ff3475588999c41f6e20e001a755000078377d880c207ef648b6c8c13 |
C:\Users\Admin\AppData\Local\Temp\AYcU.exe
| MD5 | 53f2608c1b754fa9299d99e3dc454239 |
| SHA1 | 5fcc1267cd59581db4de0c3a2f8f8397fedc5b40 |
| SHA256 | 6bee8a280fe4e5e766fbf50cc4c367c1618eccbd6272db1c3dea86736fffd872 |
| SHA512 | b6526748a13d073feeb89296e906c702d92cfaab8ef519999e70dbc80675f5ccc335145873e38cd1f2abe282eb78abc667e236ea1c61bccb24f7ac4cf21c6633 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | a5d21bdcc80a0af64970a9eccefd5132 |
| SHA1 | 45a9903f7805fd5d1708b934e1f5cddb603cda10 |
| SHA256 | 953636458b5098a89d4563923e68d0a3ba3230f2195ffaa0a5f37f6005f6c302 |
| SHA512 | 4b4c65046e4ee4f9e84699e67e2c46a7c85eb781986ffea57e72c1dfeffe5883b1e9f4c9bfd8d3bde893da41caa6498fd4dd7c607b7a8d722e55f3657fb32cae |
C:\Users\Admin\AppData\Local\Temp\guMYIQIA.bat
| MD5 | 14e8c7c5ec94befab5ed74858a1327ff |
| SHA1 | e6df7c716e26d9bebda8a739d44ef331dc5ba4f1 |
| SHA256 | 9f79b57a1d0442338828e229111c06116dbe737fbb89d02220df4fe9a5dfdee6 |
| SHA512 | 94c884fbd20260a3040f08d5a77088b2c088b89dfe2b836dfbe1e1df272ae4e010f489f801e46e2b36987d8ae9f293c977142833a1a8cce273cd7a4794ea1dbc |
C:\Users\Admin\AppData\Local\Temp\IgUe.exe
| MD5 | 55a3263daed36fa719404c77446347cf |
| SHA1 | 281aee5b24176e57265361dd2ce78e1dc60ad1d8 |
| SHA256 | 7966b29c0ae505b81d24bd9903cc9e9abbcb6ee5edd985ef3f9e2b4862f37522 |
| SHA512 | da7b81377a4484f7f9c864070c33d759479421e5d23edeb4110c60bfe6c39a2b19247d14b05c42dc2036b04b12fdb826eda95057d708396cdcd0704c3fd7c107 |
C:\Users\Admin\AppData\Local\Temp\ISkwwUwY.bat
| MD5 | 6bc67db82d0c7e50ac2dfebb342d7094 |
| SHA1 | 328f06f41595e23d2373a5b5924385e354caf0f0 |
| SHA256 | 245cb61d099a0a7092d125483a8889086424426d99d62a82f50a1217a70b926c |
| SHA512 | 86113a743c9504149cc6e016bf599175b53b46e202741c4a273d8a42827957b47d5b05b55b9c079e8f11870dea817bff88d248d6a86c2837bc90a883d03f9f9c |
C:\Users\Admin\AppData\Local\Temp\agco.exe
| MD5 | dfbf46e8b20969bd968f2c85262260ec |
| SHA1 | eb82a7a7895014e6d448d4ea0cee9ae8c3d00a14 |
| SHA256 | 0118acda358507b939c853300bdb21633aa93c17bfc0de5c92937636da9770b8 |
| SHA512 | 2665b9ee66f0760294b7aaab0a204e90fd6ed5aebbfd637cc52736737182c6908d733fe23b42b34e11579f9f8c816f3ad6dcc98027c98533a76d33f12c796a14 |
C:\Users\Admin\AppData\Local\Temp\EAkm.exe
| MD5 | 61291d386982888b84332d1ce2e8546d |
| SHA1 | f198690c28c010b0713fdd1c809d7a4f3545146a |
| SHA256 | 0b07eff50568fb6253e9a56432bec2654642554c14eeff0794c6b01c7715512c |
| SHA512 | 9b74b1c9189af579fde079fe4c4c1ef8c7a40cddc9bab7a112b26817ca29e75284a051cfc47dc1451c44a0924d15640ddf17fa5b35d2f606afce5b39454e61ba |
C:\Users\Admin\AppData\Local\Temp\cYQgAIgk.bat
| MD5 | 215fdc5b80d19f3932d2504380570c57 |
| SHA1 | 31a789e975644926bfba5a5ffd6cb0c6a0898a2f |
| SHA256 | 8bd153ca19ee7f2d2f8092cff8399d7176a9ce46d0a41b00123ddea298e59fb1 |
| SHA512 | 4c4aeb68e04edc949722ca10ebf76e8686ed35b5bff2dcf80523997f61a1a08081796324eb07e178aed91ba6bd1750485ae093411519c0616c03a5b86d3120f4 |
C:\Users\Admin\AppData\Local\Temp\ScIs.exe
| MD5 | 339cbad762a75e4eefbdb4350fcb39cf |
| SHA1 | b24c8dff44579051bdd2444f8d3afa0225541843 |
| SHA256 | 178f0640efc897c0ad5906cd8f5b1ba3c6a78c6861a5b956e1710b98ef938ac5 |
| SHA512 | d4829a8acb7973019a0138fccc54e25d7d32ea2d5189a10ce77e13ea48ed903709ad28ef0f3f90f07fd7309a32875c8ac20f326134631c1a472d767eab7bb5ec |
C:\Users\Admin\AppData\Local\Temp\Okoi.exe
| MD5 | 8e96c832e18db36245d49ad809c44c32 |
| SHA1 | c23820af56c6ef718d9b7aff0dea61215000c2f2 |
| SHA256 | a47cf410be769ec7522d9bd110a049f8ceb6c47c1485790ac72e559eab03e39e |
| SHA512 | 9775d072a9156985359c6ec59ea4d3e24d035dd84114e2675f56f0d5a17150a03d5c98b16023c80d0ace3089df7f139bf79a88b5621a0d10bd7546cd792305c9 |
C:\Users\Admin\AppData\Local\Temp\kgso.exe
| MD5 | c759d8b7c5cd37bce0af688eb11263b1 |
| SHA1 | b5c573edc372678d9ba0cef47696c6dc110d91be |
| SHA256 | 51b11eff17b3e6d4f6b96cc69b49bdfe55159109370083c01f59f55482200ff3 |
| SHA512 | 55b9eb3aac6bef3b39e79952e2cc57f83c5c7348e9a0c7d6bbac18444c5856ed0d52bc34f8f07b9f307573fb0d53a41ef81a99cb2cb4c848759888e4888d416c |
C:\Users\Admin\AppData\Local\Temp\OiQwUcQE.bat
| MD5 | d6434610fbb1a9ba01d8a2e40a17f213 |
| SHA1 | 7070b38f95992ae2743012cac6e34d6da562f3c7 |
| SHA256 | e79958f748ef76084678459f5df8826cf82c3d62be0e9b6674530519ce4b6e22 |
| SHA512 | bf18189804f49f16c0d22ee60a251edee0723a78347ea334e65b2148db60f8d7fca3d936dd40a5982d183116a0973b29ebe19dd28938f9d34408c6611a9c4241 |
C:\Users\Admin\AppData\Local\Temp\GwEc.exe
| MD5 | 5596771ecce669c22af0e40af475470f |
| SHA1 | 03cb55f95be7625c8acfc7f6b3655908bd7bd39b |
| SHA256 | a6a3e2d26f9723823aef8f36cb942d80435fe2460abaf30c32524c08f68cde50 |
| SHA512 | abe79ca7b505eae3ee0edcded5d35933d92fe3565d46f0231f0a5b4a17b59020ee4bcd44c0535cff53e597b4a3c9615c8ccb3852908b3f295918f3a89bab3c8c |
C:\Users\Admin\AppData\Local\Temp\IMUo.exe
| MD5 | cda6a032cee26d30af9fcadcdc695ebf |
| SHA1 | e3a3bf9f0fcfbc7de79f57250e42df38c48d452b |
| SHA256 | 04e6375e387b183964d169560a5b5bb123abf2b4281b9a75ef8ac95edfd482a4 |
| SHA512 | e2c07c93e931ec56d81025188b9bcd7ab65e2f4acadbf93a29dd29e5980f84a031d24a4c7cb35b255b36907482c22986e3016dd7499c2a9c2c0d538fbc98ce21 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | 9cac93f62b5c3ee1f264b642a8478f2a |
| SHA1 | 59a8a1ad4851de0137d4346f76c639ea0da57b6d |
| SHA256 | 723f12ec23648e52515d9cf1f45e96a4e4cb4488481a35535b1314f253da77aa |
| SHA512 | e323846d49542b14d1bba1bea166582375a4fc357c386d613124fc0c564e895c1130a0890e7040a453381afa734bdba548fd4f790bf28bd5c706e6e6d1557bb5 |
C:\Users\Admin\AppData\Local\Temp\CoAIEcws.bat
| MD5 | dab8ed5677d5220fe81147dbbc8db557 |
| SHA1 | 7ac4343fce9e65d9d3e867b593c969204b399d59 |
| SHA256 | 524a9b020c6fee0c1ee0ee024ba614f6633bbebda1d9c0351c19ef11ac5c1bce |
| SHA512 | 8593e79b3e4f4831f2cc95405002c458ccdd0b41942b4294c7f56ff983f962e5c4b7abebcdcb799a28ecf1c2bf22d7a94405044d5aab6218dee1b17ca49c2a45 |
C:\Users\Admin\AppData\Local\Temp\owke.exe
| MD5 | 79c5073dd663bd8785fad46f5959ce9a |
| SHA1 | 3ede847ad1841bdd4362bf0b0d35b8589fe52f7b |
| SHA256 | b2066ef9b8fc0827d49d4898cb1f5c1ca2129d6d198bde1f3a4f9765b09cc8eb |
| SHA512 | ef3e89d6cb376bdbb2d01d55cfbe10b9abb70b1f3a25d2b6df64ec1f70ebd2babbd265c84a06437579541b5960985ed54857f32eefff3962fb576e044d2396dc |
C:\Users\Admin\AppData\Local\Temp\WkUq.exe
| MD5 | 3c2bde5b0875b02d66610bafcbb56ff9 |
| SHA1 | d20a8b65049f33b964578ae91e429331ce0db496 |
| SHA256 | e696eb4247ad2d838edced6e32d9ea5779c1937ea56fd9ee2eb40459217039ed |
| SHA512 | 9982026875c1f0d0c9730d68f6cb5125317e4b104afa4163bf6618a022fb0493674b322fb3c6437edc5dd5a01fd75a2d69855e2d6d8f574c3a7c65df0acb1fab |
C:\Users\Admin\AppData\Local\Temp\cIgy.exe
| MD5 | 428b0614b46576471fb1bc33eb777f3d |
| SHA1 | 767384e4ae915aefa0bd535f46de304c786f3627 |
| SHA256 | 55d9e264fe63f09a59c9a0d22639be74954039af4ab43b32606e578d2500a37d |
| SHA512 | f766033c9d5b9a2be390d5ab3e5363a4e1f8ac7d21c772d5809ad1e75969d516a5ba084c154b88cea428b2623decc8671ee84a43589f140d48166903cb099c67 |
C:\Users\Admin\AppData\Local\Temp\qQAA.exe
| MD5 | 4962818cb55e70d810718b748cb6cb20 |
| SHA1 | 8b7e77d3097e5b4736cc3e0c6013a7b3a6b1c579 |
| SHA256 | 7b6084c0b7f65096dcbdbfbbcfcf254ceb3a68f5cbc011802b0721a75b3f7c2b |
| SHA512 | dbc55da5d5313c7d33bf765c7d20280a3e8ad5c74138833433697a3b3b6cb10fff049204bc7cec54dfafa80e2873343fed4bf7cc059d8b048ebc955866891196 |
C:\Users\Admin\AppData\Local\Temp\UIMy.exe
| MD5 | b4cf125988732202a490edb37e41cc36 |
| SHA1 | dcfe9e94b6c32ec126946fde3fa20ff84db1409e |
| SHA256 | d92f44c563b2fcc1ed770ea4e20422883dff05c740d9eeca9db810654f6a067e |
| SHA512 | 1147c812d146dd0f41f9e10828691c35607f86b20218a768561872692ab43f997534be1973b9c79945ab0053b40c33a33107f18ed83a572313da0ff3dfdaf901 |
C:\Users\Admin\AppData\Local\Temp\DWUYUwMU.bat
| MD5 | 0bcada31685fd2e38baeb691ef1a29a8 |
| SHA1 | ab1efd2d2b497dde1e1ff99d847b369391d4887e |
| SHA256 | 43adb77d3301d60d6013643a92bc0ccd6693f284691d39855e52b689668bb434 |
| SHA512 | 7a8f4a81d8d5ab9e327ca9c0736660f53b1bd12df1931a001bf69a4aeaebd1945c7429e5c977ef56db1d64de4f96a4f94f7076b169dd785383b5cd6ffe3c0e37 |
C:\Users\Admin\AppData\Local\Temp\ossU.exe
| MD5 | 0f6da1d42896ceaf526b22a82cfe96e0 |
| SHA1 | 0037e5fdf962aad70ce5ef7ad1d6f3ce0ee12f40 |
| SHA256 | b8cd1ca911ee399116ce0ad44df7c51437d11f0c81f9dc7fe05c7a47e23b7704 |
| SHA512 | ab4cd1656f663716d3e25dfcbccc203c4be00e6c3193ffc09f6a29dec971b777e44a939de7dc92ae499be46e2096cbd8ddc144c3ea077932b29fb65d7c317d3f |
C:\Users\Admin\AppData\Local\Temp\ecsM.exe
| MD5 | e9fa31a865529aba2d1736a71237f930 |
| SHA1 | 010e71acb6a5cd299af159e5e73b560fcf1721ec |
| SHA256 | 9e176277ffd4cca063b02b979bbe3ff3efbd35ccbe872d610b701ca5d5359e2c |
| SHA512 | 9b172a54af306317348f08bb6655d7836073ecd4131264f7f5e2ce870de369ac98d7e9ad57f9a2f4e7504b2f54e0a2354d5cff6f3fa353832eb572678aa4a337 |
C:\Users\Admin\AppData\Local\Temp\yMsk.exe
| MD5 | 189938b4f0662c6b2468478a9723b656 |
| SHA1 | c2ca6ca9172e7a795b439436f4ace162fccbe105 |
| SHA256 | 3476e084d712ecbf13a49fa9ebf861ebb80e80a2eeac345f6f1614a3a9a83cc3 |
| SHA512 | 18f1180e7899fd35930827d78878f203294c81fa179d4649877f540d19b29584f9369bcfe2fa7632b133a27daeb35b87db6875527886cf5fd28207da00240aeb |
C:\Users\Admin\AppData\Local\Temp\fIIwosMI.bat
| MD5 | e7de401eb85a6bed13839d2c0d515ed4 |
| SHA1 | 653adad7c3ac61b5080bed488a15d4a911e8ede8 |
| SHA256 | 6fdb7d359cf97da614e38efd73eb522a38ad3ec3393185fc66d574f288a3d4fc |
| SHA512 | 3667c4e203ba336eb9551d1ef70195ec7002574313b97c3889c37a487815af4f25fffb85870395c3bc6ae0b117175bf0d5719a05c2ab551dd880ca78b2ab978d |
C:\Users\Admin\AppData\Local\Temp\OMEm.exe
| MD5 | 776a406eb905af85e2387f8cae357a2c |
| SHA1 | 834d0ad5c02ddb0156f72e3c6ee3ce2e2fa6b623 |
| SHA256 | f9517414cb6d524fb18ca3ab693dbef29c57d314692a057c8fea9cb4cc6b874e |
| SHA512 | d5ee0c900cfaa728d992423b61a83d1f76660a47f8695bd4230ad1a8dd32912e8e7db7e1f98ea106e66a585fe30148d66d2c05a826aaa89606b141a67652c310 |
C:\Users\Admin\AppData\Local\Temp\yocq.exe
| MD5 | e71449956616d0b0efde8b0df94f54c8 |
| SHA1 | e7bac8c31251cba4d95c3ab868c1984a449eca7c |
| SHA256 | a01a0134938ea8cf9e5e91430c9fbfd71086ff5988dfce0281abe24fb35e66ad |
| SHA512 | 730a6054f11963e356d44b6b367a967376a86fbf15d4f85f3d7fba06717b25785a81fdcc01bd3efa7cd952bd06d5785666dbda6787b199f6864218d26ab20037 |
C:\Users\Admin\AppData\Local\Temp\QggG.exe
| MD5 | d0763d3d09825ac528ac065aee5612fe |
| SHA1 | aa9c55f29c09da905d373271a7947cfa23e23bff |
| SHA256 | 713ae3f197dc512180ed782e5e036f2e02c260616878c42f86668b3cc2b8131f |
| SHA512 | fe79814dc5d901bbcf4b9ac10351b21e1bf0bd8e3a9a2f6e8842980d206c78f62352601174c31d7c11b2ad964727058f4d56463f062b6a18be8a8a5f03695e0a |
C:\Users\Admin\AppData\Local\Temp\zogEkoAc.bat
| MD5 | ec8c8e7ae93d671314146e26cf80b751 |
| SHA1 | 2a2dde3f613e364c258053974c1f4a31ffb4d7e3 |
| SHA256 | 88efd37eced19ac83c7e11bdd26496829e47f530d98ecf5975766a9ef183cc83 |
| SHA512 | 8757535e48bda3783095a9cdff074c97048431423103ac3aff328e622321f86ada237a1a5484374b8795bf83455c0a1483d4aaf79ee488db3465f8cabda6b541 |
C:\Users\Admin\AppData\Local\Temp\qIMW.exe
| MD5 | 6f28c29fc046f471af68e0cc94d770bd |
| SHA1 | 3bc993fac4b9d91a990a8c80ae1bef62699b3c5d |
| SHA256 | f7f0d6197ae2c267d1a461191c3d88b46f7b64138b1ff737d3fc15919f9c2445 |
| SHA512 | 4ac857fa53b77b8ef986b89f3eeb97d2d5a748bf485c5f1532ba21eba15f6c4d1b0b99fde5dddd93f17292cafbe3308aac75adc8e77a93e60b5e8ef3c97ca079 |
C:\Users\Admin\AppData\Local\Temp\jSIkcwMM.bat
| MD5 | 96c55f5d0d32a4468d57ef58b4ec8836 |
| SHA1 | ae7671cd8cd5ca4318f82ffc528d8fbd24fa6d31 |
| SHA256 | 01ae3724eb80eb2939fb85f3ae6d13568b839c0e76a7501dca56da0322472924 |
| SHA512 | 82311ec2268981ef817bfe23e910978592fe66b394f73deba40f0c11ef0e1af58b043c63ac4d131d5aeecbace10c7c55ccda45f36d1a4e3ad539826197be4427 |
C:\Users\Admin\AppData\Local\Temp\KIsm.exe
| MD5 | 155d4cac0fb49932ebbfb0fbf1bed153 |
| SHA1 | 23a8fde380da7ed455151e22541f2b3d743b3c06 |
| SHA256 | 52be2e876a30f4c28b18f8ceaa016d7432754d051d7b6ded6234ee8150d80e2d |
| SHA512 | 244ddb0ecf61a47c68b2d04e6a873b91c8e9197fd52227dd335db763669495729da9e4131c013c03ed41f604685b26b48280c13dde9f37ea72220e5710427bec |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | a24892464b3247613b826eabbf2a31ac |
| SHA1 | 940efa53ffe9837daaf5b241455800a9da913866 |
| SHA256 | 091a42b072ff3dfc150b23f20bdfe866813e233c6c190fca154752d3859ce9bc |
| SHA512 | 3fed91cc8fc1de872a3eae761c46365ff7b8bb792ac28e5565784558d745680ce475c3b14cec466cd6bf5a49d2a37a31824cc3fc7e0ee220f63725a8b7f2197c |
C:\Users\Admin\AppData\Local\Temp\UyMMoQwk.bat
| MD5 | 104e9a2f535ec538445e9fd3647b22a5 |
| SHA1 | 9b3a022ae6e6b8480c60cc8ec1a20ec631dc6539 |
| SHA256 | e06196c8c2be6b66fa8388608a722af75f0bf680ce93a546fd73db4072f0f237 |
| SHA512 | ef05cbf8686298605c928c4bc9f60729cd3f874196edc31589a9f1c976d73e033e945351ee515ff664b1db5a20f12a76a53075631bc3b7b7a7a59a253d86003f |
C:\Users\Admin\AppData\Local\Temp\kcEE.exe
| MD5 | b433307260af7b1b42063b51ab28ff22 |
| SHA1 | 9812dfa07cd46c483097079b4718bf1821b0f7ab |
| SHA256 | 356f3f7b476938a1301f0a387a56edef11855a6ff85224a5ea1944de2061ff3a |
| SHA512 | bff2714052d8decdcd377ce87803f5a5af129659b7c8ad169a0cce3680e50972fc650dffea492a05e3d6e3fb2361e9c45aa70c7d10ed753c2288a5c2040f14f8 |
C:\Users\Admin\AppData\Local\Temp\ikwi.exe
| MD5 | ae07a00e7d93e78f3eba2b93458c7ab9 |
| SHA1 | 320adedec745106ae4ae4a910060d6116196646e |
| SHA256 | 919acbf4e9081a268b20a03669e3770c7e3289f5b9dfbc106017b8ea343aa253 |
| SHA512 | 2c6da377fb5c0e48ead4abff3d9ffb97429f44a4b28a14fa4461230e1767ce1285d27106c444114b30c1c76d240656728f58fc3d41772a3f292adeb5c94985a2 |
C:\Users\Admin\AppData\Local\Temp\iIEA.exe
| MD5 | 36c9dde0d2d23ebc6b3609bc0e5cd2a8 |
| SHA1 | 03abef383b0571034a81f580a0739417d001275f |
| SHA256 | d43abd54a6a3b9def0507213e70a5c3bf68c1a95ded890823e77094d83f98aea |
| SHA512 | 03fd6fc32e9218f70835d6c27fb5a1fdf9006747f8bc6f087e45e1b37a61a7d39f6ca7f22bcdf057f275ee79a8b34a5967aad21c5c411c298ed82be7514218df |
C:\Users\Admin\AppData\Local\Temp\WmwYcgYM.bat
| MD5 | 4cebaa976499754379edd2f792b89758 |
| SHA1 | 08d70b997b6334715a66eb8e8c66a8d13e279deb |
| SHA256 | 5564f146cc2b17b8a352642bb9f27363a15d619eec5451a3e098d03838b0e56c |
| SHA512 | 0498300f3e2d0d90e47b77bbb4373896597aa328efd0da4b0ee9bda5c184752d8ba73cb7acbb2e838f0386cacc323d58ed5799a7b05c29a4e95bb0c23a42a828 |
C:\Users\Admin\AppData\Local\Temp\EskK.exe
| MD5 | cd4ceae943bdf2bdccc2525afeb7e531 |
| SHA1 | 0cfd00bc8af6d6d6d268c4a13c07bf36b9490e1a |
| SHA256 | 0a0dbcc29e925051d5951734e82263d9eca15d93b2c3569001be2f00d1453b54 |
| SHA512 | cd1fb5353ac118a619b9c4342fcda27b122b87ae393b0aa65ede393770dfc5747ce84b07701e6e55e342fdfbd29fab36b066da97999d1637faed4e5ee2df5202 |
C:\Users\Admin\AppData\Local\Temp\cggk.exe
| MD5 | 3182f4491045593f8d61fc832bcba652 |
| SHA1 | 66ae3df9624b08f9e0ce4ae90895c8a43e9e44ec |
| SHA256 | d2db2871ae5f5842d46f7c85e1b5a7fc0368938c22788aabeffa910aec041aea |
| SHA512 | ac74a882eaccf98c5393e6df2864abaec4bbd04c25716df817611c7de2de2c20b9ba9b3ea9513f2f0000302155aaa2840b5f0cc1353fa96ffd0633487b85a9da |
C:\Users\Admin\AppData\Local\Temp\EEos.exe
| MD5 | 9bb6bb16f91b2dfd8940bbdb3aea06a7 |
| SHA1 | cd847edacc44bde378fdcfc184a989c2c3087d9f |
| SHA256 | cdc03ece44deb704dc3956b98530328b84584c05f905cf91b59a0db278ebadc2 |
| SHA512 | 8c6eb22b47811f6d9e8662bab2418f3a3c4ba7a0dbdaae8ce01b74743f1ab8fcc4b8c181d749784328eafe84b98a9158d5e68bc1f52430bf55553c81ae4b5482 |
C:\Users\Admin\AppData\Local\Temp\maUAMkUo.bat
| MD5 | 46ffc281896ef3590053c89788fc0cee |
| SHA1 | 2b68ad574c0d9339aefe9a78be67178533f5de2b |
| SHA256 | 57917a73973d7861cdc81028a4dffdd4623aafc4dc85a9e3e2aed34556d128af |
| SHA512 | 5c09d4475406debdb2bc59cf9f553b34535a541f7069937cd86b418fa73861f467053ad2c55566aee4652d304ae465af6fe056b8038a8479d6d54805b5086e24 |
C:\Users\Admin\AppData\Local\Temp\kgYy.exe
| MD5 | 6c1e620aeebd801a21e795b83beb6df3 |
| SHA1 | 91d14b7f6ea597583eff57c1863050e17c882448 |
| SHA256 | 33416a4b7cddf73cfe660d7f786f9aea51d6d865b3293922d759903202205e1f |
| SHA512 | fa74709d8877c454f01c282fae45d3151f49436c1b23a7dbe64c3553c2a3c4ab6212d0571d50a55d6baa7d221629e4c5d181b644bc217197b0bb48814731d459 |
C:\Users\Admin\AppData\Local\Temp\CkUc.exe
| MD5 | f34430c17135f5c609cc3feeb5907e97 |
| SHA1 | 73b1f9e564d7b8f20f5af7ba41f1bfb3568fb2f3 |
| SHA256 | ba6b40e844da456c4bf5b3e15d5b0e88b46000d17c7f6f29c7167128d151bb8f |
| SHA512 | e6836362144b81133024b1ae0ea49ba9cda9b38af79d8cb5ac7849c13094150ce903dac8f57c59220368201025f3d5de21b766a31b7f38d083dfa237561b5474 |
C:\Users\Admin\AppData\Local\Temp\qCUsYMAw.bat
| MD5 | 248afa18fa2807215302030e8954d81e |
| SHA1 | ad1cc3548e7b2683a6dc0999a6c0cb2838270ddc |
| SHA256 | 25fda0b63786b5f1777e2ef8afbac004f5041ffab9e89dce80cc62232d811a8d |
| SHA512 | 3d823fabe9491ab4d72f953e7b76455dd3e8b4a521fcd219818884046df1674b1f79028b7368eacea19c80582f2e08ab51c6c345525fdb52f79bf0b79dbe3767 |
C:\Users\Admin\AppData\Local\Temp\YMEs.exe
| MD5 | abf0cfe8e7102ab12eeac674f95ff50e |
| SHA1 | 786490d9242d4dafd47e1a8ecd99e128c6f35fbb |
| SHA256 | 27d58124b2dc620bcf561171be192caadb6bff0de6ce73271dbd4939d187a399 |
| SHA512 | bcc2e5b78f7fe2c9fcdf491dfbff83662844fe63c4223de09cd56573267de254bbdd23fd716f8c5cf99c397689480d697a018950d268f9b661010be56a594265 |
C:\Users\Admin\AppData\Local\Temp\IAwg.exe
| MD5 | f530473fa6c0fcb73cc51f36e6a628f0 |
| SHA1 | 033b79948e79d178262f5c21f5edc1b7b8c6a0df |
| SHA256 | 9672f993f830c53b9e09f7d76a60ec7aebb3835477366bdac0fdccc619c2408d |
| SHA512 | b95df680b397c13f08d0ed48a222c12cff8dc76145d3f8b27143b99082091f9dee49edd50664cbbc85eb3e55559b8e7c930768a6cad9541ba7e62b99b37b32d5 |
C:\Users\Admin\AppData\Local\Temp\moos.exe
| MD5 | b6abe61e33e61c037248cc294ab0e127 |
| SHA1 | dc1e5ef36549ff6e5dd4e12e9a6f109f85e2f95c |
| SHA256 | 61363bd18114d932d1716b2a90a8b4f5e6d9db02e9891ee20e98130bc581235d |
| SHA512 | 22464aa75a2802acb83ecf7c57fe5a6fe444c677012525638c2cd278e99cb45025fd097c4e8715a0d07da52ead7c2170cdaf56b7bd271757a1115c42b7c747b4 |
C:\Users\Admin\AppData\Local\Temp\Ossy.exe
| MD5 | 045061be0ce5995b23a90d0c2d9e265f |
| SHA1 | bfa1e75177e083df4401a9d4349500d181d884c4 |
| SHA256 | 257eee1ba0cb0e7b90fa46a6d82267a7ebf4c3421f47d1700e4e9316f71d6b32 |
| SHA512 | 2761b97d3c99c10a0a77983a827db7fff318f6669d7952d71ba89c5c077a3dd8aedebb47e93aa7629b9e691ad72a786ade1352bc3e4792e86955365e6667ae38 |
C:\Users\Admin\AppData\Local\Temp\DCwgMYIU.bat
| MD5 | 5fe0409a663600530ea2adb05361ed34 |
| SHA1 | 054419bad90b150feca82d50b91aa64a6008fb1d |
| SHA256 | bdc0979292d08e14a08672758f810fdde9ec6c178cb9122d3a21affec5373130 |
| SHA512 | 0832d9f01d335ba045143844622842a954e6dbe2ca0ad25ed9e3be24b571d2f6ff9c81f916991a42eb9055e402fc807115820a08fcd1bd2286f56461b88fb9ce |
C:\Users\Admin\AppData\Local\Temp\KQks.exe
| MD5 | 6c20d5b08791a90fd262acafe0948479 |
| SHA1 | 2ccd991091701261abb3a2b1044bc15f021b9c34 |
| SHA256 | dcffdec5415a569985e692bd399e639dcef55387a20f806da217ff557752e17f |
| SHA512 | 3cfc9ae908205126001b9ebff1dd6e7a40a799a9cf49e00b5344fa968a692cd03930dfa79d5ff3cbdb75321729c3ffe0cba210a41454157c0dc2e8134edf9888 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 3c4209039d1f2e2bfec19be1df85c24f |
| SHA1 | 7991141273c5d3c86ae4204e4719f3c8c3ebb8bf |
| SHA256 | 924d19d0bb5e3cbcfb9e04f4c1b110eb74cfc84b4f87044e068eb6f162e39a1e |
| SHA512 | 9ad4ca07c72aee61c0191be4a1b7b7b86713c75d7c20ea3f185e2a5bf5223670202ca95deb16aaa0b0110b464033eb10ca3192ef554e269b2b7ab29a8ab36615 |
C:\Users\Admin\AppData\Local\Temp\dsQYUMIk.bat
| MD5 | 767a44379f54ab2190ebbb2f4d1a8412 |
| SHA1 | 76eb1c07beb6bc4fd9412000b9fa6a6d11b81080 |
| SHA256 | 3c86f8d37addc971dc890336cb542b62df2ab0eb41ac866f4cf43afe68ee9196 |
| SHA512 | 74e3b2f4d16d40fae0739360c32fb8b1a886bdced751dd16ccd1d85c7d5ed2504b6fa62cd1b842f09603db34d9abae1e03c6be75a3ad9400ebf59b28536e7b50 |
C:\Users\Admin\AppData\Local\Temp\ykwo.exe
| MD5 | d44882afb5cb23806a95684c54970e7c |
| SHA1 | 15ab2a5e4616514a0755dd864f70a3b88904a43f |
| SHA256 | 0892efcb573eebc8a9f2645ac3cac83497eae05f239d32beb0fa620141e0edbb |
| SHA512 | 312512d2413e99151344b9a14d379a30cd4d13d64e9f4a89bca77e522d268ef87dbaa9d116ffd1f28f2fb856943063b2422be2ff8e2812acb5694f5334aa493c |
C:\Users\Admin\AppData\Local\Temp\buoYIgcQ.bat
| MD5 | 5af77006a86d29c29b501fa2ecf7fd0f |
| SHA1 | 60cbd46cf3c467594afbc6bfc174e93c5bebc937 |
| SHA256 | 12c68dd8e8e07d13ae77d04cfff7d60262e5f9b43cf3932726b7419e7a476e38 |
| SHA512 | 8c1b9f93fdbda75290424fa28c469e76bd97bbbd308f92df044afa7f9422809e852e2ab7bb97cc83936f183389bf5ed7aabe594a80c0c0cab3b1e980045add5c |
C:\Users\Admin\AppData\Local\Temp\ZugkgscI.bat
| MD5 | 991331250333a96afcb45bfd3fcc092e |
| SHA1 | 850bb5eb38b58b0f86c69594146d439fc14b54a8 |
| SHA256 | 95933022fee5d3ac901785931b57b9f47e5026f8cb94098aec6c1bfe7f8b27ec |
| SHA512 | 05a478c56fc3b457a43b231053d1bce091e566e7110a4df274dda34a65314a03baae17126759951ffd195542c623a7a8a943567a45616ea8ef3aae0f76791afe |
C:\Users\Admin\AppData\Local\Temp\FekYoQAc.bat
| MD5 | cb3e30a250c35546d06970999133f851 |
| SHA1 | 72fd7d23394dec729a3920a91deaadc51c0090e8 |
| SHA256 | 0871f1254190caed92921dc8bb9974deea5a1aba2d6ab1983d1ebbcf7684eb07 |
| SHA512 | 5208ff64c96687a9be2968666ef370f0ec000a0b870d3cb5b6262906ec2d7ef319ee7d92eeae3a829c04ef386eef9f6ec58f155c106da7dae06fbf95cd824e90 |
C:\Users\Admin\AppData\Local\Temp\wQIQ.exe
| MD5 | 77d479181f2a48dd375fed30027b2af1 |
| SHA1 | 3cf789a09747f6e1677a1f499da82b7c6a527f8a |
| SHA256 | fd8115ad42e61e10777e26d02cd8a649164ec58dd95b04931019d18124f1e2e7 |
| SHA512 | 85d1e5daec54402097a189a70ad14563cb4c42b55476a2c07883c0e2f975011df1fbcfbec4c49ebdbd1e6fcbef9db4e29388bddf14f593d870b6cc8bb8b2a606 |
C:\Users\Admin\AppData\Local\Temp\IQsG.exe
| MD5 | ac39cecfe5f56da899b58ece64b39eb3 |
| SHA1 | 065480a4d0d3a0be5c703771df46f2cdf355fb14 |
| SHA256 | 337bd9d39f782c8a6c98905762ad2be55537644e756831669d7d61f4764b0b43 |
| SHA512 | 613bc373b58504b3be45854dbed3c7c0743ec1cfcc4843b2cb99eb78e1f2292427c0f26cf9560ee6dbe569689e54733a142ac06f78482402316f0360c1bcc74b |
C:\Users\Admin\AppData\Local\Temp\AoEi.exe
| MD5 | 1053668e49ed536bc805fd0b7a35efde |
| SHA1 | 1741ff43769c5793e7e478f1430a1ae9599137a2 |
| SHA256 | 87adf85dfe40840a0d8d70ea9d9b0c660afe76ff9664e3a62f5cceb5f29f8480 |
| SHA512 | 4f90bce322a0401a4b08d948367eabd8fce60cbc1c404307e1996296adcfc51a55ec64af44972b0981700a729787bd0ca3bda9bee41cd17a17041973035c829b |
C:\Users\Admin\AppData\Local\Temp\MMgw.exe
| MD5 | 5a91e26497baa6e0c37eaaaf26236c3b |
| SHA1 | 3f33cea67869dd4d7dbd2106444c85946fdd1a00 |
| SHA256 | a33d3c4e0ad9a29582b9e8e76b5d78688ca90150c7435a2b62445e6987c52d21 |
| SHA512 | e68bc3f8b3c7698e1f2e9a0131418be1fc5ba023d46311ddfe6081155dc1cff77312ce4c9321a30afd0c711691c15362854deb325aea052b614dbaa80b3a8022 |
C:\Users\Admin\AppData\Local\Temp\qUws.exe
| MD5 | ad6a97f861493b3d4f25bb27749823e8 |
| SHA1 | 1815ee5e275c31d4de8db1fc0a54a61a1b17c7ce |
| SHA256 | 5a6797507896245f61ad97f4f91e4fdef5a0b885f3f1a9184a7a5cd2e94404c6 |
| SHA512 | 12f1a06b1be324f80dad8b0232975f5d7e10274de3438a9cdc5864635c8b5366e9420f23dc6391e3e2b7ada7ef6db72214426accf490bf9a33f8201df23caa92 |
C:\Users\Admin\AppData\Local\Temp\MIEq.exe
| MD5 | a8c1b69eacb89d9f26cca439bf37841b |
| SHA1 | 5a3e6cf8632964e4a595db031f80beb33db87559 |
| SHA256 | 3bb0c7f32ebef851613f179d343d87192e6ed17d05d1753bd2fb98e1e2fa47cf |
| SHA512 | b094fab6666245f491aa550f391fdb5ab5050cce7d2090af921a7492d68dd00f71f3c842f66c78cb6a042fbd27a973b451a490ceca7b0c69651ae1a3a2d66688 |
C:\Users\Admin\AppData\Local\Temp\wWAooIcw.bat
| MD5 | e71273ea1e0424f00e5245cc094f0f55 |
| SHA1 | c069363a197a75e5b4f8ecf7761ecb7c19d0aea1 |
| SHA256 | 23b08d4df23c100a23843020d7f55e4c40bc735215b77c99b44775c632cbc645 |
| SHA512 | c2226ae1f2ab11bfb4d1bcd8ce049caf2b3f87559286d2fa2851a9ab6c35beed2eb4d636c7b861fb5556fd0ad41de3ba67acc33e1ef95bb3935b562085df0ba6 |
C:\Users\Admin\AppData\Local\Temp\WwIu.exe
| MD5 | 4d7cd4e86d042ae6ff33bbf4a2ff5373 |
| SHA1 | 7bf04a8a4930bbd8d8ef54aa7a5bd5c7c631dd25 |
| SHA256 | 58c39945b40fbbd609636c66ae76cc94fc15bad5265d64ae2d922b978b14227d |
| SHA512 | 52cc1b920e50dbc5cca06c85bee8334c14fb5d21316000f73c03798c1f382afb628fc2985582189a829d3c20c2aceb2ed1974ebb787d9e48d07d6092d8f7e379 |
C:\Users\Admin\AppData\Local\Temp\GEIS.exe
| MD5 | 5e2e6b44485fc840d3a6eec443dc7297 |
| SHA1 | 9f8b4f7663606b2778a4a0cab28b43a8385b02da |
| SHA256 | 985eb29158e95b57a777317f87ed48e18a0b52959d3cdbf5874a95c08e510b37 |
| SHA512 | c7b0fea1bdd682f11891d4816088d072e630a685126c66465481ce460a0f6184e7126a88413f51fd073fe023b892945323b0e7492c8b0d8e9b829c8d032a6277 |
C:\Users\Admin\AppData\Local\Temp\ewES.exe
| MD5 | 7d3441968cfc9801fa94ddabbdfdb7bf |
| SHA1 | cdc392b6b9dd22ba934a0804e81ff2547f06d966 |
| SHA256 | 622ce093ee6154dc01a78d361b0ba1010ed1dd39fd6321d5142db37c57c3fa32 |
| SHA512 | df766d8765e2a560b5b152b1ba01ac0491e3ade0127abdd86939ae188f41d680a69c369cfdb5fa076a7ea695c01b894b6ccbf39cd5d17eca9ebb41619095414d |
C:\Users\Admin\AppData\Local\Temp\MkAE.exe
| MD5 | 1476a7b6dbbf8933e7b772f2f261a610 |
| SHA1 | eb20c9449f3072db64dc55003eb00a5fd0eb5ad0 |
| SHA256 | e63ea8306ce6cc8c1c188d28fc1d55048af07c9b8a197e02bdc02bb23cbca1a4 |
| SHA512 | da71a5c4a7286ea3aef5c0e1b99a9be40cfdf1de3941706cd1c9c3de981d322a3a23fac70c95e1bd490ac7d84d9506d4760e9df6e3a0af9d080aa9097c3b86ed |
C:\Users\Admin\AppData\Local\Temp\McgQ.exe
| MD5 | b104e630bcacf791c31a9580f188229f |
| SHA1 | af1437372b233f5315d251d648f24e55cb0e77ae |
| SHA256 | ef46e50a98ec186e05681cb474c1d0030525a97c67ac601e608c8501642a9657 |
| SHA512 | 9aee92e811c133095a7c46089d3b266daca8170605adc349d7355376f384ca00e9161074fec12b159054f8cf7620081aad2573e7e5887fb97fbca244436de679 |
C:\Users\Admin\AppData\Local\Temp\YeYswQMU.bat
| MD5 | f12889b6f2549a106cf2c44023bca82c |
| SHA1 | 2b263c38113d4862188ecb8b02cd0e2ae61859d4 |
| SHA256 | af70f8972446c25a4fcb75de42ce7c4a692217480b70b7f60e34ed5b0be42caf |
| SHA512 | 97b7d274a3b70eb084f064dd0cdd1d9e85c8f873c1b57c2e885b9eb4320a3efe2c1f0d33eef15169a1a3e612d01865c9ba5f28e42df983612088088334e16b33 |
C:\Users\Admin\AppData\Local\Temp\ycUggAMs.bat
| MD5 | 8b2df9b698c9684cfa661e231184d645 |
| SHA1 | 4e5f76171d5919ebd5a87e98cd1cb874faf5f2f8 |
| SHA256 | 59afeec3ca8f654259048dc1df51b466dc86afed00c029a64c262f8dc155123b |
| SHA512 | b69d9db7aedc1a6dc82cc09bd47eeb8db41b70e15b18753c3b5ec026fd366fc14b82864305c7e94dfb57d2fb9cc21979bf8e986d5f911d306cafb93156f088df |
C:\Users\Admin\AppData\Local\Temp\bWUUckYE.bat
| MD5 | 0e8449435f235b6a4e9217cdc50f380a |
| SHA1 | 4f0295de8354bd0d00dcc4ba3a290c2727129ed8 |
| SHA256 | 910f7fe7759038fbf8e1d9659839fb37ec614b814df492f7c64906acba1a3923 |
| SHA512 | ef3dd66c3ba967631b3d911f907dc0c0bac90054afbd552fd455d9bf484be153c3c785f42c5c6a1c41dacadbb7edb9acf8ad974db579e5cc8253f8addd3e4b8f |
C:\Users\Admin\AppData\Local\Temp\roYEgkkY.bat
| MD5 | 2f01733dbff50333b57dbe3c5c5dff45 |
| SHA1 | 9450bb76af2b40b816497821c47a517eb552eeec |
| SHA256 | daf1325ed2a22f9b460eb0d00ba31bdf49f36beb90ac4d920e4c5cbd84c88305 |
| SHA512 | b5e57eb325460bb3c29d5f66ee613b74de229a05f57738f01a96dbe771b9ae09310e9cd102e8fc14cdb0bb9daa5e41cc103e56902605db23a61d479392411754 |
C:\Users\Admin\AppData\Local\Temp\tAMgosAA.bat
| MD5 | f80b4137848ea22fa7f82530be236cb4 |
| SHA1 | 099e5d105d027e8cc296e5644b6fd4316b0aaa2f |
| SHA256 | 20a54598358594c7b6c52d21c3c0d7a220ca64cea55c0790560a0ea793f59ac2 |
| SHA512 | 5b4a7d827af1c3736d0f770da4c51b47cfd79f705e128b0051934f44fa285bd9bcabdf055b2658d6ceeba20e2291c464daaacb52526db27f35a85e888f0adfad |
C:\Users\Admin\AppData\Local\Temp\NCAAAEgw.bat
| MD5 | e914c312469c9d712fc7be0527c1683e |
| SHA1 | 86c316b1722b60215f642bce102294a2a06c9adc |
| SHA256 | 50ff0445d8d64bea7528579c0615fa6d7b97881f6293e350719240767d75230e |
| SHA512 | cb2a5c9977150dec974ef0d730e2ea7b9f0c8e7d84dbf59dd12826900c23e02f962a5b0a934f608de4087838bf77f791869bd0dcc102f36d6dbd8db3ecb45d25 |
C:\Users\Admin\AppData\Local\Temp\RCYAgcAY.bat
| MD5 | 6efe7d5702fa7c39261d1494c6815831 |
| SHA1 | e154da4d546b841d62014c228588a46326e8c034 |
| SHA256 | 4b5de434383a88635c8bb5d1a87e1b24ce1c3b202c8a7325f748488d2058b3df |
| SHA512 | 79d21d4c9a7bdaa319762b84ee0580416ed690c91987a7bc68332e0e8174bd65c6c23666ff7f93b0708b7f5679d248154bead069faec8c70f21aed458c0addfd |
C:\Users\Admin\AppData\Local\Temp\kIMQMYUI.bat
| MD5 | ea0466da624e13acdb9877ab663873c8 |
| SHA1 | ffcea22067ddff4c9ce2111a1762a9dff2a5cb0a |
| SHA256 | 2c7d38f2f6bddb754dc7c92ff7ded335a1867c4f83546adbad29715b8d81c8e9 |
| SHA512 | 2636049377818920ddbf8716b118233b5b34e70dffc67f2aea37ccf0ba80f353df140f355efc97808d822ba4390520e4680a10176d0f75b7b1ec5d8841df488c |
C:\Users\Admin\AppData\Local\Temp\CIkgAsEc.bat
| MD5 | 0ef2e8a7a694b7bc6203142f4c846717 |
| SHA1 | 9b8f4c432e3551dfd8506ed968a552ced118762e |
| SHA256 | fec9dd7cd760302adee52c0c721b891cc20f4c8822af9faea85bb6668499a782 |
| SHA512 | 5df04a054ba547e702f7c538c7532c30238c0a356c16d197a6444d5e09c518f90e5f09384c02dbb699861e28056d0e70f0e5b06024dba353d5fee9a87f925bd1 |
C:\Users\Admin\AppData\Local\Temp\akgkkEIo.bat
| MD5 | 17852890553f6c017a860489de4cd96d |
| SHA1 | 68fe3d091f654f2a0e74564c87eb0b882ec8dbe5 |
| SHA256 | 4437a5e3ec7c862cc18a35bf48ba2230fb2a53be6a853ff4a994db6d3f14d8cf |
| SHA512 | 7f162f3037c8a30f9a10cff4911cc5ac02a6c74537921798d52e51cf3dbcc821ee0ab15d55e2531fa4560a2cc7a6f61e32ac2edd4253e3b5821d615ea354bbe7 |
C:\Users\Admin\AppData\Local\Temp\XWQsQwYo.bat
| MD5 | e81900423206f534be4dc78256e35458 |
| SHA1 | 26e2bbb25307742111155405ca9463983c289c5a |
| SHA256 | 4a81fb3035fbd6b73f80c0a9f3fb46a0bd67fbfb2785549598b0c85f1a5b1f1d |
| SHA512 | 923dfff695242891d1b12164c36500d62526d59c8e863fa101a6b53703e760feb3284da11188cd0d8ecabbfa60cba704655f93af1ba06dd4bd8110a8362a1ca2 |
C:\Users\Admin\AppData\Local\Temp\BgkUwAsg.bat
| MD5 | df7e21ccc59d2e723aee2184a2259571 |
| SHA1 | d54623bd3513fcb19b1597d46916cac90654e708 |
| SHA256 | e34d64f8b78937f73ccd9dedf3aafce9c7f6700cba2a58a1cb1eaebfda8930d4 |
| SHA512 | 41c8d08d932f288662888d2c8949605cb39a5b3255a99c1b56f169da15fadf40432311419f864a099bf198e06bebea5b86e8d66959b9a46357b09a93bdd843c8 |
C:\Users\Admin\AppData\Local\Temp\xUcYUsgw.bat
| MD5 | 8c89c2a40ca1c2aa9a599d1be1ac839a |
| SHA1 | 31cac98f7b5604adae9050afd340d18288bd35e8 |
| SHA256 | 7f8fbae3ad2e92a1d56f55378ebb0a814146adcda535208ab2d84b0c968e36ea |
| SHA512 | 8f642c38a4a1e819cbf4f14c517085dc4b0dc171efc6ba5ac62a8283782ae0664e7149ff3337bcc0a48d2ac78375ddac001ac6525119dee9f752f09404b855fb |
C:\Users\Admin\AppData\Local\Temp\RYYAooIg.bat
| MD5 | 53930ecd42169c948ec325b57bd798d7 |
| SHA1 | 3286f4c1d2ee344fde3cda11394b8efdd262446d |
| SHA256 | b89914719833eabd93ea2b2e0909d8cd22d681b844f4066f91ce018316d63a3f |
| SHA512 | b2399ea0f3277ffecad4822dab7c61dae3bc1909d70ca561a2152e55da2b023eb7693f4c57df138515442d4e42075627d230dbab00298b66e3a02fedcefd03cf |
C:\Users\Admin\AppData\Local\Temp\rIIEUgQA.bat
| MD5 | d6a7d21e56d57ba3a515eda77414bc2a |
| SHA1 | 6857411c1d44fc5091200bb796d2bcc0475d605d |
| SHA256 | 8c2adff7815083c78591f16dca666f4bb0d843757e3542ce1c4ea9d5d4dd5071 |
| SHA512 | 6e0994112631766284fcb9eccecc0ff6557989ffe2173ac3e732d64d2a83eaa1522fae3e11b1b9dc6954413587530070f62c45665f6dc3296db6c9e6dbd554ae |
C:\Users\Admin\AppData\Local\Temp\UwskYkso.bat
| MD5 | 4269076daa7943e346731df7fdcd29c5 |
| SHA1 | c9bc6ea70d4a762e6b2483b53a2e864830910c78 |
| SHA256 | 73e2ed4ea68db8b3a39f7bbe17200cfe30336f7e1d743a9090279f8a712f302f |
| SHA512 | 001215c15126f03065e59432a9c8d60bfc170a2405fd0462a6c064c9551b96db44a23bf63ba5fd6edb6ca696250632b81040f1cc2df1c4358d8e2d585852ee71 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 18:46
Reported
2024-04-03 18:49
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (77) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\JwYAIAUI\EswMooow.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JwYAIAUI\EswMooow.exe | N/A |
| N/A | N/A | C:\ProgramData\AKsogAcE\SsAIQAoQ.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" | C:\ProgramData\AKsogAcE\SsAIQAoQ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SsAIQAoQ.exe = "C:\\ProgramData\\AKsogAcE\\SsAIQAoQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EswMooow.exe = "C:\\Users\\Admin\\JwYAIAUI\\EswMooow.exe" | C:\Users\Admin\JwYAIAUI\EswMooow.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\JwYAIAUI\EswMooow.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JwYAIAUI\EswMooow.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe"
C:\Users\Admin\JwYAIAUI\EswMooow.exe
"C:\Users\Admin\JwYAIAUI\EswMooow.exe"
C:\ProgramData\AKsogAcE\SsAIQAoQ.exe
"C:\ProgramData\AKsogAcE\SsAIQAoQ.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruwkAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAcEssMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGIwwIcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUoQksEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoAwosko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suEYwUcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEsMwckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYUwMcow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQscQkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUksMAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAEEcQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECoIEAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEYMAowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YykgMogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myIcoIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYQMIckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSoAwgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsAwQwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQYQYkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWoQwwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIgAEkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUQQooYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYsgAYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWkUUQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSMIIEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEIMoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auoEQsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAwAkYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIQwgsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMckQMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruwwoMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcYcUYMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEgsEUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwIcQIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuMwcQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICMsEgEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgMoQcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoAMIkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGMssAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kegoAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyYYYEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoMQIUUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MacYoMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMwwUgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jysEsUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmMgMcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqQMwswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMgoUQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEcEgooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyMgMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUkosUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQEIUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqkUIYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYwMwEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeoIAIkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUsskwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgcIYYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoUcoswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGckUkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqMkUckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSQIAAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUEIgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkQcUIkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acgQgwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMAQUIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skocYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUMocoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcAIIcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYwEQkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuMsokAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocYwwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsYsgEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUIQMIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQIwgMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcAIIQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSwoAQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAMswAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKYQgUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKEMwwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGIocoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYQwAkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOckwwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIsAwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TocMMAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEkgsAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAEgsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCIUEgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSoAocsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYgocsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuYUkkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKkcYEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQcgsYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQcYAkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkEAsgkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEwgAAAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VygYkgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUoAQMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsYcwQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaMEkQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOIcQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 142.250.200.46:80 | google.com | tcp |
| GB | 142.250.200.46:80 | google.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.97.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.122.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 84.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/4352-0-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\JwYAIAUI\EswMooow.exe
| MD5 | 4e0a3db204088f4484651968f8728ef5 |
| SHA1 | b0775ac72b7550ef0c5166bc52da30ef0eeaad23 |
| SHA256 | 0f50253980188611e33a534906c02e430a24864b7face66c566703fb1d658168 |
| SHA512 | 7f84f581361bb5f6fd1571fe01d76d7e880c919eff2de135b9f8ecfbfbb773fc3c015675064ac24e7404f4243632b4e477d81a9d02309b9972c4bfc6b54dd5df |
memory/3400-12-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\AKsogAcE\SsAIQAoQ.exe
| MD5 | 76d0ca46123a20e2bafd5c1c6f44e8b5 |
| SHA1 | 71198280401feaa722bb54122ff872b94bc1a380 |
| SHA256 | bd5d999dd28d8b96dd1a54472d5d3e634d70aff53d87b00aa8e977e0ea2a6a48 |
| SHA512 | 85a029ec5641c429a35f646fdd3734b4eec72d1fce37b677fe869a20298ba955ba3991d1904247d81cf3f3c3896454ad449ae338ebf575c1f57b879471d8803b |
memory/1800-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4412-17-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4352-20-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ruwkAgwU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_9a09071140d404e8fad58688d42d888a_virlock
| MD5 | f2271fe569c058dc724d9b9e53811e31 |
| SHA1 | ea276fc14127875413ac387f017bd2291a987f4b |
| SHA256 | bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6 |
| SHA512 | c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d |
memory/4412-31-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3756-43-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1988-39-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1332-50-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1988-54-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1332-66-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4244-67-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1780-76-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4244-79-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1780-89-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3260-90-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2744-99-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3260-103-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1844-111-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2744-115-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4956-124-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1844-127-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4956-139-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4280-138-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4280-150-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3592-161-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2404-162-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2404-173-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/844-176-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4304-182-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/844-186-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3688-197-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4304-198-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/876-209-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3688-210-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3680-221-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/876-222-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3680-233-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/548-234-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1528-242-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/548-246-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1528-258-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3836-255-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4428-266-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3836-267-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3920-273-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4428-276-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3920-284-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4860-292-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4912-293-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4912-301-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2976-302-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2976-310-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2944-311-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2944-319-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/4412-326-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1392-331-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/3336-335-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1392-343-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2976-344-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/2976-352-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1124-353-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1124-361-0x0000000000400000-0x00000000004B4000-memory.dmp
memory/1756-369-0x0000000000400000-0x00000000004B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\moAs.exe
| MD5 | 3ad2c74a39e89f0b3b110c5b95bd3e8c |
| SHA1 | 9767ea0e902bc4da9fb8415233a7d1e33142beaa |
| SHA256 | 078f2fb3766362f8f0fcb2a5deffc283993df9d402b584669950a9c95ed0ce75 |
| SHA512 | db995af69e6c16182cc24049c7dd637e8d22a5449b29b6300f62faab1dc7335be045593aee39a8ad7bb1c01dd6459b820a3c5e69972742b0da1f898b1e2aba14 |
C:\Users\Admin\AppData\Local\Temp\KkMO.exe
| MD5 | ff6ae2026af6da82199416b97c71a217 |
| SHA1 | 1fbfbf4506def384c606f82f386161ef31bdde4d |
| SHA256 | 09c99a9e7c204fd41df8e9a4e7ca4209cf786577f1c361e9070691d653c42d0e |
| SHA512 | f3237414d67417007bfddf5429c5760d6b8f2a4de1c8041fabc0f5cbb82a7a64e77847e3d9888b05d9e33a3114c5f6b63c962d1c72fb236a5749e1b059ee2d41 |
C:\Users\Admin\AppData\Local\Temp\EcMA.exe
| MD5 | 31fa25ac217a9edf020b5ad520913490 |
| SHA1 | 069b9cd916f49c8dafa73d429eddbd209ed265f8 |
| SHA256 | 463e5784e613e67a1d4402a169d8d0afd794cd986efff1880e8196ce5a79d20f |
| SHA512 | 30fee1f2e6fd62b99aa9e0ca9ebd5b80f0ba7f2430e86faac37f3e19d163304d5de7fc0f47b46c74a0d24eaada9ac7a156c05e990c12e392273cabcb03da7f64 |
C:\Users\Admin\AppData\Local\Temp\Cogc.exe
| MD5 | 5eff2683fd278a5434cc1dd2d4b6a2b8 |
| SHA1 | d63df523e61af066268a4ad146cc666af95d484c |
| SHA256 | a9aae6e682b9ce8a6c070f15184f1f289f3691d660f4ad95ec5472af568d5880 |
| SHA512 | 2e6d5ff0bce09db9730dcf58d17b468bc23516fcc9414d505b055b0cf7e0493c677920cb0d314c404954228f3a85dd5a736fb9fba5a4c2aaffb78d2134fbe3b9 |
C:\Users\Admin\AppData\Local\Temp\wQwW.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 3ed3e59c41cad4c7b5cbc0b22a7ec35f |
| SHA1 | e367c84e3886ea144491cf312cd8362799220e69 |
| SHA256 | 97534362e4f22351773d645223fc1f086a986ef25e5af194c54b7c9233c87f6b |
| SHA512 | ec49f153d8f2ce444a0a42b0e5e83b921d99fa8e59de60342142c7d26d053717a8073376f1c9ba757322d60e4940a0974b4a6350759860567c730991cbb174a9 |
C:\Users\Admin\AppData\Local\Temp\ScYc.exe
| MD5 | e52ce52af6fbc5a90d36bbf832754d26 |
| SHA1 | 6f04a3a531c1109beb38aa7c78cd3b0ddaf4c8fb |
| SHA256 | 505d13599bdaa4b572845611bcbda0ffc751ca17da5335dfd570a9a64ba071ee |
| SHA512 | 5f11d4e1a2233e10acde1ee8e6098464d42f1a641e856f367254294a810cd9e69d0c4561529ad629504368f556e39f7131a96b512e7d7fca4d04286ddce9ddfe |
C:\Users\Admin\AppData\Local\Temp\IgMS.exe
| MD5 | 922e81d3a6903b3c988a08eb1eeccf72 |
| SHA1 | 6e518866632ef21414853b1a9dfafdd55eb0ff81 |
| SHA256 | 65aaeca6e54b506ab92a466d3fc61c0f2f595f6b52ec8117d9247f289d24baf9 |
| SHA512 | 84952957547de62656de34f9ac6da4979c629f5c5073d1f35bd94de77dc6bde11ef0b16fa25633e5fbb04161c698c258375cb4365212afab27a49949f46e1357 |
C:\Users\Admin\AppData\Local\Temp\QQcs.exe
| MD5 | f1ba606773d53217a759cb5387eeb4b9 |
| SHA1 | 8190ed2cebdedd3197ece9a0152667a9b81997f4 |
| SHA256 | 80370cfeef9270b695b94131a4fa40f9595e4b56990f801634984919af63b3b1 |
| SHA512 | ead5048db9ded47ecc547559bc5048a12b0b4362f327369e0a7577b21841d9ffc727d4bf0e6030ce2868b892710cb96dd3c41b53fb5ae54cb77cafe7e1a58df9 |
C:\Users\Admin\AppData\Local\Temp\gMcI.exe
| MD5 | c91a45992784753f04bde47b5e211c03 |
| SHA1 | 133d99f60047a4c3ce8b1da64a01bb4202c7cc25 |
| SHA256 | 1056a02e9c3e99a8da364b371d14460a25f91b3d02ec4307c045b508fc63654f |
| SHA512 | 74768f5dde7526870218d17fd97f210275d3079282823bfbf2f356c1cc744c8a85f59f4357e06ddec9f10b4a5582928d8f82cce73d287beca5948f70209cee65 |
C:\Users\Admin\AppData\Local\Temp\OYsW.exe
| MD5 | 99c7243227df70cddd1a84cbdd0c1c1d |
| SHA1 | f9ab3311fbc32943583459d9600893c4346d01ef |
| SHA256 | e958b15e7140f35dc114a2adcdc54ee1612027fec84e7c85b84e5ce4a5a9a6f8 |
| SHA512 | 6e88c9325cffdfe29343bde72af7a83d235cbb88d518698c34486bd07410ae81cda95d67ab3d49eefe7cda44130f5815241fb63aa37ac7ab6f5728e4d089f8b1 |
C:\Users\Admin\AppData\Local\Temp\KskQ.exe
| MD5 | 61ad3d9bbaedfc6b0dd93c37585ba7e7 |
| SHA1 | 4a5457117187955a1e40cd4059cc35b85ed4df54 |
| SHA256 | f4eeca427361f28fa4752f0050cfcbda74ca95747b62e9785fe4d80dd7f38208 |
| SHA512 | 5ab60509424f34786fbd8e8f3e5063f1301ac9da79a89b865a8c3c430a7ff6860aaabf80402f3f3888c7ac48c423bebc1a017dfe4353a6b83f67a87bc89c18df |
C:\Users\Admin\AppData\Local\Temp\MoIC.exe
| MD5 | 44a972f453f535d603b87a3e86c25e83 |
| SHA1 | 317f9cc517b63f7644925f94bbaf0ac8734caca3 |
| SHA256 | 228e4438c235418ef32e8bd3b539aba737948dea2979ef1dfc927f34e94d1274 |
| SHA512 | cc78394a5839f5ead3757d3bebe5703f6b7ac7c024156706e7f6c8b7054cc1fb4905bd4719379303c1638470c9527b7ed50306636a01a0e77efbee00f47e4514 |
C:\Users\Admin\AppData\Local\Temp\soUO.exe
| MD5 | c60d22e69c27ab5444759e5ae6e0f882 |
| SHA1 | a8db83c2facd1d7ce5458d8be61deb623d549b6a |
| SHA256 | b10ecacdc537c8a6e60cb8a3f3336351faf130c8db75a350b154f6a1174da6a3 |
| SHA512 | 19b1e81551a3434f3b502d0dd43299913d4fc7adf2535d099450634b98bb2fef09a0283721d4a2f5a1acf53f06597befb0e53702fea51d2a4738ed840e6b9f93 |
C:\Users\Admin\AppData\Local\Temp\cwcW.exe
| MD5 | 0f4245fd63e292fba11050a7fd97b72c |
| SHA1 | 716f916ef208cf0503123e2d236959953316ca6d |
| SHA256 | 2a214913354da20296c68c08d1472ac09a19d6d60651a7e942fc8f9e88fd2156 |
| SHA512 | c6a80e33b017c56c8736934e1b3b4e42eea1edaf0e255a205739527cabb0e8df0715d7f10e6c4e4abd4297c3ce10cba3fd1bd779d0b3e3a5d95b47eb800c444b |
C:\Users\Admin\AppData\Local\Temp\aYIy.exe
| MD5 | f15b36902522e505ba93457d404a76cc |
| SHA1 | 08b0780beb4f42b533eece59c259f94ef3abb11a |
| SHA256 | 99ac5145e23c94451f0f32c7e29d880dced582ce6364d0c72db0e0fd99650e8c |
| SHA512 | 5b262bfcff09446eeb689f59a7af02313eb7b3f93422bc6aa4638d51313af0f138676a6b8a832b3c3df8ccc476827762e0a21c4994ef9fb0d926e643aed0c599 |
C:\Users\Admin\AppData\Local\Temp\QQsu.exe
| MD5 | c860ec447039b62ac25a6fab5eb9e9a9 |
| SHA1 | cf52710c9b0fc5ecc5b6d6ae2020c539397f0b5d |
| SHA256 | 55610755c2d77484d5fbf09cc660c5203bd2291bf20eb02ec7bf4bd21286d9a0 |
| SHA512 | b791fc61a12fb6dd591d9d345796069d5c8a26acd0e55cbb665bcb135652577deb697744858e67f0cb6728c493a134959351f82f126675bade9fbc172f082892 |
C:\Users\Admin\AppData\Local\Temp\MgEQ.exe
| MD5 | 15302646a3a734c9754ea2fb592d9855 |
| SHA1 | fb8678a2d8403e0eeaeeed9db5372c9b19fb9feb |
| SHA256 | fda361469978331d83e9fc7c1b4a945c2dde9545ebe361a81461de860c0fed76 |
| SHA512 | 91de34bd52f6f3b4ab93a46608c706d04a5e76f3b78bb5eec326b1494881c57059e2bb31289b4990cc86202cb36e5cf39327b8f95a326e62d6468cf9e1c8fa36 |
C:\Users\Admin\AppData\Local\Temp\EUMy.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\iQIW.exe
| MD5 | 9e737f663bddf9e856b15573bde43346 |
| SHA1 | 1415bd522a51ff021e5c6871538378181087c0b6 |
| SHA256 | fcbab3652be5dcc8f999cf46ceb552c988359da3a428052d3046b204f6c3d496 |
| SHA512 | 6728ecc88f1f55dcfe4dc3159afa146d4e6e45c45baf1eb7133d591fd9ba6521d52bf755eb5182ea72434d2dcfb0129ef76f7e882fa0852545634895d6548bdc |
C:\Users\Admin\AppData\Local\Temp\wMQA.exe
| MD5 | 35184b17ccb5bb8051d83dfeaa4335ba |
| SHA1 | 6ec36c9a219c5cdbf90e21923cab41e740e71db8 |
| SHA256 | 15954ff935f7d8c607c55cc09d5d52eaf9e4ca068303e2096ee786c8b5088046 |
| SHA512 | b69501fe1bfa57a523287e514af822bf7788975dddac9011cf7c08d910e4276c8f16b73f3bfacfa2dcb7d59e6c011e10ab02e5521ad21679747f7197b2669e68 |
C:\Users\Admin\AppData\Local\Temp\UscW.exe
| MD5 | ef5f192ae61fd13b762a76e03d4dd781 |
| SHA1 | 8475294ad8814d08b09a2d4bdd36f1f78178ebe6 |
| SHA256 | 036f8ee7f382c5d99e31e322100e13e79d5e1cd1621a66e67fd3b61d5389b1fd |
| SHA512 | 173dc74282e4e73fe8315828e5f7668e3faa68dc4624801b060cd10c4db21cc58c5a27a8c350e26658d549453b2514e479d590a69e725f43a9207200c255282a |
C:\Users\Admin\AppData\Local\Temp\KUki.exe
| MD5 | 6a3393ad77eddabb57b7dc0a0868f9af |
| SHA1 | ca2f962e9a01068464d98e080f21852bee244870 |
| SHA256 | ad5e4bbaf730be8cd382ff929de35b33022af7592b2e1147c201ef28f5194f11 |
| SHA512 | d18ca9856b44f5b106927725e1514dfb7860d99c690e7e55343eb3e8480c7dd7d184d2323c6a1498beb6f738415ba51b93e03a57ed692cf85308d631b60407aa |
C:\Users\Admin\AppData\Local\Temp\wksm.exe
| MD5 | c0cbaa32f72bb2b3834262c2723f85cb |
| SHA1 | ce6c67f77a4258e589b96ae22e4d63b27b2ad1ae |
| SHA256 | 252ec3309f55d1a4d1997fae63937c26f7efab94f4af64f9686d2e280758a4ba |
| SHA512 | 51464c3a1fe749245445c0be801b52a5ba9a76b3c09b20f635cc8081e9cb876c79c7b54466c15e87846cf1eb843a60228573aa8ee2c649fa468df7ee7137881a |
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
| MD5 | cccf7efa276d014fa5ac0027b33f224a |
| SHA1 | 313f7f1333a6c6b223d69b26749c1c90ff3839ff |
| SHA256 | 53fc947f7d13e47f7396ced199be0f9df1d15d9e1eee09c1aa0ce8fb56155587 |
| SHA512 | f1a6f0ed5d8f6c5251a109ddfcb9e00b69072a2c60a1f6df33aa80a1b80eb148d41740f5a0405d0ebe670033a60af977c036a48dbb57cff624439d2a3418a839 |
C:\Users\Admin\AppData\Local\Temp\isIC.exe
| MD5 | 8651010d3303bd27e5a8d8e33f7796ac |
| SHA1 | 5cc05864b803cc7e0418c07199520c56d8f3db9f |
| SHA256 | 40d7ddbf1bd175b7892de2428653636d3d1ff903206ace6061a1da52722413ef |
| SHA512 | 8898054f11abd4f4754feca76393c79dc4ef889e0e314c691808b81eecb7ec15abd23065a8df8eab360452e26e823e8144e628e0bc5069c1c1f95c714255524c |
C:\Users\Admin\AppData\Local\Temp\GwMA.exe
| MD5 | 9f04c7b4bcbda773a4aaab33c7a11498 |
| SHA1 | d9fc0950751e27bb80e0c8a66db786de4151c838 |
| SHA256 | d629a622a10c33507b485ef3ebd952393c1b262ffe3d8aaea95586fb54ccc0da |
| SHA512 | fb9c9e6d8c2fb8d795fce6b8d638906c01b764f6c2b3cb44aefb0f993973b9748914df8148ed924f27ac11299fcdcf4f5d5ace145bbeb215afb091dd5ddbebd1 |
C:\Users\Admin\AppData\Local\Temp\gwMe.exe
| MD5 | 3f06a31c078d6b5cc68f04a5729f7e10 |
| SHA1 | 3751b9a3b3c756c957507de9f1c2717e46515f81 |
| SHA256 | 52f7af0bef48090f82153c823c8398591eeefd093edf1046aed54f7298fc8c3d |
| SHA512 | ac783c213b25cb8a699ab34909ef5a14471cfd935c2bcbb7baf07c038620792d63088755930099527e1d510708378bd8dd469e8578c969061fd314de88de412d |
C:\Users\Admin\AppData\Local\Temp\sgUM.exe
| MD5 | 9bceaa2d78ecbce83a95bb44e2216a56 |
| SHA1 | 6b096ea25c9765473f98e913afe5f421afb22eb7 |
| SHA256 | 8e710945cd579c3a1fa2b72fc9bbd50e36ccf535b1f3db90ff11c9c5961f4e2c |
| SHA512 | ff70c755fb36dadf5c39e49aad00b5039032abdfafdb320db7d3998b2a87337ed35c2934d9785e653846119abb88e962546d66244150998378ec8641a0188f90 |
C:\Users\Admin\AppData\Local\Temp\QAcg.exe
| MD5 | 51c9703ac4b6de9e91fc0656893254dc |
| SHA1 | 8fa480ef41831e9d6d9c51cfb7c61a9211164294 |
| SHA256 | 0127a46004a1a43db7f442f7b16927793e5be98d4911ab940ac06c21fb4523e6 |
| SHA512 | 74a1469361ce081a73bf45d08277642e9ff31c153e39bb1e1ea48d1899594afc6804c4e05323558401739a431eecb76ec8c3714985f867b75dbe6c04d702107e |
C:\Users\Admin\AppData\Local\Temp\IoUi.exe
| MD5 | 139915a138571e71865fb3193c9e9205 |
| SHA1 | 46d931fc5acf29ffd0b7f4199a1d1ec546d7d53b |
| SHA256 | f4b36fbf54213ce7033d0cabac6ed111fa7690f9211127e450c93a6944253a66 |
| SHA512 | 957084b4786fa65517dd2485927eea0affeb77ab908dd1aba48ee55cca5864e02fa22d4e33e8b38e4c99ac38c5d3967a1ee9c70266d9c3bed3724fc323984811 |
C:\Users\Admin\AppData\Local\Temp\EgoG.exe
| MD5 | 87069ea29d8626c19fd069e16af5fd34 |
| SHA1 | ec9198e3185d8d8b924692d1eb9d8105be3c5872 |
| SHA256 | 47e11e2ab3ec428004db0130c08a4475c32ccab35acae9a0ed39c87bd62de1dc |
| SHA512 | 8463a6c45e828176f13930624a9668a6480bbae1b4c5e63f1c8f83be815b21e73d97169e658ee60eaf2327bf4b21fcf0007b1c9792e540b7c987f60ef0b6ebd7 |
C:\Users\Admin\AppData\Local\Temp\WEcC.exe
| MD5 | d26b29b3acbad04ac72d92086dc0e5a7 |
| SHA1 | 2c463216f77e8902126976bbecd8f18c4130f124 |
| SHA256 | a4eaaf536ee30cd5974ec2fd6db6c3682e53b5dff7fe5703a3876283a3f4fd4d |
| SHA512 | 8ff799099b2b2036d101a6740ed57cdb90bdbd98c4259f270eade9f2490c5ccd3ada8e0359406eb1eba22ea92608432f3c20396b3f16a454a2e1d2b24325a695 |
C:\Users\Admin\AppData\Local\Temp\AIMo.exe
| MD5 | 09933e53047637aa3ca56899b6061414 |
| SHA1 | 4ec733cfd5f4e3877eac9f1f991e41e6b870fcff |
| SHA256 | 6c89a1d4b3a3f51b70b598cc149756e368ab817ba6afddb67617744eaa1baa2a |
| SHA512 | 721643f280d8b2215b987e31fd5cac43075a160b7155e697c65a674df5466041c604b7bd70ec66bc5dfa550093e5486089da811bb092c0f793db7c2de75e939d |
C:\Users\Admin\AppData\Local\Temp\sEsg.exe
| MD5 | 398671a3197f904858147df2c332e07a |
| SHA1 | 0be13f1d71c42cf7c1de5c3cac9ac012db1fa37c |
| SHA256 | 56950cf0823e6bf1841b0c08c7de9f0c0820338a92f23a32e9273a8a7da1f979 |
| SHA512 | 30d5e42682d4dc8635e66f4fdb4b2af367d489e9e5616a6574df01b566b3e29cb213c61c0488a325e0e64b72434be3a3d7343674dcf6005b7d67bd2d03a8ab7c |
C:\Users\Admin\AppData\Local\Temp\GYgM.exe
| MD5 | 9a6ef2d920aec83726473ffeb05ea844 |
| SHA1 | a917f28ed8d3c8fc8c26e607ef0dd23bc70d320a |
| SHA256 | 1d4854b813814bab96cbcc8cfb9ce228984172efe68796f1f5314d51620d9efb |
| SHA512 | 66c1ea7cfb7eedddfe602ab97e692ae66e66430d496602b8974fac23b64f066132ac89a577feb1b71302a2df15c85ec744b093cda1de1080f342653c27477ec3 |
C:\Users\Admin\AppData\Local\Temp\IYQi.exe
| MD5 | 617b82f30380a603414a277a0e575731 |
| SHA1 | 004243563704cf54c1360f544cfdbd0b6cf66c4a |
| SHA256 | 72c4267f75acab0e025a1607f3a2804bd760352435cab1b3249cc84b4ae48707 |
| SHA512 | 28625c66ce7f780910e5def064b87fda379c3143205d27657c43002fdd7ff00c7fe1f2a22a1d86b823f9af3d7246d2a67ac4e4f17b790e9d913c9ae02e9d268f |
C:\Users\Admin\AppData\Local\Temp\EcMU.exe
| MD5 | 97a384c62f02940221af3bd770d642e7 |
| SHA1 | a31b0b4e3b1eb81943cd5f69d702a053db8e2aa0 |
| SHA256 | 6961f4596e8b291a1630ed7b3287cb4f8c4d86ca3c282f1c38d4c77b0e7a7b9f |
| SHA512 | 3e747abdedcb6f45db8169c0aed28cf0080bcb2a55f431589a191a0cc615e1ed3b778d802e8407c963b79d2b58676f2852d510182702289c92f11247eb0ef658 |
C:\Users\Admin\AppData\Local\Temp\qoEk.exe
| MD5 | 1d2e9e730f6ccee24e0f62db8ac7410b |
| SHA1 | 8373ab65e85f56e283f6000594228d988dddc4ab |
| SHA256 | ec8b57df8200b35b8c0eaa8a20361101504daed3d721837918f3a31bccd2ee59 |
| SHA512 | 076875f65dc36d7f1076c0ebc413cd6fcae8f6c060b6ee4d4db8c27c0670d287a72edd16dbb09c3ed3962dec60bbc2d903b6cd200ab6e3d8b9e37b08bd493dd6 |
C:\Users\Admin\AppData\Local\Temp\sgsI.exe
| MD5 | 9e33a9647dc441cb367b979f1dc01e1e |
| SHA1 | c811a534201b6fe912520afec43acb511c4f7b17 |
| SHA256 | f5897631da1f2f32600be3d1ee00e33b6c17662777b34aa6b945d9add461f711 |
| SHA512 | 84b9153442ca8cd09fa8add4cf7c8aee6ce410c5986240ae260d8e2e2ea743c35d9e54f3916a858c89a679009c89c098fb29960ff84c456456d0fa7a41858a27 |
C:\Users\Admin\AppData\Local\Temp\KgIW.exe
| MD5 | 63d164ad7cf55591c8c4cd6107d25778 |
| SHA1 | 2f79ce7ad00027166dd1fad6cc0adc651ed065e2 |
| SHA256 | 9f3b46cc0a21056c5ac89466968dda506214aa71d4ffdd4c5e2e17252787ee31 |
| SHA512 | 6781439212f4de9cde5b9ce576abcc096556544fc1c819d8e8cd0c133055a44eed0291aa22c4ec8e0ca1ab91b1971257443382856ca1c6daffebd47c08184bec |
C:\Users\Admin\AppData\Local\Temp\qkgo.exe
| MD5 | 05449a23022bebe379b92e8e1c6f1f5b |
| SHA1 | 60000b53539aa9ff0c6e49486fc31ef622fac7e5 |
| SHA256 | c61c56f2fca2434fde48e0350522e291b8cefa7ad10be85bd23f2caa08d4ee34 |
| SHA512 | d5209a76a64998e2fe5c43a68d24dd67ef673c2a6ea31f7064b8c4c0fbc83cf2616a3eea6a58ae96f76a704e538f733dace843b4450087c5571c7604b8104555 |
C:\Users\Admin\AppData\Local\Temp\AIkq.exe
| MD5 | a1ed7b4aa1207ca02eeba39c7f26cb13 |
| SHA1 | e3ce92e06caad16d8faa75e9d0b9bdf98ecdeed9 |
| SHA256 | 45ca5ecddd8440aa58fc14ed231a136d08209ae72ddc6a8419113dee6eea2713 |
| SHA512 | 755bdfbd5614455f9fee64d4433057cf1463ab8fc9ba0fd0aefe184648bda216e59bc42d7213dba78fdcdad84130d13b2215a47d2d755e945256a7747e305f50 |
C:\Users\Admin\AppData\Local\Temp\iYAE.exe
| MD5 | 3e1e6f0b6971dc9b7f25cbb0620f80c6 |
| SHA1 | 867a880545290bab501b21fae3fd0b111afaaa29 |
| SHA256 | d312f7182fdc9d22bf68bffade199a772fa8b6691de96fb51c96e02269865c93 |
| SHA512 | 3da8fb2655d3ade123d84d791f882235a006e40432f8385b268214da85f81b45664e6c600e513165691fb33c17e128611a175a2fe0d4dc4c10ddb4f8f953c1fd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | dc1b45ca947200dbc444e9c42f3d8f57 |
| SHA1 | 46291042ff959e7cfdf5f348e9ec94d9a00371f2 |
| SHA256 | d7b86e72518f13ffd4751da4173b1bcdb3294f51509a1e124d249b4b9d23703a |
| SHA512 | c322bd0cb4b16697bf95078a3ca96cf7d42f2cbd74c84bdc0a78ae6fa94651ab63c50891218e2b5d4258d9f6224a6eef4238357c59b80aa26d1efd67a929986e |
C:\Users\Admin\AppData\Local\Temp\UYIo.exe
| MD5 | a997bde0ef9b9d11216cbc581e06f991 |
| SHA1 | 4be24825a9d7b8713012c5c599f83d107e85c815 |
| SHA256 | 8496974c04e087db6215743ac7f330c93426905db7d54e78baaed0c88e992172 |
| SHA512 | 9f7de12e41904c0d14ebb29202d2215e0fa64967c407cff5fd028231ff561603272137ba316721fb3362b0344cd29c857c3fd5ffdf1f021183231afc9fec4ab4 |
C:\Users\Admin\AppData\Local\Temp\GQky.exe
| MD5 | 273591f7d049fade4ae9776bba833728 |
| SHA1 | 716d33b9a45d0f445ebe64ee07fc63406affbbc7 |
| SHA256 | 7d31dc1596d4913d2761fabbffc5f8ddca5bd7abb846bda5b0b1a4f9c112d276 |
| SHA512 | ffe974a416b699b4d69178d099cfd90347715a7edd4b03f0582c8fac24c8213273b7d3e86f51da97e9336754e00bbc0b70f98c86f33e871982e9f88937fa4653 |
C:\Users\Admin\AppData\Local\Temp\YIkA.exe
| MD5 | 30996bcd24c972810e1d263d323530d0 |
| SHA1 | 4b5d90ee56b05c68af3a04ff9d94deb6e3149e5c |
| SHA256 | 75321f0da39198182350b4fbdfa73bffe9650f9c3cd0be993920c462f5c1b6f9 |
| SHA512 | 5578be86e3329f16f8ed1553531fd3dff7bf3b8ffa06aec73820dad647cb34233dd7a082940918d0e46f8c4f8e001edc03f046b02bf8465e3de31cfa8f482655 |
C:\Users\Admin\AppData\Local\Temp\ccIu.exe
| MD5 | a69ecc6d868fc0bd558960b4e616d7ce |
| SHA1 | ea1cebace780355679e65ba2cd48521ebc60f4de |
| SHA256 | 1d6fa47ffbe5dd13f2852d47a4c15d6fe37a252559767a190e11ff08ad58b860 |
| SHA512 | 1a19d498f193cdbaa187c096bb43bbcd8257a8250ac42a543b8d5b7746aa1746e705fe920aff9849c95cfbc854db87a0a1eb032526a3e84528ba5b9657d30aae |
C:\Users\Admin\AppData\Local\Temp\AUoe.exe
| MD5 | 547f69163dab5f5886b5d0898e026ad7 |
| SHA1 | dbdb783accaa2ec63d36fc9b83b6038bc5d3faa0 |
| SHA256 | c401a104fc93f26871be9b96e7d1ee1a6b3924597a9c17fda6f114b9a2141297 |
| SHA512 | dc7995da6c78409d4e0000a4b772bdc1ea302c1f33a2b90668331b7c6ad54ec1338d8093ce137bc4f2bfc6e25a7e4f50cf2ce8f27605791e2ce6315551b73efa |
C:\Users\Admin\AppData\Local\Temp\OEku.exe
| MD5 | 0618d8189b5685f02b2e4d6356197d04 |
| SHA1 | 28b5dabe5e45bbedd2859e564a4e540ff9802f33 |
| SHA256 | f70f96731caa8135dde9c80d006bb5a2cc3757522eff414193a31a45b2230240 |
| SHA512 | a39e1f26335af222749c526be2684f7fbef62660ffbd9b6615b34c995d9a2960d071fa8f76df6468b1b4eb2c9d1769f27b602efad8170b18177ac0433795a2d8 |
C:\Users\Admin\AppData\Local\Temp\ucQa.exe
| MD5 | 45da77e86011015a571f70915b148ba9 |
| SHA1 | 948d0929a0830a9fb40d2ac1ce025b36514c374e |
| SHA256 | bf8f650f61d691f9546ed8f2ab3a0b2a8e3f5ed4bdbe38d29cbf06e0a4f2918d |
| SHA512 | f90ef7505938fd55418c213f924bbf9500586fc7fcbfb003d7fbdc7d4987550338e9117e64636bdb1f39bfc572aaafe6b50b399b542f7b4b433d53ad2f381ceb |
C:\Users\Admin\AppData\Local\Temp\YUMC.exe
| MD5 | 749a6628a0b55e089185f294def27090 |
| SHA1 | f68c5eede458117bdf7e11702dd376bc6f834f79 |
| SHA256 | aff151325cbbcb55f78bcc1fc5fe71c866f674833991224c8606823db9bdb83c |
| SHA512 | 54b03715e9c40c6c16c429d6f15836e6a16b80d515b5837a531f86114017e7c05f480732b231f35f9443b57ba68cefd6582301501c233b47eb1c077a6b7823f3 |
C:\Users\Admin\AppData\Local\Temp\Koky.exe
| MD5 | 100609f1d18eaf310a1a613c2281fdf1 |
| SHA1 | 4005b2e06e95cf95e3c8a11f0bc76a2d24bdb0ff |
| SHA256 | d1e5fc6402524185972f5d862525df63f12dd5d996aeeb6dd72232c2f26a1e18 |
| SHA512 | 278570c3fdfad88aebd501f54bff1ad3c10a567de520214769f8c5bd2be6c2be1c901f78aee3e2aa02d6d01b475389a6edd6acb917f464e9c99935c0ecadd889 |
C:\Users\Admin\AppData\Local\Temp\UIwo.exe
| MD5 | dbb46c5b7f1e73dd1eaa80f9d7957012 |
| SHA1 | 47aa124534d9a5a96ca5ecd8e97ab173f7fef45a |
| SHA256 | b8e9b658af8eecbf9c4569a50955e0f67ead9f5bc3b8b8723d656417278d0d6e |
| SHA512 | 0ff52d2f845dbac5cb4b6af639dd0c4faf100edd7f0038e3b934760848a413b66980caf3f1660d89eed8210a79803c94ae65a1aeb43b2f61ed7c42037c3ea663 |
C:\Users\Admin\AppData\Local\Temp\mYQy.exe
| MD5 | 3e55c7fdff36ed168a15a325474a859b |
| SHA1 | 1ee747837e6b61230f49e28deb0e602bf20f65ff |
| SHA256 | befa93e0d7f1d41e11cfff7ed285219b7d918eab753bcd8343bf9a9d9cb1b773 |
| SHA512 | 74f67e1a0550296a4f26c5eded1c9b678b3936d365bc0423bd8dccbc38e5aa5f6469177e616df5d27936e1c73cdaf0d5afc6ba2a95ee4ad58d8cb1bb1cf4dd04 |
C:\Users\Admin\AppData\Local\Temp\SAAo.exe
| MD5 | e62f428d239067f6529e0a697009db85 |
| SHA1 | fecda0082674981005ac9aa27e7f32bb409796a5 |
| SHA256 | cb92565f862fc7d76ea4b7fc0c841f0b42f7436cd5d01eb05131fb8300c90d74 |
| SHA512 | 51de0766aafb34e46770d08407bae7f8790914bbab6e34569e7615d2e6794e519b7804d165a906b91fc80f9d0e01a0cb3ed439e5a112e5e54f42d1a06435e200 |
C:\Users\Admin\AppData\Local\Temp\Qwwk.exe
| MD5 | f98534ce7e60b418777cc30107135079 |
| SHA1 | ae76660fd260f5f13c60f651c477ce7a85d9c6a9 |
| SHA256 | e28c4cbd654d10af2aa2f93dce9ff7962933a37056cf083151ddbc5eea8aa60e |
| SHA512 | a6e4c6de78597a8cafc6e94c3beb30a5f974b33337ba684ab34c9e77270ffb08262a7d41811eef2e5b6dead17108cdd8f0233becaf1a9afdd8ca7199d2a20958 |
C:\Users\Admin\AppData\Local\Temp\WIAK.exe
| MD5 | ff3c02841c946fc37215b68e9a271c24 |
| SHA1 | 60b324105e6400b4012277ba316fc8c979cffc69 |
| SHA256 | c8e26a2848765698bd8144b87230f556936a84cb7fc4a384f7747f4c126c1c08 |
| SHA512 | 69a3e620c7247d64b975b3a134b70a3ffa9703ebbda66e885371e9b2fc2c341dcfb4df9892813a185686c5dfe1f57a04d2c1ac54dca47064c996e064be7d075f |
C:\Users\Admin\AppData\Local\Temp\cgYs.exe
| MD5 | 4848efe6fba3c11700c138062651c1f8 |
| SHA1 | 7002a72f6fe194a36e8de01daf3539715dec8376 |
| SHA256 | 67c287cade094e369f857a5952997428baab2e2cea99e9d69593757ed6c02a6a |
| SHA512 | c00245350ac0905637256471787ef1a1c6f326f7f146fd860b7815aad3b3a98315ec60b9a83c05ed92fe8f8ded6e0a83cfdf647ca048249171b4aa0c8d291d84 |
C:\Users\Admin\AppData\Local\Temp\uIEy.exe
| MD5 | 8f22d0700774c616797a16df7c063724 |
| SHA1 | e57083a88a6f42af7ea62a7ead6e87b106ef27be |
| SHA256 | c7ec03d131ac739b45d4146f7987585a384078071584c3145809e795b431adf2 |
| SHA512 | 05a7d251c9ae69822ca784b484a649ee6e18e174828f4070d573c9495d02e8724c3ce7828aabe9708f5ee96f4e7a5b90eaf36d0e065d10fe6db9501c3fb89b36 |
C:\Users\Admin\AppData\Local\Temp\CIkC.exe
| MD5 | 33a329813fb34ba1d714f1bf009fa3e6 |
| SHA1 | 18aead942dfe6974b96b37038e1f56596aa0f3b4 |
| SHA256 | 7ad677e53bf4d37b9e6bab701a7c8624fa28bb3bc3b69d9f387065676087e456 |
| SHA512 | 8ef29eee32d4c906c4edb36da3566125bf7869bbfa2f54f85aede98858fbd83c3fcc7c602be40fd1db67a300f31e012cc0d5cfed576f28b6927a0d662f3ef53d |
C:\Users\Admin\AppData\Local\Temp\sAMc.exe
| MD5 | a3f7fb58fe8a55568667088dda38803d |
| SHA1 | cae7a510e18e305031b84ba6a1ab5651b48f3cf1 |
| SHA256 | 7917adc60946cb7fbe328c5f065486d86d0a3d82c2ded3181e476ccc84d916b0 |
| SHA512 | fb7074f8be4fc63ac02d657c39b4b736874abeca86fa95fd6a11ed814c71d57fe3bfeb27b4afaadbeb32f7621758987e90b9cd11e1ae8ec82aec3532b108eb9d |
C:\Users\Admin\AppData\Local\Temp\ekUI.exe
| MD5 | e1260f679097de245a100ce31da77642 |
| SHA1 | cb37f2a59f61c17af6f540046e1de3017ff3c136 |
| SHA256 | 3def8831a888169b19b9e03873cf78f949bdfa6a43f868db03ae10285ceab1c6 |
| SHA512 | 52dbabad1efd2abd1c88d8b573c95d4bfee9a5b6e4cc237b86f5d7c356794a62966e0ce180d7f71a535055c9edcc701c22ce25c5a9376ccc8e36c0d8f0ead20f |
C:\Users\Admin\AppData\Local\Temp\Qwoq.exe
| MD5 | 7f67e67144b47b94b53140d60c8fc4ec |
| SHA1 | d0728ee9d8ec983f66b4a154090092f1f75507bd |
| SHA256 | ae5a1f34d6291c57982b6163396d688b7b318336b816f541f0a932231536690f |
| SHA512 | 599b412125116066bb4c858495f10a727dcaf680761a67535b7828b63ca06e9e6b1eb9dac84a41854949224af01fe9204dd678048cce87a702bf59b676d5ee17 |
C:\Users\Admin\AppData\Local\Temp\oIEc.exe
| MD5 | fc679689a802d2d22fd8565ee443119e |
| SHA1 | 90d36749c74d8b1f7102ed77a4deb388fde15f94 |
| SHA256 | aa77b986c9fbcd25de7c529f7c7c508dedb493a73ff109aee39b1c3510826a53 |
| SHA512 | 898d7c427e07453833f91274d5bde80413fb7233c77e74382bcf84b659399383b361763f3b565948cc9fd17bd6770d4d6da4a0d89b2f3f7285373b75bc73c4a0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
| MD5 | 0b7827e2748a6a536e17f6a4743bf9bf |
| SHA1 | 1402e0fe50af49d9890881b565a01052072cde47 |
| SHA256 | f96cf0c20523bd107824b478ac55f715b69fbe14cb6fc71e147341ea7138d1b0 |
| SHA512 | 9423a77b4cf248fd6ddd198ea24b65df4979e0400b98de39c9ec20dd9b907f1a8e800908a9046106e8ebf11053fc161237756c2736ecf0fe02e66f94a9249608 |
C:\Users\Admin\AppData\Local\Temp\mIMq.exe
| MD5 | df361e8280637258b46c44c1391c3720 |
| SHA1 | 6a6fc887a7bed6fa7ab6ad1fafe8b201f259315e |
| SHA256 | b17603a7326697b5ff9d9e937ccb00d2a00831e54e0f1a36c321331065aac852 |
| SHA512 | 2064a7a45ee45174c766a03ddd94ffa141d9f01630ead3333e6143bcdaf11da4d13923aed561068521067045f0b3730b09b1fc82ada7b53db880ca928e1eb96f |
C:\Users\Admin\AppData\Local\Temp\aQwU.exe
| MD5 | 1c460e276fd8df3bcf616f94738c6c0d |
| SHA1 | 6610fec432da7129f1bfeeffd816c232f4e26e85 |
| SHA256 | 69cf941b132a754130809e77df72e52e6832fb7876ee1aec373fbf247a1cbba6 |
| SHA512 | 4ad739ec463ede3ebfa5508684029f7735577a86f8ce938a9de7d0f6eb0a16fc956bbbd6b47627cc6711b092c40ae472abeb3677dc86db0e837166db62504761 |
C:\Users\Admin\AppData\Local\Temp\AgYg.exe
| MD5 | 68075f328542b589178114e41ae18aa5 |
| SHA1 | 328b9fa3e451954ed639c05bc68930261c2cecd1 |
| SHA256 | 8731b94615bf0000f8dc490246a3559a0af1f95e4bd91eb4aee9d2fbb3072c23 |
| SHA512 | 29d28b919bd63278d8473c0eaf437127fbbe1a4289d8dc663be4c7fb67e05ac8709865df5da42943c0b3060f3012fc04f53a1f4ac1caf655efa250058e83e6f3 |
C:\Users\Admin\AppData\Local\Temp\cQQa.exe
| MD5 | fc76288c55a94d58b983e505c56b8a45 |
| SHA1 | 11766a1703c2db474079ba9c774ade8d4946b4a9 |
| SHA256 | 72998635eee08aeaa66cb9d3318afe34d0815f219f92370d9db36ea3cc64a954 |
| SHA512 | b20a616e322f5c51937c73b5bc59b556b4b519881992834f2f365a0f647ec5f583747d15ba78b80d1f89a4bc3146716f3af8d5bc29fe8f9f5eb694baa934fdcd |
C:\Users\Admin\AppData\Local\Temp\sgQO.exe
| MD5 | d01c10ea6aed83e842f6fbad07ef5c50 |
| SHA1 | 8b420478123721ff18d78cabbff9300f8e4f9e9b |
| SHA256 | 3b89ceccba85fb2fc1d61b70e28ad54cc1d01321be71c243910544cf2c736b97 |
| SHA512 | 96e5adff52c2975aa816ba9b6e50c4f913f621eaebd8e614f908acc7dcdb6e58ef5428127165c7f72e87638f78738525a6117c833721acd6b1f781595f25d35a |
C:\Users\Admin\AppData\Local\Temp\kMAw.exe
| MD5 | dbe7ebf26ee01ef5e2593522192875ad |
| SHA1 | 487614152a247e3170d939ecc8b3a13201ff8c2f |
| SHA256 | 372ee74ae54f6e400dada57b7734dc33045cc687d6ddcdb95a2e27272ea1e366 |
| SHA512 | 5c544921e172e7c30973f9ea1e43dfce42d5d89b9bb21bd5be19c920862cb3a97da7d8dbd57b140d35b1d711588a6cd9108313ad8b93d0b6a1fd06997656ffd5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe
| MD5 | ca9dbc78f4dc0e3d3e4e4af4f3368e5f |
| SHA1 | 8466cc1c30058e93ebac57e59cf551bdc104a361 |
| SHA256 | 09055973d8d9ab1f03d184d7a9830b8e9e4dbeafad41abfd6cad90a54fad4845 |
| SHA512 | cb2fe970bf9c0bdcf1bb528ac188d68c4cc2d6bebea1a65472352038d7896feebd2bcfdc6b099e59b9e70cc3b364f0b1831ba32a5a4493f97f05812698c5c92f |
C:\Users\Admin\AppData\Local\Temp\gQoE.exe
| MD5 | 848cab107f95df9844cccace09f15554 |
| SHA1 | d859977ee300851ea6ff6ead5d435d49f84e32d5 |
| SHA256 | cfea7285f1505e7dbae21036572bfa11fdf2423d3c8f03aac1e60c55a6845b4d |
| SHA512 | c18f28a623ec68207f1077b2ebc3bcb5ace61268d0aef8588fc99a08243c5ab62061d76535cd97b10805bd50c6052c438992d3951611ef6514a8cc58bb33f156 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe
| MD5 | 0438b45d98653fdc3fe8ad43597e03fe |
| SHA1 | bedc2e63ea35921dc1aff7c8302fd64cd562e447 |
| SHA256 | f0e5b3e9dc508ba47663b25cd3ec8e605da4f3588ffc2754d72e759590a94cdf |
| SHA512 | 509a45b2d8851ae26cbec3ae73c553af70f36b97144c2ee58e96ccf24070ad0df91eb21cef4a04806b0f8ce067e0b526a0bc6e5f3a6686638413f86695f8963c |
C:\Users\Admin\AppData\Local\Temp\ecgc.exe
| MD5 | 29fa76b94782b415a97efe6a6ee280e9 |
| SHA1 | 8f37f2b9db26069d6d55b45c8cf5caba687bb00c |
| SHA256 | b2dfede1b11f8bd2f7bdb2b401387fe1ad21182d4e361e68234911288bce780f |
| SHA512 | 13055c6515cd08de146af4a402fa4e3dcdd4ccbc5c515185f842d8cf429a913e9707ab0c41fd1c9479b7f7bdbf225245ac8dc48ec74a41300eb59575fbfdac63 |
C:\Users\Admin\AppData\Local\Temp\GIkS.exe
| MD5 | 4ee73cb502972cacb244d4552759e519 |
| SHA1 | 9e842e78a409bd3b223e309353a48c26b656fafe |
| SHA256 | ebb22845e8c3369ee3b116a4d09ce6648cc845cf42b224e2653402b074a2d5d5 |
| SHA512 | d0e61435c95d1cae24297e0f0ef5e378313d81022cc5d5d95cc6a5f369a39375a085b7913fc012c754c7331e94d77305e14a000c1756666fc0847c805f1e7ef9 |
C:\Users\Admin\AppData\Local\Temp\oEkq.exe
| MD5 | c0ee9224d368dd6105a348843e4b2f73 |
| SHA1 | f6873d347f4b109d697defde8fd29909f999e403 |
| SHA256 | 307da79b40527e0ad812e50fa43cdcec59fc850ce771eeae995f19e2fe5d83eb |
| SHA512 | 9f1875be7f287b12e39af2a5235d28bc1205b603d134a943896f4be5d676e47568cc02777357593ca2fe16f24bb3b3a474a683e1f45f5e4706db131128ee72fc |
C:\Users\Admin\AppData\Local\Temp\SwQC.exe
| MD5 | a440a34d1114ea6ae1792a544a46d773 |
| SHA1 | 061ce1831e2e688a9edb1deb6aedd3e552f9ec45 |
| SHA256 | 0412a283e1d3a8e94c42ff86d92c95d7325c2a7be99fad02ebf4054d17df9369 |
| SHA512 | f04d9b9f1fa35983d0d89be3f07bddfdf52429564a3d85aec977363d8e0da06629c527ad02cdc24a4993a51e3c9cf8e39dfbb3d267999ca72430b3635cd98243 |
C:\Users\Admin\AppData\Local\Temp\QkYy.exe
| MD5 | b0a74f16bf8d74bb64e5f61274fbba39 |
| SHA1 | 847205b164918ad3acfdc8647685c660290106b3 |
| SHA256 | 0b4fb861672caca58dd0e8310753805f775ad6b0ed072785abfcb14e73de5e98 |
| SHA512 | 908f196f628c809c4753c2f8674153f26233c2ab3acd96c5e0374999ed2805864c828b36b0a30a1e17050c5e97839a32aa7f8f692b3f7ddbcf6a112afcc18b02 |
C:\Users\Admin\AppData\Local\Temp\UQYW.exe
| MD5 | f931333756cddfd00432e308b12aae0e |
| SHA1 | fa8365f933312a1665b4bad3f04bbb6d2114c46b |
| SHA256 | 765a03e87c6740c29ddcd598d6a87a66c5450796adc3290d3bdf0c9d18542248 |
| SHA512 | 589bcb5ffdc5ef00783fdf05717c73619c78e18e0ee2ddb194f14a7e5206b9fbf338c8e580a7adade6a7e1ab19bc90faff31198759863c95de33cbde37b9bc8b |
C:\Users\Admin\AppData\Local\Temp\ckoI.exe
| MD5 | aa1a1b143a8f199670940a050d9043d3 |
| SHA1 | e42b5638f6a1f450a923650558ccf089cde54ceb |
| SHA256 | f420dd17bb34ac73f230f02621926dc2a79dbe798cff25135c757381260e2264 |
| SHA512 | 600c99dab76116d71a03e423e7c41b9ac3693a0861f4b8dda45ed407cf881c40e4fe6e6303c975eef3507211df4102c68c6e41c4dec6dd6a3ac164c1a3baab7e |
C:\Users\Admin\AppData\Local\Temp\SAEu.exe
| MD5 | f7e808cca68081d86a5d402e40ff23e1 |
| SHA1 | cf8e7829a14d58117985023b6fe3d3012afc8202 |
| SHA256 | 310d4ab4f15613464d9d4dc8df11f9514d164020f417a2fa3a7221c35c1359b7 |
| SHA512 | baabe5d28922854215eb5a38f9d22a673a7b269424592cc10a486526b931743ba0ec7ee506d5a80165167b849a046b02ded21daca9ed3f8756393b71c127e09e |
C:\Users\Admin\AppData\Local\Temp\WYoM.exe
| MD5 | 3bc6bc9d524d82d50a6309ca95cbfb9f |
| SHA1 | e64d25f0c4ac929cc464b550d3ed08dac833bcf0 |
| SHA256 | fac020ef1f784d2df617a265adfcbc6120ce340b9a3c7f5a0baa1f35e0e0460c |
| SHA512 | 02ef3b3c427be1bd41d78600339849b1f9c2572aec44bc8a10ff0bbcece84edb55bbc6de7d313faec74371f83d4a6e079970098ebe7455e33f56663226e58194 |
C:\Users\Admin\AppData\Local\Temp\QIAG.exe
| MD5 | d912589ee04474cd01182cb14c649ffb |
| SHA1 | dfa6ae2eac7e4eb9bdd965fead9e71489df58a1d |
| SHA256 | 8fefe3579d74c6d347581b52922673bc03b9baf983c3360d463539167934b17c |
| SHA512 | ac7ca82e14f0f86cecf0249fd9a5db955ae1ba366cade0584719a5ef4721de00896371f1aac395eb51866b877e66b23065e2464045f48002813fe10d485cdd42 |
C:\Users\Admin\AppData\Local\Temp\ogky.exe
| MD5 | 8e74a482165ac064521bad439c046865 |
| SHA1 | 88c06daf03ae14701b396781de751a251be8a14e |
| SHA256 | fb0753b2c1f228daabee3e823dcd82f5f5180c4cdf8ab1e1a2c31ebc50f73ac9 |
| SHA512 | d7040484d6433b5917a8c1a852e02a92f27c0c07dc758565156b97dbc5c0ab0a1060a2ddecdc60eec7b028f604d0c771c8625634d393b06ae0f7ca5cda711126 |
C:\Users\Admin\AppData\Roaming\UnlockUnblock.exe
| MD5 | ebe726d83633999ef34aff3006ecfe18 |
| SHA1 | 34bfab904f74d860a279c33673232cad228ac1ab |
| SHA256 | 59e5891a40d1c1d0c4bd0bf31167e31251e89fd593b70754d1c14114e62271e5 |
| SHA512 | b2fa9293326cd6c40b313de60a54103330876b8212fb5623f020839fd2b2a4111a219c8ecc08a6b1bd8b7814ede7b345b6f08b3a12f28a48fde5281b5f67fa7f |
C:\Users\Admin\AppData\Local\Temp\mwAg.exe
| MD5 | bbed05afdda6863146418ef673045c0c |
| SHA1 | fed20fca0e9eb6338cfcb08f91e71ae9d052a912 |
| SHA256 | 96f44e0b395c2d4171bdb7d0e3a6d1395af88c29067885a0a1f338ddcba4b42f |
| SHA512 | c1b71f318eb382ed40ab6c9c9a676747c74e52aadf9d2bde4627531356284308753e52736fb0dc98ed8b0035f5516ccf9133804bab1212a19c8f8a858346c03b |
C:\Users\Admin\AppData\Local\Temp\WQQe.exe
| MD5 | 58f6a361b91c3b9eef33ac2418756ad8 |
| SHA1 | 828b80a6568e058be388f72116a3fd038cc92c0f |
| SHA256 | 7f9db442eb480944f73ca5bec907ef0530f71db20de4cc8277f27619dbbd00ca |
| SHA512 | 98540b09cd8dd3e4fb8559cb1e2bc2a3562eceb8c5b0f01a1288f8a5507699c0f711b34ae761298da5035968c236f6beae7d6fe36efbd426f8752f66b6968b69 |
C:\Users\Admin\AppData\Local\Temp\qYQw.exe
| MD5 | 6f25d993254c3d51472fa9064494b591 |
| SHA1 | 389b98c7d7ee2575ee6476b034a4b61123f6e764 |
| SHA256 | 9d15426c842c3b15e5e5418906e46fff3b1d5a577e814c38f8032ff0bb5e8dbf |
| SHA512 | 94d06bd22a6a07a6a310217c1cecf7dbfceafc98e01b184af2a1714e7aa4a14163e2525d8e341751f53615be0183638e3d8343780bea22a6ba13ed767b03000c |
C:\Users\Admin\AppData\Local\Temp\CcUG.exe
| MD5 | a47b5a22017e8b39429d815869434541 |
| SHA1 | 9c94045b26cf84e374f841b9f72e978f2e6f1479 |
| SHA256 | ce2467c1c7088b309c09f02b919026e645c24fe3d5bbd4f0bcedcd678ee5fe56 |
| SHA512 | cf30ae777513650d516973dc51df0fbd0e5ddede333da666e4799ac6893e330f3d4bbcd7d15f1df3c5f13219d464fa9a9541078c1918f2cc42337106f367da81 |
C:\Users\Admin\AppData\Local\Temp\wsYU.exe
| MD5 | c56f1348bd3f15e86afffa54103d8b47 |
| SHA1 | 8a59c940f243abf4bfcf521d26b21ab8084358e0 |
| SHA256 | e7209a1884177dac0b7c691743fd5ee920620737b57ada8d92aad22bf8154b4a |
| SHA512 | 15535957122565fdf4a3671252e8bf229b697d5a3059f1eebc00cb7acf37c49839ff5cc8cf507690b12877314d61637016c4f634f27eecf554f9dbce5274cbcc |
C:\Users\Admin\AppData\Local\Temp\cgAQ.exe
| MD5 | c9e02e5935e81b2b2ea6d82d4f17f4bf |
| SHA1 | 9a7b0ba2ec8ee53960708d34cdf0fb9e6f25a64c |
| SHA256 | 60772913a160b93c70de449b8d4a326bdea1b3f74a97f1073ae4eef1f75db957 |
| SHA512 | 3c8ed43a093fd9d7e2d2059a50a3055c2ae950221fb505f6b243e6e799c435bb996c898c8e61c1b6c58de50e78ea581c79415e0bce2c61b610d5f08b788d721a |
C:\Users\Admin\AppData\Local\Temp\yoce.exe
| MD5 | b4370a00a85a860bf6e3f1153e0d7c28 |
| SHA1 | 0d9b895229b043bf604dda21cd68c0f888857249 |
| SHA256 | 6ae743590d7d8d93012e34f410dfffe32925c271df7722932483f6869651fe63 |
| SHA512 | f67953b6c8e134ca1bf8e403e9558223cde56d975481b1c4c1a6e7318404eafd3c3325447cbb911072197b1be1ab08315cfd994946351b624f5ea9f332e79388 |
C:\Users\Admin\AppData\Local\Temp\YAoG.exe
| MD5 | 90fc1237a38a97ced6eca2396d323502 |
| SHA1 | 1d222cec068f2e91cf9ed5acd11d29bac00185bc |
| SHA256 | 691eba3629406805c042e381ac271107ece533198bdfb7926164573a01656da9 |
| SHA512 | e5472aa823882cae02d203b35fbc14b3e6180e497bb6569109363195608931c8cc2a18912510c69590cd5b2d629dad7764a5de52215828d5d84e66be6ca68b7f |
C:\Users\Admin\AppData\Local\Temp\mgIU.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\WwEa.exe
| MD5 | 139242b8c79e5aa56c986a2a7fba4eb4 |
| SHA1 | f21e96822f2a26426a1eb32746b00c80f4bdaafc |
| SHA256 | 4b1c2b521e32d02a332e04247f022d5b622ecfb7f98329df4d0c09980f7d63a5 |
| SHA512 | bed5fbbf5bb6fcd1f58daf08c36e5528c9e3b3105237dd672b1ca1635ec6791fad4380dbcee231eb69153f4a18d1ba21df1296c141974671085e68c8bf0b752e |
C:\Users\Admin\AppData\Local\Temp\Uoko.exe
| MD5 | 722d53d3670bdd4fd9d7cf6389ac27e5 |
| SHA1 | aab8c7861ae4d1924e5f1af872bbc43fe29ff8a3 |
| SHA256 | 5386a640343243143b3e06befb04ef99339e9434be375a907de42ce4566c4d22 |
| SHA512 | 1490aabb0a4fca8d18aff603368e314621fd435b7267db0336edd07d6cd60b7bd0a510369e109e2278010b7bf25cc8d9197787104661a667799448e235eb05db |
C:\Users\Admin\AppData\Local\Temp\QMsg.exe
| MD5 | a9162856e88ef1969ca7f31a00b940e2 |
| SHA1 | e433113f9b8609e87f435974c86499ab164a774f |
| SHA256 | d52c1ce2633b801576b9fd3b6261a84b37d000201658a61de9d4fa56ed87a77e |
| SHA512 | 0c16928890d4cdada5ce3cfbd0001397e745243944c6448b268a48917357ae327c98541e88488c4e4a3e32d80e68908a40ea4149d8a3ad895ed2d7659b22f6eb |
C:\Users\Admin\AppData\Local\Temp\QYgS.exe
| MD5 | 39f22776a25cff8e07bf33dde7c23cfa |
| SHA1 | a2676cb61301862d84d6d48488690d39d21f7244 |
| SHA256 | 6692ae4dad240b87e7d99fa842e3f3280ab7ef7c251b9b57d4e798eea1fb1e67 |
| SHA512 | 6abc5c436b53aaff67ab765825b491247b23a806eec43f7f598a34bd705b98a3ab4d6a36f240a3ae56b95240125631b434f137558df2bca3140acd9a359c1ed7 |
C:\Users\Admin\AppData\Local\Temp\wIIO.exe
| MD5 | c31afa9df8fe9aad262865818e578fa9 |
| SHA1 | 5ac60b3b649d0c341402df78817254c29a5f08ef |
| SHA256 | 77618d78639f8df44023e56b8f1866f1e5ea0cd581c7d295681f004dad01804c |
| SHA512 | 670929220d040f77274e736ee672f534fe696033496f7f9fd7623bb8789da08219103cd8643cfc424406f9fcea997803464cc5462eebd3082e69f2bd76b6292f |
C:\Users\Admin\AppData\Local\Temp\QQQy.exe
| MD5 | 50528c6c7e250fb0b7f837303fddf477 |
| SHA1 | 760ba55739f72fe88533643c3b342faad291bab8 |
| SHA256 | 34ffb2e0fffa0be698c824f6a52472284a94b073899ba9126654980f06cdcb7a |
| SHA512 | ea87e3371861b81a170fc7a10786b75e7ee799af07a5809b7891b95b3bc5013342d1ccdb7781fb77dc76329b827af69f3e2de920e88aafbea42882ebccfe166d |
C:\Users\Admin\AppData\Local\Temp\AsMq.exe
| MD5 | 8df6191842d61e3d833d1d98d3dd8c2c |
| SHA1 | cba3d10e1070ff2735a3e566579e037490ac9e23 |
| SHA256 | 3686c860152fa517ebaeeba6358c249c73e61e9cec2a2edb1d072972d9ab54ca |
| SHA512 | 6d57b8690b3582815de6844b352caf0d7b5919e67d83ea1cb5dbe4dea38b7df936684fea1bf2698552e79aa1221e475b92bb7ba18f6aa05b992ea2413bd28ef8 |
C:\Users\Admin\AppData\Local\Temp\okkQ.exe
| MD5 | 7b4ba51318e57c4051feb8d8eebe7f98 |
| SHA1 | c53e77b4679ee5c266e6e6a13a13f3a9f7069237 |
| SHA256 | 328f5771920a4089c7169ce41fceec8ad42900fb612b5785f535ea13fb4d74f0 |
| SHA512 | e19d906b01feb48031af03fbee61fe795e3b387c1daba355d0d17babe3b396e66aef1f4019e70cac39c6af3f5480d0ccb1881f7fbf1df61413b090c9ee1132f1 |
C:\Users\Admin\AppData\Local\Temp\eYoo.exe
| MD5 | e4f1c61aabd62f6681996d763c60b54c |
| SHA1 | 2b9366be8bfd15119accaf5646508ed673dbf197 |
| SHA256 | c3c7adbff92ecde1e32516ee879185e8d46850bbfc976d0f79527d16b73b749b |
| SHA512 | 7e34157ad328c580f1043c10785ebdde183cc2f204b95d5869afca29e7a678da4ff8bba16d3eaad230faedbfa44491a2cf3196ed6fb263e6bdf595a9fe8da2ad |