Analysis Overview
SHA256
be2a06101382c105d31982aad11e308d36f5e110099b0e78a2ec22ba486c98d9
Threat Level: Known bad
The file 2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (82) files with added filename extension
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 18:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 18:56
Reported
2024-04-03 18:59
Platform
win7-20240221-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe | N/A |
| N/A | N/A | C:\ProgramData\XUUUEccc\LEwwEsYE.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LEwwEsYE.exe = "C:\\ProgramData\\XUUUEccc\\LEwwEsYE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\iYsEgEUQ.exe = "C:\\Users\\Admin\\JScEcAIc\\iYsEgEUQ.exe" | C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LEwwEsYE.exe = "C:\\ProgramData\\XUUUEccc\\LEwwEsYE.exe" | C:\ProgramData\XUUUEccc\LEwwEsYE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\iYsEgEUQ.exe = "C:\\Users\\Admin\\JScEcAIc\\iYsEgEUQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"
C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe
"C:\Users\Admin\JScEcAIc\iYsEgEUQ.exe"
C:\ProgramData\XUUUEccc\LEwwEsYE.exe
"C:\ProgramData\XUUUEccc\LEwwEsYE.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JOoooEoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAEscsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EeccEMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuYwckwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CMgwsYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmcoYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuAAsMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bEMYsIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zikAkkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19016647871411765071642134900-1990356475-205644906119313152571436516607213190269"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GogkcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OgQgwskM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1166439062-390228499-1361611887518257106-132370356718649190272520514561837732879"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wqMsoMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NMYQgAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177146349-14549744891679885651-5678678051021140122-389320975974591631-1477607323"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UiMIEgos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ecMYAMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmcIAksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-396405081-98191379-1226618541545550430-1092536418-846828467-606940561108595453"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWQUggMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15659469731870647865788898542-225698813705838744-15135811511629666484-348160722"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tcQkkYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQckUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccAEYggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SyAcYMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-100644747216760160461049864712-1755854973418115491544597734-1118521542-585405029"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWAwsgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4998837781259837717-75217556-19091964061684724726708411850-20814058272105578236"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEMgwEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gocAoQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10521060637576218491611803287-1054698350-313516841-959896621-2057203392-109327889"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImgAMYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgQggoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-779086462-196130179116837610371399316214-2073679672-667756273747566131937225589"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOYUoMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17533438261679105680-610666741-441790464351273505396356969-3330153092104946228"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkEYowEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1798214191-1249833491-721282064-13643999954773964152095572895629439694851232496"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1575020946-1073459849-8631657851283857393-1096263712-2052923181-1947461357486972172"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-389273630-224558514-415459834427380856-38183642993745294-1847662173-1249461181"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\POMsAgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "24614146819254453591875800004-1003925573-550171167-1309689614-1377807417-36640531"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.46:80 | google.com | tcp |
| GB | 142.250.200.46:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/460-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Users\Admin\JScEcAIc\iYsEgEUQ.exe
| MD5 | 70b46227cf68e5023f2ab4f0f3180290 |
| SHA1 | 7d0e76cf0b684f4961925059fd1c2fe3c2a613eb |
| SHA256 | 372e29b3c0b02ff7e6fcd7b850b371a0fbfaf8eaf56210bea541ea0eaac037e0 |
| SHA512 | 26a7f9a3ec83e25265514ce19b25363759fcd617b27ab58f9f4e7f22990e54f4e30923d6ef60ae8ef0763a099d899d5c8cec12d3ce779e9eecd1cf3fb1debf1f |
memory/460-5-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/460-13-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/460-30-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/460-32-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2972-31-0x0000000000400000-0x000000000041D000-memory.dmp
\ProgramData\XUUUEccc\LEwwEsYE.exe
| MD5 | fc678edd1e91bddb631cb18b9fe897a1 |
| SHA1 | 6f8f538b50c668c30dabdc63bb37026e28b5a607 |
| SHA256 | 46f6270ddf5f5b1657a8f7da7edfd40a244826abef482ec6c619b1eb87dc73bf |
| SHA512 | dc170c74f1d707df417b02445774ca7b0ce6cbc6f5817c201cca90bd521d9e4f144dfc41921cc9af15886d93f3147006fb2154ac1d7cde0ebb43b103ba99b603 |
C:\Users\Admin\AppData\Local\Temp\AQgQMwAk.bat
| MD5 | ad45d04e8662423f489dde5903edf9bc |
| SHA1 | f070c07f9fe5fa81049d270370180c507fbf5c8d |
| SHA256 | df0c0aefb0dc07fafdac0eb94d9f29f4aae9c61ad54781816ac0977536a6a37f |
| SHA512 | f27a0411cb64e0886f15acc5187995dc63bdc4936ef0ad1a0981604ab7b4c5b1a3a97747465735a4bb8ba190e0cb3af6e14ddd3f15d9392cfff4749ed462a1d7 |
memory/1752-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2580-35-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2732-36-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2580-34-0x0000000000120000-0x000000000013F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JOoooEoY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/460-44-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
| MD5 | 5f6870e505406f5a8e8fa594b6d5bafb |
| SHA1 | 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb |
| SHA256 | f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a |
| SHA512 | b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf |
C:\Users\Admin\AppData\Local\Temp\UyEIYQgU.bat
| MD5 | 5ee7a9f45f53a050c8e91167692eb6e3 |
| SHA1 | d550119d7db25eb0407358b63679dff6e9154f0a |
| SHA256 | 4a815cf4f634688b1e961a2b7a2cd49cecca7555efeeae582996ac3fc0f3e57d |
| SHA512 | 7f0677af562ba96ec775087879ffdaa46191271c54521e64d831d5f99e7ccc4bdabbed8a8db3d450de9b7a8766eded7ddf240945e6129290ff1d2a3f2818637a |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/2328-57-0x00000000000B0000-0x00000000000CF000-memory.dmp
memory/2328-58-0x00000000000B0000-0x00000000000CF000-memory.dmp
memory/2732-68-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2764-60-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rCsgIAMs.bat
| MD5 | 87028faf3261d2d4eb039375aaf73ea1 |
| SHA1 | 994e262340e4e45c480c6db84d65f60a77d81a1d |
| SHA256 | 8f142e067092be339bff53aac6258747932ba6384f477a8ad776b920c5dbe7d3 |
| SHA512 | 19aeb31cf14fabb5b6f3c5b7950c7c43522068f120f974f03f52fe6771decd119727480c4098514346bd50345fd2cada36db6b396c875e039eeaa34e32824f75 |
memory/616-80-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/616-79-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/2008-81-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2764-90-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wsUMoYEI.bat
| MD5 | 3b0143bf0e6bd3cb032169a062f168fb |
| SHA1 | b3b116ce5c1f9100532ec9816337a29489dbf431 |
| SHA256 | 9fbc48686191bec812ac080a92d0a428dcb6015335ba70a04828c7ff9e54e209 |
| SHA512 | 8fda81bdafe3e2c7a97530de72ee0d44ae84f9c3ce0e7144b980b31ab45de0292abbf6dfa1fa6652fe4d3e53647399eaf5d50d01e919b1e63e9500062e49b6af |
memory/2300-112-0x0000000000180000-0x000000000019F000-memory.dmp
memory/2300-113-0x0000000000180000-0x000000000019F000-memory.dmp
memory/2316-114-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2008-111-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eEUoEgwg.bat
| MD5 | 0b16f4dd0a5fe6ad6b57d5d508f523af |
| SHA1 | 6dcbc0fbf5d54b78610613a57f3de2588c9e4982 |
| SHA256 | db775b23f80d17d1361d35de16143350dac17dd1da8fc36e7cf7ba74e8ed30cb |
| SHA512 | 3af827b59e8138fe4c91ed40c94e05fb3a78d988d4c0f7c29470b16271bff8189ef168a3dca40e5e87ac1b63077d17e40552a6e5082ddfb50333313a22059232 |
memory/1524-135-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2256-137-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-136-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FKEQkEEw.bat
| MD5 | 977d118e0b2e2b606a67db1258c470c1 |
| SHA1 | 9599b3e2595c65c5fed8313a1adbc683d5a4f84e |
| SHA256 | 3a5a91b5f2ed384acf5cbb176ef1e7bfde04764a88a68729c1a47ddbd62dbd20 |
| SHA512 | 008a2a14a1d03bff17fb8397bca369ccb1ce5b665b5b7146d2b214db1e6ad20df560eaa3f3334ff9da90d12d8cf80497f09527235f9842c1a0423fcf4d40af1e |
memory/2256-159-0x0000000000400000-0x000000000041F000-memory.dmp
memory/844-160-0x0000000000120000-0x000000000013F000-memory.dmp
memory/844-151-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2116-161-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FAEcEAEw.bat
| MD5 | 042a7a324152ddad62251232ea34176d |
| SHA1 | 6f69e1991e470641e1fed740857261ab254036da |
| SHA256 | d025967acf535fc2ccb05b59d01644e6ac241e05138ed96c9dd599fe000da6d7 |
| SHA512 | b29a968502b035f44ab1378a1731691c901b86964f5b1a1cd9172691eb4d02dfc2196282d5970815135c4fadcbaa1068e7691c4d4882a0ddc7dbb56d7925c403 |
memory/2644-175-0x0000000000160000-0x000000000017F000-memory.dmp
memory/2116-183-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2644-184-0x0000000000160000-0x000000000017F000-memory.dmp
memory/2624-185-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EWAUccsM.bat
| MD5 | c205b5b15577f264c7712d9aee7ceb80 |
| SHA1 | 627c6e17477d867d63958ebf36f3bf45554dc3ee |
| SHA256 | 934aa4b7eb505824695bcd4ffcf3196a3d0e4fa6bc469f36e563dcb4f4dfece5 |
| SHA512 | 3fbd46b399fb6dd5cda1dd6230b9b3746d1e27d9f96f5fc51e39805e04122a6718ec7c7d6343b043c64d8a196326050d4f625da3bbd802e52e3b814572ae087c |
memory/660-208-0x0000000000360000-0x000000000037F000-memory.dmp
memory/2624-207-0x0000000000400000-0x000000000041F000-memory.dmp
memory/660-199-0x0000000000360000-0x000000000037F000-memory.dmp
memory/548-209-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cMIYUowY.bat
| MD5 | e32299495662cd0089a42e34fc5f887c |
| SHA1 | 593480b0d1eb87fa21b5106454c3139c034f65e1 |
| SHA256 | f116c5deafb4f6956184dea65c1d9aa509d3ab17a7a6e8c43caa0209448ba3b2 |
| SHA512 | 2a3e1e0ff380d9c68f9d04f3aaeb846c9f9fd652215e262da763967f4ec2695d757e1789bc40b5dbd846f9c6698a32e31a897d11bcad4dcc5d8f2737fe83d35e |
memory/1924-222-0x0000000000270000-0x000000000028F000-memory.dmp
memory/548-231-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1084-233-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1924-232-0x0000000000270000-0x000000000028F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lwMAcgAA.bat
| MD5 | 56097b6308c9d6a44efd03b3a9e21c74 |
| SHA1 | 5b555455b1043c9c8b4e6bd874f2133a21463996 |
| SHA256 | 0fcddecea53382d1d17a30c8624dfeb8b6d3dcbd49c48a5a78644709588ae541 |
| SHA512 | f416a526f5300c9654d351a7ed5bd43c47968da529531447cd846521dcd9fc0c3ece7d38e01eb9465f8fda57278305b480c56354cc8948f04c0f4eba8abc2ba9 |
memory/2284-257-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1084-255-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1120-256-0x00000000000B0000-0x00000000000CF000-memory.dmp
memory/1120-247-0x00000000000B0000-0x00000000000CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vacAkMMc.bat
| MD5 | fa8b966a75a368cddf5460056f013a71 |
| SHA1 | 1bb1ccc7ab74f77bf3854c37f3384b9b6f16e972 |
| SHA256 | a7cea38da3f89696ebdea6654285a6e2854924c9df4bb8d3d7c6cefb607e7ec4 |
| SHA512 | 4139636f9a28725c8dc7c546531195a1bf8831637a53e5a22927ddb4e57e84d09c76350b5c51db06f328a77de12d83e644805fa2a92d1f62049725832086f39d |
memory/832-271-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1692-270-0x0000000000270000-0x000000000028F000-memory.dmp
memory/2284-280-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VQAMMEUk.bat
| MD5 | 7c8989920a36385dd262585f085e6370 |
| SHA1 | ad6e45a1d8f518f39100c77cb3f0149f0cbe9341 |
| SHA256 | feb6ca26b9485bcfc296bcf46ab25c07a9fa479a91273dbce269190be9da1302 |
| SHA512 | 7fdaed678aa2ad061fb7ac890ee08721c47dee21de8627b32a20e87ced39e26edf5ce6626c332c76e8c8fbb0f257b2834a62c257ef18e19c4c644c0a1d91b700 |
memory/832-301-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2384-302-0x0000000000370000-0x000000000038F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KsoIYgME.bat
| MD5 | 9b0e0a841a4e5e6e318d183bef0f0f85 |
| SHA1 | 3403163389583ae2fdd03e828e7c1f585fd63a5f |
| SHA256 | b8f3d370f6223d2c0ccfe5d1bc3c6ef1a634f10dac53e78ec5cc6550371a58b9 |
| SHA512 | 14a657b263788249a169bf8b9bab80b3e8798551d628d6a1fcb2eeccd8eedb8ff5aa3036765b599c53b3c9e22407b0f83ee1ec08f644998ad3d16d1a4da624cc |
memory/812-327-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1152-326-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2532-317-0x0000000000160000-0x000000000017F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rioYwgQM.bat
| MD5 | ccea3ca9095c1920a7e01675dfdc7df9 |
| SHA1 | 14d10174daa2fcfc4e42db1bd6ea53e45f4c58c4 |
| SHA256 | 8674002dfc02d3c754ae8a15be4056f284c5cae77365a101cf975516996816e2 |
| SHA512 | e76b7866a1ce378a470f7ac81dfc997ebb833a241d0cff1bf401b64ccfd0ab956791984d305212798bdbc29d81584da0c86482bb56662ea1e5f2c4217e5a624c |
memory/2600-342-0x0000000000400000-0x000000000041F000-memory.dmp
memory/268-343-0x0000000000400000-0x000000000041F000-memory.dmp
memory/812-353-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nygEYMIk.bat
| MD5 | 40c3a984f88ad095e7dd31387bc5eba2 |
| SHA1 | 7aa92b8977cb4fb9f04e6fb9f613d8d8acaa35cd |
| SHA256 | 57f1c2de7375dccf90ea419cda2cbf4a2f2ada6c93ce702dd3235dd5fd6c2c4b |
| SHA512 | cd936dba128cf4898f0addb0b84b46e8307a6d229e561fd1ba496a766687422d125f2ee7571df76fc8052f83d749c30c53ee199666d2c715b701312d94eba3bf |
memory/268-375-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2652-376-0x0000000000400000-0x000000000041F000-memory.dmp
memory/604-367-0x00000000000B0000-0x00000000000CF000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\dGwAokcM.bat
| MD5 | 1f2aee8d159cbfd2c50d15ce6ef4fac2 |
| SHA1 | 67e10296d18540a149307d982e12fe72985c95f6 |
| SHA256 | 44073905de313d5203f419e1e62f2afbf384e1acdb4fe2d9db94904123844487 |
| SHA512 | 684b780e7e255bb3eb39382565d7a97131aa5c766a121d7bd30f98ee8feaeaca344ed8cde698c6988d95545bcff0fa8e10a5fb273002bb01ea42801dadf9e1f2 |
memory/2652-400-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1520-401-0x0000000000400000-0x000000000041F000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\vYUa.exe
| MD5 | 6a325d265cbeffa8ad347298dd065d18 |
| SHA1 | cc623b4d274c14bc4267822292d7047763db311e |
| SHA256 | 6668ca15782f47f92ce0ac444a679f3f483a0c75b65b3527a4cfa4b227bd94d7 |
| SHA512 | 1006e0ee21ceb13e0f67f0c9225f5f20e77363e18159aa9d32538a9c99d88c2fb547da17c5d907dfb2ad19d96018b1cab819e50668bfaac2b2e650a40ab08d87 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\MWswsUEs.bat
| MD5 | 910cc02360fb81e2a681b194e4135dbe |
| SHA1 | 498ff44b32bceaf976d963834edc709277d5ffea |
| SHA256 | 63443850c4bcaa30061e3c198b199abecb435e80ebf0e6402f6677ead531d304 |
| SHA512 | 1e3e07166e8bba07a7fe2e05eecc54f03240693589891cf800fb249199aa4ae5a14f6acecf85b1bb3286d25afac83d3ed53f525f9dd89a9c6a75469177e8fa3a |
memory/2144-438-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1520-437-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zcgksQEA.bat
| MD5 | e3a29e0f34d1f17e9eb496043854f03b |
| SHA1 | 55be793ffc26c5a5d8dc6dadf07400cbb3ece998 |
| SHA256 | 628837212633f8ec633886f89e9338084d10866b846cd42756239e7479e1c0ff |
| SHA512 | 950a553494f2211e045032c09c5dadd704446e3726dad4d0e5bc944cddacb719f6f2dc917a11f082c6b329e6d5329524eeb363d9099babc29a64f7543ceefef2 |
C:\Users\Admin\AppData\Local\Temp\TcYg.exe
| MD5 | c77d305efd2245e73a696db34fc31bf0 |
| SHA1 | 3262558f34e04cafbf49f379b1c063cf06634de4 |
| SHA256 | d6683349055bc1c2cdfaca5f5d3f0fdda6ada0ddeae50bc5b950e62fee1e841d |
| SHA512 | e6d8d59410207a1a6854e1437bc109bc2cf53ca5d161be9568d64110d2adb50df04110fa06f10f7174c9ee4410977eb900e89fb8f430c6d87ae95e28eedb7493 |
C:\Users\Admin\AppData\Local\Temp\pMAs.exe
| MD5 | d2be62aa309d45c785b8b6e3133f33ad |
| SHA1 | fc3e3d41b399c036100096208b3e6d568668c7ce |
| SHA256 | c8162e3daff470631b035a98eebc77a0bc832733d79fe863040230610fa56efd |
| SHA512 | af593ab9cea6bd0fa1a99de4c1aa4324b5d97fc4ad65b6219365a7f6a18eecf25f00c2ce74ac98a2b0385abb103b6290aa413ca4004412225533516f1650f56b |
C:\Users\Admin\AppData\Local\Temp\lsUW.exe
| MD5 | e5cd0f14eba2d9658fa63d5f291cebb7 |
| SHA1 | ec2f65179b78f016849899e8fb106dda3f785ebd |
| SHA256 | 80c84a534d6692e2e47860e3318075469e64ee0933afce5cbc0fe07c1673731e |
| SHA512 | 8937a2975de96bd8639d9dd57f40fda537ddd153c00540341c44cb11d06302f6157ddc794b4bbf9d78ce2a71a28b38ce65712e99491434085a8b822131b2432e |
C:\Users\Admin\AppData\Local\Temp\dkAu.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\kUIE.exe
| MD5 | 21f20272a4bbfbdbb2835c349af5fcda |
| SHA1 | 05aad0ffa37f9e1ea2bba089bb97ac15b4942f74 |
| SHA256 | be14942eba4281cf5cd8414d8939f8de7dafa48ba2d0d9cde8c2aee273c62af4 |
| SHA512 | f545bf31d0675ef4bdf98090330a443010dcee155c65991d7aacfd97941e5c06ca88ecebcd024d7b4b33a31160486655699b1d729eb958c8154f513e52911d31 |
C:\Users\Admin\AppData\Local\Temp\soYQIgsY.bat
| MD5 | 7e4cce11b0db0d3d43055b7bdc8e5367 |
| SHA1 | a8ddd650409830323390007079f3df5909551765 |
| SHA256 | 0afeae2ba3c24ba8663cc8cfc71f6f325965ef84dead0a74b1a398542c14605e |
| SHA512 | f3af6e4ec74bcb85ba5b9c212ba2d903a616cbc55900a60a5302f18a1ba6753d8eb6c1489eaabcc436aebadf45890cb0e2870c7b27afc289178f008925c02a8b |
C:\Users\Admin\AppData\Local\Temp\JYgs.exe
| MD5 | 700257b974c65692cd9872910a0b4e43 |
| SHA1 | 3bf7cfddffa846cf8304cea366639b39d9157b8c |
| SHA256 | 1732cebc20589fb12f39d0b24386afcc1f676314a3c1ded082bd56290c44d6a9 |
| SHA512 | f1455701c51a88c014eb6128fae58b46470dfa04e1de554eeb9bd73f2b0e18bf29bd9c312bde2beed46e6db06e0462013f8e97f99f24fe4a972833b4262f437b |
C:\Users\Admin\AppData\Local\Temp\QoIU.exe
| MD5 | 7849ec49399a1afee6d8578c9e137f18 |
| SHA1 | ec26a8b603ac5d4a1356f8894b816fc183bed9ee |
| SHA256 | d392e2f83b2663cfadd6a9797f7e0d85cc252b547db34757b9c93f049700ee98 |
| SHA512 | 80d316c47ace12c3dccd85da0f441285e99d02e7061088720d0d855e45d1f3baab180e4f09dbc8215f82efa19507c70b9565470e8fba4e64b286baf43afa46c2 |
C:\Users\Admin\AppData\Local\Temp\hgMA.exe
| MD5 | 331982db5b5bd9442f90c2dcb32add20 |
| SHA1 | 6bf0424bfebb43a9b03560f69400b033180123c1 |
| SHA256 | f0838b6c42959aa085ce7648994cd0be5451e970ad7402c5a4f44a27d52f4ffa |
| SHA512 | 255d08fabec4d5cb6d7470f3d94275f045f17a5865d3ebc59007a655bebc676d93756a9734447ae16929ccf844f525364f801cb51891eb8a13095616f2014fbc |
C:\Users\Admin\AppData\Local\Temp\wIoO.exe
| MD5 | e950aefb49754fb5acb79f8f26dcd438 |
| SHA1 | a8cd75965a39d6b3f231ee050109853a1d9566c7 |
| SHA256 | 184c1bf62d0c0e2fd8ba38878cb5a8f0b358337972e984b2e41a85d5039a51f9 |
| SHA512 | 5ec89835096f788c58ae5c443bb37fd964d365af05597cb119a11615e0ac49dbb4accbd3360997b87fe252083f1c5bb325ba280a3c0823b479a2b558fe0149d3 |
C:\Users\Admin\AppData\Local\Temp\owEUEgYc.bat
| MD5 | 605fac3bf93a62fc028b611162b20adb |
| SHA1 | 4878d27c39428210864681f573643fe201062aa3 |
| SHA256 | 2fe83c386d8b86b666698b12f824ac30b0b65eaa6fc69c524ef33c00a4e68f2b |
| SHA512 | 578287bfd622e5b85a006835957baa3a2fbcdc3110ba66c1892a3fc598f53960e49008b978c9086fff29f71b50de5b02e47f1a91415d4acadb8d02aad5d6ce74 |
C:\Users\Admin\AppData\Local\Temp\hMMe.exe
| MD5 | 9ecf3a4899debb56beaabeb873f7e45d |
| SHA1 | 5c1a37afb042769afaafee3cdb6fcd8e68d0eb7e |
| SHA256 | 253861d82f10a5d5f68067b7f99cfda020809c8250b2e6a55fe160cde93d4659 |
| SHA512 | 2af86e742f5597faa019fadd32f170574a42a7bd74b9119ec255ef769db0dab565e75cf08fee0312a52c80629c3062212765783a1388c6b3101a9dd005b1c39b |
C:\Users\Admin\AppData\Local\Temp\nwEs.exe
| MD5 | 780c2ccee16215b7f1020f5786d43fe7 |
| SHA1 | 002c1cb43cf9da6d0fdaf88ec7cf357008965a5d |
| SHA256 | 2c1e489579d3fd8c85aa65eedbc3e14d9094f982ffc042b643dd05ca3e748520 |
| SHA512 | bf4a1ceb710d187159c2292f9680c7fba3f7c6335c8fcbb73bea8105d9cdc821f0a4c436f6582aed5628a811808043b251db2adfef040182e2700ad232c69168 |
C:\Users\Admin\AppData\Local\Temp\lYMC.exe
| MD5 | 6d19f55fa58018fe9e534aa13c87bb2a |
| SHA1 | bbbedb0299e4dc6a800bb1b1b5c8ba5ae0d5b15e |
| SHA256 | ccd5f8b155aa3e404b041a12c5400e974941dd68ed21af4b94332a094b78021f |
| SHA512 | cd4c141afd4a9f1f003762085cb78cbdf0d4765382a8b5cb8c5e89f8d55144d8da7f6932f1dc7f086fb1f04612ae6deafe7fc96855c2ab4e423ac11151f29628 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | 5cc5dbc34902a524ee716ef1dc0483bb |
| SHA1 | 65081693489296c75f49e1d5be734599cfae4db0 |
| SHA256 | bc26c782dd1210fbca7c9ece2d92fa819b6614580b4121b5dad089c6f6a8f510 |
| SHA512 | a115e05410a645010475faa5a13e7524d46dda03dd039fe8cea96c965a5c8dff27365ea91e2ee4f273773334a62654879698aa536ab60527a9c0485aaded7d4f |
C:\Users\Admin\AppData\Local\Temp\PosK.exe
| MD5 | a1274ddfbdeaea724b34ff3e972b1754 |
| SHA1 | ddf6e3083ff36649e723c389e476ff404c391394 |
| SHA256 | 7f915e77fee8d716b8fc98ae92398ff28d21c900029fe534af775b4b768b9ae4 |
| SHA512 | cdb7b1c6f14a82a6fce42e84b16727aebc65cd0433a1f6c2bb9b04c190ad46a532966b89ccbff3b5dc6a8c936d9c7a99afb1e5ff27b1d3aa4f08e055e4b67afb |
C:\Users\Admin\AppData\Local\Temp\ZmUgMocE.bat
| MD5 | 0ec380ef8126fd4ced4557121a561699 |
| SHA1 | 0accde645661722da1ce973ab5f63a4eb355e648 |
| SHA256 | 7f403faa3a008bce71984c3a3ae2836c539d6c7874211d3266180c9a752bc5aa |
| SHA512 | 692c6471692c7b4ff2e2458361fb593996adbe987d75d03324f9599aab6ef91daefa19f7f3bd674182e6f7214227a847b72f4d40baab9b41acf4d5fe09247f61 |
C:\Users\Admin\AppData\Local\Temp\gsEC.exe
| MD5 | 8276a2c1153ac7c34b1219fcc70fe5e9 |
| SHA1 | b44ad7b5ab359c39445257abea81f6c924504172 |
| SHA256 | a816ac5de7317f1dca861d19ac6ab425de2c97daa866d5c6238a49bb3c2b1af8 |
| SHA512 | be8096c794963a09c4ffab78ecc7ec57da0558045c3e73c96b12aa89cc39291f3199fa63503818b42b7ad1476dc35d0a4475ae90ea9a351a608fdf0e0d768f05 |
C:\Users\Admin\AppData\Local\Temp\Jkgk.exe
| MD5 | 3d6b8f8be52bebd156464e4ab08034b5 |
| SHA1 | 87e463439c37b7f71c31d802fbd9a94befd404a2 |
| SHA256 | 1e6d0117d63a68fea8613c3d8e9df63771bd56c789f07f9038f7ed3c333cc02f |
| SHA512 | 99c67a44574d2f3d1bafaade70020be80da33b20012836d848865130b6681b5ee7f748325fa9b83ba8cd195da9698c4ab32f5fb814080fb413af7a8b879b18b5 |
C:\Users\Admin\AppData\Local\Temp\HYkG.exe
| MD5 | 0cfe43cb8a325ef834bfb23a76d9dbe2 |
| SHA1 | 19a6b6f4e28b0e4c3c0c597d7fb251c99c41d01f |
| SHA256 | 9f01f1340ed6f9b285c1a880b511c89754dd22383a68b30ced09b36dfcf47042 |
| SHA512 | 1cdc67453cfc65f1425db6ce5158f4f1d30c692d7efea53ba567f7b7a2227dedba1dd6cf8194d483e272c64360753ad88f8282d7d870284be0e212daff931991 |
C:\Users\Admin\AppData\Local\Temp\wAEA.exe
| MD5 | 731f1ffa5c8026f80490d2de3b5ecf7e |
| SHA1 | 273ce7040de07a740f75491e03f50860eb76c0b6 |
| SHA256 | 60ed5774d69f4e1aa7f7756e9e41759b9b2f0f0a4c8892c612153eb95360f276 |
| SHA512 | 9e4111d3e598443ce0a4ef3500db917fcecedc29eb50bdee8316ded24d2405e640b100c2cd7e33c12c47cd9908163c859c5618bb82bfceb6023f1e365635efad |
C:\Users\Admin\AppData\Local\Temp\gkgq.exe
| MD5 | c7e75b6dbb53db1ee8a356b5887ecb73 |
| SHA1 | 63e565f8ee5fdc0421a31c4089fe673e85dff4e0 |
| SHA256 | 372ba3c483a4d0dd5a33e22281372d9d15eceb38a87af53c816f7b44b06c9577 |
| SHA512 | b4575c3648aa6f806997594a1a6e8d8a6dcfd425bcacc9f54e111c515901c06e47f5f12fb7bf487a28f418707a3c4d5604531a99d9908def5a9e18d8480010ef |
C:\Users\Admin\AppData\Local\Temp\FycwgcoA.bat
| MD5 | d779a29f88481a0d759454af24f87085 |
| SHA1 | cc5c2af335f9f63a69c5b130358d3e5cd8dd1dfd |
| SHA256 | cdf3d2f75001a056a9fae6aa114a32705f90dcb6ae897bef4ad2d8e5c10ad831 |
| SHA512 | 93d365186e6218d8f946d9c588d72b11ed5cf884ed0fe325bc0c869773fb77f229d9c9ac4423591f9b10aa0e88ce96bf3759536b97763f5d6ab0795193bb39ff |
C:\Users\Admin\AppData\Local\Temp\LUUc.exe
| MD5 | cfc9776faddc2cb1ac7d613f14e09a66 |
| SHA1 | 2d2230017eab79d09fd227a4ce518702f26c0c34 |
| SHA256 | 839dc24a75bffc9971b4bd9cb201f2b99778608f297da02ed8b2f4427c3ccec1 |
| SHA512 | 8387cf1e9992487d1974f5ffcd4822867e89dfe614f839630bcfc11da0120fd6f2169da744d81f2d631908ca533251bc935731b852f8a39e9934bd4c12a7b7de |
C:\Users\Admin\AppData\Local\Temp\RoIk.exe
| MD5 | 04424e49249de523c607289a4d71e00a |
| SHA1 | de0838ab91f20a2eb6bcdb328eb96195b68420d8 |
| SHA256 | c6c0cdb31f698c3fe662e79e6b45d72d07f546ffa27916a23286b198d5a7b2cd |
| SHA512 | b9be0b8b6a9f9d80367a2d0c58187f4ffdf6c0b3d4195904565de8bdc0ad852a5755bfa484819df8770849afe215b10be8b8f24dfe5689818bcb401f593f79a4 |
C:\Users\Admin\AppData\Local\Temp\VUEq.exe
| MD5 | 464161dddb1b0ca6d1b6921fe7cc32ca |
| SHA1 | e28c8bbf63fa58e13fa5db61a4b21e18abf62f22 |
| SHA256 | cca4d4dc8048b60be6944db7df122fd7a67a7ed931649feeb317e1e28c04fe26 |
| SHA512 | 1d999ec70f3d414afa4550a9ace5c319e2c8b6578752c1408a972d16f684422c20d7a72fb253817df2eed6fc54012dbadd361f99d8e9c5c795460f913f8761f5 |
C:\Users\Admin\AppData\Local\Temp\ssIm.exe
| MD5 | b739927c5e465f2eb98d2471b9382108 |
| SHA1 | 5589623f84986494be6a974abd8b905a586a5605 |
| SHA256 | d19458cb37aebbf6c984b591fe3f6e9d52799293e0f3ec7db91ed42f3c0e2e58 |
| SHA512 | 9c258b0fd7a9aee22a3e14b6973da32cd9eab4dbe2d9de4a4bbdc4cb3c42195d54cfbbe88785aed5e400402a745be704352499c8cadea37cb60112de100048c8 |
C:\Users\Admin\AppData\Local\Temp\RIEW.exe
| MD5 | 8ed2ade5ee5686347b50bbd36cb19a13 |
| SHA1 | d27c4b6d825463883bd5fcac9178c8e238c79c43 |
| SHA256 | cb240346637f31381dd90527611e4b80775c33baef73794ff31ada50fdcfa3a0 |
| SHA512 | 25331afd87521f23297e35286cb8e448d5801cee326df46c8f85556cf5a176295dc2454a4fd52d64e07352128d07ee983596774053a7081ec584c6e9447229f7 |
C:\Users\Admin\AppData\Local\Temp\NogIMYQM.bat
| MD5 | f4cc26788539469a642fc78dba35d5e8 |
| SHA1 | 843da7f8df20384cf94ae42e6106ebbc87314bac |
| SHA256 | d0cf0620e4809c7a2f11ca897fbb10406e6517431bfb1d16ce4fcfddd0bd82da |
| SHA512 | 178b5a2eab70c328056676e1afe9868bc66cd6a49f7d19140eb546f4c40c9bc6506b0c03c5b083aae4f346574ae41a3f11a0d2c76a193f4a1fe3d855787ec32e |
C:\Users\Admin\AppData\Local\Temp\BAYe.exe
| MD5 | 48e90e64a7c9362878c62129e99ee980 |
| SHA1 | b71b6fbd5ee99f143e26c7e07fe447ef41831582 |
| SHA256 | 6e076797c5b180b2a58032602c95324c14df169f4d227e26c7bf5dab6448ce07 |
| SHA512 | b60750c119223a8416f9b35d9e3189fe6ec2def9cf665585784f295ba3b6c24fa6d9290288f579e6e6c416cd0bd54c518bee2187742ff81a25d2d4b9a1e3af43 |
C:\Users\Admin\AppData\Local\Temp\VEos.exe
| MD5 | 91562ee497602b6c30ffd267ab2e4951 |
| SHA1 | 28724b3bef74558e13dd8cd260f6b9ede14f3a06 |
| SHA256 | 82509030372b2f9babcaab569811d48907acd5c857c0313810f42d2c70cad30e |
| SHA512 | 40f52ae5ccc9e618c5fc3d9f3bd06daa53493f72c86d2f6efc4efc3a33fad9ba02a0f2307f95d94ef52265701961194e18c3d5b4fdebee6f6da353690d4199ba |
C:\Users\Admin\AppData\Local\Temp\EEoM.exe
| MD5 | 94527dbfaaa41092b5d99cb9f866af81 |
| SHA1 | 535e94c0fe7a99faf4b49a234b27609fe9af9ad9 |
| SHA256 | 4f3276542f46cbb1898d3de3829de4277f87dbf9d269901dc22809100a1dde41 |
| SHA512 | 396e3694fb56442717a00c4cc29bc3408189eb148ffb8b13d6d544407eb7f22bd562d9cb3bdd41dcc20087313c7d05e5d9fa85e2e1769ff6cde5a408ace78e58 |
C:\Users\Admin\AppData\Local\Temp\KQEk.exe
| MD5 | 5a520e6f18babdd7ea5d2078c43dd244 |
| SHA1 | 09defa0aece229c3a56f0ebaa966c55cad16f35c |
| SHA256 | d80d3d866d9bca613deeb44f1753bab8d79950dd2e6d396ce0ca58525b5bcbc7 |
| SHA512 | 215d63a0be1c7dbf7b41957973422bb22bbde9fd1c225cc9d7ef8163ff4e68535d1b12dd8fab166c6edc3ea1215b372acd3cde872f4e838579a02d433c9c6457 |
C:\Users\Admin\AppData\Local\Temp\lMsy.exe
| MD5 | fb9b7494b338c8545ebba7e0a3419e58 |
| SHA1 | d788de72e9f614bf4e80959d1cc730eee1bf0d5f |
| SHA256 | f2fdec182a06cbecf6b8a6977ffb15809bddbfaad786fe1c4dbe72f70ddc3d41 |
| SHA512 | 83597fc9b63ca772b0dd8e121ccdb918074baac9a0c3c5c3a0d6e25bf3cffa817e3fe2c154cc1df464a3b15b14e86a2b39e60304684432d066565da71a3ce2b3 |
C:\Users\Admin\AppData\Local\Temp\lasEYooE.bat
| MD5 | 7cd476a2d9806778e050cd142636340b |
| SHA1 | 1ec4e02dc3979df3fbdda5b8372f35727d5d50b0 |
| SHA256 | 4fb5f2a25f756fc1912b39b4e13515d0c9e22e9c01023a3f4555a93118a74b48 |
| SHA512 | c991253b91d5ad6cbe3839046a5d6fa78f86193261b83aa99eef56829954d44ffdc4606c4634363baa191cd2ca607fe19c0b2e7f42312ed1b4745dc41e5fccc8 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
| MD5 | a156af2494e9c51d6fb96d78c3018899 |
| SHA1 | a9d0ddf98b1f22c73493e99f8d85da96f740708e |
| SHA256 | e19444018c5f7b02ebe6a3608e3c881725915040691615ca4beb7291184fe5f8 |
| SHA512 | 008b20ff7a3ae79f6317c65614b426776a9911dd6ecfe77e907c514aff9ceee0a851557f6dd335bac1c4bb4b56b009664821733b0ccc5be42dd2f2b687e21a8a |
C:\Users\Admin\AppData\Local\Temp\kUkC.exe
| MD5 | 354339b866f3357dea3c95a7825763c9 |
| SHA1 | 0970398631dae165e1690db739ec6a6a2fc9aea9 |
| SHA256 | 58cc8fe50df70517565775d5d181e71461782a8117412ebf723f7c12e6017de3 |
| SHA512 | f79d1d2225741a1030678d488199293e9f10840e3bafac690e224c3be2570b99d4941cd51b44e274d6ed0239a0ab1cabaee784c021b6117635a8af0d9047325f |
C:\Users\Admin\AppData\Local\Temp\KgQq.exe
| MD5 | ce6c0756dd716dfebd9581fc60c7ac45 |
| SHA1 | cd38f7cba1600449b0ee984b7a410b182b6b7cb1 |
| SHA256 | df22be5f9027b4e7aa5c770de91b3683904d9a894c93374759619780a5210600 |
| SHA512 | 67b7de6ea7d938067ec6cd5312ff132ed863e29e7d4358221c827dad09ac2f7ce39d278a7221a1b1e602c7411d052bbde191873153e094a7384afeec397f3fb8 |
C:\Users\Admin\AppData\Local\Temp\JsUk.exe
| MD5 | eed0cab7e3928293a327c1f4f5d1f28f |
| SHA1 | a52f77d837f40460a49c74c288546244ab9581b2 |
| SHA256 | 939b9c68cb1ec045307aa7e5c9175859640c33014918ea0d97c962cae4f53254 |
| SHA512 | a76f8c0c65b4fa97f64f392c8a8a2547740d29c4e3b758720954005df26020ac13b7b178f25d644e3ccf19d8ebb4ba1d2c9aa53b34f5409185e4c2168beb42cf |
C:\Users\Admin\AppData\Local\Temp\vUkq.exe
| MD5 | 2fe9932a915a52a01100a18c1ff0b5a9 |
| SHA1 | 6ebc216ad0b7b6ff6c571d90085f569abe62860a |
| SHA256 | 59dd9122fa1c95309c3ea0b3ac0b9fa90e1d2ca5d2a77a7638cada9704198c01 |
| SHA512 | f1c6a466bb07d0ed0d30be2b7c7775091b225684ae29ce20a65ee498a7da8e64f06faeecef5ea3de6e50473c54f90a4d4710a3752a7dd653d6527b9b4befb7b2 |
C:\Users\Admin\AppData\Local\Temp\pmAccsQQ.bat
| MD5 | ce6657709e1aeddb66234bd984214308 |
| SHA1 | 9dd97beec55dfa4907b33aec73f49a6b08972167 |
| SHA256 | b17811790d874e0b2fe0dbdf24ed05ce64e5d95f28c7b74262df240c83f94e31 |
| SHA512 | ab811f397446d30a2b4ad777065c3091aff138db722b078432f572a92bbb2edaa020a2866d5ec93b7014b1e5685a2a511ed4fb9e00b82b73bf8b241756141359 |
C:\Users\Admin\AppData\Local\Temp\zwYy.exe
| MD5 | 2db9820eb386876f9fa5a801cbce88d8 |
| SHA1 | cc946830fe187eae8797fb479d409711d901a135 |
| SHA256 | 94ef38d6a206b6278249698e3194c92f2ce5156736c335cb7fa8c4b921bdabc7 |
| SHA512 | 7ea2a99d60414552808505a174550e2043d8dabd87b752e484b543f58917e8eb138f14f3c582115219de98abedff94633b6c39befef1cff83255324021652dc9 |
C:\Users\Admin\AppData\Local\Temp\vkAo.exe
| MD5 | a87746498dea8ee8dd9b563f86a9f58b |
| SHA1 | 7cd7434950378d56439d33c9ef80f20ab3a0dba7 |
| SHA256 | b2c39bd5abe06779f636c2d7701d98000157ea34617caa52cfcb4284fd92cdc2 |
| SHA512 | 62dd5b287ced14873c4ad12c5cc7486eefebb77f06211eb29b6991e6f9d8c347c047e2858604e598c6b4589e03c4280605298b52a134e1692ecbfe79285fa803 |
C:\Users\Admin\AppData\Local\Temp\dIEe.exe
| MD5 | 224da11a63b097c4a499c782955c6464 |
| SHA1 | ec5d2004aa913c2f0abe868a61940e33020e2087 |
| SHA256 | 0e00202f69a85b22e25af2c8691ffb35f1a5ebfc53e82762563687ac06089988 |
| SHA512 | de3318655dd0292cb4e37946ac6938948b309efe42b5434c0f2cf6a59e9db3422f2641683ac6902e6f7bf147576907d931adb564d7e4842dd500b5a8f65779ab |
C:\Users\Admin\AppData\Local\Temp\cIMk.exe
| MD5 | a3aad2ff2378bc842bb8f0d0d3fa5f1a |
| SHA1 | c71501adc841c328df13f19b874b0ed9f80681d2 |
| SHA256 | 358447a1b6b0c79a28d17dfc5e1b61a85dbb3833b1743b25d59201af92a1e2d0 |
| SHA512 | 4569b6461e1bbcfef16d2f0b7ceae10f8d161837d4934fe2315c491a03c4d8ac4d5e7c52579c4342c56c3f7135267f28eb467cc665b6553f447c38de15a5936c |
C:\Users\Admin\AppData\Local\Temp\PQYwUIYM.bat
| MD5 | ea167a13a7c62a1e85f5eacd8d2c7330 |
| SHA1 | daef8829b0f0dff6961eede372cf94fb5d6a1fab |
| SHA256 | 445f428d4180a587e966607a5d0c5353cde9cfa9297a8a43b4c94503ebe2f050 |
| SHA512 | dd25be590ab4c2ac6f22313dcf23f269e6e2e39d04569dd621f8eeca4fd0377a877c55e4f709df5ff320c19b758bb536987f8d7a3a4bd9123cb401e62d40dbf9 |
C:\Users\Admin\AppData\Local\Temp\tIwu.exe
| MD5 | 52e491a9d628df2f1e352ba7530d3fc6 |
| SHA1 | fd9a01b5fdcc7e56587c2a73e8b60eff034e3b18 |
| SHA256 | 0251277c83126040265884e1e12de0b6c1cbe7805ca3a4aac22ea6605cd4e3d6 |
| SHA512 | 90beb55545df71ca8872c5ace9d3df8308e525dbd95e69ea93e47ae046218ee7319ee76cbdd01d6ed3f40ba1b3b58c455fbe872fb2ba2f156de245ffd3410a01 |
C:\Users\Admin\AppData\Local\Temp\jAkA.exe
| MD5 | 4020601afd8b20aad880520ad5053ab6 |
| SHA1 | 158fce992e777cd08f07140cd625574dacf6ef8d |
| SHA256 | d48833c84c89bcc88b79f17319703700d6ca241e7645c5d81a647c25153e1e8f |
| SHA512 | cc2375b67375e349413916bd83f50e1e71bf3b3880fa8886a652e8cea6af39908044edabe043c9aafe3dce4f312f77beed2e46fc3ebbb1d903fb438b8c85251e |
C:\Users\Admin\AppData\Local\Temp\pYAc.exe
| MD5 | aa648719d2c5ed18456486eb237b25e4 |
| SHA1 | 5c384922e9095b58504e83b5c66faee353eccca1 |
| SHA256 | 7863d33a294f62192c7a2eb67d05670558016c4ef0af96fbbe340fc71c677aef |
| SHA512 | 089c8dd00dbe3c7a5d110cb90a3e8ce8c8e0210ace7cf596c46c65abbe87941b51b7fb3b70b9cda150adf05a5e58df24b949ed971dd179f69fe7c5be998adadb |
C:\Users\Admin\AppData\Local\Temp\ZMoQwEYs.bat
| MD5 | 218741e5dd3b7fd35b675cc9add41d73 |
| SHA1 | 61f82c821ecb9c776d166b1af5547c6131e964e0 |
| SHA256 | b62640984c8d00ed844c7b18d54d4ac784a5d1b010405a18d757a7d3d987a362 |
| SHA512 | 1a411fd1e2c9b81e9badc872c5aff39bd3524482f038966fa330a9a8673047fcf597b58a145b6fa9438d3b27173a57623daec6f2a6bf4aaf61928f421344c15a |
C:\Users\Admin\AppData\Local\Temp\XwQO.exe
| MD5 | 7c7d8b1a911c887bf99f14177e3edd7a |
| SHA1 | 73bee54dbcd6a15e6d6140e3f13347f14a502ec6 |
| SHA256 | 72d8b632d84342c6968622e38142d703895676c5d71bd3ffae9d4a5248b5c882 |
| SHA512 | 12f98872425a08bfd28a4e241a006d33d6e7a7a1a01010758293404a65e44643f536e3eb122c356e8aded8d18924658ca36e085b46fbcaa11a281f824e0a1d4b |
C:\Users\Admin\AppData\Local\Temp\UUAA.exe
| MD5 | dd96dfe37bc1c8688d9cca3785d79d80 |
| SHA1 | 2521c28d47c258af294a1ae20e58ab5e8ef4d630 |
| SHA256 | db2cfa1ac3ec3948b343651d205d1a6824ea399a05fed14fdc40b540aca12a88 |
| SHA512 | 222ccf81d7cd3ac6fede8fa4c017de9bb4e23c7b093eaaa28305898355cbce63d8210c7ac6bee5d77232174456834beddca2b3bc4860bed1af8905c2b5523eec |
C:\Users\Admin\AppData\Local\Temp\zwMm.exe
| MD5 | 604662c90bc0419f4d5337076de23ea3 |
| SHA1 | 598c91bc6643c7c89fb204b46b7fbe47708d4089 |
| SHA256 | 58ccd7967935b4838beebcc2b6f06a442212cc3c06cb22a8a259c68ae9eec101 |
| SHA512 | 262735326561d7c50621b6f0eaf1b465ffc53ec340b56726e96ac21db19738c1bec6aa2cee51fd2d4580c43cdb9d67d3ed4a1112a72618cad6f1d71ad9674668 |
C:\Users\Admin\AppData\Local\Temp\SIsG.exe
| MD5 | cb7de37b8c1fb1fb1d12535ca4a0cedc |
| SHA1 | f33bfaac6f3ea5577b33f1655a04636a4c7053ff |
| SHA256 | f97373b32a1f37a4a2730b7c32a1b3c9b8be098d7a0af41e6e781f33adc183be |
| SHA512 | 207d4dbc05650de55e8a1f3e198ebfc4e0e1d29809369ceed916ed8a4b65b95329a349e259860ad424ff14f8f7458c33218676b8720956c3ca3ef77477ced466 |
C:\Users\Admin\AppData\Local\Temp\rSowIUMs.bat
| MD5 | 657b63c927e5941a0423b5a3db4e0fa0 |
| SHA1 | 3182daf0fe18f59282f5f153a9b1c427cff42c14 |
| SHA256 | fbdfa4307fea03107bc7fb4e63be3e8d2751e55a60dee8d7733c82157d9632ec |
| SHA512 | 21d5f38862f5d362382ed5a5693b2127fb37e063014c517c3417d0190b717deb5d318117f9e184e43a95e08cd6f85d90561e9dfdfec4ccab7236b47d8e7aea3f |
C:\Users\Admin\AppData\Local\Temp\pEsG.exe
| MD5 | e51bd40fd9c61442d7013597203792b6 |
| SHA1 | ac2bbcdb3d529c6084ac8e730cf53e1e16ddf12b |
| SHA256 | 3b5a941f3f50aa9bf2d680acd0817fd0cc70c55a4b3c9f1c17d93e621e67ff61 |
| SHA512 | 3f181cd44145ab75c18b9e241744a5a2f9475d33e6e3b291b3dcf04dc8f3fcad0f4947916b573fdf4df91fbdaca7eaeb27a4e65cf2d836ed58416cf1ae6383b8 |
C:\Users\Admin\AppData\Local\Temp\MAsI.exe
| MD5 | 87c05a5e8f389a0e112e6008ab145b6b |
| SHA1 | a4f983d54e675b22eaf78cf3e92131553bc2eaf6 |
| SHA256 | 8d4e95a0a52fdf19a034da0b8511697d4f11d903dce773d265283df9f300fd86 |
| SHA512 | d51beec2d277ed05058ceca663165604e7dc7066a40543ffce6a3d032f228a53eafa6068e3bdbb858fec3ba469105f16dd6a321d90b8a25e29a8388819f86a7d |
C:\Users\Admin\AppData\Local\Temp\ZYIq.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\BooA.exe
| MD5 | 3fab7d53dba6330b0e591797adf04016 |
| SHA1 | 63499f979bd27c1183bd87daef4de52fb6a49466 |
| SHA256 | a6d038c77aaaafd7a6deeeb99c666bffb680786d74837a9fda9e14cd1c32e864 |
| SHA512 | faa4232d390feb1f15d743747182ef79b443ba347f4472dbe5bdde7937ba15b8101dcb4821de17f5fdd4dedfd502a9620a4653a9a7b3740b1c06e1733dcfe40a |
C:\Users\Admin\AppData\Local\Temp\iAIA.exe
| MD5 | 2b997e1cfcc0f5d4cee7d180513fc42f |
| SHA1 | 8b2dcdc5d324aeb32aba4d518874d373048cf041 |
| SHA256 | de87e9be3b0ed91922129208f9f65918825bb6a6e909ae144c20824b02c90c14 |
| SHA512 | 61a07ba922ed858df04238d839f0637428dc99da858ceb82a535a4d30e242e4834e8c784606320e2e013c943bacc1ae2bc2d8d96905cf2b3cb7af65f5874541a |
C:\Users\Admin\AppData\Local\Temp\OEoAQQII.bat
| MD5 | 0ec96f7c439d0adf3ac4814dfadac45c |
| SHA1 | 2f2a72dfa88b3849b646dfa100b250696952d4f4 |
| SHA256 | cb2e96d88c9c7119176d654472cfeff8fd3d27ea7c4f5bc448a3ab333d265531 |
| SHA512 | 3642f09cf3b8e975f0d87cdc1ec5eb9afbd5495d8ff6161c3b25b173db2ce913ada17fa2f7f3ab738287cc2be08ca548f95caa6b2ea21cdecff9a83003c7c78c |
C:\Users\Admin\AppData\Local\Temp\SEEm.exe
| MD5 | 6b68df9900e848c706d570d9c1b82049 |
| SHA1 | b665b51155ce9ae67ed09cb09bb1587e51fcb1f7 |
| SHA256 | 30e74477c26cd0f8d5879421f01c3f9debbf8fa008e6a97e7b729d32fbec2ae5 |
| SHA512 | 6a99736e5ea65c9e6f93c45f44dd605e98e22f9313e8249ca047f7bd5c4baa1dd52de10e0db88c8d2f92836c6dbd77231992964910a7e11a7abe5a3c8247d720 |
C:\Users\Admin\AppData\Local\Temp\lckI.exe
| MD5 | 656e299a70fd8bc6ab78f38e2434b0f5 |
| SHA1 | 5cccbe7f2f0c45ad3b4b39a3201613f0490759e6 |
| SHA256 | 7a7c70dffbc8513867fb17ba599a7ce53cd923c3ada4625a622723ea22326bab |
| SHA512 | ba6a28b15f4b900d9d48f73555f924b8bfe0bcd5cc195c8c626415951c2c16456223a6243ab19ea9ac750af6b7895fd21e5238fff1835498995956a0d90d7787 |
C:\Users\Admin\AppData\Local\Temp\hsAw.exe
| MD5 | abc4710687724e7a757fc5c07947707f |
| SHA1 | c6e395e2884891f6a05bdc93d7f8bf2adf5f5e66 |
| SHA256 | 62f5e926a84f14c9b0d010f377110a1d56871ff1eeb3d55912ca82f377eb7c73 |
| SHA512 | 3144c542322da9e69ca603e58513c7df3aaffa7fa4a0ac4ba1800dd8bb7ce25c63e0aa96fc86e5253153437c7346d1df5e59598beb889c9f8f1df8531185b713 |
C:\Users\Admin\AppData\Local\Temp\pMsi.exe
| MD5 | fbd14adf17ffe324382524ac3802eb66 |
| SHA1 | 043b99bdca95f974f5b96fc81acd0a6d25368127 |
| SHA256 | f34c88e35ff05ec3e7c8303d342ca45267a3b6d260ec2b9e0c7f1f61daee73ac |
| SHA512 | 883227285d85b1e183d4365deabf33acf1f6bb7cc59c22121522ac0700b6d9a659618f577a043e1954d7dd061f6364583c4bd1f56eedee7821b642e746b886b6 |
C:\Users\Admin\AppData\Local\Temp\xwMe.exe
| MD5 | 2836ea6f82aa52a042a2690af834a5f5 |
| SHA1 | fed1d7e426b4ece3e251a8044b5f14aa2926e1aa |
| SHA256 | 972de222a24913e3a0184ba263486933327a3929549643f68b5ce5283ab4c0af |
| SHA512 | 11a09668261f1ebc7976ced4cfeb56b5857e0fb447b57c5f22b141144a05865da1d9881a51f61895472216b22c950d28a22fc2c15e6d4f78ed3e8749974ef6ee |
C:\Users\Admin\AppData\Local\Temp\ekMk.exe
| MD5 | 0c97d36e65ffbff7738ec3e4871e8a96 |
| SHA1 | 32a9219ff2192916713a01ade8c1ae94eeae21ab |
| SHA256 | a3d8f570ad6d2302dccea7105d3ae11407088fb30857b94090c88226cf3b52de |
| SHA512 | fb0fe9c71004f96b77d9ccd07e55c49a1fd1751013a8016dce372fd991f0a9f5eafe3059035fd2cb5fe3f23e6eacd8259322527d62b674e7a8448601ca665c39 |
C:\Users\Admin\AppData\Local\Temp\JswM.exe
| MD5 | 354b7c91bd0845391ba172791aabaf7a |
| SHA1 | e92a8b385ef38474ad41d2d63b40484c653c555d |
| SHA256 | e5dee4346292b2f2c9f6c9b5b7df5a32179c0eb81d6cfe58dc3e26294050463a |
| SHA512 | c84f634329cfabb7173dc8020bbda192c2b3273f6135b9f1b58c1d8eccd2be19e6294d09967136c8ace666dc84aad04150f3902e8add5c2c21ccd5ac29e9a31d |
C:\Users\Admin\AppData\Local\Temp\NooO.exe
| MD5 | a71b82326a507972690f8debbe03b634 |
| SHA1 | 3383a37b58becccee1a5849d6d0d731d52a6dec5 |
| SHA256 | c91c68fab9aab9cfcffe7e2030155f359b2e3c49927c331d2921047081ab6280 |
| SHA512 | 4ea7a89127922179fbed4458f3f0718791c41b0104314f810200fc359bebd2d618adadd665b133143c8c4df367f9e0655e739d1dcf5e01883ebeb32b29666d73 |
C:\Users\Admin\AppData\Local\Temp\xgYk.exe
| MD5 | 8c2295a9c24870d27aab7ed3a3fd0d78 |
| SHA1 | aa11c98649ad975672f5c56eaa632bdf152627c1 |
| SHA256 | f9ec1c3a58a288909930944d4eddefc1c75d8782a69030cc26755c4113227d3b |
| SHA512 | 91cace4b6268c060386765c936b177bafd741c7679e996647bf561bdac91971492cf21bab2d275d9ae9a9f49afea1e73a9a3d1565781fe4ef00edd51f9f66f8a |
C:\Users\Admin\AppData\Local\Temp\nckA.exe
| MD5 | bafb7f1b585b77a0bcc3774ac24aae57 |
| SHA1 | 8c83ed7fd8c852cdd11e51c4f8ed3c372199f7e7 |
| SHA256 | 679d4517d206258b5ce4030ef2dfa349ef2ee14840a3a156db9740bd6078806c |
| SHA512 | e610e3ce685bc04498bfb258c19d2af2fd2f7b58382578945072ea38cbbc5703e903ad1f9a74a980dadf9ddf132da1690eaabbdc92f4f79525f4ea2ff697e4c9 |
C:\Users\Admin\AppData\Local\Temp\MowQ.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\BIsm.exe
| MD5 | da2b360e951c6e7784f7baed891a12f9 |
| SHA1 | d12306f78f51a21eaa96c2fe26659c7a2b108c9a |
| SHA256 | a45b60691a0ac9a84d5d59442410fd766d33744c0612077079d7d2e29d08f4ad |
| SHA512 | 809ceb04eaa13ad08960e0a0f012c0af8be77a01aa9eeafe46075799e7b5f4e01f656a7fc09a173ce7a21299dc278900044e9cff77481c143ffe125561f6d8eb |
C:\Users\Admin\AppData\Local\Temp\SMgK.exe
| MD5 | cc6914ab4cfc42878a91966ad90c88df |
| SHA1 | c6432812ec321ca7af7cc45de7476ebf4e2186ee |
| SHA256 | a3524a75f1baad87b66f19e2ac46d7c191070e10950e57a7aacca6b03c65bbb6 |
| SHA512 | cfe52cb5ba486b4ac313b976b787fc3b6617657ad799282630d8b376c91e9dd3661e41b860899cd848600e776f9ea4d75654086e0fb3810553ed3ad2ad2d1c7a |
C:\Users\Admin\AppData\Local\Temp\tIMg.exe
| MD5 | 5d78c27e92d8057c87b657b5c9e534bb |
| SHA1 | 96aa0c6e191ba0d29648b81137a7c115ea5a3181 |
| SHA256 | e802d2dcfc2bcf8d113d6cbc8f26a8f5f57bd6ad1e1ba3500b077e3236793d6a |
| SHA512 | 22a1bf4bf26b45a327651f28d8ef6b8e9930ab88b54b51e1db95914e4f0e0e85e068e1ee4b85be2dba13c2e44b41dc71d93f2deea34a39eecc163bb11e12b309 |
C:\Users\Admin\AppData\Local\Temp\lgAK.exe
| MD5 | 372dfd4671053dc326409113ea306512 |
| SHA1 | f84bf3e5cc0b37906995841960cedba055cb6f0c |
| SHA256 | 5a5382f70ba9b4cd81bef5c30f4228254e9d75d659667820551aa27cfdc7891c |
| SHA512 | 21f0af6a954792daea7f65ef183ddf2739eb1754b10b25b46af8a66de674c59d0a744986178e3cecc6c480bd88b67b1769f909f9218998f7e0dc3653bfbf978c |
C:\Users\Admin\AppData\Local\Temp\wwMe.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\ywIg.exe
| MD5 | d155801f4b4de1b1efd7aab1ea08ee60 |
| SHA1 | 70987f789d7e5249c3954d40baea1bb056b6b942 |
| SHA256 | 9f511af337d2bad0caae08cb9540da51da78d38715f5d0a94765a7bdbdb429bb |
| SHA512 | 6257ec984c5dcd011b032ba51c1c660466fc5d5743c2b3bf6a0c7371f2cafba9e544749c8e4eac853106de78805c1b9cb6f68bdffb6b2c5ac6d0ef20d42fdf6d |
C:\Users\Admin\Pictures\DisableInitialize.jpg.exe
| MD5 | bec15382f4c2ce4dc24657c40554cd22 |
| SHA1 | 52981718b0432d131a59ea805781d40059219f73 |
| SHA256 | 1bd6e5ff2672b7c9fb5f98c88b1310eb32b98888598f698e56a3be4405367827 |
| SHA512 | 0e62adf6c12f8f74fc2eb900fbbd2698087c8e48fcb07fdb1e64ece73cc5eaa65b6facc0d2a6b534a738e3d64024ac10e537df79178800156d2f885e3d3ce998 |
C:\Users\Admin\AppData\Local\Temp\ZYUg.exe
| MD5 | 382e54a770b4c32cfc9680ee41dbf498 |
| SHA1 | b2ffc6eb1d2e8e7e9796b0c46cc8fa910fbe1f79 |
| SHA256 | 1d853e4a7cb1fdb748f38d719eb87adf3e2a35e663e416523055f054e49be50e |
| SHA512 | 948506c3ed85cbec9a8a686a9061c54e8647935adfb9433b46bee2022904f237cb1c902578b54d8c6bc3ee799728b07e830d9f8205c1df440f0685f93472ebba |
C:\Users\Admin\AppData\Local\Temp\lEUq.exe
| MD5 | 43a6da623d46b2925852140758295e30 |
| SHA1 | d2145d4fe5742d0ec5deb4570a2e75f37054ead6 |
| SHA256 | c2e203d0dd89a0339053d827cd3097c18102e0ac09dc2dda9de7b8e8e9e276eb |
| SHA512 | a4a049d9363b94948068c5a55c9feb070df4c893634efd11547b0259e45c019e337a7a56746bf4859c0c5f19c1147c18b9ed393e039ff16b7391ec8148743e66 |
C:\Users\Admin\AppData\Local\Temp\LAgu.exe
| MD5 | b280133cbfdba31d95461c03bc1143e6 |
| SHA1 | 46ae131fb69de5f60e2f25b9f675b19544012bc6 |
| SHA256 | e93e9744345541e4d8ac1b781ae4965550c16f7a87873207ac13979404460050 |
| SHA512 | 468c2e751f50d5a7953f928527e012cc1d7f9cbc358892ed79e2f1641f6c6d36d2e07aa157f744ead9afb9a35f92103ad95a90bf6b2f9594a35d554e1461b323 |
C:\Users\Admin\AppData\Local\Temp\eUsy.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\iUgK.exe
| MD5 | 27029a9ad94430e453ae63b36d762677 |
| SHA1 | 0b5f5f6360052babd2c857f546379c94d90bef45 |
| SHA256 | a90d87d14223d06c69d948bfccf8ac670888a6a47712f9b7c6cab964df7c76e8 |
| SHA512 | c51dc25132f5c4c73607cd402126a522f430f427996a34a9c752f326a39fe04593d73e6b267f1fda45d3b0342ed0deaf7a5f2325f5b792ec1edddd9fbb87d9be |
C:\Users\Admin\AppData\Local\Temp\usks.exe
| MD5 | 8ab7ca97229559290d77b8748e9cd2f4 |
| SHA1 | b35b5e0361e937eb88ac14fe279cc97d41009d10 |
| SHA256 | 4a3c6047452284930b7fe7387ea041d9c85dfba7a10fe0e7d54cb8d340318432 |
| SHA512 | eec8e17e8c92255180c94a36b577c62c632eda4bc761f19a9e9bcbb95c82f0501c285fc8c9688de9f174f52517e1a71a60fb13c736af23db0fb27686d9ab185f |
C:\Users\Admin\AppData\Local\Temp\qQgQ.exe
| MD5 | facb1f6e49e83d6bdae7156d5f9d3fa5 |
| SHA1 | a717a5ae8f322ddde9f0f10227cd821443745ed6 |
| SHA256 | c808e5417c30e1ce831c61fcc4dfb2ee3658e7b1a5339a1cd745c43f1f3c7f71 |
| SHA512 | 5ab8dfaf985ebde52c10153d8cdfab5769ce933affc42f91d3e512dc579bf4240adbca15113afee4e3c90f042c3a2f111d7d9d23ac195aa60bf769b687472518 |
C:\Users\Admin\AppData\Local\Temp\AcMS.exe
| MD5 | 233d35e874aee095a1261875748abae3 |
| SHA1 | 63b259c4b3d8a2389833c8858ff3b7407ee8e394 |
| SHA256 | 1760953e97bc2116ac51b6a9f09425c8e7284fcd991f4332b1cd290af939c984 |
| SHA512 | 5f1a57349ca540e226c008f03a0feb38e2b41004dc6368e8cb87f72a4f765b92a57b6c30f8c7c2240071d0090328fa931840d32b1f597cfbf9346fb8d5442ab2 |
C:\Users\Admin\AppData\Local\Temp\lMgW.exe
| MD5 | 1a5557a020626028a8867afcde3b1518 |
| SHA1 | c92fd1b39167abba015b2fcd7a46bd2220c4cbd8 |
| SHA256 | a0ca4bd2bf49ca27700ae4226115ed3c9cb20b6b270c54e670c2abb8433f759c |
| SHA512 | ea3be8201f69eef53134e31ba9e38ef7e07a209c6316b0ee0d29fc01674c9b2cb410703dbd440d875f4501d81d31c871f6f032b978fbbd6b3d85cf6a8dfa9352 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 1600d6138a436b69768c606e8bbde66f |
| SHA1 | 41654a75df307e99837aad00a22c994393033f8a |
| SHA256 | 8da1ac092a0da360c66cfa6a9e5eaeedcc17d379a278a47b53a99dc06e0f9fd7 |
| SHA512 | f24f5734e17d88b4e5f43fd838af6413ab7af27bef4143bd6d3e7a06fb22af92667bdbb70d743f6c49f386d6a0219e4ee55cbe69e4c0f88cb4346febfcc58d08 |
C:\Users\Admin\AppData\Local\Temp\mUcC.exe
| MD5 | e4a895f54b532d2c78326f51637db822 |
| SHA1 | e01a72671228180b98996cc8bc0646639b0f5608 |
| SHA256 | 54d9c36c2b8a93f9d580af0d50fe7c88cb5b6357331ab014d6cb955bede24ce3 |
| SHA512 | 50ee635a2ba07937a67fc2cf03bc1a73bfc72726d47a23042866cf36fb62665894e3b1ed0c7afe96597a8f684c68188633b610e7d6bb924af1c7f5532c8db18a |
C:\Users\Admin\AppData\Local\Temp\UYgo.exe
| MD5 | 22685db933cd31969c76d8fa255de110 |
| SHA1 | e08aa610ec4842cbe842e91acdb83dff8a3d308e |
| SHA256 | be3c326bea636f697c2865bde120b002617fd2df6245f47877661b70c78be63e |
| SHA512 | c97b7881379056c2c61e7ee8afe751d33ff653e5f50e5d000f56bba57cd27a55dc18b26b1ed7b2622ebee4efe42819181ddad380840fe27c4d938ef0b6148c1e |
C:\Users\Admin\AppData\Local\Temp\oEIc.exe
| MD5 | ca2c9d1b22991ace3cad43eca7d0884d |
| SHA1 | 9248641dc64c80d68ea76f3078764a3ffe5e11af |
| SHA256 | 9a4d26a10098883eacf670b25356de33efbc5ad2de5c057823131c9f109565b5 |
| SHA512 | b882e137b40bce73937ced7df38d7b6d7bce5562c54abc643db23a849c15c7feaf5961f9c1b42bd424b3a0ef9d158ab163561f4d4bf0ee8c799bf0bd21036b5d |
C:\Users\Admin\AppData\Local\Temp\Nowk.exe
| MD5 | 1868d354803846229ddf607ecc337c1c |
| SHA1 | 62673a214a901e121224e4d8b20eb43276ea143f |
| SHA256 | d8a8e3c6101935ac430567026ce049dd4dff0ee33a7609c98d0c4cbbe1aabb71 |
| SHA512 | 0e00838e95d91d9ef1089ff80528697d532c9efca78942bd3c0d536d68843271675dc1a8873ce62b6330abcea8049dfe68a6683839e747aef5aa926f7aa4e16b |
C:\Users\Admin\AppData\Local\Temp\HwgW.exe
| MD5 | 09a60568cd526567d34abe1bd68a03d8 |
| SHA1 | de396922c40c7f3fae859e77fcf2652aa04d77bf |
| SHA256 | 62f06b2368e56c99c407f2e1a0ea4ea607d602d8f21ed2237d696548d411f203 |
| SHA512 | 68281cf0cef9638ed3b52f71b7d99c48fe1e59d1cc802a0e520460e023b37430fef4364cdfc3a25289f5602fd8afde8bc27e1d073c59c49efc5d931f04e0e8bf |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | 51c5b7e51fd652c11c146d6bfb99dc4b |
| SHA1 | 21288dc28cbfc0852f6af9007ced906652a3ec81 |
| SHA256 | 463df88a03da40e41240ed939976111e74a17467c12a021d6f5b59f35afded58 |
| SHA512 | c77944c24cbee0846157ef612f65e41b023cf87d25c87725d99d8dce03e2d87bf446098aa0b1dffc8affe575ce18a6b7095ac73eb0e2c4d544db040428a917ac |
C:\Users\Admin\AppData\Local\Temp\FIgG.exe
| MD5 | b90554c5187789fac188404075782192 |
| SHA1 | 85905d8615f36df772ad8926951db8e573e357dd |
| SHA256 | 4b06a7bb95eba00231a5a39f5dec7821aea78e5877e328328658eda5ea868b59 |
| SHA512 | e2c39b8cf833ebbbaa6870d4dc1e1a92888d251b6c4bc75b426ff82d7e5cdd69f2fc5a08bcb111f577076dc9f14e83430be6ca9a88b9c5e8205fa684a051bf7a |
C:\Users\Admin\AppData\Local\Temp\nUsI.exe
| MD5 | af343ad3bec63cd15e0e7c022a9ec737 |
| SHA1 | 14000df073dc57e55a5844071a9ccb745ac51e81 |
| SHA256 | 0a61a18b47657f1aedebed985bed9db302c6e16b77f6df3786a842b2e5d27902 |
| SHA512 | 88eb47732dcb5d367ec363193eb53d33185c29b35604a5e7dc526d446cfe25c1a159b52c4c6caca937bbb11ee87257bcb871b0e87c95a9905261a81a844dc4cb |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | 72a7f1689f51f9924120f02f512a9ee6 |
| SHA1 | 189728b08bbad4dff9a9fe7509ede0dd5ffd99c6 |
| SHA256 | 374c5036d115f44856418c44d253ca3eb9285a2f74c21d7bb262ae27ca8325dd |
| SHA512 | 6f5e5938c43320fad6393042751c97ed3abb465b6e89e9fde9c4d56be0d63b5a94370a7d0bacf3a9f24ddf2d2ffd2a27dc2b9fd9bf28208c95ab0a452cec0714 |
C:\Users\Admin\AppData\Local\Temp\NYEI.exe
| MD5 | 18caf70281d6f586a836994b7d50319b |
| SHA1 | 0911c81b6b807cae9fd3ff513d121e658050f35c |
| SHA256 | 74737ca06be475d79ed41ea448cd2ebb13bb46b66713d88a32fa4f779da1567e |
| SHA512 | 1926a711c897ee1255069f16bc213dcdd899bb9e9d1f7574b65ce0eaceab3beaaf038c5131a3421d839f2d0a3b582d2a37f3075d0b5edd4ffa5923a2b540fb61 |
C:\Users\Admin\AppData\Local\Temp\Pssm.exe
| MD5 | a92adde99c967743c876b33a6b5b7ddd |
| SHA1 | 3e52f7c6ecf9982fe9adb3bcee3982ed79c28143 |
| SHA256 | 731092918c07b5343c49c9b0b0e54e953e5c3a14fba0279941db398fa93fdac0 |
| SHA512 | 24f7385614ec4baf1f6c97318b613599f0b53c3218518a5e60b8560b807bffb38909d852ce1f9cd226957f946d123afe822b2a797c4f6fecf6c4661780127a25 |
C:\Users\Admin\AppData\Local\Temp\GMMk.exe
| MD5 | fc48274ad35478a717a80fb08e6149cd |
| SHA1 | af917a0111b51ad2eafacbaa065846502b36a388 |
| SHA256 | 69dfa9ce9ef0c7ec59fd2e8391c831122426e322d8bed1dfbcff204d33020c96 |
| SHA512 | 3bd6dda1011a486529cc0133f0feabdfbbe02d640f19a3f45da392194a621fb8e807006004d5a83671b4b4fa3910a3f68dc45cc991d047f18b31e9938caef62c |
C:\Users\Admin\AppData\Local\Temp\ToEg.exe
| MD5 | 7839fced6c2d325b5f00bba5429250db |
| SHA1 | c13b06393e2585a6cdb4e13c4cb742abef45a6e6 |
| SHA256 | 35b5a951bd95db3fafc3201f873ff50db9d34a7ef30bcf5f1fa26e25a5d231dc |
| SHA512 | a6cead3a035d42eed14460dd9335da0eeca0d5f4e0d115fb4c1ef51a2f86b220f33c441cad5e0129b3dd3c3c186548e0d4814f3e3f7ca3318719c64760987f94 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | 8feae2b393d469aab74cd263352677fe |
| SHA1 | 2160b779881350cb303fbfd23580df3aed504b30 |
| SHA256 | c7570e0a8aaeb5e974546efcda467d45c2bffe6e72561f6d7371ce3f8e5ff7a1 |
| SHA512 | 5e54539cb05ef67ad7718bc6c88dca0242d3965ba1c498560608b1ad9ee92d41f94cc135a3363c31f6c94a45f0212d7dfedee5390057d1407d3d0e9f4042c397 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.exe
| MD5 | 06a271cce4816ba548340b947bbd5513 |
| SHA1 | d44c389383bbe9a58cd07bd20ef79d25a73260db |
| SHA256 | 1f3d5f888dad47dab59dbfe9e25f1a3ae51986fc26ca33e6a238c4a144f472a5 |
| SHA512 | f59dc96bd6728964e0a004c9b74862faf2ded88cb9aa9bf3392e0033fc7b01879ec2f8764fc470637320a90406b9b83dfec40a5a7aa28bdabb7f34f37cb75b8d |
C:\Users\Admin\AppData\Local\Temp\Skgy.exe
| MD5 | ab82b59c00bb02c620e80adc46762dfd |
| SHA1 | d436e1b72a388d62675d3f3326d31dcf50d75b37 |
| SHA256 | 730bba3a9a4b1f580d09f3d205745839fdcfbddebac78a5ba274b784976c50df |
| SHA512 | 25cc94c595e3203fcf602bbf1de54d1a6ba3c452872131c88d31d7c9633945a696210564744288177e50bbba3b0ad3bec1c943905494b0d8a4a33e1fdf0d162a |
C:\Users\Admin\AppData\Local\Temp\cQYM.exe
| MD5 | 5cc934dc858cb0937696a27976c13ab8 |
| SHA1 | b0cfb52fd45d9c89779dae56007ccf376e915900 |
| SHA256 | 28f6400bbb6d0a42795acad117ebce5128a293235b3b85c51ccad2c6f29de74e |
| SHA512 | 3b2f025803b9911ae2bfc40d7050100a539e75da6ee177551d017a11bda464b487e63feeca4ac0e942549892f15b8be77feacab6db708daa5a7a79ddc7a2b8d3 |
C:\Users\Admin\AppData\Local\Temp\jsUK.exe
| MD5 | 681d52ff12b23fbe8882a26dd434f474 |
| SHA1 | b901cf01616e6afd9afc72ec7ff67ef77ba91666 |
| SHA256 | 7559b5cc63998d466583ab0d168159b7a2b4a67602242b04ddff0fcf7a9ca6b6 |
| SHA512 | e8fc409b2e3d3e371074309da583744e01a89bd761bc9cec541502c8812e70a056cb05b1d1b5a08c2c89c7f426a450e237004dbf5cc88aded5b119cce82f479b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | 5732bca4170e052609d7c79444a01010 |
| SHA1 | 1f16d2bfb72e0c2792b215ea53ccffede9c3ef54 |
| SHA256 | 3d77e902f8954d0aefb3c1c76cd04c8b9748507b4fd20e73b287e472a2e6b570 |
| SHA512 | 5805a77924808d724a47130bc6312c7dffd6932d5c42d11aacb92f669eae2d2097df61bc4f7fbf940f586b2334cf624321ecad1c500ec4506263df35743ab272 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
| MD5 | 54b33df04bb1dc02fb0dafce045656ba |
| SHA1 | e01f20deae8bef111f9b0b9d58def4bd196adcd1 |
| SHA256 | 1e16273285d9811b7e9cf7ca2021d301c2ae095a0e6e04a3efba73fc269213d2 |
| SHA512 | 4140e3dde452455340eb8ee5062fcb0db2a60ca43d06e85e5284f270ef4d9b90d1c03886874826b095fc3d077453648beaf5bb0fc398a4436f35ab46ff0c6d95 |
C:\Users\Admin\AppData\Local\Temp\sUMw.exe
| MD5 | 2bbdfaf536e16e6c84d74e95f0535fdc |
| SHA1 | c81b718b23bb3c48d35163d12f24d33b6a9f6555 |
| SHA256 | 69752bf85befec5f37178ed41a70af6977082206bd9bbe36f8d521e901e0a830 |
| SHA512 | 1340d02bea79b73244777709ee9f490cca172f4622e700838d2bd09d3871c74be9c198f2636df958d15907dcc6001a9cb2638dbd4c8296287a29de90ed1bcd31 |
C:\Users\Admin\AppData\Local\Temp\iQcS.exe
| MD5 | 7a81361c1f3027e5a0daaea7cd511746 |
| SHA1 | 3b83eadfa447d18c05fad441b061e69bbfa46551 |
| SHA256 | 2478d37d8e534f4b896c7973ec47b1983f36940a463f1dc5e143a720fc0ba87e |
| SHA512 | eb3384e37037a92c382a7ff7cae9beb89e6349fae4e828ec407162fd56332e838b0f0dd2f3181ddcfa0ff1058bfaf3a2ff36bb77ba205978b900f6da5b03f68d |
C:\Users\Admin\AppData\Local\Temp\zIww.exe
| MD5 | dbb37b3e4f480c6e1baa8d2969e7e1bb |
| SHA1 | dac146afc51b5b4a479743cadeec3a51e8d0c315 |
| SHA256 | 539771f817b2df95b31938bc7d656bffaf5e3c7b6af56c18ca6e325b796e5758 |
| SHA512 | eb3389134980a48b464da96b2e4dd34557b9bbf3b70995d74195fb67d96664f67d7cc5193821657d65f272eaba105807a4c00a4791f072414135dffa29b93a29 |
C:\Users\Admin\AppData\Local\Temp\IcAY.exe
| MD5 | 041f581d37a3ddf0f1d68f5ded863dd6 |
| SHA1 | abbc98781f9e1f9baa7daca2095eefe215f2be7f |
| SHA256 | c14c388e694f6cfc048c35774f0ee5f7cb3d83a2e9dadec598d0daabf924ca5b |
| SHA512 | 40e209966aa72c21eb21cab55010d7e35ef3e803ac46ec1ef6969d058048a4ca5199aa3d5a965bcd445c1b4952e947b1f166a9e659b6682f2bd50036ca915cc0 |
C:\Users\Admin\AppData\Local\Temp\rwsE.exe
| MD5 | 443225af7f984c57e0e30dc63e34eb8c |
| SHA1 | 249305692e9d1a4ede11c1ed6e3b5b2582dd52a4 |
| SHA256 | 2b96e0ddeffb942ad5d01bae76f79a1f186738e0473e109ff63c3f7de144dab0 |
| SHA512 | 9bccbddf020ec0b5e486d03c92a105106fb8b579bb18c69cfcccfcb70be174059850d1232a789e89874eb504c17727e5faee37441a6e7fbfe2a1ae0369c6a07c |
C:\Users\Admin\AppData\Local\Temp\vsQS.exe
| MD5 | 0276de040a526cb3b5cacdd3cf6ee69e |
| SHA1 | f4bbfef9dc47c42a23dd0ee5f2964ddf7b872f83 |
| SHA256 | 19f040c345202978ca2890ca0641d4be027389e114d2a88156829f4fc22f80de |
| SHA512 | 43436384b85b94516d0a472a4763ad623542daff1af6391878903ccbdf8b72f6e4398801fec6e0fcbb89aa3889f3db54f3a25ec7cedaa3d514b4253c6b2bd9a7 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | b0d5100557b9558a2f962b4004118af9 |
| SHA1 | 44479625e3165244d7433afc5909f372c6585343 |
| SHA256 | 6e7741f2fad4f240b4ad5eff53a48f49011bedc211e52a73f5c1f0055d90ed9b |
| SHA512 | db12c61803fb4f18ba9d0b67aedc1809f8124873e2c1e4d804a17e9f94388f686a1903e05d134196632798396990e401adc69a0d28028cdd0412793d6f69185e |
C:\Users\Admin\AppData\Local\Temp\XYYw.exe
| MD5 | 12c704998a4f71f40e87de8b930419ce |
| SHA1 | 833e77123c7ae457baf44b62d333f28dbda035a1 |
| SHA256 | e322ef2c25717a6d478ab314873b47737d72e0734a6066365e7a295ad4d45f90 |
| SHA512 | cc63b987147308e6a2ad520f286e836d03989fd011b14d5b3c9ac099bd8f72b1f808386f29f7d44928ad98a69af1a188fdd0b2ed9d6112b7adb3d7365733a0e2 |
C:\Users\Admin\AppData\Local\Temp\HocG.exe
| MD5 | edd1373c99d277b5c2511188225e58c5 |
| SHA1 | f02084aa17a693690a79293e9861c7c08f780134 |
| SHA256 | cf1e6902489371bba348051ec8d495ddd7bbbbcae8f7ee2452be513ed654ca66 |
| SHA512 | 90ba37c97cdb1c72c0e0725c01b32ecd346d30eb6d31b441778c739e1213505751e7d580e8e46f5dab89e646d3c642aa38bdb544dfd9740447336c42dccae979 |
C:\Users\Admin\AppData\Local\Temp\vsso.exe
| MD5 | 67948cc0a467a92d0858f0497baea95b |
| SHA1 | 343af7888b788b8d2f39a4f86b47b5b6166004a5 |
| SHA256 | b1a52af254b86d505b0eb122d9181d97f5409da81831751313fa7641e882fcb2 |
| SHA512 | 60686b864c059eeaf8bdad78bf9f9b37d0b0003a071622180febccac03def8bc02721d2e52c5c0b0d04155113019f4ccee33b59b8c8ea6fa36d1739e8864c9eb |
C:\Users\Admin\AppData\Local\Temp\okEU.exe
| MD5 | e34c09b58fc140b52b1192f505406105 |
| SHA1 | 75b354f4d6afb892900633b24c7bad11ec2d096a |
| SHA256 | f3f530259260727efcb6b6228b17eaaf270f162a2567d3e92d6e11eccb948c80 |
| SHA512 | 274de3668dc8e381eb6b2ba8d2f65fb83b86e39c1439f7fc36cc146b3f7846cc00c730bf5fca76b9ede0d5f66a17f5889d08b944cf41ed5f35344089aa60d62e |
C:\Users\Admin\AppData\Local\Temp\ZMgo.exe
| MD5 | d26cb435df503c4f3660244dda1eaafd |
| SHA1 | 609116c41d9def88c5f03401548d9c02763ff992 |
| SHA256 | fbbb3c2c34cbe963b706cde155a454a6604980bdcd3bf3e879e329a1534cb55c |
| SHA512 | 48bb0e3e0210fba8f86c3985bb3a687075704efe405673af3d37940ea4a1ed55ebdf4386146e249ad11bcbcbbe9f467b773548b245845b51d916fef41300a338 |
C:\Users\Admin\AppData\Local\Temp\OgMe.exe
| MD5 | fffe9527544868975092599c18cc24d9 |
| SHA1 | b4447b516765b839a494806ad98e8635d8e48fc7 |
| SHA256 | 5e8b51d3326e64b876494f16b894d6bc98e6718d642616c35acdfafc962e119e |
| SHA512 | 4752385f896e5cb134d189cfda1644088ebd0cbe5269606c8583115fafa0380c6c69bb52b8b8854f4c92442ea8fb5297f7476a44e2e72e6bc839323e81fe795d |
C:\Users\Admin\AppData\Local\Temp\mQAw.exe
| MD5 | 35210fc9732d64641ddd1bcef5028ab5 |
| SHA1 | 3c1e69c36c880cf84effb661e2449fa68cce0dd1 |
| SHA256 | 09a2f0a3649bd37f25837c3a42626f41eef04c6e4f93e5ab9d68393964aba87e |
| SHA512 | a6e654cee3bc7185b4adc4dbd650917259eb2290a81c5567c92c2c8cae7c8cd6c1f431460145df52cb0d114fb7982f8d5ab173edd93fa826a8b1fb431f7a9867 |
C:\Users\Admin\AppData\Local\Temp\JUgy.exe
| MD5 | 5422f7983bf4496806f4101c968b9b08 |
| SHA1 | f678a48d2e03bab903e5a4e0a7000b3347c86e05 |
| SHA256 | cd6d89802efe09d4c592ccf948655cc485500f7b5f2c51b4bbbe951912c68e9a |
| SHA512 | 8c79e6b9970de26d26f320ad00218ce62e6276cac7aaba196d089f3cb87b84757c4bd557ed17617f7063a0e077b4bfb6310c7d3132abc313d7c53eea7875d60f |
C:\Users\Admin\AppData\Local\Temp\GYco.exe
| MD5 | 1e59f592384e62c4581513129108e0ae |
| SHA1 | d682b16ea3e2279bd30cb48f6cb0ca7eac210445 |
| SHA256 | 489fd736f6bbacf270c2016c1523c36946d853be24d6bc84c972840f2d682024 |
| SHA512 | 6115c09662efcdf05c5a9514c3cf9ef652c0bba56bc28dc5084f9f19a8508b45034c7ea751d38414aaf4795cd6cfb928d9fa0830d3e2ba55b803983c37356418 |
C:\Users\Admin\AppData\Local\Temp\EggW.exe
| MD5 | 613c0b48475934821221e1a63a8b9241 |
| SHA1 | 3b673f0c4195775b5a3aa962eb091f3709065038 |
| SHA256 | e7123ff2cdb1481ae243ec837ec9db6a89da79f5eaf184772629f0afb1ae780b |
| SHA512 | ce26bd2b282e0b785441a1947a3bde73945d608ee90c9861d9c42d1e952e47e5180e2d194954e1d49716887f039981762b36e2b107c04ec02113cac4bf42bc02 |
C:\Users\Admin\AppData\Local\Temp\voIc.exe
| MD5 | 51c99e980122dbb4e3f4e1d460be1c27 |
| SHA1 | 0292e896fb6fc6775c8c87538c0f2446dd8260fb |
| SHA256 | 03db430919ca94408035985c5d4320e2c1b87c4b14cdf8fa76e6ffed2192143f |
| SHA512 | 75fdefdc424b43c3f0f26e0f79b6836b583f1803d7da31314e014f8dc19c95bcc32a50d0f79349b884b629d228625ad0638ff01fedb85e919514ad06bed8dcbf |
C:\Users\Admin\AppData\Local\Temp\awQg.exe
| MD5 | 7b8be6e8525ba3e053eb27ef18bb8543 |
| SHA1 | 4d8cb5df0b850a94715321c665c1d40cacc2d124 |
| SHA256 | 77c4f63177961af550c584112a9dfd80bf13937f96538726d0a1a9c35e31742c |
| SHA512 | ea6af5b243c0e7cbbac7ba5e657d30d51580fe51bac5e0833050bebe048f027de00014cf013aa65025d4c6c9005483aeb093b6425809fa75662162f9fd7ce2f3 |
C:\Users\Admin\AppData\Local\Temp\IsUe.exe
| MD5 | 62590e7702d18919a1551b545368c34b |
| SHA1 | 681aaa59e2cad52b5ad7a2a40e95a83fec403118 |
| SHA256 | 338c90279d7bbe2117f734e47e85e073184babfefb71b5fd272a897169c79b98 |
| SHA512 | becdfb3b86324c86775fb25a61e137feb0dc2468f827ca68225dc94fb823f7ea44e038771ffa8c034db473c6007652ea62649f8489b461695b8f632f0672865c |
C:\Users\Admin\AppData\Local\Temp\UYQO.exe
| MD5 | ef4db9b42130302bee1e581d0ff4a13c |
| SHA1 | edf2162519cac0fc4107be557ffb6153377951a4 |
| SHA256 | 93e28b78fe1835de6fc94529c9b6f5e687ae717878e9c6c66fc8ae2307bb52ef |
| SHA512 | 048fa0a2866226cfff83c03c3599a997cb58976cfa278a0ad0d830b6ed5ad7cc4122b8f1cd3e2ba039de3f234351d191b7dc1a4791fb072f25eef0de7657dcba |
C:\Users\Admin\AppData\Local\Temp\Jkki.exe
| MD5 | 781a216b41068f14550f5edad4ce73ad |
| SHA1 | f6969f190be19e8ec414edde87f26758dbe180f8 |
| SHA256 | 4cef06481735c2016cd0c129c46dad9bc587094e74dd47f8b7fcb1eda123157f |
| SHA512 | bc668d7be795409cd62850921f4f36be653dc7c927fb1258f5389b025b08593992662119f77377d19a8dade4fcba39f749a64fc209e5742e0dc49611141998ae |
C:\Users\Admin\AppData\Local\Temp\vEgC.exe
| MD5 | c02044ab8cdabc2a2b782d941080f7e3 |
| SHA1 | cbe3022b9fdd547e92c0f7609d30905b62e031d2 |
| SHA256 | 5a2c584d0d7091369e1e6cd894ec4a25098905a6604b086ed2a883807882a5e1 |
| SHA512 | 20da3472d2f55a14fdf9f889c313bec3f948db45f6ae6eec2668777422da1d4ac26ef3d2244cbf2b3ae7c86caad77d024f469ecc9135d9feed82ea32d89bb0bd |
C:\Users\Admin\AppData\Local\Temp\sgse.exe
| MD5 | b951c36741e3e86fae6e81aaea2f1505 |
| SHA1 | 14dcf8d29b95acdbcf68db8f8cce76e904c313aa |
| SHA256 | 782b52c0174dca868a7a22efcfa2505a4301f202823a8693e6ecacc469c1ee41 |
| SHA512 | 24902c1b77956ff0d292e306bdb781161c3d71a395b3ac1d3d46ebade5d94be82ac43a29abcfc500e388b6ca8f6676df6e9cfd3b92f419b0b83d783cc4bc7696 |
C:\Users\Admin\AppData\Local\Temp\yUEe.exe
| MD5 | 03d0f02b855b36274982a5b9103c840c |
| SHA1 | 6e7c9b02b7a3d63bc24770deafaafbfe55119bbd |
| SHA256 | c6dbab09f3564b379600c6e054c296cc71461cd17f84bea7cbb2fd2d038a88f8 |
| SHA512 | db88a327413f70726fe8421895baccb55abcdb5fda81eae0eb13b317f20dea966934645730962afc49ced0cf6b53f5a82b7665a412acbad961632511fd51f27d |
C:\Users\Admin\AppData\Local\Temp\xMgs.exe
| MD5 | aadf92e4b89ac6c3965aa7bdd2e3293c |
| SHA1 | 532cdcb24ddcc034cda3ff2149989369dbfd9d07 |
| SHA256 | 93a62c8989f08f253b51fd74c2af3bcc2abc6b337a807ad6b903d1393c85cda8 |
| SHA512 | f3f25059946505aad089fe51c720489db5e53b5f60b5dff3a68e462aab8bdcf3b632d844fc1c755350afe7918cfc0e3705e2db37ee336450f861565190999a06 |
C:\Users\Admin\AppData\Local\Temp\rQcO.exe
| MD5 | 50fd4997109f711a025c36f108c59f22 |
| SHA1 | 5d650247e4b8bf3b6128a91603d82ac1b6674940 |
| SHA256 | 9e17318df40ff8edf9023725d865c464ea89fc20d4487f53a1ab4a9d1cd5c7c8 |
| SHA512 | cd42990b16d52e68b113c116c57d1fb7a67fea87c16b736fcfb9eadd59fe5382cf61233d2df83c0d5c469dc74faa84d3d87830f6132f3a997d84b7d99a9910bf |
C:\Users\Admin\AppData\Local\Temp\qQME.exe
| MD5 | 23c1da9fe447926f112bf1fc54e0a6cb |
| SHA1 | f84f9477c24132a16cc4f4de20729fde5490d596 |
| SHA256 | eb8f39a2d6478e497795c7522be26b2529c0eca56e693988fa87d2c6d69e9bc5 |
| SHA512 | d4fe572d00e3b79185eebc6f20774684fd1fd8b1cfb2bf817414a40e7275370e4beb208382243390ab03a053f8b8cb39aaeb66e3bb531e42e723d9da5a9d0e1c |
C:\Users\Admin\AppData\Local\Temp\NsIq.exe
| MD5 | 1334b061c83c99e3302103d44848c05d |
| SHA1 | 9b9fb03c9c1e536b3f6f138877cf4c6523d3e7fb |
| SHA256 | 128dbd8a2949303931915b03bb34a9f1680f4656d48d6dc27b7804699969223d |
| SHA512 | a8d9c8015c02d363e30fb9aaff5c78376cb576ff1c9717230a59a84d2dd48b7a7426dd59d1ba78408bbdd662b2f28671ac342727e993ec976ab63c9a2989c3bd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 18:56
Reported
2024-04-03 18:59
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
100s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (82) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
| N/A | N/A | C:\ProgramData\XIUQsgkk\PuMogUIg.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuMogUIg.exe = "C:\\ProgramData\\XIUQsgkk\\PuMogUIg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YyQMkQkM.exe = "C:\\Users\\Admin\\VOAYAEAQ\\YyQMkQkM.exe" | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PuMogUIg.exe = "C:\\ProgramData\\XIUQsgkk\\PuMogUIg.exe" | C:\ProgramData\XIUQsgkk\PuMogUIg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YyQMkQkM.exe = "C:\\Users\\Admin\\VOAYAEAQ\\YyQMkQkM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe"
C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe
"C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe"
C:\ProgramData\XIUQsgkk\PuMogUIg.exe
"C:\ProgramData\XIUQsgkk\PuMogUIg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQcIcUoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoQEUAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwwYkYUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYAsYUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGcwQEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMoUwsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQAMYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMEcsYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwgsUMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIIwUgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awYsgQoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogYgYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkQwMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCUwwoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUEYoccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqQcswgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkwAgYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSAoEQAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCEUIgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiUQocAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngAAEYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEAckQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOwkQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSwMogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwsckEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUsgsEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEIoMgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGEUAEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwUwMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUUcMIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeQwYUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESYsgcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcIsMQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liYkkkMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEQEgsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HakIYEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqEEUAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYsAEQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSoAssMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muYIEkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaYYEUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYMoYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUEUokUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoMAEAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAQIEgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoIMAwsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUkkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heUckMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOAMMsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hckcAAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAsoQkEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIsAMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEYswos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQYEAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKcEQIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKcMYIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcYAUcUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCsoEogk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCQQgUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osAUYQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSswAYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMgsoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMQosswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twkgQIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKoUIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwsAMsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAgkAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiYEIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMkAUQAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgMsosIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqggEQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUowYYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQQoUMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USYYgAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqksMcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUoAEMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYUksYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsMQQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcEggUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYwYcwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWUIIwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWoowUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGQQYsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCQAIUQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcIwcgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkMkwooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cswUEAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGogAIwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgwAAIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIUUkIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xassEwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSosEkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYMcQMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAgscYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoQUogIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIwQsIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 142.250.200.46:80 | google.com | tcp |
| GB | 142.250.200.46:80 | google.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3224-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\VOAYAEAQ\YyQMkQkM.exe
| MD5 | d60bc4fad8befe21dc6d79b7693bf90b |
| SHA1 | d0dce6f5dd37c7cb125f76d75a42459554f98a0d |
| SHA256 | 5375266368324668245888ebd139f192e282abb5a7e9d27ff6e0ab0aef3324ba |
| SHA512 | 0932b87b1da3dab23bdd1dc12d4f1443b1bd2397580576cfe87c4dc0cb5f65f1aa9bc0fd3716067f59abd486e8af850e3fbb0184c9a71dbcd3dabc77e1906343 |
memory/4340-12-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\XIUQsgkk\PuMogUIg.exe
| MD5 | 2517ba7f08b001d8833cb847e67a2c22 |
| SHA1 | 0e9c91d3fbaafe97af63b7c08437611292e7d833 |
| SHA256 | 7bbb19dc274205a2fcc900f6ed40fc608073c1be8be54e1cdf02f857aa6428e6 |
| SHA512 | e709c927c8ccdbcc8a6e5ff964a2be082fc9cb644b42e5e2689600b357892bd861018944f8bb8e0149cd942c878d78562ed7e561086ad369815ce9590ed72979 |
memory/2656-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3224-19-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gQcIcUoI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-04-03_e0d4f805362cc919b44ae474f88181ae_virlock
| MD5 | 5f6870e505406f5a8e8fa594b6d5bafb |
| SHA1 | 4da1f6c6440c1c32f6c9b3deffb9b5cc6c7707eb |
| SHA256 | f5003282e999e6d9704b53812e3713723b37838efdcf8102901c14baa174257a |
| SHA512 | b4a70f5f6a9c944eb08376010574134357cb5b1591f4df52411e789d5ddd33ba1091c06b956811f6b4fb89186c1470f85db0963ef58c14b6700307ee8ee65bdf |
memory/6064-27-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4544-31-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5080-42-0x0000000000400000-0x000000000041F000-memory.dmp
memory/6064-41-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3732-51-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5080-55-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1740-63-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3732-67-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2884-75-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1740-79-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2884-90-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3844-98-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4016-102-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3844-113-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2756-121-0x0000000000400000-0x000000000041F000-memory.dmp
memory/388-125-0x0000000000400000-0x000000000041F000-memory.dmp
memory/548-133-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2756-137-0x0000000000400000-0x000000000041F000-memory.dmp
memory/548-148-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5204-159-0x0000000000400000-0x000000000041F000-memory.dmp
memory/944-168-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3724-171-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4900-183-0x0000000000400000-0x000000000041F000-memory.dmp
memory/944-182-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5984-194-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4900-195-0x0000000000400000-0x000000000041F000-memory.dmp
memory/208-203-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5984-207-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3888-215-0x0000000000400000-0x000000000041F000-memory.dmp
memory/208-219-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4636-227-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3888-231-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4636-242-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5088-243-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5088-254-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5656-255-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5656-263-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3188-271-0x0000000000400000-0x000000000041F000-memory.dmp
memory/100-272-0x0000000000400000-0x000000000041F000-memory.dmp
memory/100-280-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3556-288-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1524-289-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1704-297-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1524-298-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1704-306-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4540-308-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4540-315-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5224-316-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5224-324-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3944-325-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3944-333-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1696-341-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4204-343-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4204-350-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4544-351-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1444-360-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4544-359-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1444-368-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3560-373-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2960-377-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iksg.exe
| MD5 | 21c38b83fa6fbc5dd3d31f33faafa8b8 |
| SHA1 | 7112ae4e9573ad0a8ac08dfcff1613b667157408 |
| SHA256 | 655cd92971cee3bc333bfb43419b3e45c85bcd9dc0ff7c38efc13742b939bc5a |
| SHA512 | 4365215326b025d330b1bebca0f6eab535d1ce5db0428ce09be0d542abad9391b003b86960b3ba28b7699ec4e5e532e5eacb4770e7dae334b40675819d7395c7 |
C:\Users\Admin\AppData\Local\Temp\swYw.exe
| MD5 | e8c1dce9b66700ea172f8052151a82a9 |
| SHA1 | 2fd6dda2a55825ca56d2dcd2078ab7b0c25fb916 |
| SHA256 | 9877578509a909864b300df97112c7681e3bbd4c3a21a58d2244c020d39b94a9 |
| SHA512 | 62955e42adce7647422e22a874b266e9dbf5c9fe35fb90e72c608d29d17cd19f4d79d3e333c89a58d95c9c7bda2df72f23c575af3b8667bfcfdbe5d9f7bcbcbc |
C:\Users\Admin\AppData\Local\Temp\gcsQ.exe
| MD5 | 9fcc00710c6298ae4bd051af660b6c82 |
| SHA1 | 323bb1902e0ea98726aed98bdfe9bbdb53dc0ad9 |
| SHA256 | fcde41481bf5029cf8f6ed7000a389f23132a257a4ca4a08017f5be7697d89d4 |
| SHA512 | d41d3fb6151f90d9788513fd12a1bf8e528a435cfbe22a1c0fd06085f5adcefcb4850881d231ba2c790614aeb1fd8ed257b6e5d0ebd75d690b6754ba2954a608 |
C:\Users\Admin\AppData\Local\Temp\asce.exe
| MD5 | 86714444cdf5addd2c8497d83c152c39 |
| SHA1 | 36b9c1bec24d94b01a56daa9c01ccc34c3d4347f |
| SHA256 | 469512c3f6c15df9c247d3d946ab6fe958bb86063310cf536626232967ac663c |
| SHA512 | 92025177c40a87c76c1b9a0bdfabe1314421f5530e0a9e8f0817f222b3d205dc6624b1c9ddd380783cad0050900c45feb553d32477ed10b7e14c910eb4642303 |
C:\Users\Admin\AppData\Local\Temp\IgUq.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\qwoe.exe
| MD5 | 24f511d54fb570d772e05bdc1e3c413b |
| SHA1 | df4d1e41cd79aeef5d044b477d9aecdbf59fe927 |
| SHA256 | 7398bf680640e433252d7e42623e84c0efbb473d29566aea71de4850f9a97ec7 |
| SHA512 | b53d4b6324c1534317ec1fd74b05bac97cdce84fc22a328455dc167dce9cd57effc69e19f4a7687ff8a6fbc4c1ab688b5dba47f0c45f88096ca348029dd885e0 |
C:\Users\Admin\AppData\Local\Temp\EksM.exe
| MD5 | bd310726ca93e9cfd4f855d829069739 |
| SHA1 | fb8dcdc11532c183d39f0d0d0214a645ca1cce0b |
| SHA256 | a6e9a5cee70361eca03191f23fec0cfe784ca1bf3b8f25b37d4d4b8e09379ec2 |
| SHA512 | 81e563c1b80ce768d8cd465a254b87b57bd50833503b9d095018cf3b04d65f9e3d950441d82ae7d31cc4f715de4152e38120d6962a79b6bfb17bda56b12c6243 |
C:\Users\Admin\AppData\Local\Temp\okYC.exe
| MD5 | 1d257c549528c50901fdaf8e2832dc0c |
| SHA1 | f749c789f0ebbe97688eee4405ae800b88c37d63 |
| SHA256 | d0134a0dd720ae876f0f07be16ba4220c601d1c6dfa7ce576c01f4dc37350537 |
| SHA512 | b5c0b1dd443ad29dd8303a4fc14b8cb9cad58e1ff88d9e0a6dd8276ea28b5325f48f19aa07875151811dce73bd267ac93afd477de986cb93f44639da34a9e16a |
C:\Users\Admin\AppData\Local\Temp\WUsI.exe
| MD5 | 0fc9d2ad54e6f49e4226d2a9e3a1fbdf |
| SHA1 | f7d083a349228475bd8dd2ebf68cfef889a73afc |
| SHA256 | 44667ccd3e643aea0ae8691296986b078b9895b62978798957744f3617856036 |
| SHA512 | 3382fec138e7ab4e0a55927fa64f7382ee5006884a0b3e0d54efdba1caaaae049909b359a6691c93b2c4059614f24b26706b7533bd753ae63b01897f217c4b1c |
C:\Users\Admin\AppData\Local\Temp\oQUy.exe
| MD5 | 1873bc17c6ff772fc82d8e28e11f9dbd |
| SHA1 | 187813118ad41ee85f455ba1c8e23a41c0281dc0 |
| SHA256 | c66962e895334099dfe1db8add42381503314b7a51ab0bf3237c660aeb103ef6 |
| SHA512 | 703792527e0f780b6e70d74fb5dadef24bb54dc282cea781c1941b4b86b9818259e9a16e41a54fae4b74a66ed67fa169f25251cbde8de3d3be6752d535560733 |
C:\Users\Admin\AppData\Local\Temp\cwkg.exe
| MD5 | 17f823a8e5b692ab75adf36cd56be8da |
| SHA1 | 8016e6b38200133739e7d6c96f8de4fd7232961f |
| SHA256 | 10a905cdd7c016003c830ddd343c7d269ce1b93ce7f8122bc5821e0c356ac610 |
| SHA512 | dde4db38f364149f3de4b9ee5faaea0a0cc2804f1cc71ed89dafaf7907202854f85d3e3b302c1e944498100c2a147a5c77d7ccd9345654710eb7c39e9ad1fc70 |
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
| MD5 | 283185261b2a952f7c135f087265baf5 |
| SHA1 | 4ce9aee25b95277826c0eb74e81dcc7331bca0ec |
| SHA256 | 578c94d277205076c1d52d821fa4b2cd34ef60647f0056df12bfde9630ab6808 |
| SHA512 | e4525f6e4ec57946f620726fb3f4872e7be62a8b471d2b5de9e402058e6b8865c35d6fb7986b0b491e15253cc008178f32f32ef198ead6edea28f59c3a2dc8b6 |
C:\Users\Admin\AppData\Local\Temp\ecAk.exe
| MD5 | 38aa171fe4f3a5e9c26bfc9a89f62211 |
| SHA1 | 4dd50fd8b51dfbae87a01075f92917974a951e2e |
| SHA256 | 333c9e0f8e312b45cfd11441f043f7d6855487c23a591fbec41ae02a97fb1121 |
| SHA512 | ce82eeb00471048edb8c04eb23c8dc033fe450c4f7326de8ba4d6066375160bea77e880f0138b2cad222ad45e25cdf06b2b46a263388c1943508c968c61d1491 |
C:\Users\Admin\AppData\Local\Temp\EMwY.exe
| MD5 | 23af8fe3dfd8050346abe45fa65d7663 |
| SHA1 | 11ff0142572103ae1c353843cbc19d999bc1ba69 |
| SHA256 | 3f9a76dfff97e6d0fa64ecaadbffb7d76a0cabc4492be80a08e9d9892b7b18ff |
| SHA512 | 418d2a5ae389c4518c86f55169b0012245985de8a1e86511f5413f85274f629b58b4b3b4e538bf747066cec5293c351b24ecb44a2f0c2f6ac345c337471c7a55 |
C:\Users\Admin\AppData\Local\Temp\eAIG.exe
| MD5 | 18317952dcea806778ba991c4a5e1974 |
| SHA1 | b76455da239373e6baab7a76860ccb3d8c7aac17 |
| SHA256 | be6bdbc8f8709fb2b1ed597f47e5026d90cd3b6c2d78e8c9fc3ed147b6e097c3 |
| SHA512 | b72e7b98cf59e7a4ea7c070e49bd65e4218e672caae28084d1cf0e9e92cd1f2392b25a47d5193923b73b420c1ad2d5d3e9960dfd8a83227c7b26e2e0851946f0 |
C:\Users\Admin\AppData\Local\Temp\Gckw.exe
| MD5 | 6bb4beaecd95bd50fc5695eb4b57e982 |
| SHA1 | aa0e00aae6c6155ffc2fa560a317838661316775 |
| SHA256 | 34ae86e03d2dd4658ec9e3c1d0fe3741f93c6edb6ac5366af1e108a99a121320 |
| SHA512 | 05583d1ddb5b0dce419a7f2bbdb219d02f5e5a70ad981d0659a91f10e58923b08f31f45553c55af6d3f43085599f93dd9a8dabb4c19461a05ffc7262ae469f05 |
C:\Users\Admin\AppData\Local\Temp\yskU.exe
| MD5 | 9ff9b0d6d8f250d73eede172d92c0d05 |
| SHA1 | 4cb59dd5fb4569cd18b6cb4185fe31467ebc98e3 |
| SHA256 | 9d9d5f9ee1726eb0a27819fe166cfff3c6e6c5a51deeb0bb913d14fd7d90db91 |
| SHA512 | 4b1af33fda40567e2acd22457699d267750ee5160c88072b30dfdba1ae84d4d3b1452955595e1c3b02f902d3edd1a2f71d635f61076d19309f365b436fcf2e38 |
C:\Users\Admin\AppData\Local\Temp\coEc.exe
| MD5 | a9cd4cfc3df7e488605ed5f6071846f1 |
| SHA1 | 2d3c0f63ba391893cbe034a16afc6848e422d42c |
| SHA256 | 74fc78677d908c60a90f089d2209ddc76ba9b2815124b724b6fc64dbb025d563 |
| SHA512 | 24071ef1feab8495a82e48c7acfc105d4ef634b360fe70c9e8559e479cafb7bba5c43da85b9bdc1b5647474eafd53c16d22425114e890ce76165e5ef272cfca9 |
C:\Users\Admin\AppData\Local\Temp\ckIw.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\EkkM.exe
| MD5 | baf8bb1ba9af3735b3e4843987db295c |
| SHA1 | 9ff3096d719542c89f3156f42a0d7659e0d57b5d |
| SHA256 | 2de69245d4f3926f9d70a982de047d1a6b009b75b48d8a6018b843f7ea185738 |
| SHA512 | 6d565bf31bcac11f39f9880bd75907db9bf38fc740cb45165afd9fdf50c6be8510d0b622e43dff69c5c00dabfacc882b5e094713c30683dc795b5898b2febe37 |
C:\Users\Admin\AppData\Local\Temp\WgkE.exe
| MD5 | 06dab3566816c3c7037a68d951eef7c7 |
| SHA1 | efe7008ca43e44b1b9ee7141418a11d651963908 |
| SHA256 | 42d00d2dfee04f33eeeeadcb34ed8d6b305391757dea1fc6fc80352f2274d956 |
| SHA512 | 29e78581056b7f9f77a3b66de43a33fabce0f8731383121c3e67878f65cd794ae3a573028d690cf1ab9b1ff47bbf468046b4c366e702baea9a7d0b876106d2ef |
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
| MD5 | 14547ef05b946bfdcd9051815b5e07d4 |
| SHA1 | b2731ea201fa5e32e5a01774537f9232c037415f |
| SHA256 | e2aad2703298a546f2c7e35275622d163ebdf5230dd12d1ef1d0ae422fd62552 |
| SHA512 | c224f1edd5df255889f1d1a59cbb4fae2492c70ce83a98c41b5c3bb6fef38ed4c1d465042ad6d657bc60555213c97c5e92698f57bf151c81428a773a237a13cc |
C:\Users\Admin\AppData\Local\Temp\msYE.exe
| MD5 | de618e14965c82dbf966da99726afadc |
| SHA1 | 63e75e2b16c6827531ad8e8c3904a03518d68749 |
| SHA256 | d3d918bb26ea8feb6f8dbea6e1774dc2b2e81602385ae39029acdc304ed391a3 |
| SHA512 | 83bc20001deefa659184ccda4e00bbbe1352e0bb03d4e64ffea7ac2d111cd48dc7a92467fbbf82b6fdb6cbf77dfbd64ea62efbdfc12b57b032c89c83606c4876 |
C:\Users\Admin\AppData\Local\Temp\AIUi.exe
| MD5 | a5a8d8564a663aecdded5a50e18f197f |
| SHA1 | ff4ab2726ee400989621930c5bcd586d06358b19 |
| SHA256 | d8f7a25853bc4fcd2de8e5d0804e5613a4c1c45d16ba5f5fede8ffee8f5dd7aa |
| SHA512 | 308c2951f5da23b1a34a17f0ab4c27e7e1a92bb170da43d3d4ba23a96b1362a7fd74377679aceff1498e7714e2717cfd0310d71fa8a3b2228af9c1cbebd8e0c7 |
C:\Users\Admin\AppData\Local\Temp\kYkq.exe
| MD5 | c12273f0c045a4b41893d989c51358e3 |
| SHA1 | 9db5ab444a4b8033b2df6041a3583287e2506b65 |
| SHA256 | 7dd30d1c00eb576242ea1eafd67e8d32c42089f4ad1352e1e46229b3ad58d78e |
| SHA512 | 7c18b046d68de7c358a49b88ca1b115511780550c9ff99cf036af2893dc6710c6108f59e2737e5d0a2d2f2599befb309bb9e3930ae952ec7b1107c43c277c2aa |
C:\Users\Admin\AppData\Local\Temp\oIEU.exe
| MD5 | 691e276d496c509f52fe390ae80752bd |
| SHA1 | e9a543ce140633347b3fdf4d1451eee2eb21b905 |
| SHA256 | 24c08285e3d6f06e96e606f0591a56910bd6de6668ccccd9e57fca04fe530086 |
| SHA512 | baa4b8778259ad7277d801d4b01d89fcc97c76151bec6f1351e0e8c6de70e196fff4d6beef344b99562ef73685cdbd41bebeaf662f91e82c2210dce503341cda |
C:\Users\Admin\AppData\Local\Temp\ekkm.exe
| MD5 | 920d3485209b4b404669233fe008f4da |
| SHA1 | bdc2fbb910ce664e55ba5e55a5c26b89d3eaa2d1 |
| SHA256 | a5dfa6258b24e566a7ff17c7c6e11975af884cb8b6d83e217d093d5ea693c7c1 |
| SHA512 | e3cc57980f2740dbf6d03e172c2e7711507c24c63b5bd85c5d5c5087ffc8fee40a1ecf62e5e6d4d316beaff2bb7df350c46178f6fa5d930a35e54458d106a51d |
C:\Users\Admin\AppData\Local\Temp\CQEY.exe
| MD5 | 0603cf55e90216fcf8d8747800714f9b |
| SHA1 | 9d8768c6da619996734e454b737fcc03d0802537 |
| SHA256 | 5547e69875abc9d767a000ef93029e1466cc49a1f0c6452529ef6ce6a7cb791a |
| SHA512 | 94b74aacad5599115ee0b7631e0e95cb7a369437360802856c23776d5e4fbd185b738dccdde9b864d043e2afa5723c7b86a93222db1ce4a7fd9d2aba6f8c0405 |
C:\Users\Admin\AppData\Local\Temp\KYIQ.exe
| MD5 | f0f250d16e5a9d0d1aa15fd0dbf7f770 |
| SHA1 | e2206e9e1b3eee77f701f363997445c6de2f6a71 |
| SHA256 | 74267017092d10aca356fe91d0b70a314a90d1f1119ee28700a698a92bd5d0f1 |
| SHA512 | da61fea117c2487b39e6f779b90ae64f9b4aaf356583d03494de632084445cedee69bbc12c63b604cf4ae967f9611f38a18497a71679f4c300f6acd5aab91282 |
C:\Users\Admin\AppData\Local\Temp\CQQe.exe
| MD5 | 7ae629b22cfaa72b922d62faa7e621a4 |
| SHA1 | 42322afc0f0c59be5741f52b9c22df1e63d5874c |
| SHA256 | 0a51a08c9153a9c41525fd864813bd39cf44ab2497c95840179de1ff1c9c1282 |
| SHA512 | d538acdb89de63524f149de41b28f8a6e5bcfdb0af137fc00ab8fd0c1ce1afcbfbdd970de09268b88e78584565231aa2b4f152a0bfe1586afe8dbd1d1db114f0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
| MD5 | 8da6c096e9060cb4c007ab5236993217 |
| SHA1 | 361a0f3cb4160232ca673b8b1f5dc84df3acaf1b |
| SHA256 | f3ef757d97a3dad9fd59410924139b49dc1189bfaf99105fb5f6c82a9d912e60 |
| SHA512 | c9e2bf38b38a1dbb4da9e385675b14dbc425b77268f94885de5112b8721522f83f4e220edd5e865cd3a1b09a9387252ecf1f4887fa3667e82799af8f8438d8ac |
C:\Users\Admin\AppData\Local\Temp\SMUa.exe
| MD5 | 19ac04cdde7cb641a2a9e30b83a27335 |
| SHA1 | 3bb4d058fe5e35fbfe1205461df3aa7bd4f552a0 |
| SHA256 | 7f72e30b3bd64fa8afd4d6a05ef28e15563d8515ee048e0ca12596230ec4ff5d |
| SHA512 | 47407e00346f88e08ce815ec561ce961700c217f0364172b055cafe981bca7783806c0e5321b972de9db6be59914a0d8fad14332807e53070bb13cf998cd30a0 |
C:\Users\Admin\AppData\Local\Temp\ykMI.exe
| MD5 | e97d194b3ef0086fc30bb2834bd5f855 |
| SHA1 | 70abc56df7f8c5a2aee40b0bec3d9213952ff0e4 |
| SHA256 | cb13eecc40ccc7560b04f169a5d7662d127ea5ec682a410c2d1db1617a2b4b71 |
| SHA512 | fb11cf8d9237468b206da77677828fd2afd9ab4723c5f62a47a88ff2a26922fda89bca05df2c10b0d9a336f25ebb54281a9f61ce4cc2e1f5b5942ad633dbd353 |
C:\Users\Admin\AppData\Local\Temp\Yosw.exe
| MD5 | 178bb0f8d2ffbccc88e9b0752f3b1785 |
| SHA1 | b633370fef9b50c691a411e8473c0a929b8a0028 |
| SHA256 | cef33b18cb70cb53a53d7d4a42db8a3dd10ac341c7e0e9cdd5471ad0328e99bd |
| SHA512 | d7fe23830e8d172d0e3cbfe6fd26b03ea115638345b0cfa3eb6a74cc43e91de2eb41f4594c1dc1b01fed194fcaed8668bcd8226e4d528d0c3a0b0f2b54e250cc |
C:\Users\Admin\AppData\Local\Temp\iccI.exe
| MD5 | e05ce9adb5614236ef2a5e92902feffa |
| SHA1 | 9bc375abdfe776cbe3ed886884c3cc13cb2e6703 |
| SHA256 | e6f5efdff2e8359099e9ba18804f8372e183ffa6f8b16b5bed23f7faf54c4325 |
| SHA512 | 8079d926333cbf46ed028b578ca1c91fbf3de637c5e8d641a08dce938bd64680fe7dca601cb69dc323760dac35aebb6ed9d858bcbc34096ffa21d82acff01be4 |
C:\Users\Admin\AppData\Local\Temp\ewcI.exe
| MD5 | 5e6cff7d881432c006306390dd578c96 |
| SHA1 | 5aad639866f00ec9cc81e5c9f11fe5a811dc836c |
| SHA256 | e8fe4c0269251672bec43edd27f69d65e9a07c39d89e0523bbb76098ee1db42c |
| SHA512 | 39d7e30321940ca69c317b84d146cd18ae2e772e1605d32958ee175be0caf3a45a7429cd8cd68cbae8d1db334d9a07e520dd8304bc28adc70956783104a8d270 |
C:\Users\Admin\AppData\Local\Temp\CEgq.exe
| MD5 | 3b6ae9866bd984374c76c63053cf8c86 |
| SHA1 | 22caa8296e23a30dc42a332aacd89726d9da0649 |
| SHA256 | b0b26bb649d1436f4228fccd27a65291cc449d230fb7ff5612d4fbe8ab679905 |
| SHA512 | e096837027c3acefb79e5238ec71cd5d79ff78f8e250dbff0f35a04dfb38b77fb7e2a832d70566b97622284c3c06283fc4bd359f9656911c5d5685a1b754ac6f |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe
| MD5 | e5f155ffba76bd6183ad699256ad3ab9 |
| SHA1 | 4ead500fc0a8078ee46c063c84ae2ac3d2570ba8 |
| SHA256 | c413d4cdc53c0416e96278ffa2e614b17c60e46ad12915db52a7cd2390c63d01 |
| SHA512 | 41e7b253747612c392f6895c726ff93543be5448320f5a28444e2fa6c3fb25f2b4fd2d137d0fd0938f9c531d34bee56953e3ac8b23791e12f54e11f0e2430bc8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | 5fde43b25637e07739be301f079efc37 |
| SHA1 | 159b1b68234c29f9fa86e74a9204ab69dafcfcaa |
| SHA256 | ad76478cd6318a953b6d3811329aa941aab7e9758fc98a487cdd3d52a20ceeb2 |
| SHA512 | 6383d0343f8b9caab3b5950989e89a8f8ccebcddc5dae68c58349dbd92a3ebd0ed9b91cf81ac56c7eb7b0e9555ca37f46e7133797ff63820c87f54b17d8e6393 |
C:\Users\Admin\AppData\Local\Temp\cgwg.exe
| MD5 | 54fff0d3aa9fbf74d83635f77026bf57 |
| SHA1 | d64f2a245008b4b78203958cae4cdec3e2728428 |
| SHA256 | 42b28e95387482483b462de1785cd01d8903ce3b2e69c1e2366ce680c26dc34f |
| SHA512 | 7686782d3f824c5b9fcf7ba0379ecf275d05c9e94cee71b06db7d203809d99e0d64515de4a66690ffa5c0ef2ef9bcf3f6c4de42ef6e0eca5a2adacb2a62ef4ab |
C:\Users\Admin\AppData\Local\Temp\Ksow.exe
| MD5 | cf0ef2cc68c6abeda1fbb45395e58fae |
| SHA1 | 97e2c2b0a1c9c80d1e58bd72dc1af4154b86e688 |
| SHA256 | 274d6a0e9e2f55a2c21e0b7d064ea27ae013d1d646afea1bddc49877c712800b |
| SHA512 | 9a245323b53ab4dfd696b52ee092be5e34c5214ff1cfb203428c3e8b4af163feede55a67d441a819408925ef0eff4318c808b268aaed0936bab9d9c2362d0201 |
C:\Users\Admin\AppData\Local\Temp\eosG.exe
| MD5 | 4819808ae1c3b41b7f0d2e472ba61838 |
| SHA1 | 661e4b2bddfecd8e6640b607244176d0a89ba252 |
| SHA256 | d503e78a0f0d89f0d98d7527a942e4ab34ff079e95184a6526c4e61625458f45 |
| SHA512 | f087ee77fd5bfc3a2323b1283ba7711cc79619f06ba4579bcc6184294b99978ed4720377b426339e6031299b6100194251159d029b7962ad5f041424907489a2 |
C:\Users\Admin\AppData\Local\Temp\KcIi.exe
| MD5 | 1c57a180287f598341a654db2071ecd7 |
| SHA1 | 4db13754814f3df0901aac04a386426121ebe017 |
| SHA256 | 7a70170beaf6bf3acd8957db1290caa603bc6cf86e0359e034b1ea998bd81bc5 |
| SHA512 | a7e97100b5d388ee7d2f061d66b1c4578e0ce185a328da8e331b610a05a7d326697f26980d8cb38f755720fab5f5a4dbc4b7a59dca687fb70e52fc980a2382b9 |
C:\Users\Admin\AppData\Local\Temp\woAy.exe
| MD5 | 31a492a3f8dcdcade4273f34879d8ef9 |
| SHA1 | 16784f62c0e1f302644e2b34af862510d032f956 |
| SHA256 | bcf20850d4457b6c9cd406b752c999a84e4729bb7273513828005418c75bf2b7 |
| SHA512 | 29e8ba09dfe5a9d9754f51534cbc5d6139f2a60a016cbd65dd92522d59d4f88618850ea7d712f0cd6ecec65d8dc4ccadeccdfbf20a83b39a583cbf84fa74fb85 |
C:\Users\Admin\AppData\Local\Temp\QQAW.exe
| MD5 | 16bc2004f21e54663ae50121785fd720 |
| SHA1 | 54bc3530f083cc4aa799d859fa9149698c6e84ca |
| SHA256 | b70fd1adf39fa75f74dfa4e7726ebd514b63e7d4359fccf23782e00030e689bb |
| SHA512 | f3f9008cdbd2a9590c88640db7e829c3b78d0276fefe2697458b098913211a1767bdad66440b91be56c81ec0729eef7003ef915b3465d36253436b5697ec28ae |
C:\Users\Admin\AppData\Local\Temp\oAUS.exe
| MD5 | f71cc34b0ffd6b79cc68d42951cf0b30 |
| SHA1 | d42dd0c9820084a1f6ccd6c3ac74399acf27198a |
| SHA256 | b948c37584dd9fbf1be5d765acfafb7b8ca7c8e4ae3053f6276debc502c3284b |
| SHA512 | 4e3453e95e4852646f5cda56332d741fba54f40f4ab913df4885f04bfe2adc06f94edf06cc9ac529aaff294f6b7b9866ee832653a15bde724413febaf52fefec |
C:\Users\Admin\AppData\Local\Temp\IAAW.exe
| MD5 | d5e0d6cc7e7782346874d82cd20cc85a |
| SHA1 | b4bcaa2d879d5ae7a2c41292643ed88eb6269f4f |
| SHA256 | 6d38cf0b845f8fe6106f6ea66d31ab3340ed49f8b002fbff1b0a9c0bb9bbda7c |
| SHA512 | e3580e1fda85a0dad74a1f603f77543115c6aa67b82e3bbc60dea90f8b06c15f080adba82c4c813eeb1e474bdc846d021a2c23d0b10fbf4a78f5eddddd4d7c06 |
C:\Users\Admin\AppData\Local\Temp\uIUM.exe
| MD5 | c4d90bebbf21aa546eeb2549a05e2e94 |
| SHA1 | 97653c2a2d69da5cffd0c506c6ece9d4fda4ac00 |
| SHA256 | 05106c8b3c379b6c8c186a876a6d4e47c3c3343c02a475525fadb76a436ec8ba |
| SHA512 | a4fc67e8d55622756e6276fcf8b9305cd530cb3a5703642f2d9eb2b049d912c955eff3319c1ead5e15d57feb9ed974694c0302f58e130a8981af9dbd115d28e8 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.exe
| MD5 | 95823319c42a3fb0e55a132c0afdd4fd |
| SHA1 | afefe08e82bf9cb604276f7e6f66803b5b2dc3c5 |
| SHA256 | 09d1efab4e6fa0aef5eaf139ecb1e9b1bad0b336b8d9e6d511c50aa97c120c18 |
| SHA512 | f0e10a8dbe1875c303c6342058fa2f115111eff9980e95b64e16359e1fe6a007e851c7d3cfa822c620da3715d9b5c0189939046e8942f8d20102d59d269f9668 |
C:\Users\Admin\AppData\Local\Temp\KYIo.exe
| MD5 | a9930fe04299c6db1565ba4068caa7f5 |
| SHA1 | 5fafa0dba78c41377ef1ff07782d5e79c3b95e2f |
| SHA256 | cb9af1e1675a5d71a3884f35054faf260be1252c6e675ea7d59b1eaa4d44d42a |
| SHA512 | 8af74c8eea0027f6266b108e72251c0778c5ef0fa4d0b415bac7ce58bdd04f740b30c3a6790fab194d73e998ad1994a12df63df2e139e59683f376c16c5fd79e |
C:\Users\Admin\AppData\Local\Temp\KswK.exe
| MD5 | c17096d5a46aceb6d1528cb2deeb08c9 |
| SHA1 | 6330e1d998a28f460d54310199723ab9dc5b0376 |
| SHA256 | e86c7aa7000f262f29aabc52dc3a7ef59adbf48d485fa1bdd422dca963875c12 |
| SHA512 | a76a67ae88721a58de2ea2eaa8b54ab42a3498cb771601165eb3e238dadec317521708cd11d0be7764236a759e876283e57a1c475144128884cc2df8ddd4d753 |
C:\Users\Admin\AppData\Local\Temp\KgIG.exe
| MD5 | da6c2986de3e38967a6208c52464afe9 |
| SHA1 | 68748fbe98cb9d2b6a1e43395f35cad10bb63eae |
| SHA256 | 1462548a12801b82528440c0504a4edb44b4517a1f49c9c9372c3081aa0f5266 |
| SHA512 | 4eae6942de1f961c75ab2a5452204120e023e9833f41e9418d9ad49c9e706f024c116d649f0b639e6151538a6a1a0c9eca8562aacfb285026399024a3cc82205 |
C:\Users\Admin\AppData\Local\Temp\ysUa.exe
| MD5 | e401047a2cab7de5711b442e2ea3bfa8 |
| SHA1 | eed83a51fb5ccedf21bd194464c0707557cc4459 |
| SHA256 | aec8809ab82e19803eb79f41eb0a2717bf93f91c3f5a153a8a3276c903a33188 |
| SHA512 | ec7587d700d0208960ab176a0989e25db06ad80d47b61d0a82819fb81899c3d0688c2bc83be83f6da6adc9fb9d5a7fb914295d783f48b5a8efe4b7020f39aaa0 |
C:\Users\Admin\AppData\Local\Temp\qMMM.exe
| MD5 | f678e4b662ea18c489abe896e00a87b5 |
| SHA1 | c5386fb74bc0403fa633a41a8354df8004b9e5e1 |
| SHA256 | 141d8e03278c59b8cbb0afe5c9170881056160c31bb5cee5b2022763018b5594 |
| SHA512 | f998c1765ea822b4f216af3c825733064df13fcf42bbbe00d1ae15804d73aa578a63b4d8e868eeb53b4db255a727d90947bba4ebeb24cd1a325279c1de82a36f |
C:\Users\Admin\AppData\Local\Temp\cAgO.exe
| MD5 | 0858d6bed8c05e08fdba7dd9a038a0af |
| SHA1 | 3a7b02b68b99c12c07c38292b03db3a0a033b471 |
| SHA256 | d246df69a24af270b7334ca6c28a032fc8bd401cd349cd1b9b1d8d239e0e2dae |
| SHA512 | 4d4c5cad4e4039e5e33a13853dc75ec8b0f0365aa6937b29958fae563e717ff50f906d9286bd48fb79f163ebda5350280d9487dfded90756e8a96531705bfc86 |
C:\Users\Admin\AppData\Local\Temp\WAEw.exe
| MD5 | 2247a489a4ddfe93507738e376ad9d89 |
| SHA1 | cd62f31cea0fde4772a1479c40b0d00a5cceea6d |
| SHA256 | 6e0781a6e2bc7332dd097e23d0a732526e192c9c3ffb830818ebf3c5234e0f68 |
| SHA512 | c02d2a8ba300f042261d07b524ca7e9c2ce7682c6a64b62ccb20d66263d9e550225b67c12f4dc9a596f84990e1a73ddaef7e0708551cbddfcc8ec3d2b70f9dc7 |
C:\Users\Admin\AppData\Local\Temp\WAQg.exe
| MD5 | 7361838ec825e968a8dd962c445013ea |
| SHA1 | a462e92ffd6656141e6ad9ac3a35c4c1e031b4e1 |
| SHA256 | 178d751197b82513d03e6e319ef38bb658d6952f5847a54706950be9e58514a0 |
| SHA512 | 16b41ceb5adc8014904b2296070619bcaac5cce398f492eec7fd76550d7883b8b3cf7f154c68e136f87d2ca8c560644a38cc8ad511d984b435551fca78d26762 |
C:\Users\Admin\AppData\Local\Temp\Okgy.exe
| MD5 | 868feeb7d7e21a6680739299780acd2a |
| SHA1 | 8b9f9c5cc689b98abd494bbbb00174cf5410a1bf |
| SHA256 | 62668f06a7ea6abf616fa6a315d8421c53682c1867f706acb64c07f00acbda05 |
| SHA512 | 0f8bd57d97a7ac70eba499b364145a50d804b551cc171909eeb311940e62723498d2a041076541d60ee5d1ad9b75f4c11ae6c02f0cd5847bb9dc8ab7933e6b51 |
C:\Users\Admin\AppData\Local\Temp\AkEe.exe
| MD5 | b369bfb5d09b2d86d1ad510516ad54b3 |
| SHA1 | f87b3b1a67242f941f653539005dec1b289be1db |
| SHA256 | 5bde5ee676d7b87c311706b554a8e09f68dcea5d28870ad5d1028554d84f159a |
| SHA512 | e7d8dc15186d61c3298a3f7150a579635939fee463c3788c84a0b522e5f5e09e53740f2e1115447423767188e1fc801e7e7e2e35cbb5f86a8b75f210b63d9269 |
C:\Users\Admin\AppData\Local\Temp\qYUy.exe
| MD5 | a0f461d6a0ec361b96c54619001b541c |
| SHA1 | 41d2a0207f2bbf85869f3dfd99597dfdf172583b |
| SHA256 | 61dd3162cd7ef08f4ccc3076bc19a7c928de34d77d55b5c1d0ca31b276bbbf98 |
| SHA512 | 5451394e1a8dc489041849cbfe894343c4c9468a8c1913f9e3f9ac3617fd4c222f5caed3df2e05eec7a683db345233c042566a8825bb1884eb558ef2815af9ff |
C:\Users\Admin\AppData\Local\Temp\wAMk.exe
| MD5 | d046d0e6aab5774f0863fe8a27816581 |
| SHA1 | af225e8bd22d533d4c2dbcd506d17ad337bb2f21 |
| SHA256 | c3fb6fb54a4b8423644ba2b1ffe2380b100f76e00c5115e22d950bd15a51b9b0 |
| SHA512 | d6fbbdcfeb56071d192b1eb32ae6766e3892f86b54a4867875646015d690e2c91a59b2d6d26711471c7edfa284b1d628ca3d7a5b72a21513ee7228427fea947e |
C:\Users\Admin\AppData\Local\Temp\kYYK.exe
| MD5 | 76e3bf33030889becb2351062f214e4b |
| SHA1 | effbde665332e5452336fd38c46fac75d68fb432 |
| SHA256 | 5d078d130773e81dad7fb14cf001766dae11acccbbdf0be45bc7b4ce101c061a |
| SHA512 | 221076fcb9299d3d753f466f2b528b7a9662358440ea579cd6062c1fcc4e9a652038103c98c692bb81af956f1a346f40fab1c6d2901ee8e6ec460a4298ecce8d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
| MD5 | 60ad345a11e1af3900f39293784392b1 |
| SHA1 | c978d0d29c8e5e40dc5a8814b10ccc85463ad024 |
| SHA256 | 43e4eb6a9ccc1a9c65e18b87fb2b63e3dcd8ab1d7ff111ff631f5d62a0a6d215 |
| SHA512 | 75d01bf0b03eda3ad95f120d30472b754a478636e2480556e98720cfdb3458912b26e668274fab6c437ff7ab4f430d4eed1d153d8751718d3ebc9e9b8f2a3c9c |
C:\Users\Admin\AppData\Local\Temp\ckIw.exe
| MD5 | 14dc4cff9834cdbed0bacafd1060357a |
| SHA1 | 89c9d817797dee6fdb31d350459875fe3694402d |
| SHA256 | b4ea7bf35bc4eba03aca3b5feb48894d99c3f112e5e342cd3e9591334563922e |
| SHA512 | ea80735b208566b486074953d70a6a441ba0647efb463e0d8dbe2272b824c7dcfc396771617e8e5921d1544305d84d95bd1562ba78d31667b9a1f549a1cbb654 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe
| MD5 | 498039137d5d8208fcfd29e58c092a13 |
| SHA1 | 29f58db04abf39eee9fce4c3ddf113a81396e07c |
| SHA256 | c586254881dda4dba84edf8db711bce4871e67013981f3c48291b68e42cf6a47 |
| SHA512 | 4c6d9686443a1359355cb945cee41ba6674882c7f06f5e66fd8fd19ab2f8c556a084b0c4833498d636d059947232f58dd9094d9a4a4321eec61967288364a253 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe
| MD5 | ccda9524541a92ac762f17856fe9fb84 |
| SHA1 | 0b64fec5b9b20ed0fbee018f81292a0ece154396 |
| SHA256 | 6f3a705a137c9325b17d1e19d242f5c6059db38e7b0f016fe85456f5b6e9c3dc |
| SHA512 | 4a321a25a94a79275415d0d5abb61f5bf34222d94ffee3d0ffc47576d35e03d193fb88c55372c9e1705348510267e6232bd83cf70cc575d9d42113445db97643 |
C:\Users\Admin\AppData\Local\Temp\Gcsc.exe
| MD5 | 2a2e0f6af81b9bbaebac740042d135ff |
| SHA1 | 10c7c49ed7c33d4b3db6c00a412420b1da40fa95 |
| SHA256 | f5a493a6b980123d2a31640c2ee367a49aa001623e12a8113b10e66254167949 |
| SHA512 | 60ee225de1c6edb293874ef459fa3e28ede49a619cc2029722357f09fe7da6c004e67b21b1b6bdf3eec919fb6c787a6fcdd34318d49c4ca01d6c205e18c6074c |
C:\Users\Admin\AppData\Local\Temp\wMEu.exe
| MD5 | a519837aa0795c7aa07f7639f1ec902f |
| SHA1 | e609d2a238811b0a5a93d80c69df6005f95cd091 |
| SHA256 | 75adec302057b2da564110e1ac7077caf8d58d279e8bdefe2e7dfdd54d7bd638 |
| SHA512 | 668289ee7a82c280cad8a309ea629bbde26f6de2b222554fa72f481d9268953edece716a2067f266c2685a4927e32fc2c44030e17f45a6b6b3218f47738ff068 |
C:\Users\Admin\AppData\Local\Temp\EsMQ.exe
| MD5 | f4406198dc09fa186ce6078a6ad78475 |
| SHA1 | b5c5ea3c1d2cf7a20cd487c2745be1211c38366e |
| SHA256 | ff338d24d3bd32e18acafc8db32b5eb4b87cef8519af2122f70010281ec790a7 |
| SHA512 | bd70e7f1bfd47b6f88262047a0c864eda57ff42e80d20756ccb626c79920c14cc619d15e2663d844aa1c9f2e2f5975c5d06c50bcf68ac2d680fdd7be18129f18 |
C:\Users\Admin\AppData\Local\Temp\ksYi.exe
| MD5 | 726f1dd768c67058957c09af99b3abff |
| SHA1 | dd8a730d9b4fa2158392caa5745da1c146ba3619 |
| SHA256 | 1dbda91257af929d205be821d0814481c198df0eb146d62c33530a70b0af836c |
| SHA512 | 10f84142e846fe39d13125ba2bd45066b861f20cb47f366ea9d8c59b735c21c1d3514f75d20ccbcee5b125a41f7737e34d588597281fd02236a2b4efe346e37e |
C:\Users\Admin\AppData\Local\Temp\CAgo.exe
| MD5 | 4e4e93fd5fbc1a638c5e0f4221aa8788 |
| SHA1 | a03913bc99b3b6ec4f7382b69e1e906167a89781 |
| SHA256 | 1d84d727856ffa2046293440359144e0f0d31da2e3123569044ce849af9700f8 |
| SHA512 | ed7f39c89146569d0a382d4a152eddb164df25f4d27b892cd65236311471de840524028c8c5bc7a6c3f0dfb8989d3c70868f6d31aed59d7428722128d93469c2 |
C:\Users\Admin\AppData\Local\Temp\EYAO.exe
| MD5 | 07bbec4f03b28e03963377b8055e9d0d |
| SHA1 | 9c5d193cca8c43ac2aa537a62cbdc5e1e8948a1d |
| SHA256 | d8e5aa9bdce68bc00ff76e5459ee36288f5b0b3cd79022f34da3edbc5f2bc745 |
| SHA512 | 3df9a3d2ea87e8ff89fa60526c9ecec0b3dbd89b8c3a7db8381184cb343d85d62d1d396ff91986572bd9ba87288a50ef8f22461f99c8a8f5239e6d826e93599b |
C:\Users\Admin\AppData\Local\Temp\sEoy.exe
| MD5 | 9f78bd4c02ec8f595e6038d07f60b946 |
| SHA1 | 23209c21e77a6c2d4227070c4538f5dbbff84d88 |
| SHA256 | 914c064ba557c9d82adebb0f4bf8a6605cd7ba76b729214e9c3238b4d5bcbe8d |
| SHA512 | b7ee267f6346959e2e6308f5f4002cdc1d950cdffebdfe8d64a1432073837f999e9fc347bab977934c84f41bfca39ebc2028ca6879a12dd1fd6ce0ac616e72ff |
C:\Users\Admin\AppData\Local\Temp\qckC.exe
| MD5 | cfed052893aaf55b958573fe365fa109 |
| SHA1 | e4925c7bc5587e214db1aa2046f4b4771cd9af87 |
| SHA256 | 23cd94525c207702cf44bfbfb296e0db826009d2086ae3c701906a41c27c7daa |
| SHA512 | 47564fe3e04524dfb2ef1eeeef2baf51f09557cee1adc803b000740a0f80dd65bb616919e15c4b81752d585c7a110eeab75acc464d11c0cc333618464a3d1ed4 |
C:\Users\Admin\AppData\Local\Temp\wYgI.exe
| MD5 | ca47bbf55caa08296fba7a01e24b2df0 |
| SHA1 | 0fed3e0690335b31846397e4b9ebe2bc3999926d |
| SHA256 | 77d0c7f3751c817d7ebf1848d7b4dab44732ec94cda69043c0e5dc59238aa7e7 |
| SHA512 | 866465218205b4710d6b5c5cc3812e8972771250c32f59191731daf70483b95f0f88e201925f9c66f1b10a86574bfd311b3ccbfe6d99bf166729b290a155ffee |
C:\Users\Admin\AppData\Local\Temp\EMsM.exe
| MD5 | 217d0bbc475bd3bdca9050850992c4ea |
| SHA1 | 84693551b25e70f2aa8ef763495d97300a72b28f |
| SHA256 | 5f221bceee39d43c1b0833a6313f287a3655430c43c2ae4d7dcfddc4134d0d52 |
| SHA512 | 87236b77231e0c8e4ab758fc7e2fbf998207667a598ccdc10526156189250e906ebdbcd693edf89b68f75788121e49a64c0181eb25d0e6eee2cf4118462d6c17 |
C:\Users\Admin\AppData\Local\Temp\UoUg.exe
| MD5 | 5a9b3dbe4b5c441ffe99386902992dc4 |
| SHA1 | f1affc85984ce3872b2c7fb86d1ea51f6c5a463e |
| SHA256 | 9d222e1e7b63f3cb529d07eeef278bd6c121f057da0a5705a9f94bb3d70ec842 |
| SHA512 | f65f51745df07ef793d3be7ffa7f995a0ef6bebe9103ab562db403293cb729272961e90e791ebc2298aa27fd672aec12bdf2d91e6bc9905be72a10d0576ce20c |
C:\Users\Admin\AppData\Local\Temp\kwoE.exe
| MD5 | da57e727d49aed0672e18206ea4726f4 |
| SHA1 | 860427c89c83e569418e3ae695ba0993b774ff73 |
| SHA256 | df8304f069bb8bace90ee34cf63ce5aef25eff6e75142d053d85fbec72dc21b3 |
| SHA512 | 487ea64a10b6692e0b1452ca1a7066d24164830a35700dbb754d85fc5fd54c7fbcf76a29cd50a3549b3454989af8a1d90037e3a237bd647e2ff48750c1c9f5f3 |
C:\Users\Admin\AppData\Local\Temp\ygEy.exe
| MD5 | 1c60f50bcc7ea345e161066fd69751d8 |
| SHA1 | a2d8ff32bae7f60c8b4be36ebd47a3fe5111f506 |
| SHA256 | e4bd06fe148f37c3d2256e4b4eb6fca6d0f8a3af49b4124d9e499738486b2892 |
| SHA512 | 5532cabb31a47b13c7c22a34630cd512aa6f747a58774a68c86e779252ba807568c6b27554731cb3cb57ffa5bb91e439e579493d9cb7df6ba8290a9989a95bd8 |
C:\Users\Admin\AppData\Local\Temp\iUom.exe
| MD5 | a6b281de132596ef8f5cfdfd7e83e0ae |
| SHA1 | 31a89243bf61e87661f01e177e7aaee870b034ba |
| SHA256 | 65e0fa142ef68da4bbead574e775281f9276b4ad4a993746d6838f81cbe38b58 |
| SHA512 | 9804303864b452a0c0a7dcebb22751704d2a8cc3a8b196d45c7a344678ade03f987461bf7268e4e394eea6e59dd5b7b73d951b3f51aa96772a207e772eadf371 |
C:\Users\Admin\AppData\Local\Temp\yokm.exe
| MD5 | 9842504e1b222ba4079fbc0450cb40ff |
| SHA1 | cba5d795ea02f152bdc34d9871fefb2e963e7676 |
| SHA256 | 91c078932c1c4af2366fce9d5a23b749e1f70dde72f33ce4001ed8c5b47f85c4 |
| SHA512 | 888709205b305fd04f736977b3cc88b12a53ba45950ad7f2840f0d1044ce872148334842d22606c72a717f93b95667e8cad55b3e0ddeecbe923a88b044a95657 |
C:\Users\Admin\AppData\Local\Temp\UEUk.exe
| MD5 | d849cfb31a5aa6e1184274be647290a4 |
| SHA1 | 7c03f7b441610064dbacbed9f6902418510787f9 |
| SHA256 | 5d79bcba82c58864459c1d90fcfe0ad2b0fa49e29f744fe91ecad6f867bc8b73 |
| SHA512 | 3506a27b7b139e4113b0030400ed28b9eed87e4ac5b71db2fe8d883984afccb54d5b730d28c43ddd705313cf6fa8d92057c9b72553091e5df69bc12e70f831bd |
C:\Users\Admin\AppData\Local\Temp\QcUs.exe
| MD5 | 6c9fa1c586d1b56fa9e0e413fdbc6d54 |
| SHA1 | 9f28767e955ad3243c2521244b6bb3ead4423c1a |
| SHA256 | c0735f9d021d677a6829d91538b3154043f2740bf86d54b5c9c48db0fbf1406b |
| SHA512 | 71a1939ac8d2f660990c7eb160fcd8fcd54d3672649fc89270a33ac31c3c60b40327902e867cb71e67f01494253219b34d70313d314280ed332908a6e9428454 |
C:\Users\Admin\AppData\Local\Temp\mcAi.exe
| MD5 | 585909d533bcff11b7459101b501369c |
| SHA1 | 5070ef88ff054f9b45cbaaa1999522ec45a8ca62 |
| SHA256 | de1bd21ad4e15121c3fffcccd2202f25b02a56385c2e52fd5ace6b17fb52535d |
| SHA512 | 237f746e7449f4ffcfce3cb8deed0c862a80609c7d8381f047892a886f70755d87b9a10398d9c29af3d22e9078e4d848dedaef30b0e38ff316f3a502d185da03 |
C:\Users\Admin\AppData\Local\Temp\gkgG.exe
| MD5 | 2394dd1ccb02584cc97c551a9d8d8519 |
| SHA1 | 1e38123a7a14074cf7ee7871cdfbc0131b88f7b7 |
| SHA256 | fb017ebed8fe835793b8eea5d8b2104a8cebcdf739d619e3b5ffc78e1c3f1d1e |
| SHA512 | 7ae7cc5b14e41b84f6ecaee19f811d13ac6068e72ad5c0979d0c0c16105cecbcb44bf8fd20c99268006942e8bb774c693364d4ce547e4981dbfa526df8716720 |
C:\Users\Admin\AppData\Local\Temp\kkoA.exe
| MD5 | 0ec17cbd3ab84d58c724726ede0f2920 |
| SHA1 | 98442c56fdd01e4c63362bb4416fd8d58f05c343 |
| SHA256 | c031666e63e1cfd19b2c4f0fcf7d741d7f838c060fb414d6c5b12047def21cf9 |
| SHA512 | f92d2fbbcfbaec9f1db81a05bde7fa770e49fa40194776f0c46a038c6dfab8232a277ea4b608918f27c5fc7f65a555a315f0786c4ebeb494d183da15edfd2be1 |
C:\Users\Admin\AppData\Local\Temp\MIcO.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\WsgE.exe
| MD5 | b48c5571d418edb108d13be396af8edf |
| SHA1 | 30922a828c44d8095ae4718acef45fd07355b7e7 |
| SHA256 | cdd95be17549f5c70bd13c05c9d72414e5b15f9d0c09c618309cca0afff9f79e |
| SHA512 | bdcbf9d40bfa1129b5287b139aeca3f93acba257d7130fa1fa15199814011171ef6486a92b1dc3f040f9489d2a904af700a41300b6df846135a2d8a50a56966b |
C:\Users\Admin\AppData\Local\Temp\IoAw.exe
| MD5 | 4d4fd566c592049ee3f5f1fea69472f5 |
| SHA1 | 4a1413a489414d7d1e54378c32ebb91b8e1a12e6 |
| SHA256 | a5be8bbad1834057e38810ccb54b3d4ed057f4990f13a3aa66f5a020df01fdc2 |
| SHA512 | eb6326e6334eb51ecfef59f14a03939bd8d5ba41369e4288ddb36d016980efae6837329ec10c52d6a36519623ebfe985bbc11d6ec192a717d22aafa92fcf9723 |
C:\Users\Admin\AppData\Local\Temp\SMYc.exe
| MD5 | 95fd180a7130d17aa1ea4b77bf6ba6db |
| SHA1 | dc5a9cee0ec72b07999b8b2b1f62ad2f3e99956e |
| SHA256 | 8dd77cd65b21313e100797158d351554a9b04caf17fa94257c112773adb09af5 |
| SHA512 | 86339a6f4ed8d149d32db79d9570638688d71b20aa3f27c434944873f89af0414e1c6f3614285149604eb23de667362b7d5834e3c9e67897788394e5ae6c6d6c |
C:\Users\Admin\AppData\Local\Temp\GUMS.exe
| MD5 | 39001f045d9a30043d84cd3dc0b5b73f |
| SHA1 | 965e3f10f9c8e6aed3f4a409dec36c8bb1be0684 |
| SHA256 | 5462f6b66c5128a6ef47a3a3182571d0dd0fbaff0ec076187284fb83146d9eac |
| SHA512 | 04836f7ab60b82421c2edb7580ae71f08eb057ff8da2a029df3296ff0da8217d8167d550733cec52e314458dc7149bb117d860a55ecec85afddba6d7368345eb |
C:\Users\Admin\AppData\Local\Temp\IYwk.exe
| MD5 | 2758e0e6addd60781e7094b18085cd77 |
| SHA1 | 50841f71ffe1c64656fec2186e44f601391bf4d9 |
| SHA256 | 8616468eecde39334701171c4385332fb166865becfa488ee12073ed84dcf398 |
| SHA512 | f33cb81f295b8a6a5415ece02598d8c0ebfa072aebd5b1cd2e7eab47e168e7fcbcd63c13bf4d2236d76b2a37941c73dcb4e8a1ce1d8387138133b175001da3ca |
C:\Users\Admin\AppData\Local\Temp\Ewoo.exe
| MD5 | 021daccb2bc98d6b25638ca35b430d92 |
| SHA1 | 1eafce56bb78cbe68f95bfc9d2f4958470a9c199 |
| SHA256 | 5c64d99f4953b2a9cc12d5692810ebca775a92fb71edd55a62dc8ae7d313123d |
| SHA512 | 583d08a9100b39991c05e1f1dfa82691f1191efccc155df3254e953b61c2c596aa722b7ff44d0dcc0aa9a1c62c7d14bdb8a03fdd7f3ca495e8478b0d23413993 |
C:\Users\Admin\AppData\Local\Temp\qUko.exe
| MD5 | ce786f8b54478d18410afdc3c0096f9f |
| SHA1 | 852e88d81e4409bce67c8a74ebf879d74d44f1ca |
| SHA256 | 8bd5ac5c6d21c0f27992074cd698c8b4aba85798691bf26db8293f1323272e70 |
| SHA512 | 807f1c6a07e8a735dfa8d2e32a4fc39ed59ff02e49263853a9ae23977786b77d7aff219d0d6d222f7b88ab1fcb201b1604537c3329efeac405db4e116faf9dde |
C:\Users\Admin\AppData\Local\Temp\KccK.exe
| MD5 | b4c2ae4e6cc687c66c0230c04826e881 |
| SHA1 | defe61acc55265d040dc00a11c5cd4f162dffceb |
| SHA256 | 807a4fbdeae5e13ea22486e0762f55913f6298700a7310fe167c10ddfd614a81 |
| SHA512 | 0ce60f3ab8441d9ece74b7b7da3c499c032b602dc9614e26d3e04bf37a3878c73431217618edce5ee24b5af89680a4e4a57a4cf53175ff5fe52e22bd40d296d3 |
C:\Users\Admin\AppData\Local\Temp\uAgA.exe
| MD5 | f358bc4499ae7be6c84378a610d5fd06 |
| SHA1 | 9676b64b0c6f113ebb5418215eee0dcde6f78148 |
| SHA256 | 0b14ce139945cd5824e9d4d40972cc4a28a082af2a02f1791e2911a84cec96c1 |
| SHA512 | f9ce8d683a26428cf3b36be3c3812e44ff8f0b38943e1183b137e27c416d48b774c659e762501cc2b88a572279240335ebf6d523043de8010a5442092b132839 |
C:\Users\Admin\AppData\Local\Temp\uMcQ.exe
| MD5 | 2fc154e7fc2e83fe7e3321a511db3def |
| SHA1 | 7d96fb9f0502f4be02478361f829c8ab5ba91342 |
| SHA256 | e49790c65348b0d24820da141a9462419ef7968e7d154e04b71daa45b940ac17 |
| SHA512 | d1af87b4513be82b89c193b1dbdd39b31d57227cd84c6583dc6ee17f0aac33c1f133b51778ab18aa3b21264791abd9b0a380bc0bde756f7bcafc95c2ff003991 |
C:\Users\Admin\AppData\Local\Temp\ecEM.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\gUYy.exe
| MD5 | d03b29308d70e41324c4474e254e1a80 |
| SHA1 | 3cc8dc73a393e34cd6a36182038cefc80a373817 |
| SHA256 | 95c7d6742c84b19a8b6dbcf63bd9f78b67fd650f7de26247c73b854ae41938b2 |
| SHA512 | 8ebb65c273506948d8cd4a1e8b9c5fd5ebd44337855e8c0581e4c465cb0d263fa054f5aa4d35df0b05dc6cc50477c428820ff4d65aee381cd7de586c4e4c3ddd |
C:\Users\Admin\AppData\Local\Temp\OkwU.exe
| MD5 | 956a687e39cfd27e1f0d99923040f6e6 |
| SHA1 | e9010e16b1a39e0785c4b3965831cc4735648c12 |
| SHA256 | 9558014a174b6121961b4198eb3fea57fe102b53e8456a1f7d0dfa8abd063728 |
| SHA512 | fe3b9703c38f3b63712bf1a47189534ee11359e42052572b078bdd6588657c4af7cbfb789a1b6b6add50cc34cd036e44250bac80e0ffc89150db5e8917587be4 |
C:\Users\Admin\Pictures\CompressConfirm.jpg.exe
| MD5 | 99422726b2ef0bcf2fdf1e10a34464fe |
| SHA1 | 7fdea86255fb46e9354f67a30967947c0a4acb68 |
| SHA256 | 31dc292c5efffac1bf72310f3b4d3b3fea4cd8f89755e5ebcea859528f3ec2e6 |
| SHA512 | eaa15efc19c6d95ecdadc1b88d3e875df168debac4e998da78f4018e282fa8acdc46993473d9bb4db6e2bf29c4bb73542fb79394548d4730f4cf330e5cd1b0cd |
C:\Users\Admin\AppData\Local\Temp\OAwM.exe
| MD5 | 382810c4f90c8ed8a49102889f120802 |
| SHA1 | 467d1adc3140ffe19aba4aff8fef302608c69025 |
| SHA256 | 8b24e120e3b67702761248c063eaa09823f974893480b96c2f146889bb53c6c4 |
| SHA512 | 74625bb37481e862c0b77326252bf5b154db9cbccce07eb70bc2272f4d7a02912f73e056dd3b2c27200c8c6621f7ed91ee21101cca8e00d320e4e55121650f76 |
C:\Users\Admin\AppData\Local\Temp\SogA.exe
| MD5 | afddf7da012f0869d6929eff5d425ef1 |
| SHA1 | 863be60f0bd39a4f91ec7f4ad9945677c26e022c |
| SHA256 | 6f1049555d6a85f86980625e85988c12d2c071427ebb55e1d11d0dc229e264a7 |
| SHA512 | 178a32399408004aebb53d747d23c194675d97b4d23072a43b6f51c97c964fd5dee1ed9a1470055c7c6a93b9a56821bc6e3ade0ce0fe4164ae1e97915f755f54 |
C:\Users\Admin\AppData\Local\Temp\KMgI.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\swII.exe
| MD5 | 9e40c85eb84a5dd926bb895c0f043da5 |
| SHA1 | 4c6d5580648234b9ee8e3dab5d6f30e0e1d6444a |
| SHA256 | 7e3c8118ba40fcac16318b6db5b5518ef3df5642edfe592d6b576fdd41067721 |
| SHA512 | a14aa91b45419766efd7f262cbd03347a4bb2ee1b1e0e33a9e87c416c1b341e1404a0d343f03ed81e38e5b1cfd9ea5194c5c80e5e6381b21b9a0c3b8dd5c9578 |
C:\Users\Admin\AppData\Local\Temp\swII.exe
| MD5 | d6d343f5f014420b840a079bfd65cadf |
| SHA1 | ea83fdff8d83792729c6b8c17124677dbb6f91e9 |
| SHA256 | db41b870c0b8d3bd79b570c82434b986e72cdfca068f62889e129bae9b5dc21c |
| SHA512 | c0869a05d7149ae7df6a07b1833d88cb033b1b0be9a466baba357608893cfa274883864ed2b201d34434abf96ab8c5ffcdd2621028062e230c3ab870724e32f4 |
C:\Users\Admin\AppData\Local\Temp\YgYU.exe
| MD5 | 3d40533464327bfda6ddefc8e65eb6db |
| SHA1 | 695c2ea8c4496280d3470f13e88d917943fff7fd |
| SHA256 | 8fb6d648bb346972aae87114498974450704ff63ed9103585b0a83e48fbe550e |
| SHA512 | d9a1c45a155180f6c7a7b8ee72ebd95432e6e1dd032ddf3d1bbf9900dfedc2d9949fed40bef241a2a354ea9638a4c0c3899c628d73684a37d13cf3bada236687 |
C:\Users\Admin\AppData\Local\Temp\kQoC.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\aQIy.exe
| MD5 | fb26b0cfe06f8c484a90130171d48489 |
| SHA1 | a2a501b740281b92eae0303460480f16a70da547 |
| SHA256 | dc533c85f87f55d42d465c8270e950fe680fe2ba2c3be3e26724056e75366b7d |
| SHA512 | a106a5a1eba26a5a56aef68cce914c5506a437a9ce68c259332650b6297ddd354770c60d021d2fe30ff7482ebd8ccbf8ead4bb01bdf63195b6eb91890de6de8f |
C:\Users\Admin\AppData\Local\Temp\Mggu.exe
| MD5 | 6ad041b450e85dbf587f1e40c20daccb |
| SHA1 | 9e61cce80f7aba4f80b2b2c7c00a25b86bf987f1 |
| SHA256 | 936084846c106ae59ad2dfa5c3d18dd218ca715025d635bde0302ef09c2ea976 |
| SHA512 | 2d69a829f2d8876ebfc823d3370f45fe439b718b911adf13c2aea564d1354fbb3ce7677e84dd77d8b268be6ace5fe15581cb7b4b49f6f5ba039fb0f5aca8e3aa |
C:\Users\Admin\AppData\Local\Temp\GEoc.exe
| MD5 | 1ed82f42162336e5052409574e1f8c3c |
| SHA1 | 1f693a4cfe672c056e1eb4b013c873d98f2939ce |
| SHA256 | 557813a8d9f0b66de40da08d78e4b46f17eee490b364e5f67275f37bcd69ee70 |
| SHA512 | 3267c156e2394a87e00196a040dfa1b32e69b299daa2353f1a6862a436bc0bfe5873b8e07217a1502d44ab2a7cb463c2edc11996f265f66109895187581fdcda |
C:\Users\Admin\AppData\Local\Temp\qgoG.exe
| MD5 | a77511598cb804b77fd43eccc4d333ad |
| SHA1 | 37076c6f7d649406c820e6a8df2ac0dafcbfe936 |
| SHA256 | b491a822eefe159e46ffb0d9112b456b431920c68cdae5483532780a7df67b02 |
| SHA512 | a71254a3938f0f1e3975f18db1af4e2f3d05c0e33ff57e71be7a081ae005f811a0324062c2ce428de1e2ec7d128e49d78e63e81145fb4dc6dec32b939404f312 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 3e82707b47ae587288ad08226b1cb575 |
| SHA1 | 4bbeab9a82140dee466a1124703309afac430e5b |
| SHA256 | 24c7693247206110ff0101b37e4b21241f5d84bd2c7bf2ac6d8040fcd05c8a76 |
| SHA512 | be85a9ef914ef516baa3024c0698270c4143b39bb09e1b1a68a8c51a0b126587dc2db5c9a4abd2eb49fa8fe6cd11253a51b309dd15a4fd9b5d668daccc03c6e2 |
C:\Users\Admin\AppData\Local\Temp\AgMQ.exe
| MD5 | ff0d4fa7bb545f3292879cd1edb07b5f |
| SHA1 | 7a9867ab9d8f4a43732038e843391fda8f442194 |
| SHA256 | 46f2878d49e997ad572cd010460b11ec19f099d383f7cbc7067f3d8da1f14da7 |
| SHA512 | cc091e96ad5dcdcd42333d80cef756a20af4ecf3183ad452d8239eb0ba8f9a62fcecc4d78380409baef44b5aa0e11be0f9f4b90e4f39e8d10534b1fa345361a9 |