Analysis Overview
SHA256
9088d6a1546ddfe83f0ddd30995a7fac08ee96ead9cb948761e272ee80ec260c
Threat Level: Known bad
The file 2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (88) files with added filename extension
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:22
Reported
2024-04-07 23:24
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe | N/A |
| N/A | N/A | C:\ProgramData\ZeQookMg\mIUkEMcE.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kkkIogQU.exe = "C:\\ProgramData\\ViAssEMI\\kkkIogQU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAIgUMUk.exe = "C:\\Users\\Admin\\bQcEkQIQ\\BAIgUMUk.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mIUkEMcE.exe = "C:\\ProgramData\\ZeQookMg\\mIUkEMcE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mIUkEMcE.exe = "C:\\ProgramData\\ZeQookMg\\mIUkEMcE.exe" | C:\ProgramData\ZeQookMg\mIUkEMcE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAIgUMUk.exe = "C:\\Users\\Admin\\bQcEkQIQ\\BAIgUMUk.exe" | C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiUAkssw.exe = "C:\\Users\\Admin\\SSsAUQIk\\jiUAkssw.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\ViAssEMI\kkkIogQU.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\SSsAUQIk\jiUAkssw.exe |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"
C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
"C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe"
C:\ProgramData\ZeQookMg\mIUkEMcE.exe
"C:\ProgramData\ZeQookMg\mIUkEMcE.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ekcgsIQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TWgEQEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\koksoUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIogsUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aIUYAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCUsAEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\SSsAUQIk\jiUAkssw.exe
"C:\Users\Admin\SSsAUQIk\jiUAkssw.exe"
C:\ProgramData\ViAssEMI\kkkIogQU.exe
"C:\ProgramData\ViAssEMI\kkkIogQU.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 36
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 36
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMYwogsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ceIYQggQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGIsEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nAMsUoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmkMAckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYYkIIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkcoksEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcgsMYUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMEYAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQoowAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeEUQYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSwQcsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| DE | 142.250.186.46:80 | google.com | tcp |
| DE | 142.250.186.46:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2088-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ProgramData\ZeQookMg\mIUkEMcE.exe
| MD5 | 90800834fd22a9d08e2bfe162d0bf32c |
| SHA1 | 485985d18ec86124af8c4701752c6dbbaecab027 |
| SHA256 | 3cac47a93df604c121b2e5c6d9deb9f39bb64d6b89a02fdd9bb8f39b96d35497 |
| SHA512 | 2a0744cda8d6d9deb477e5b9f10dbed4fceee3fad1178197fd00baeb245f5de770560a86e1cf3a9f08d9b9ca530a81d5f49fa334184ecfedb8a4afca721cfb94 |
memory/2088-12-0x0000000000390000-0x00000000003AD000-memory.dmp
C:\Users\Admin\bQcEkQIQ\BAIgUMUk.exe
| MD5 | a18f8204f1f0fa4b1cff965a664d0c84 |
| SHA1 | d58c7134bbe1a97cbaa0d2d536a58121cfd8c5d5 |
| SHA256 | 4b148017b7a78cbcdd5dc586366311fbffafb64b14ca99283bdcd43082fd8753 |
| SHA512 | f11da6c88c208fcc76f4420e5155eeff817dcba3fd7ba6d4f0180a5866411874f7d8bf4361cecea9e8b7744e9990e6c4f6ad97b6a52f815a29c3740c8a482575 |
C:\Users\Admin\AppData\Local\Temp\NYUUgEEE.bat
| MD5 | aee081586535b3a078927e9db8042ac3 |
| SHA1 | bd1ad1de6b32d695067aa05a3d4018c097228a1c |
| SHA256 | b8d7c8e2116f460884c4f62d7cb419d8883ce3601246fb1b019ae05f6f64cc44 |
| SHA512 | b9a9161b18d07797101181138405b5769e191f0d16ce142a39a769a15a26763825fb8f7efe36eb8dcbb3a1e6f883e782f48d3597a8a964d8e038d845e9bc69d2 |
memory/2088-29-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/1724-30-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2744-32-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2088-31-0x0000000000390000-0x00000000003AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ekcgsIQA.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2088-41-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2656-33-0x00000000002E0000-0x000000000030A000-memory.dmp
memory/2656-42-0x00000000002E0000-0x000000000030A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
| MD5 | 8069e690a23c6c533e7209fc672f9b23 |
| SHA1 | 7c4c896dd84d8cf02eac5f74282a18323a0304e3 |
| SHA256 | e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0 |
| SHA512 | 6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a |
C:\Users\Admin\AppData\Local\Temp\NkcoAIkk.bat
| MD5 | 561c74155c8911327a4440738bbaef24 |
| SHA1 | c43354347eaad53e53e52b27c382175ae64c05d0 |
| SHA256 | 18b94c903b79f841b86dc6849a482485a2fd2172d0eb940161383e818a507331 |
| SHA512 | 9e111b82549a07c1baecf88d0c74011a802f1a6f1dcf5903263920b60960a94cda196b2fc877a7924c32ac7be1b419e0f6a8fa83ee6387fd2885171e9554061c |
memory/2588-64-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2244-56-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2244-65-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2768-66-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oGQocAIo.bat
| MD5 | 22c8de4ef1c173048bd3067a267ac4a9 |
| SHA1 | 68d739b18c1c962c585162d4c2442f8f452166d2 |
| SHA256 | d1fc6fdeb0f838597a040cd424165e1b4b0f4982c0c7435f7d8b4d934e87bcd7 |
| SHA512 | 0546db212826d364e86441522f783bfb800672cdabfd91c703c86a34274c26800f04d0ef7f6c9bd97ab1fc558d4e1884bb600565465cf873e28141aec07aabc2 |
memory/2684-79-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2684-80-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2248-81-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2768-90-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fKowwAoo.bat
| MD5 | 47323687b2541bb6ee1b450815b1b7c2 |
| SHA1 | e5d480d57bd013955a5bc1b02c530099c1135d67 |
| SHA256 | 84eb9a4b13ac429ca882fdc2dc24c0565076b54b841f4612fc791931422c91fe |
| SHA512 | 681e29303109859ac0eba7da000aa8c91ee56143da6b06bf03751a6e916f0835a57e08200e1326049eb65cb8a7c5d5612f96dc6f637fb238618b00bdb6b9bfaf |
memory/2248-111-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1284-112-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1284-113-0x0000000000400000-0x000000000042A000-memory.dmp
memory/756-114-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VOAMYMME.bat
| MD5 | 49a619b3f6b43011e72b1176c66671ca |
| SHA1 | 84a038b5e7ab19cd01ddbee9897fab8357f30683 |
| SHA256 | 14c929b99b559e69f5a0da4d37c770cf42a63fe41fd154fb9fe1e58add1bd933 |
| SHA512 | e0ad6fe3a105f4f0c8c6011655f59415bdf7bebf1c3c7bd4b179b8db079d8a03ac3441a63e971094e646038e7a298ad791857bc1ba98427f05552e1c8eaaa2cb |
memory/756-136-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1084-128-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1084-145-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jWAEkEsw.bat
| MD5 | 99f62e28bf513b5091a4487161d800e5 |
| SHA1 | 3ca8096380d321de600e9386c1b3033df0c2c0c8 |
| SHA256 | 6fe4040173b57e0d3d94b0c50c66e061cda98f138b4cbe8ae552fb248624adfd |
| SHA512 | 864c0508113284e98e2b619e656a85a4044c4210c16673b98eacadec23bdaba98543a712244527d75d10f4b44eee8bdc08d53e16786034ec609296b31480bf02 |
memory/308-147-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1528-161-0x00000000000B0000-0x00000000000DA000-memory.dmp
memory/3060-162-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3060-164-0x0000000001BF0000-0x0000000001C0D000-memory.dmp
memory/3060-171-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1684-172-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2184-173-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3060-165-0x0000000001BF0000-0x0000000001C0D000-memory.dmp
memory/2716-174-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2896-175-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2716-176-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kSskQYEI.bat
| MD5 | 7f9bd27178aea3c23e7e824275d3d172 |
| SHA1 | 55998423b1b8fa233b7423784b2b5531c74ae036 |
| SHA256 | 30201111d3962548f23f4cc4afc8b4baf97ce09db393a199aa10174873755a26 |
| SHA512 | c191953dbd173d5ed050063e5c2193520f11f6fe758b61b2cad2c27a0c52edc912d2913527d2a1b8dbda565eeba57a631d17537008833095b13b7b31c01645f7 |
memory/2896-197-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2868-196-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yUkQUYYM.bat
| MD5 | 55fb7e57cf9bd635e32e933dce3d9d23 |
| SHA1 | aacb49a45a8dadf12c5cece3b0a69033e97059cb |
| SHA256 | fb3c0076a6da6725acc62a80b32bd88cea4985c772043d4b29a80bb49020c30d |
| SHA512 | c241990c7b6d33feaaa2b3d68e4a4594bcbbb80f06de52c3749f5c1a39567f159a07d42b31c359a034c55f49b1e1962a08618e761c418ee221b97efd0efa8b34 |
memory/676-211-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2868-219-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fMUcIEMA.bat
| MD5 | 23f11d9010cab312f161681203b130f4 |
| SHA1 | 5108e43c622459a29ed9f328e4caf99b5cc5d0af |
| SHA256 | 962ff7db4aabf228edd0ddc3428207124ef59277ce1d27e5ef8ecb36c5b738ff |
| SHA512 | 5786f905ffaa0a225c712f4f8c3e1668869d62d8864950506c5748add5b1d9fc30e102387242343517e752fea00995262c37ab2b4926d7711611c962474026da |
memory/1100-232-0x0000000000170000-0x000000000019A000-memory.dmp
memory/1100-233-0x0000000000170000-0x000000000019A000-memory.dmp
memory/676-243-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xAUMwkQE.bat
| MD5 | a4be4eb7399aae478258ad8b1d931597 |
| SHA1 | d3f6c1cd1af6283a6780af5bb6bbb3716d388929 |
| SHA256 | cdcdbe89b7b62fa1c25da39ccbee183c650f523a819b09fd139aa7be408be3d5 |
| SHA512 | 75f2c6fa3e47ea7a8def1db731d0754ed4a83f23dd5ed8cd36452399a8cde63c495ba6cc87d0426256bcd9250f548198db5aefb0c57e80f2ae66d00a3c8ccbb1 |
memory/904-234-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2028-255-0x0000000000160000-0x000000000018A000-memory.dmp
memory/1388-258-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2028-256-0x0000000000160000-0x000000000018A000-memory.dmp
memory/904-266-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DSgswkkg.bat
| MD5 | 3f87458209e229a513ad2535411af96b |
| SHA1 | a9ddaca706961d0ed61425ef49ac50fc0a136f1a |
| SHA256 | f8d0b6acb099a116a90384cbf9deaa4d6d28a9b6b77f14b6220f0aae10778932 |
| SHA512 | c27526d9cc8d4ddc1bfcf17e9ce408035b49cb52d8276873ac7fc68f890d97c47773cff5550be8d274fd1654280d96ab6b032fe8228a2649aa3718d54f86bb73 |
memory/1388-288-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsEcgEkM.bat
| MD5 | 05e497951d51455a50415b30e5ce7480 |
| SHA1 | 4cbe658ea701e201e37b5f2f85104d8d4a64825c |
| SHA256 | 8a18ead161ba78a9e9062f6b1fca2963a08702bcf0999c37b353242f12dc36d2 |
| SHA512 | 8117d7ce48369c553409573f4e097c64f3a82d3a042a8c4ff25e2d61097274084a8ac6394d9e4434a0727a9a18adeae57f6cce49d5d3ff074966cdf93e48ff1f |
memory/2732-301-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2928-303-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2144-311-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IWwgYMMQ.bat
| MD5 | f34d2ee2ccae54302fad652e6e2ba467 |
| SHA1 | 2449755b1d4bfb29b820580503b64ba84d92203b |
| SHA256 | f2f9b5a6901ef4bbb03661823ee57739da7744a480c47ebabd7bf9fe7512e3d6 |
| SHA512 | b2e741f420bd0d279fa19e781eb46c3901585403f0cf49feeb14e10f65064a4dd4504fcee92e3e0785c539aa7005aee5e30873b07c5829bc969c4e2aff9866cc |
memory/2800-323-0x0000000000300000-0x000000000032A000-memory.dmp
memory/2800-324-0x0000000000300000-0x000000000032A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bOAIoMgI.bat
| MD5 | 4a17d3cb8078713adf5759694eabeb58 |
| SHA1 | d81db22d16c78f374f816d46a9e3bf41c0d0fc61 |
| SHA256 | 0407e9feb15cfeecd7d75e14e17ca048f080020f4badbab75518b3ef8385928e |
| SHA512 | fddf72ff59298da80f7a873e471d9c4931cb996fa2db147aa5d438dbb4cc5e2a2ad652262e50f56d6bfa6b3bec8fd6d3d6735b25b9c71fc3c6bcdd7ad8d2d9d8 |
memory/2928-334-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1672-326-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1672-352-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
memory/2504-357-0x00000000002E0000-0x000000000030A000-memory.dmp
memory/1328-358-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LIIe.exe
| MD5 | e6db382d60a99dcb38e882155c966c2a |
| SHA1 | e76fec3e7af82419b47fa0dd441754c7876a260b |
| SHA256 | 93b32f6b77c2600837212f9dc9a7735ef6707ad7496c20f547a717c992b0542b |
| SHA512 | ed6262ad66d6c0cb03a81689813018e1ecca718d8690bfb24407e612ff03e32acedaa76ee77bd3680af9d99e8e1979db714af558ed345ea732c9343ccf7c759c |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\BMYQwEgo.bat
| MD5 | 30f562db4996b162dc5e523dda5a3b15 |
| SHA1 | 7d97eac8fe9b6386091ebae606465080504410f8 |
| SHA256 | c0ce1d56b01e0c3bbdabcc2e915d893bcfabaea9ef72dfd2833a4990fdc6f36e |
| SHA512 | ffa37da535453810ed79e32988b0a8a2256334c4b6e01af89c2e9a8f3bacfd76eb492d90dd8e885063646d82c19b1715cbfabfea9aba71d0e9eb81ce9a8bb425 |
memory/412-387-0x00000000022B0000-0x00000000022DA000-memory.dmp
memory/2248-398-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GwwYYcoo.bat
| MD5 | 34364b73bb78f22268400d8aa5e2ec9a |
| SHA1 | 3112e059189120e1a42324140f8431b32fe1225e |
| SHA256 | 6127634954c0b0e74973c206d00ba933ae66e7c1ea0263df3380efa600c4f94d |
| SHA512 | c01af30f1d3578cdead56cebdf26e02a3240b77b3ac1694165c49b22f72461a73d27cb33ef27ad4a80142ce3235ea698c2d64158cd70bab7589aca3f1301af72 |
memory/1328-397-0x0000000000400000-0x000000000042A000-memory.dmp
memory/412-395-0x00000000022B0000-0x00000000022DA000-memory.dmp
memory/1792-432-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jMMI.exe
| MD5 | 35eb1ee81a380371ffec40fe78442b55 |
| SHA1 | 3ecd324a3dc8247aa684c13e4f018cdf84e2fb82 |
| SHA256 | 99b76a1734d5f4c987fb44a52c896af4c0d0f0e8188247ae9b13d8aee1fb078a |
| SHA512 | dae84e19d9b5c6849bcb8848fb525c6a630ff7f4b3cc16945cf0a5c338890d2ceaf8ecaf4311dee6c384a64bc07a368e99a88f6fa4784095e7dfb3547f510ad6 |
memory/2248-418-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aEoQUcUo.bat
| MD5 | 27e2b3a302a84eac8d631fcd4e364cfa |
| SHA1 | eb303ba90424eee6aa075b20c503d308179122bf |
| SHA256 | 3af9c42b39d0ae641f0093c254f2a3ceaa807fdcd869be33a122738891213bc9 |
| SHA512 | 7a9099c386567dbbf53707ef9b5023d5d469de6df68924f418b0f3714aa6ca3053dc922eb0a78e4fbfc5b0e3a2e349e60ec18c80099533ce072631e92f272230 |
C:\Users\Admin\AppData\Local\Temp\SoQk.exe
| MD5 | 721960775d0bea31429dc376845d300f |
| SHA1 | cc38f111e774639e703f84e3c0ad2b914447cd0b |
| SHA256 | b983284824ed9fcc0a6e224fb0bbb51fac0a29e0899e1b4320ae464af7aabd62 |
| SHA512 | b34099a9c4479a57e30f0fa05d9fc1c2844478ac0f526f923511929c06254d2b28027fb49d9427b7d10f3fffa085502a69a04d4befd3d2ae980b13740471872b |
C:\Users\Admin\AppData\Local\Temp\SocY.exe
| MD5 | 7081e639add1d2903492fe38f913d600 |
| SHA1 | 6930eafb83bc487623b63c2020458bf97b3a5d64 |
| SHA256 | aa2c5067100bbc85705091fda59f267ffd4274ccc837b41339e480fea6a1c280 |
| SHA512 | cbfcc2d1bb391ca9c3261faa8fff7e458c595388335313ef0c6c6335fc37cead34e6acf011e392aef42d06276ca55fd5c37d88e020c27b6206a29ef679f561d2 |
C:\Users\Admin\AppData\Local\Temp\PQkE.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\pIYQ.exe
| MD5 | 23c6f8fe166be2639903c55f31ca4ee0 |
| SHA1 | c8219481572a714f66e6838fde0561808c94d049 |
| SHA256 | 8e0212f3292ea673f6def88900cc90277ca64fd9d72f81332c02f733773c90dc |
| SHA512 | 750a05cc5f77e8c9a46a4e7244d3a772b67c27afe98988165b0cddd7588d6304e9722df8d58149eff870aba5ca46fdee72ba4e8feeee2bf6fc857d52d7651301 |
C:\Users\Admin\AppData\Local\Temp\cwAK.exe
| MD5 | 225e716f7f9df71914efd51e3ae218b0 |
| SHA1 | 7505f62635c5662da0f0a620d2e7b2f4ec09f9d6 |
| SHA256 | 9b33687335ebe467ff0c004552472af8d530895855bd866cdf9c281607a90180 |
| SHA512 | be748445634b4c06389a89e60dcd3ce56dedc53eee3f1e597c1b26f6a69fc04e755bbb7a4256a0e065695087fd9f4990e7efc0432ec949f3b9fe27b049dad075 |
C:\Users\Admin\AppData\Local\Temp\QsMw.exe
| MD5 | 8be6c02fc04cb72911a6bdf6c5787938 |
| SHA1 | 152385013696a62296b49825d919ddbcd4e1a292 |
| SHA256 | 172a14851b78b83d2fbbe697965da99c9830d0fb7be86b6f35d5667689501227 |
| SHA512 | 7bfd6172987c83f81c12dd8c99be89c5fa49ed1f71f869df4156a496301d36ba6a0de55a6931d43e83e12c4605404b5364274210aacf1e144abace133372f904 |
C:\Users\Admin\AppData\Local\Temp\EIoY.exe
| MD5 | 11ff6a1cb039c4625207cdc3e20ce413 |
| SHA1 | 61378598ff98c07767a6916371f2e14390d7f0c7 |
| SHA256 | 20e34f300046c78545df466d7c72d3db8c39f5cdd0b06dee5915959b7b6ff5af |
| SHA512 | 05285931f848914234a358a878293864d6b58e629254441b6ea0a76a5f420febf760c886620677daad96785bd4ef97ca15921f4a5cabb6d38bccce81816b78da |
C:\Users\Admin\AppData\Local\Temp\UkYI.exe
| MD5 | 091b7e873dbc541835abab34713192d4 |
| SHA1 | 9037c03abefc177febbe0848004536b1d4182ef9 |
| SHA256 | c14bbfc42049faab63d7d59d0e54862d529f0acbfda54fa535ed36c7e03fdafd |
| SHA512 | d03d4c211f426bf14203e4efd3f17f74860d63fe21990860c3e73beed59674e0369f2cf27a034d434adb2f260e52009590324a2250fc8293020304970201c7f6 |
C:\Users\Admin\AppData\Local\Temp\uUAe.exe
| MD5 | 22bd8562179f07765d75b69f6b460a23 |
| SHA1 | e290efc509b25a83c727b7a84c5b1fdf4f319404 |
| SHA256 | 93c19dee7d009f119f5635e98a6cd172be580d9e2791b1cf308c70a8ae515450 |
| SHA512 | a01992653bf398d4535aa01337b8ead56c5bce5bcf1f39b3f05e5b5faac0a24f94d4f7e2ab0e7337f81fd1c705622a7993760e51f1707b41a36e3b7842a28c51 |
C:\Users\Admin\AppData\Local\Temp\nAAI.exe
| MD5 | 48c4ce8b85e944ce12bd88cf7df7688a |
| SHA1 | bb596645e1fa99039e40c587beb26200bcb93005 |
| SHA256 | 6a8a0cc45ae7c956d63d6e00c9a3455c0aa0420d66e617dbd19167f740ce9542 |
| SHA512 | f812169a683380d44666e5aeb5cdcd9adef9a76b3b218e527b0a5cdf1d5c62798ad66945ffa15ea4901ea2041ebe800cd9d81b3d689d238ac7a91c4dc6864453 |
C:\Users\Admin\AppData\Local\Temp\vEAQ.exe
| MD5 | d9524081220df57c69e89d128705dbf1 |
| SHA1 | b3f80c5de7bb9a959c9bd50faaa77212a0f481c0 |
| SHA256 | 9cd3f573f2c3df45f25049424f48ee237397fa9167b6ed03b126e6ed9b97cc31 |
| SHA512 | 44fd053a6fe1a83a2fb823da6333adb1b386ba7dd86798c50d14f3aad141256401ee2bd8bb8a09c8c306b13b3277e61586133a475411c80f8ae1cd25c48d4aab |
C:\Users\Admin\AppData\Local\Temp\HMIw.exe
| MD5 | c24beca7273675f206549b57787e7caf |
| SHA1 | 199795d3ab4ae47edffccf891ad135a08c43f9d5 |
| SHA256 | 79b04490fd6a63e9f8cd3704254cffb1bb3e503234eec69665f8e95e58018f31 |
| SHA512 | 7a9cc57d6b21ce9f402c28ffc707920c910862a446055ee0d7d9be44d6e3199f0232dbee7bac9d673c1f7fd99f5382e5abaf2fea1eff85e5445ab15dacf890cc |
C:\Users\Admin\AppData\Local\Temp\ucgo.exe
| MD5 | f9013602881add9019458fd22c5c3251 |
| SHA1 | 5301f64cf924f71aeb0e49eebc611b9a54bbc76a |
| SHA256 | a907ad01bff6356a1776474e84c56c3472c84d1f455250bf6f0750b20712031d |
| SHA512 | 5825a15e207831ba895d1dedc2d4029e8d89e37040471f50eb45f2c6173857f337a53c2dc498d09a7deb8723c0331d3e92c40eccb6fb40da70478ce09392dc45 |
C:\Users\Admin\AppData\Local\Temp\TsMS.exe
| MD5 | 671349995a0548e4c65e78a4667176cb |
| SHA1 | 7939ebc578e10bd214d87d17ba7c33cb1491c577 |
| SHA256 | 8f7131b416836de67fb9214ff6c22b127af196fc25c139718cce3ed1ba12792c |
| SHA512 | 97f71273cdb1a62872efaf2ceb25a14f96e0870cdaba168667a91916788ede95364fa33c94710873e0d73712372df16cb049ad59e7dc3997857181929f83f58c |
C:\Users\Admin\AppData\Local\Temp\rYME.exe
| MD5 | ee4357813ed6020becd52c3bd3a381e3 |
| SHA1 | 32748e3b4e9a64af770eba38f6d1a7510ce701a0 |
| SHA256 | 605aa54d44c93310b91a05c45350a168e4908c4ed90cc6378b9b774d141ca164 |
| SHA512 | 4a35dcce7075d2f6f9e20eaf32f13c5d6cb969bff58cd8ecb085598321b3209d7cd884b8f2a0626574ec00a3584ee82766445d0a5e21dc054906860dafbc4645 |
C:\Users\Admin\AppData\Local\Temp\XwYS.exe
| MD5 | 118d116446ec4785f02c0b81c78cd1d5 |
| SHA1 | 0376209042d3d7c3f1983c4880320ce555f5e903 |
| SHA256 | 37b458dfe7c8db2d91529af4f27ae26c84087e1a17358bb2e798dfa784f7f5a3 |
| SHA512 | ab28f5ccfc16742d0eccc720d8983f596c5e8413aeac32999debb49b80624b7160d700770ce195a614bf0e2d79038c9e7d50859591830f0fc57086bba787556a |
C:\Users\Admin\AppData\Local\Temp\aIgm.exe
| MD5 | 2de0bb81783d019ab84afd2e128323b7 |
| SHA1 | 97579f19d32e8759fc9e08cd584d044dc4341517 |
| SHA256 | 51433d00c3a318fa99eb496db2e10160c89c25ed7fac83e55b9fc275669572ef |
| SHA512 | fc473c54d61ad047db98775a384158548f9e4d60d332504616bbc505a076c20525edc4dd64a0f2dc480b7320cfd34baff7a4ad006ffa45d84ce31a68d9cae178 |
C:\Users\Admin\AppData\Local\Temp\Jkwa.exe
| MD5 | e076ccbe5c3f45eea8cc738a84326d89 |
| SHA1 | 4923e19e0f32d29f01364101282f4cf5555b3dd7 |
| SHA256 | d9469c5ad01fe5481b860a38fe689c96a7b3af2deea5101af637a27d7d62e765 |
| SHA512 | f62ad0d379ef6f5b86a703017f9705ed7792e10d27c09ab51597e2ef142eab7e3315a7be5f1a0a916df2e3bcb5162440e46bc55f8c4f43a25ce1017c6d86b64b |
C:\Users\Admin\AppData\Local\Temp\OQAk.exe
| MD5 | 5ecc522bf1b4825695a259e455ffa4fe |
| SHA1 | 738d81442b3d2c525d575ee9464bff58a4cc8f74 |
| SHA256 | e15d858cd3ed1b8a8eb952cd1f0f66cef1d5a0a78bd01d0c4f63b1202a81f9c1 |
| SHA512 | d8163760cfbb5be19324fa4aea7d79b599769e3dececcaa9efbd6cb1013ecc0dfaeb716c2e2692ceaedfd5d75741346e8e6e8f486c19ba9c1cc7f5339c1520d1 |
C:\Users\Admin\AppData\Local\Temp\sEwq.exe
| MD5 | d11f55fa98dd6f7bb3c7479768472547 |
| SHA1 | db1778de943e4ae98f3de5554c89aa0cd85bbba6 |
| SHA256 | 9e821d32ca88651bf7a52a668efca84962a84ba7914c76ae4f572b10ee228387 |
| SHA512 | 342cb5d8a8c0dd4d6b8c684d0deff0a937a9dc737fe0e6d3389623a031e4babadcd49289b6e187693d4ba88fda3d377cf12b70c0e053da4680eb8e7300a0e193 |
C:\Users\Admin\AppData\Local\Temp\MEog.exe
| MD5 | fd8ddd6e12c58a6be153583a585077c8 |
| SHA1 | 40dd778f92fbb4649c1449c9b21fb477c0aa054a |
| SHA256 | d032cc5b427a81b54d45b75ab70a5c192262c43145ddaeee24c219701d47c764 |
| SHA512 | 888018cc252dc007fc72354908813d704a396e7b6d706346a3968549f0ce855d9e00c491a4b581871f53c4b9c7ec0c2511d95aac122eabe6954324cd55e35802 |
C:\Users\Admin\AppData\Local\Temp\fMYU.exe
| MD5 | 5194e4cb79432644970abba9cb80d043 |
| SHA1 | 26d5507a5aca6117d0040a069648bd48c766c3c6 |
| SHA256 | e16e90dd3753ef8e8bfdff9bb0814c7b2988b2d5cc3c8e385048c453063fd3bc |
| SHA512 | e720beb9e505decc4178b2aefef5d8b6a0bbde2c551244b0e689b8d599c28e29eaf3cdc97884a7bfcd44be183c6150c1cdd442badcfd05f500757b9b7c0c80f5 |
C:\Users\Admin\AppData\Local\Temp\Hksa.exe
| MD5 | ba7e1bea0828af3290223458756d8fa3 |
| SHA1 | c02c34cf1102c875a6599fd28645b70f9909ad92 |
| SHA256 | e59eb4a9719163953d6a4d125c0b36a492471f5916bac10ba050f15d9f2d46fe |
| SHA512 | 46cf3fd5eb5dc1c7e8aa31cd144d57b9ea4be6f299ae4ba7f3995e281288019f4113dd6ea5eae1fffe17e87e3cb4efeea88dc2927987956fdaa84167ebb1dd91 |
C:\Users\Admin\AppData\Local\Temp\TYAk.exe
| MD5 | e7edf35c2acce78e36c20c8a0294f0cf |
| SHA1 | 7b67de0b8f805366560d3d1a43b54d80fee286c7 |
| SHA256 | 75357eb6ae51eca6dcce7ec58d2c3eb7ed283f68128c2dca22d41ad94dd9b7ec |
| SHA512 | eee6f9ecca10cf03694ca1830dfb344bb6d00789dd0f8f24320fee88ee1531eac992ec7146ed4dc4f01d626ee731917f651d24cafc7456074916fbfde5c479ca |
C:\Users\Admin\AppData\Local\Temp\gksU.exe
| MD5 | 5fa02074594a3f2b86daaf2fbf19c021 |
| SHA1 | b079178d215c7b692dba077b97aa7c5c72be7481 |
| SHA256 | 8ac48cc8bcccb95ea8c67052ba25e877fa2771158b4144d204f4af9ed96a427b |
| SHA512 | 5e7679150e083c19d15c362e40e59835a26b0e38caef9e9d54632beeadb4cced771d669334c4a98f5bdcaa1b449bacd656ec69a02cf109df87e141bed415436f |
C:\Users\Admin\AppData\Local\Temp\cUAW.exe
| MD5 | 39828c92ce90bc4d1cf03fcd503136da |
| SHA1 | fbbe8bbbbd0b653a00812e67040ddfee1fcaee12 |
| SHA256 | 2c6c0c43cc1b4724978ff6094100754367d9f5c1548cf7f970292ea59aa8244a |
| SHA512 | bfe59c35155f3073c03b3f54aca23a347bc96f931345149ce05bb53038e05f871e2e6db5af1a7e5c7eee04e733a1ff9683eb2851b9cd0050f2e27eb45e342f84 |
C:\Users\Admin\AppData\Local\Temp\fkwc.exe
| MD5 | 5002cb189117e41b16efb5e1b803a3e3 |
| SHA1 | 769c5f2ffa29e6de01b6f42fb15748a71ea1baf8 |
| SHA256 | e9de62088b9846a540fdfbb5018ab06f5ce03e698abaf07b035ae6410018a2e7 |
| SHA512 | a5aeafbc206b786413a1f7497b276efc2580f8a18cabc2adc173e4abe1f95059f1bcc6f8d7b5f0cfd8ed77ae85bd21871ee8ce6cd8efc649e8552c5ddbf28c49 |
C:\Users\Admin\AppData\Local\Temp\ygYY.exe
| MD5 | c8dfe65d53697b98c0dda434a7814dfc |
| SHA1 | c6e5d53b7a5a9f0ed1df73d0b746a86c5b2ac6e5 |
| SHA256 | 42485f9350c468380bf6b67d9e710241470eb2ded6e8f59da28bfc92bf627f18 |
| SHA512 | d875a14b217da15e539102eb3ea086744914626d3271f9348c0cd08cbefbcb5c527dcd51fa0314606b404a68aa2a673e2eb516b62ace37167d70adc1bfaaf9f0 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | 819e8aa83b5f499919e6ada08fc5cf5e |
| SHA1 | 455342e159fc4dcae10b19ad1c86b34e9ea847ec |
| SHA256 | cb4d205a7f19afbc9ea65d2bf8a8483b5d03a62cbfeb99711519261492ee0a1f |
| SHA512 | 30fb09e8c70a35973360cbaf65a73a5557edf81dd5179ff7853ed540f5bda634bf401a76596a4d386fb821e508ac48e3933931a697d5a27535eb217ece805f20 |
C:\Users\Admin\AppData\Local\Temp\VskC.exe
| MD5 | 6882162d36cf87550030d3b9411bb4d1 |
| SHA1 | 4c986dd2b35ac6233a00581c5c4c2e9c18100cef |
| SHA256 | 721eb05652c192985cb8af3ccc6f4e6654979417fe2c6f8bb91bfbf7530203be |
| SHA512 | a688a50f280bcf79a504f5eeb752247071bacd1e46b785f5d92f58e737d612c22b77853d35da9b39d554fa2a69352112b7f1f091d5c7cf886926ea2793d653d3 |
C:\Users\Admin\AppData\Local\Temp\bkoE.exe
| MD5 | af33531d3a938795532431dae96a079c |
| SHA1 | 975778a0bbc601adefdeaa7fbb3058cf04017076 |
| SHA256 | 8c2b66b97350b31932bbac753b939a39a4ce7509aea56f1def3802e1d68b5075 |
| SHA512 | 2b9ad9a744e73aa92cd52b2c1505d6bb0b0499f191d4528a396d61872ae67968c92b73c884461c3982601a8019e464a4c5775fede3c99b43369e3d18acc193b7 |
C:\Users\Admin\AppData\Local\Temp\hsUu.exe
| MD5 | 5c22efaf0d8723d0f0b50560881139df |
| SHA1 | 4a124c21b34e428a35df0355b7adb6bb38385d4d |
| SHA256 | cb0fc3c1f74ab1dc40e2a26cec23039ed870f98db9129da2aa2d2531249a4f56 |
| SHA512 | c20bf9dc03d3445d68b099047cd9632d349d879272e350eec627f3c0f91e35bf6bee444d33aab2446b0d4fb48ea1ad164975003cdd3eb3471fde1fd9fd8917d9 |
C:\Users\Admin\AppData\Local\Temp\TkgC.exe
| MD5 | 89f77dd2a26e7128f9e745c9546fdf8e |
| SHA1 | e2cb3d45294127d12e7ca29bafa22397c2035ad1 |
| SHA256 | e163307d984ecd69adbf6b3ec01d938f62db53d4a71b67881dcdc657e691d06e |
| SHA512 | 6eab03248031cef75dac9e1f439c7eb2d6df2cbe1f4b7a22330687585dc936342857188e9f508a51fa903e286adfca4ce85a292194ef0770596573a612737e43 |
C:\Users\Admin\AppData\Local\Temp\Ogse.exe
| MD5 | 50ea412ae78a26319fa52f59f56b4372 |
| SHA1 | 276aa5c064b6dcfe098e8138afd43770adb90e3b |
| SHA256 | 97b56c87d6170ba0c583ad05a160f5ff5c705da8958e55a14d947e36959e1b9e |
| SHA512 | 04e05471fc3044f32375ee748829115b8f7897062c0e219bb55344e2697f200db46d717698ac60ef3307805757d6aa92d8fd6c0e79cdea78e150b42572226aa9 |
C:\Users\Admin\AppData\Local\Temp\Iwgo.exe
| MD5 | 25c18c577a59dd3f9078bb0ba78d097c |
| SHA1 | 93c84bfed97224f64318d010f25425b095550dab |
| SHA256 | 699db47dc11a7ead03ead46a6e02004184a5b6e150fbc532f495d72efcb0cab6 |
| SHA512 | 13d7551006b2029637acc746a37d7d5b0e4404dd35ca26f218d755a4467976532f5b2c98eb6f37c62696c58de62b7503206202082be7be9b61dd99ac8d5c881d |
C:\Users\Admin\AppData\Local\Temp\dUgg.exe
| MD5 | b7fb6198c460c4448dc32ea316f842fd |
| SHA1 | f73ce6d633c24f6c06d9ef3e81e4b559afb059d8 |
| SHA256 | 9a01c8bb04eafdb2eb118b632734f07ff36ba954984c830aa255d72b0a4ca613 |
| SHA512 | 45127715e3b8711331c686e79dd152f7a1c84925a3bddaff2d0453fcc2307cffa639b3d354c1a08bf6c376981e226fe876f66163a5a52f4a192b5dcf5fda0eac |
C:\Users\Admin\AppData\Local\Temp\EQwI.exe
| MD5 | c49c6928c7e7140aa96cfafc3ad84e79 |
| SHA1 | 189ca4e49dad7687b6d1dc3eb887c2a35d287e6c |
| SHA256 | af3709ec19b0b24eb7244429c24aaa9d27e28569dcc5843a7853d0ad07908489 |
| SHA512 | f2085caf6b73e7379b6646df3c86814b9885f3e51a774bcfd952622a31b3857980f862014307dcc1d4d14e56b6d8465626636a097783a93c396baeaedf9e63d3 |
C:\Users\Admin\AppData\Local\Temp\YsMu.exe
| MD5 | 58284e7f1704d942efb5cba175bc4efb |
| SHA1 | b8745056ca34d7274862bceed64a88d02a72c9b7 |
| SHA256 | c6be0c023b2d8aac745800ed2a4f51d84c7fc786f17420499adf328b81eb2ffd |
| SHA512 | 71b5bbe4f1158f6d0453add3b88829c706cd622d2abc1cad4066ad5a92491eeda8d1d40f87be026e3334dbf4be9626b6a06c992ef78f76b699f36c1abd13e7dd |
C:\Users\Admin\AppData\Local\Temp\gYEq.exe
| MD5 | 4ac1689e350b1100c1b8f00b938c2073 |
| SHA1 | b9bfba123a68ee49df41fbc6c2ab73c7145243ac |
| SHA256 | 0b18c9b440df0f5b8537457bfe69c5ce22c77c0de70cf3e426232d071df1c335 |
| SHA512 | 668801eddfeea6d7f4209e22550e7b63a5d64401ad68adf03409f4af8af2bf10d65c1d28ce3e81877f1ca698bb9e203a860063a4275c77c87ddd0c7541b192de |
C:\Users\Admin\AppData\Local\Temp\wwIm.exe
| MD5 | 215f4ffe944b6cf1f23e6e8af5bbedf1 |
| SHA1 | 3e52492440c85bed9494e131b89660c8dbd3a035 |
| SHA256 | 0c0cb863121a7ffd627917ef22200aa54fcb826a6ee363b6dc829e748bd4b105 |
| SHA512 | 565e1174b9131d145d4b81dc35ba0d84659b32aaa650104156eb274a56e09868cde621e6d80f39c591e9b022242a63f8582e711c176f262eae8b5e03076798e7 |
C:\Users\Admin\AppData\Local\Temp\vYkK.exe
| MD5 | 392f11c071c407a8781072b7bdfb518d |
| SHA1 | 7837ff9fc38d39e2fbedc7418226d7651b4725fa |
| SHA256 | b056110f64fd692133d37475135913e064f6f30204bc9591357ee1bb92ed72d9 |
| SHA512 | 73d487b65331ecd5340cd337e349d6124b0d2332de53ed640eab80c31fd5d737036dfa5c882ad1685f897b17f984739b2ae0c1f6d9c7964dbb824769c919fbad |
C:\Users\Admin\AppData\Local\Temp\AAQu.exe
| MD5 | d71543b827485ddb1978e1212de4ef6e |
| SHA1 | 7a3930171a5e8120a74a5abeeaffeb11671fa18b |
| SHA256 | a0088bd716b4ac49556b87b611bacb0e6fd2344c7d7df0ea8c1ddd7fc682b210 |
| SHA512 | 81c7529e0a7d090ab613322599d0284faa5f271b296a0f227bfd0b3f635f3723c2f7c022d115e32fc19fab34fcd1477c18062bd57a6bd279d6b915e5cbe67688 |
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 1191ba2a9908ee79c0220221233e850a |
| SHA1 | f2acd26b864b38821ba3637f8f701b8ba19c434f |
| SHA256 | 4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d |
| SHA512 | da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50 |
C:\Users\Admin\AppData\Local\Temp\xggQ.exe
| MD5 | 382b4c0d2834f2618825bc41979b2e74 |
| SHA1 | aca21dcf73ea7621f2d73ba4080b3d2848ce4428 |
| SHA256 | e8771dabfc08c67dd8ec39b78e61c91f14ab99b4d4464018e90898a8b4e26744 |
| SHA512 | 7764a446c80d48d7640a6e5b098c07bbb80e21f9a1d0a2ad430a3d0b9c47de008176804d99efa62e51c875a28fc56e989d26e69eca76d7f77eabf28b1be8110f |
C:\Users\Admin\AppData\Local\Temp\SIwG.exe
| MD5 | 6c1fa789b7f2f978b9a2430d7c432c92 |
| SHA1 | 2064b0f41f8ce546ce3596cb23449eb7b4be5ffa |
| SHA256 | f1247a0ad4049dc0dae06639c987cc9cb72f1695120c2f695166d395c0b94f9e |
| SHA512 | d6346c16dbf4d68a0e20a40688742ec61c1300f193a1170dec73503676e911934ae7dbbfad5e042a67ea4de09c7d7f831e5be064857c2a611d964c8f487384ed |
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | a9993e4a107abf84e456b796c65a9899 |
| SHA1 | 5852b1acacd33118bce4c46348ee6c5aa7ad12eb |
| SHA256 | dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc |
| SHA512 | d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9 |
C:\Users\Admin\AppData\Local\Temp\BIge.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\WsgS.exe
| MD5 | 5388e7fae8d4179ac0391c9416f8548a |
| SHA1 | da40d680ef09137ba3c5f1e593a36795ced3be42 |
| SHA256 | 30eaf57d0c63fca668fd18c394a81dadafab4467fb1984daa87308f9a0ba2cfe |
| SHA512 | 6cc367519c670fd8b920f310d3f2c68d0aafc30006c86399c1cb12b69233ef281d1e4dfa4c80d967dd0421a72d50f3347a7bc3a66f818a60670626cff8be4194 |
C:\Users\Admin\AppData\Local\Temp\tcoI.exe
| MD5 | 8b814b5a0c23b36005a0014091c1d80d |
| SHA1 | 0f8962d07fb4f91302cbffa7211a59a5eaf92346 |
| SHA256 | 1eb8b703cf93d455e18250d87eee50b51df2d0fb47348ae8673253fdd0934a3b |
| SHA512 | dfbf59857dab2ca3b25734a9795f67653119a4e4e89bbb222b9657e6aa425eefbce359d113cade36ac04dc2fb99599ad1bc7a883075ad660d4a6b848b5a7b334 |
C:\Users\Admin\AppData\Local\Temp\CowK.exe
| MD5 | 680790ba9f35c374061e1d7b7ac385b8 |
| SHA1 | b8e1aa451d4b00c228a06e44bd0b1ae67debf4ac |
| SHA256 | 4b431042750a745912564573631c85852f4298ddee1b83f6d2bddd5d2036ff2d |
| SHA512 | 93ce88e1d44280096ab4a852cc4711844f35fd4b82e90a3aa991dfab02192e669ba6fde7ee5dbc69bd4ac8bb1cdc70530fb54aa645c4037fc31de34e02398a1e |
C:\Users\Admin\AppData\Local\Temp\HAAw.exe
| MD5 | 7c0b8c7d3a14047aff4a98a87504670a |
| SHA1 | 5e13382d9bb04ca32928bbdb68d98a30fb25ed81 |
| SHA256 | 72cb6d031f1c35e961a8ed1565463c227afa97ede492447d65ec88bf8840d847 |
| SHA512 | 41d04ad106df4bba7ebca2f2cab551ef628bbb2af728f9397d7e9b9055ba7285533c61232ae6b06e42d94fdd2a91eb4186c5d7132028f361216a5ba15480aee2 |
C:\Users\Admin\Desktop\FormatUndo.bmp.exe
| MD5 | 9baeec01dde3a5d41cd1794d86bd3ef1 |
| SHA1 | ce7bc7a326c586b8ecae2cccd3d9b2a3536e9bc6 |
| SHA256 | 7361e79711f0bd797b934dc8b5958d073fe476312226b98faed60ef907e49bcd |
| SHA512 | b1fbfc7223f1ad76d2c9d53c6af14372b5b92784e5dc5d6c4ea0cc569c9be3bf3d022ca2a7b66ac19d20feb57ff188e41307c0df5cebeddf70ce9be7cbfd4dec |
C:\Users\Admin\AppData\Local\Temp\fwUU.exe
| MD5 | d523cd5703f6227f98ac8b464f9d0272 |
| SHA1 | 179b087d4cbc2149ed375acd42bf147c85460c86 |
| SHA256 | 62885205f4b4ada5e3b08d885703bbe0a98799ed0435bb034637cfe174ce0520 |
| SHA512 | cdfa0b3b6c1c3d684aea815f3d434d6ebe935f023e6ab4e3353e8a841a851679016af35cb16c7b2c4fba645bdb1a51e52d95d4da5c5df2c7b1418b3cae59598c |
C:\Users\Admin\Documents\WaitFormat.pdf.exe
| MD5 | 6256a784a7fe3aaf524fc09fe52e7003 |
| SHA1 | 7d9cea05a633d93c02e2685e471db44578a0de4b |
| SHA256 | 7325e39fb1de81a41e4545431d2764e2495d4c4617fbccebe586520c88d18713 |
| SHA512 | d6964cafc50c3f77eecd2f6b151aecca81eae7fabe0f4391e7c2395175ef905def5f93eee34e116c002a2324b53e7bb8720ce4298b98c7fb1cf1d50e45c3ffdf |
C:\Users\Admin\AppData\Local\Temp\oMQU.exe
| MD5 | ee0ba3da6fc8a3cbf62a33a68367c35f |
| SHA1 | 4523b9ee4380c087a19a3bb2b51b6bcbe1e96543 |
| SHA256 | 799e9e0c47ff7dd4f4f3c8810b0141a9728bdd744fe799f5f625ae0c357bcf17 |
| SHA512 | 2bd55194547a5734f2a2d1518ab566a0cd798fa3ba003c025671e37193e4ae16369e1e33c95d2ef56df29bb812861094f3ec5e32fa226e4848b0674adefcafe7 |
C:\Users\Admin\AppData\Local\Temp\KcMK.exe
| MD5 | 9f87a66a6d7aae9b6d1db166858406bc |
| SHA1 | b64bf96c7a4075b1225cf19b62bebf1e88c19f22 |
| SHA256 | 217ac485cf554aac486681a85306f53eac5c88d3124fadaee9ae0aa7c54c6dd8 |
| SHA512 | 0250cb10e5ee2667d3ecaa1c9a254a159c7d0ba80aca34273ef8cbe7619bf6117363b5c221dcf09c57e7040e87a0c7cb808104a976c1d1be657e7c91fb201e96 |
C:\Users\Admin\AppData\Local\Temp\sAcS.exe
| MD5 | 30b24f63d4aeb4bc0e3006f12d644341 |
| SHA1 | 79ff9e1043815cc780c4c2e132c81b9ba310b7b6 |
| SHA256 | 06ee33400ac0f3909dd858691f5c34478037b1e4223d5d4e4092b79dff28a6e8 |
| SHA512 | c6a8d8263150d1f00df484c6d125ce0c8f8291aa5d8a569fb204894b1667aaf7666a0014e5166532d4ce96a518739bd2b0c0c27d3bdbc972f9458829f7f414e9 |
C:\Users\Admin\AppData\Local\Temp\kUgy.exe
| MD5 | b9c7a1d74a533379acbff79683613767 |
| SHA1 | b2d990fc1cee37c277caff6f68f789e12ccbc8ea |
| SHA256 | a0fa33ad11e1d98fe4dfef031792af483d015d1e0909a504a1e782f89949c61a |
| SHA512 | 0f1106fd691024d3e9d0e18b968980c4f1c5e31d8f25af8a1cd118a13db4c0971c3e48afb283a13399fe9f853ffce519b49d5dd7ada23a24c03223fc422aa831 |
C:\Users\Admin\AppData\Local\Temp\LQQc.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\oEky.exe
| MD5 | b0a7e1543eac44636c97d7c8184695b1 |
| SHA1 | c42aad8ba2b3ce3173be12abc4d3db6611879455 |
| SHA256 | 96e338472692f2a573dd83edde24163b13815668cf5e8119c2fd5afee8e28ccf |
| SHA512 | d08e90a7790fb979b5c2d5e7733ac89ab4fddeafec7b2221449639a48d5b1a9915c852a255198af435da39c44eb39bda532605020540fe3e52e8549530f1608c |
C:\Users\Admin\AppData\Local\Temp\rwQe.exe
| MD5 | 839af0ce9a232d54eeee91790067d046 |
| SHA1 | e144420272dca9c34680eaf0d8dd20ded1fe37dd |
| SHA256 | ad25cfebbe7905f4b5321ddc1487d6d4551bba1ba796f13e35a9d6f46f264bd8 |
| SHA512 | 4254221e92ef39e871a081e4f44d1e230ac7cd161d7056ee01594fc0e0ca42e7df2c125cc8dcb9ac4b0a5c0740fb9846de1786b50e1959093b2b01a35761b237 |
C:\Users\Admin\AppData\Local\Temp\NMos.ico
| MD5 | e1ef4ce9101a2d621605c1804fa500f0 |
| SHA1 | 0cef22e54d5a2a576dd684c456ede63193dcb1dc |
| SHA256 | 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0 |
| SHA512 | f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32 |
C:\Users\Admin\AppData\Local\Temp\ksgi.exe
| MD5 | c672644fe15d6cd7b5d4bd59e1c92e5a |
| SHA1 | 7fa203637c8a58d6058637173b1c0f983ec970cf |
| SHA256 | 9eda63477880d61ededc60f8258868351b916ce53f94923e08c19b086785bb28 |
| SHA512 | 78c874152485e641cd89e3ef81a590ee9c6525f7c9ad77fdf0466fa37d25ae420aad0341900f554deffcde62e1ae8b8fbcb0b2265eebc4b5033d4d6407a22cf6 |
C:\Users\Admin\AppData\Local\Temp\zUcC.exe
| MD5 | 2e95f462ce3ca06735f67738f0ed201e |
| SHA1 | 461ae511c63c3aa6acf4a99a09c31214cedf926e |
| SHA256 | 855bc37d9af5f88e6cab9c405ebf938112b7e12729cd3c51f9c4e374e2e11e1e |
| SHA512 | 624014f533e063ae1ea3d3586c2f521b8ccb1f730976a738ea0b7bc041bca072ab9c5c52bb2bff56d3c209d118beb02252056d1e500b776ea89782bedbd5d644 |
C:\Users\Admin\AppData\Local\Temp\EYYQ.exe
| MD5 | d4ea98b8ddddffeb7786a74764f4fcbf |
| SHA1 | b8fd1fae783777a9ed79d838ecd88ba2e3184c24 |
| SHA256 | 0b70882f4433c9ecd9d106aa1e68d9266f4b4cac18e2537049582f7c2f697170 |
| SHA512 | 3b070de7f8bd7611fea9ee7fcfc68c1ac592297a06053f3524fe62cc676ac3bb77a322dfc4b6c2f345979436e4b5012173f030f6f827440543088f6a0989aeb3 |
C:\Users\Admin\AppData\Local\Temp\jgss.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\bUMM.exe
| MD5 | 2e53f021ece9071aa7cf855152a42dee |
| SHA1 | 97d8fd2741578bbe68045ca760578f3b006bc898 |
| SHA256 | f24d9d4784d4485e08ee83d4fef69d76e50399ddc8b2d7bbef26ab0af84d73fd |
| SHA512 | 52e1fdffe4f3523b89c1bee4461e593fcc869e5ac4f7587f2b9ee319570c8db6f93d0a982de69f47b1091b8eaa02083cf973fc98dafcbc8da551d216e7b036c0 |
C:\Users\Admin\AppData\Local\Temp\IUkE.exe
| MD5 | 8fd2ca5a72c17a7026650396a095fa44 |
| SHA1 | 4ba7485cdeac0859e191e7b848a6eb7111a599ed |
| SHA256 | 7e050ba28dbd986c61b05f0f76861096b691938878851706e612f3f9418395ff |
| SHA512 | 4cd74ecc151b1edbd6fd8543b1006784756c83cc084e5997bbdb27e881974cf0eb90f01ae2db606f25d073ae341707e3a97510db5c3a04387d8523dc4c165e77 |
C:\Users\Admin\AppData\Local\Temp\tksE.exe
| MD5 | 7c5eb4d91f72de231ebb748af7b2a512 |
| SHA1 | 48efa2e0063f2e7f59476132ef7fbca203d890c2 |
| SHA256 | cabc88e1f84d55274eb004c552759d215c54f8e03358340431eec62f3ef3e6bb |
| SHA512 | 06ac26de0ae75de576a9cb9911bb26474956a7c000e3cbaa946600a941e9072a6603f28d243421e6970c0677ab474df68d055f4b3788ee728b83f60b3a8c50bf |
C:\Users\Admin\AppData\Local\Temp\HgQa.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\gggm.exe
| MD5 | 49854cf881d436440fb30e6b683d63eb |
| SHA1 | 3ff17b6f1ef3844ffbf4412b550d665208b65e8c |
| SHA256 | 2a353088a896439aafea59fc3455593927d005c9d9db666bf843b0459c386dfb |
| SHA512 | d73b918d901b0cf2d17c351071a0d337c41900635de3d848fb9b43eb3ee5a184e8d8face4602c495a3eaa8e8f0e69dced73c81dc445e15b64fa43039dd89c039 |
C:\Users\Admin\AppData\Local\Temp\EksO.exe
| MD5 | 51b33c16bff89cd5e295413a0baef2bf |
| SHA1 | f90f25e6e40b577957b62df1e795a40de541258b |
| SHA256 | 9478b4015119e1057615616cf9f3f76088d1d3b5f079aa2bd30b5d137e18b263 |
| SHA512 | 42a29e6b032226873e930bc35da319c43b276f9c21b1527cc529f0e94f75ba0b952053022e70a2d82f7d37b93f0c896bb51ab0b3180f9e4ae433362b4d7141bc |
C:\Users\Admin\AppData\Local\Temp\oEIE.exe
| MD5 | 59f2709df0b0e7b3a42d11b52fb2e27e |
| SHA1 | 06ed89b856a925cbf235232414bc4d50336ca8ef |
| SHA256 | e5a02c67940170bfd16ba73bbc7642551d67f9ef0e5a8e1ecdced241276b3770 |
| SHA512 | 6366643fd901c75e9eb201a6618ad43c25e3eee5beb1ba916755eaa146e1a251e4bf3736bb3aceaf3882b074dba08dae46c7f185b1ffc378176d622e2d946499 |
C:\Users\Admin\AppData\Local\Temp\xcIg.exe
| MD5 | f86f4caf8e631918dc5eaa6ca84794a1 |
| SHA1 | a0e373ce815103873740d37e32bec19fd1a9230c |
| SHA256 | 431dee897b4b83677334457463d68014486783956f31748638c9fa53a5bb8dd3 |
| SHA512 | 93bb55d6c4104ab78b0a632de86917f4b8ffd6ec71e143726f4056852c6254dd86797baae3e69658f6f68f2d0806cd6003f317626aed1cc162af278228bf1c35 |
C:\Users\Admin\AppData\Local\Temp\jcAm.exe
| MD5 | 90ca992503ef5d3325970361f722e33b |
| SHA1 | bf37eb8d143240efb30b5845c57d5c2a0db08d5e |
| SHA256 | 63b9a6904b59c7e3df052cb05963a8da477a9ffc47e96cf5d975a62eff1984b8 |
| SHA512 | 0bc99bf050a5933ca12d6704aba731447eeee6557923c572ecd8a18bc98272bb8f9b1bd30e29393580f78803694d040decd0e17a97fcfbc2371a78613ef6f588 |
C:\Users\Admin\AppData\Local\Temp\LIQy.exe
| MD5 | 34dd940e447b7b13eb78bd75089b308e |
| SHA1 | 319cfcbe6e697061eb6918589a7b070aa7e51a47 |
| SHA256 | f3af0dc9ad1dd940562010b17e436a5b98a64de95d897feb69af48c32c5c4f8d |
| SHA512 | fe9e65d6e0b88910cc2ac18a2a7476a1475a3f2a0ab075d10fc7f7465396c4835f8f05bcec63dfa2364a44b9fc543fbff6abc88a33b31bb4c59a796f8782fff8 |
C:\Users\Admin\AppData\Local\Temp\kAkM.exe
| MD5 | 9caa265e6ece6a60d9c780acf6044e45 |
| SHA1 | a0fa0e92d446b78963dc79cb100f75b4cb927848 |
| SHA256 | 7437989f6c68ba197214a595f4fcb34689c922063959f7106b4132a4428eee68 |
| SHA512 | 214748d946a5a4e595cea38df0f47e5462987ab4bcbd236d77ea3cf52f620e2de3a3024e6d70416ff377d2accb6a66cb939917847fc5f6385bd74eafbd601d62 |
C:\Users\Admin\AppData\Local\Temp\poQY.exe
| MD5 | 5d7898923937365eb27e82458c86b21f |
| SHA1 | 9e39d939e75ad420634395d8f3526a0d8d6766f2 |
| SHA256 | 2e3d747974afaba58f6ed00f072f966ac12c007ce3a9ab56c9d2eccdff8bae2c |
| SHA512 | 0a5f207ca90cc2eb35859e8c1a7a6ba00896b0411dd903682e96566e488a34e0ccfc9ff77ecce0e50d3f083eecd38bd6548c09f67ee3457cee181e812b275f9c |
C:\Users\Admin\AppData\Local\Temp\mgMU.exe
| MD5 | 9fd034f4983eaaa015f4e98b24cf6ac2 |
| SHA1 | 5d70e443f2dc2e42f886affe34b78f0f15b87ed2 |
| SHA256 | 2aba10f6ada29446b17fd9446adac322a3d0747dee3ef3fff44c06998036f917 |
| SHA512 | fd700ca22d1c246bc5ff3383ee00612875569b68990a1375a783dc6994e9c355486320606cd86e9dc60a283ea4e7924eb777d8b33c16dc4fae301a293510d28d |
C:\Users\Admin\AppData\Local\Temp\ucwi.exe
| MD5 | 99feb704f8b839f7b62c45f5dc6d6ae5 |
| SHA1 | 5b097fa850607a4b47d9b6b0b2081bc60089d282 |
| SHA256 | c2e61d4a3073d059e7105988c258c3499c860ab7c19d01248256dc093e690fff |
| SHA512 | dd0336e3f3a25f419062e3ed6a77a0a8d6ad32a2036d9912ccaeb25b763a2fcbf06e6902c3171f59caf1f01114d07b95746bb2317b47cab7e29c4da051e16929 |
C:\Users\Admin\AppData\Local\Temp\Akoi.exe
| MD5 | bc3ef8eec9048be62d8190311af66f62 |
| SHA1 | 88db331aece182a738f6ad38de819d9c61416e10 |
| SHA256 | 4a8bc885eedc1925bbf134e77957582c04cf40e17fb14a1b76e3b6e5f3a98b2a |
| SHA512 | 3d7963210c9a125732ddb64d811d01b1eb130a741cf7a88e4097235ffd3f80ea7258fb69e109e23cc4b78faec0a189d4cf1a09dea4fd5543dd77c96590021eae |
C:\Users\Admin\AppData\Local\Temp\gwUS.exe
| MD5 | 11881e26b734ef5d2a4fa8c126793a81 |
| SHA1 | 09cb44129c2e76edd9593135a93bd109d83fa9f9 |
| SHA256 | f066d84e6c78bab2e602770f86c70e695a520c208cc9860fec7a6897ec3c202c |
| SHA512 | cd7a20041e05266c1a9a947e08b6c74613691c50bd916691f72945a0c89e60aad5606112db4b36217348814915edabc240c62ad20b8d388fce82e76bcbd2c9be |
C:\Users\Admin\AppData\Local\Temp\wYUa.exe
| MD5 | 3f80eba34b80dd19e4555fac38f8e49d |
| SHA1 | 4a9923f5617926730248b0be560c03e11d7dd875 |
| SHA256 | 9230278e4653d5394cbbf03691637105eecb968f6ad1fc40f490e3b72faf3be6 |
| SHA512 | 62b13e5b88ffa7d9f5d1ad83082586a981660295c06cf0077d293abe9a98094840d6b79c70b4231ca9e2634d83ceee88acb6dd89ecede84c7eff761f95cd54dd |
C:\Users\Admin\AppData\Local\Temp\PYAi.exe
| MD5 | 51f1ae8139b44f9dad63e2fa52f5f6b1 |
| SHA1 | 8120a61e79a84477bf4f9c9cc8106f6ed4d16954 |
| SHA256 | 1d4231c2b3d7e1b3d50693bd6f47e7accde9583dbcfd9f02629dd47965bd2a43 |
| SHA512 | 0af5ef6c9f8a7bf152c4ed15ae385aa9b7578e5fb8cd76caa65d5ce88f9c36e5c9817b30d2501b0685a7adb5e36ab5fe018e9a2fc988f331144eb90c9427ae3e |
C:\Users\Admin\AppData\Local\Temp\SwIq.exe
| MD5 | aeee8278322d3f660cccff801e589ce6 |
| SHA1 | 4642727ad1fb5e6bf7eba109d201f5ab2ea8cd7d |
| SHA256 | 20b435b75a2410e99331f8061e96d50e67bdfedfdccdda0c25aca0043054e985 |
| SHA512 | cc3fb9ffd54a5aaebb4559ff9f3f07774fc6fed140818a3ea34140959ff537fed0f8c9c58e27caa0669b1a51cc689eab6c9029f6883ec7aee63eb62eefc5c0cc |
C:\Users\Admin\AppData\Local\Temp\JUEs.exe
| MD5 | 392fb2a3638e039785baece78106f072 |
| SHA1 | 32daca7f0309013a418333089b90fdd219af6572 |
| SHA256 | f19ffba8ccfbafbc8a6da20227caa8abcf07a65ab569fb43bd9e3244e51ebc49 |
| SHA512 | a1de0eb82705b16a89788875dbceec26b887e780f0f008af48a8906b39501067c3c20f9884cbba670b8da4ea4b5a021c0f18da83d1af37979bf337a819617ba6 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe
| MD5 | a65d1295a47f7105fb0984ac85b75632 |
| SHA1 | 2b9a662d0ca87f467175f5f241f271db78773312 |
| SHA256 | de229f5afe61849703759c6db5c915d68ef32bd04a5c3e89db57b7894f5d9d8e |
| SHA512 | 179ed56e590d6fe327cf9c0c3efd1ba9efa2273cb49dc241164361559984df46298fca054ca1c84ff89e05d0a5d5a2dcea41fc9ceb987259bd3bc459cf70a975 |
C:\Users\Admin\AppData\Local\Temp\pYAo.exe
| MD5 | e97bbaf7630f5a9f08000f64d59d12d1 |
| SHA1 | 82bf729199d730283adb72ffaab327f8b4ba23c9 |
| SHA256 | 81909368fbf24fbef2e8fbd9ece9124bbe2a8454a3b6be60fe0e04581f911c76 |
| SHA512 | 6b27ab35783af3d9314918f27bc85dc051a368b60bb044b6b846aa22d693ad68bc5c6bae1c975632861c7ca4ac35de7e506a3dafbb71ed30a7033c3e9dc61742 |
C:\Users\Admin\AppData\Local\Temp\zAka.exe
| MD5 | 9c36aa2e0aaf60b88e64d4164d4302f9 |
| SHA1 | 4faee585c0ac94656b486c9e7715496392b578cc |
| SHA256 | 481c6079a22cd7c41f3739533246e155888b74c9daef40a50a5ede78ef113c55 |
| SHA512 | 194bd5b13620000dd3d63b2b137021e350f4617b24fb315f0b5968512b726ed60239dcce50020d9c3dd140a00f92dc9661902c106fb988cb0df4d1d2771f7df9 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | f7d207d56e47f65d515bd6d98f4eaaff |
| SHA1 | 6969384a39b7a70f8f90c4d455ccc669d412896a |
| SHA256 | fe5ce5c49b2404b8ad1b86ea536ac79aca186f7705f62a2a18d70a2c0c9977af |
| SHA512 | 70eee81252da891ade8bc774ee65ef4c6279ea6b84408ccaaf830937e01f291419ebeb0ad37c4110de6175545f1f150da3cad9b66489774085d4d322173e6412 |
C:\Users\Admin\AppData\Local\Temp\zQEi.exe
| MD5 | 64b8789212d35b5987bdbee2e89d1c21 |
| SHA1 | 2b4765c17ee0cf6e6db898234a4953d1cddf949f |
| SHA256 | d40f0e69d8e81dd4188d8253013a4ef3015d6b5b895d07f124c6e263a6baab44 |
| SHA512 | f4444f2d54a1062a4e2607c2c8e137a2d10b1357fa9e9a4fd33744f7eb8f3d8c537510cc9465e0ea9371594442b3a0a92397f52cb69f23918a3b48c59223471d |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
| MD5 | 8126e332de118f8dfc6f6df249e15973 |
| SHA1 | 03a6a253aadebfee38a4d0c32d5a7713d41b4232 |
| SHA256 | ef619c69a9588d2989c83abeeace43ef99590cf7bdce4cbbebd0c534d1bba608 |
| SHA512 | f1e03d5213ae68d74daee265fdb75cbb5124c7d07b55265134dc99e2a3508a956e6f7083747ad0d063b96c051f8ed60ea067333971b3aa9ca18bd14705a0eab0 |
C:\Users\Admin\AppData\Local\Temp\oQkC.exe
| MD5 | 6aa8d6804efe1d64ba805a6013dda3ea |
| SHA1 | c97ea1acef55c4aba1296a50fa8809c18da8b2a2 |
| SHA256 | 670671fce3d62b0f2980b183bdc5c7e3315ad83dca65261659d48a13f3b5d11f |
| SHA512 | 753ec1794d0417db41b34cd5388c80d105db2ff02a9fbac3ff5016ca54b560ee89dbf96e26527c8c267df76192a8b4bf4c90d0d7f8692d8933f65c587dfa055e |
C:\Users\Admin\AppData\Local\Temp\AsoE.exe
| MD5 | cd2d865c36acc210034c774d5a1ae79c |
| SHA1 | 954448b9ded7059cadb0a2ac553e8ed44012e591 |
| SHA256 | 5362af2eedbee6064274c2b3d6e65a3ad95588c9b4257bb66b3c934489c1e802 |
| SHA512 | 51da438785034d168600e66b556344649da8acff8f0011dda95c58bbde1338e7e5385f96d9207893d2e0e4fd4757e731a670fa6f0247f11112e7a612f88717cd |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | 715939cd78d4e26016717b9cd1206b4e |
| SHA1 | 581e51cbd7dd04b1e7e78bca06e2ec78111b3e74 |
| SHA256 | 8daeae2f58e128e717f5041c2ce63f0fca18483f61cbd232f0dbd2bbdf9a847c |
| SHA512 | 662d47c6317867daec6f33a90d4e2d4cf3a8853c5b9966c11adcb4c6572a09036f203e2bfc08e1e1eb4b8d10468405f9449a7fe8a4f890a7f69415aaf169182c |
C:\Users\Admin\AppData\Local\Temp\hcsA.exe
| MD5 | 8832311d2e5f177525db888b889a9041 |
| SHA1 | 2cef63f4743d991425e6e431ef07424f449985d5 |
| SHA256 | 617b32877244269b3680b0dfe19fec2df54e67254b53195fc7ab168dd59db311 |
| SHA512 | f7f2213ab52ae6f07c7da864b7d7a769d40f39512e5fde52b57e6692a555094d77fff22731062f8781a97d565ea078ddb4066907bd03f09a005cde0db3369ac1 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
| MD5 | 037309a46b49c54b414367e7c694cc81 |
| SHA1 | af969f3bb4fced9c41da4dbc430d2ffd582e9bfb |
| SHA256 | 88a8a3505ba856c5e383c87f6f222176d42d034a93337790915fbbbfc0a6c7bb |
| SHA512 | 22bba88772a3634916fd4175fc7c10ccdba496dd9e06d37603b10b1e34b7b527aa72df1f0af99f924bfb012af98c66d572e068bfdf64727e6a4f1859e1fd1dc9 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe
| MD5 | 62b77f96e735ee4107c16e208f131c0d |
| SHA1 | e4306cbbb4ed31154fd3202e4bdd1ee79b22ea02 |
| SHA256 | b1e594e52429236f6ea007c021f925d4391cc58065dedd70b6e99581c22bb49a |
| SHA512 | ffa5cf5bf09042b7acb81c57af05fc70fe110eca381c4c54d29c0ba378e344ea0c0e754b95719503747ae4ae0acd6f1bf7222691c492dd3dfb59f342a23f6a47 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | 034ed0a0364728381ada25feff44853b |
| SHA1 | 700f32bd750a2efef884aab905bc968c0a423441 |
| SHA256 | 5d3f4b32c44329a5866df07bf4e88688c40c7114fa464da8c8b09c7fb277096b |
| SHA512 | 6370da598bf37271a48d2a4aa3670481016200438ea022a0f69efde11f095a7313f4e17725458b2ce7a51d6219a25f134cf126f0c3227fb3f74c92d41b873a42 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe
| MD5 | a9a6a7e1b6665dd090fcf9a8037eaae3 |
| SHA1 | 6e9f9f1b5cf7ecda5d79285ad37ee1b866c907d0 |
| SHA256 | 8e27377e91da35477207d22cc8c6b55314112261eec3a1800c021771f3fdda26 |
| SHA512 | 0e7455f306c367d05a68971b0ac82d0e9b43e32d38d87c84336c84a1916f28f7b282bf555d871107342ed0dae2f87dc168186c4fba785d7048a211878c104f0a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe
| MD5 | 8e871bd449ffd59ee4caeaefad0afd81 |
| SHA1 | 7cdb3e172b2c8d42d0260175f8ebb1d333aac5ce |
| SHA256 | b3b7cc83a1f4205e58b8b0bbc3f3e0b16f7aad16a873d0d606934d22c07a0571 |
| SHA512 | 321746aa99b5979a8a755a5d041982340bf7eb012080ebb329a743a6c4b590521eef225d8f81821d255246cd18590acdc4f891c33af1139ca24da742ee734599 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe
| MD5 | 922781b0deb633d5ccfad6c00a67db79 |
| SHA1 | cbca930b8e5cde8ff5b63ee2a69619ed7483f2a1 |
| SHA256 | 18cd7bda9195d0aca938c158360b361b38826e6fc46645a6c9325fb09798de68 |
| SHA512 | 4123e326d7d37d65795e0a52b5b9d464cd385f4b8727d88decdfb9a0b273168d0d77f6ace2f1625cb6adfd187ae6c910c72e8d1e7eb56437b7776fb1f053f6e7 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe
| MD5 | 851ad6c6747ebc86f09474d570b54a01 |
| SHA1 | ef5fbf51c9d3eafc7dc4e811ba2b414dfb0c5ca5 |
| SHA256 | bd82dced2bdc5032ff700ab66c177c28ce91165a4a85b4c91b6d6aada50e6c7a |
| SHA512 | 35d1a5794ed090673830da183f320c1db1aa85085ec57a8e12694f9ad9a82ed4b2ac0469c8227b51d35c47c816eba92c681ab7429b3e391028063348847d5009 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | 1dff88ddc81c982682683ce91042d9c3 |
| SHA1 | 5bc49389543706ac39d71faf2631586e7919707a |
| SHA256 | 50bc662a15801ea2ac431b67c1a8dc707852ca6633e86ba813268c7796cc65bd |
| SHA512 | 004e3f779890b829c9f05bb85cf3f29c8d39dc94019525db2d698271557f19a82504a0597758818a215b46440249d6db130f1987011ea207678f705a79dffbbf |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe
| MD5 | 2c11d7bd36e0df22fc2bf6b64fbc183b |
| SHA1 | e48cc26b8cd408c14e4326b391a70c6a5dbb886a |
| SHA256 | 5791f2a8d043e88bb6e8b8486d43286c7765ab741eb2feaddda771e00011f5db |
| SHA512 | ad5994f8751895e52932c79d2da3d8b0088fa97e360b3a25ce1a0176f94e08f15c584d03aa91d2bb7cad4117939fc48e8b24ec800e1afc577964f5d8442fc1fe |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
| MD5 | 4576b24266e94a43ff9e214beb8f5950 |
| SHA1 | affb563ee72d89c08fa7581a67e18c28b8c8046b |
| SHA256 | 1a470290feba20f903a7672ab95399cfa12fc8090ef37633c0858ace7d76c484 |
| SHA512 | 62ed70d59e76ab1be3ce6be739b64c364fc04f1aedc4f482a020c0cfbd61abe9ab476c86e1cdc5dcccc256f686f92a6d32d4178619d78b0f6a9c4205b1b83373 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe
| MD5 | 4b398eb4a64000569845528f0d85f2f4 |
| SHA1 | 1964f74d517cc8ea86787418b71be06f0f3b216d |
| SHA256 | 1e849d6504a689a5bf33078de84a9500f75ff0f88e818fd03fb5112b077ed99a |
| SHA512 | 3140887b69732c2121c723963ce0e25d6acd64be46217d38bd7fd46bb8ccdeded8ff6940c276c665a99aee0c49796695b9212d4366b7bc8248eb0fd36a713ef6 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe
| MD5 | 7ba97385821d864897e8f5bf050f5ffd |
| SHA1 | ed12accb7f1ed8d2053723d65a8a1a7f80b203aa |
| SHA256 | de9f1f5241a3fcc61b18ce07d48a188f46549be00862a2c3a81ba21f9c25d734 |
| SHA512 | e6be4973ba5c0b8c6670a103895e30760e8d945ade621b2e6329d521a73aa6299a39bdae47f55ee6c5aff183cb2937606c2b127fda20624b0203709b854e4fd2 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
| MD5 | 45d6617134b3e9288602a605cd1ee547 |
| SHA1 | e7c057141993bd196d9fc7db33b6c3614549961f |
| SHA256 | 88edee405e2d54ef31d5406afa8f8dd03efb292f2d78c10e8268547f515d9d66 |
| SHA512 | 7db4d105337a189aebcea655218b228e7d75fbbd29ecb4ab0286f0cc9b35df5287cc2a00b5ae2e0f3de420b916111ad3dc55ee688c78c663d534b51cf027f092 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe
| MD5 | 9f09ed6b9c97f20f86acb6c5020b2559 |
| SHA1 | 5e8b57b40ac3168b09a07c62df8009471c258c80 |
| SHA256 | e30bee97ff4b3f6cb7743d2e5bd4ce264bea2a4dc4a23958c2e05111b7114f4f |
| SHA512 | e133a7cc7c16f9f695d3da21e93f26d3f3b3acdab4aca075d7fc9c6cc150817de1ba742d2227458dd505eaf288863b2669a8995eed10d070a50a858e1ed1176d |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe
| MD5 | dc9e8a619dcd8c29e492a62398edb1ef |
| SHA1 | 0f874b1d649d7240ca6840a33e1fd881d0b096da |
| SHA256 | bc9d24ad32a9fab183a024c62d4c224980a30f83ba960e6649d41ba05afc27fa |
| SHA512 | 8e6ab14e761c22999ad3f8525dc3802c1e1d71cb53d276d395a8edfd7e95d35495c351711d9dffc128e96b5b966a8adac307eb7c7f3917cbedbe81cd734fd8b3 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe
| MD5 | 583ae06dae3893f442bb80c1fa6414b0 |
| SHA1 | eb4039854f3a88525a2736f8b9f0379b548ec6c9 |
| SHA256 | 5ecdfc34718bc504d5f3682daf030522fa1302483e14e70f24391bd8af48b6b6 |
| SHA512 | a83448ad562e2a77c3671853f397ea6103edde854f67b4ee571c6a96b38a8717cf1ed4cd9238102e33b7ceab54c2bc42173bdeb27d5647684097d65cabb60ffe |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
| MD5 | 9c0e6b2464e9bc29f4342c00489ef59c |
| SHA1 | 68e237e8aa0d92a8bf6c920b7e870bee03683892 |
| SHA256 | 88e37311bf8a9af261d131d181cd05e31b52135081c6395022d86317095c5a3b |
| SHA512 | fa069c4a2c6b7ddedefe4bd30974d5dce3bf47d6ad60635a50a6759b6f06e1d0140403111e3747c97be0163add3d1e4ec9be83dc2cfab3520cf3ca5bcf7c6650 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | 34a849729a9704c692c4919582e69a06 |
| SHA1 | 56263aaff5ed829bba77ab42012a4e353ed04bdd |
| SHA256 | b93140c5a62a151f2c7e48bb37716a975ae3a91ad2105567b6000457b977d370 |
| SHA512 | d51b7f1921cd92448db69ac8a51c5bc5d20309de59260c65410384cfc5dd2a30ef4d76f059f291c110c55b1fbf94cd7dde45e51d85c17afc1fc495efbcfc4f4d |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe
| MD5 | f6241b53e2bea33f3393576eea4a4d6b |
| SHA1 | 9c36a2aa7b5c0293968fd7dcd03261513dc3c687 |
| SHA256 | 6bea10f3d1efbee17d31c22486f56c6d3e7efa086b823cf9e26a7468f21520c9 |
| SHA512 | e2666ace474d61d86c6f362244ac0444c7b22efed88393392c9b20c4f8e6098d985e86d939d3394493e3e46d449627602374dba13e1b63d7b73e2387ac019a0e |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | 463da6afd05833a1aba5b9db382c7cae |
| SHA1 | 52e909b3a5de42c011753f52a1e20fc69e0c9de1 |
| SHA256 | d561eeef76d6a8ccda754f8aa36c87988da28f06981c7f95e5de42fb516b3681 |
| SHA512 | e9e81d0399ccb51150cb8f94950162a42a97c8c2d909e66752cb2b5702f3ea5bd4d427ee26f32761868ab7d19465ca770f2f89f9deb94b73a2108c2e5e161f30 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe
| MD5 | a8a3fa615b01f2b83068d1f80337e897 |
| SHA1 | 494fd103873fbc1339aa566deccaff64d0bd2a9b |
| SHA256 | c10f1186b4a6c09560a23a34bbc792fca773fdeaf25ef8d3f28d3c94dcc58856 |
| SHA512 | 95d19e14b2e625a592fc777bbb2750d9c8b0aa7fcf7722acc29b4b07c69d864b6667838cb13b60246e72115543f5703b1c24bd07996456f5a3e52fd9a1b1605b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 88286d1d132c6b5c27b1f3a877347f0a |
| SHA1 | 92b20aa86a781db67a4f191e7c2f9cce22af5afe |
| SHA256 | 068b92cdf676055a4f13780d899dad5522b40ce1412489a25977b2f5e730a339 |
| SHA512 | d5a337456871aeff0f5c6beb74b5d6afeb47a6a626cf00a061e8072ea173bfc874fd9d3d5c89ddebe73232f9f98726eebc4e17ed5e98b88cd8bca9936250092a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe
| MD5 | 5cf7f5f1b6d4da21afdbb24f081fb9af |
| SHA1 | fb3d17126b4d7b577fa4d1265adef799734fbaaa |
| SHA256 | d62a77756bb84b594c435fdfc45bccc928db4bf9d879049e6b8b41857cb82845 |
| SHA512 | 6fd3600e91cb2ea36a4ffeab529619400769e0bd981171ef56752f9e0717e0095da68a6c1030db23ecba51b2a0782f613b37f5b924dce321ebe096b233c989dd |
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
| MD5 | a7976e6ce30172ac0102681dce809eaf |
| SHA1 | 856979d5bf0a98b262a7eafb706e0f17fd641a2b |
| SHA256 | d5acecadde9dc7fb4de0ba1a2562de4279a67a32d2c15629479151af93fc15db |
| SHA512 | e54daf9259fbd800e4759530056aee4a15a57735a1b43d8790e59fef712b0d621e76265c97120bc7e29f8eb8f1f20f5b296e0d6c0c53592aedf05c23a39b8c1f |
C:\Users\Public\Music\Sample Music\Kalimba.mp3.exe
| MD5 | c17975a7d1eaa92e7bb37a538c581f1a |
| SHA1 | 06a6030b706232483e7b073be01d8e4ef61b8f3a |
| SHA256 | 15a4a0cd4214685c7a23a430055c94e0c932edbd99e983c1b27e0afa593d37be |
| SHA512 | 2019ba772e2da27ec4a0fb0c427cb0df7f93fcf6e041fc85bfa55650075890e656cb2f12699ffb9fc54d2688d6587d550039d78ca5ed923479b6e528e5192029 |
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe
| MD5 | 2d03b2201294b2cd2162bda070509285 |
| SHA1 | 7661ec632d2ebfb1e1f7d73d67c13d28dd25f828 |
| SHA256 | 8ecc289fe0ba04a1be706af0c953804604855b06a473ac9af1eae7f17ea7b26b |
| SHA512 | 0bf138e2c400b267a7961247de84bb779f033e6fbd9baa6685a538a879ff63e8b334c06b85688a2819de05eedff050ae2e1434b484212809b00df016d64e371d |
C:\Users\Admin\AppData\Local\Temp\xMcM.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe
| MD5 | 802bc9d6f3f1792d20d183065738f11d |
| SHA1 | 5ecdff811e21841b3188b99e858c6c32223144c2 |
| SHA256 | b3abda15697e26ca3bb5e1691adcc5e6ed69030efe3d0ec14d0b11a5c643bc09 |
| SHA512 | 6425834f9aa0fded6ee39bd99b40b42710dc4b10414f6c2f98a1cec16996c550f23ae7221a7cc9e929596c599ed079179a5d0cab7961a494452029d2ca6d2696 |
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe
| MD5 | b12ba81cd39ae438d740cb7be76114c3 |
| SHA1 | 1f826ccf2911873efc200ae3f74f29fe0355fd30 |
| SHA256 | 4ac867e443aca8d2f17ebc1b7bed36604363ec0d4e74a0556b221e955e058739 |
| SHA512 | 0f66dbbe626914cc71e5e2effb8035fdd6fa83b3c7fda2f7f349eed00d2525c3a2536d0120a35c973b77bdf34a0c34bbbba872b09276fbdfac7b2bd6c7266e26 |
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.exe
| MD5 | f6aa4b762fce453ff3bec3e82aa9c81d |
| SHA1 | 94dc6e4de1416190d4186151e2f517e926aff292 |
| SHA256 | 89ea0cd6ed3afdc0d0e29166fe1192cd2df35282a60604a05a2a2b7ef19c3e46 |
| SHA512 | 6ab9d76b57eb0116d28a777fd3126e84cc966ceb1ba5f7df7aea08b694f37874a10b74fb1d53141dc1d23be1b1f70122119750fd8325379078d0e1076782d927 |
C:\Users\Admin\AppData\Local\Temp\RAUk.exe
| MD5 | 0d65f60115744c0a034bb973f64fd92a |
| SHA1 | c0f6a48e93cca2c51fd7e8fab43e4feeb005677d |
| SHA256 | d600f8f1496e4780dcdcc1394eec22891a5eb428d6ca8e88bc9d782e4c711ec9 |
| SHA512 | 66d44fa5e06e2d085b90ebaddd9138f033e0ebe11c4207f8afb0472d0d61a28a549f9c29b092404ac2bda0339ab96bc711473927165d0a9bec2248ce24e0e980 |
C:\Users\Admin\AppData\Local\Temp\FUYi.exe
| MD5 | afc96c589aa5e4b60ca5bbd08e088237 |
| SHA1 | 329828466ae299b8b32ba3b26d115f6b4cc67e4c |
| SHA256 | 245bb671be03c40c4dc0dfe52dd514c4f43214f0282c11e921728393607d2a89 |
| SHA512 | e6534895a8f94776829c8977444dd5dd76d8393e5faeffb0dac9861ef9cf234b71e41472da7c36ba42f26941131862017699846d48c04bb4316d5c959f6e51d4 |
C:\Users\Admin\AppData\Local\Temp\dEYG.exe
| MD5 | 608d396f44c76d20b74c0881f77a5a03 |
| SHA1 | 0aa0cee5152c324a7ad67b6ffef73a1007425bd7 |
| SHA256 | 9b3615f5b135d4292a5a90f5b01b55b34a160acd273909178dcc10d4babf5314 |
| SHA512 | cedcac985a1d80dea5b0f6419a2226ee5a007ccf729d3df0b84d70851f544cbe791decdd54a8005c46cf271f4a95b2e8eee400ce8942840e608095f7d04257de |
C:\Users\Admin\AppData\Local\Temp\Pcse.exe
| MD5 | 02cec0458c3030aa5666a52b0f293117 |
| SHA1 | 8c6b0835858549563de5736a14000d30949a2d7a |
| SHA256 | fe757b04da2040960ecdca125c1c8c53d35434c2227bf8a870f3d2bc7c9beb86 |
| SHA512 | ee6441fa158794f3404fc0a31e17c9ef007ac4ce1d7b2885d7aa526c3088c0817a47eb29d03c50be0c5a07acb65efcd0db49be9347cc821d99adb8f5a003d419 |
C:\Users\Admin\AppData\Local\Temp\WYES.exe
| MD5 | dc146308eae6553769570363957e0932 |
| SHA1 | 8a4340dff82b9103a6a2590083c79a2842e13075 |
| SHA256 | e13be386479c2129acc9c8880d7ac1f96326a47fff39d66fd64e240c8cbe9334 |
| SHA512 | 69e55d65b62b89b1622e572bb448b94d459dd6469dc27ff8e6aa07f8cde16f51e50e80c7f3457e26da318847ed3380688a12ceb17778dc813052b0bd70a4656f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:22
Reported
2024-04-07 23:24
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
96s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (88) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
| N/A | N/A | C:\ProgramData\mOoYwMQM\tgsIYgcI.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nCooQcwM.exe = "C:\\Users\\Admin\\aGckwEEs\\nCooQcwM.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgsIYgcI.exe = "C:\\ProgramData\\mOoYwMQM\\tgsIYgcI.exe" | C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nCooQcwM.exe = "C:\\Users\\Admin\\aGckwEEs\\nCooQcwM.exe" | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgsIYgcI.exe = "C:\\ProgramData\\mOoYwMQM\\tgsIYgcI.exe" | C:\ProgramData\mOoYwMQM\tgsIYgcI.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\aGckwEEs\nCooQcwM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe"
C:\Users\Admin\aGckwEEs\nCooQcwM.exe
"C:\Users\Admin\aGckwEEs\nCooQcwM.exe"
C:\ProgramData\mOoYwMQM\tgsIYgcI.exe
"C:\ProgramData\mOoYwMQM\tgsIYgcI.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOEEcoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYsIwIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUUwsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsYMcYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyIUsUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKIEUkoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQwYAokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeMsEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyswEoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwIssIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYQccAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsAUEoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIsAkEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkQYogAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsQIYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCAUMwoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkIYokAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKMksMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKUwQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwwgYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeUoEkwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkIEQMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYUcEIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOUsAEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAsMAsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEEocAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQUsgwgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyAccsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wioYoYwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JckYswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOYsksQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwEwkkoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgQcUQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smgAgUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUogYAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByYgEAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKcckscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCcwIkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMYMUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKsUYQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keoocIIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUkMgYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiEIocQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeQkYMYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqkcQocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEYsMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYcIIoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGwcwEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcYEQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMUgsIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoAsUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeEIgscg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKwcYYYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgEkssgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOEookcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGQcYUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUgcEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEAUAwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAQIAosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\basAocgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMMwIQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqYEoYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocwYkYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAYkEgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FykcAUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAkMEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgAAkcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgwAIEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcswUggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoIQEkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKsYQIYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGssMAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqsAAUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuQcckIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYEIMsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkEoMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIogUIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgogQoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcEoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vosIowQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKUIsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEoEQcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWMkcEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\augYIUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyEYAEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUwEYQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsIgUwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgUgckAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQYwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaMggkQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOMkIwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUAYcQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jowUEAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMQwYwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEkoQEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAMwkAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWYoksoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| DE | 142.250.186.46:80 | google.com | tcp |
| DE | 142.250.186.46:80 | google.com | tcp |
| US | 8.8.8.8:53 | 46.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3312-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\aGckwEEs\nCooQcwM.exe
| MD5 | b78022379fee86193ea793ce4e45caab |
| SHA1 | 765c695aa1adfed4227ab7d8fd502d28fca62212 |
| SHA256 | 9fb9be23e5364190c76e701eb193c259d506c11bb8273806ccff10b957ee48c7 |
| SHA512 | f14c7fa49645a2e7af3f6c54e8681959fca489ae2baf2dc07786b4eaf0257a88a797def5af2079ad8528b5cfbe2aec8372bcfec38f20a11dde4db381932a3b8c |
memory/3276-8-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\mOoYwMQM\tgsIYgcI.exe
| MD5 | 1c60c9ad61e00123998080270c0e31aa |
| SHA1 | ae9b7befda4e935f85843d986a631219f4173efd |
| SHA256 | 698d3a64c7f972f1095ebd34a50fba1bf4d74bd4a164e8180278cb7cd17ac76a |
| SHA512 | ab76e7175e459e8e738f9eeb7e1cf5821047c4ebfe3d1a881d470865618f5b5327e2fd80bee3b052ab9d22d4e888461bfcd35e848c32b721ee3a3bfc7847a240 |
memory/4248-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2840-19-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3312-20-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TOEEcoog.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-04-07_0c131b51e74f221161f6a59c1ea55ab9_virlock
| MD5 | 8069e690a23c6c533e7209fc672f9b23 |
| SHA1 | 7c4c896dd84d8cf02eac5f74282a18323a0304e3 |
| SHA256 | e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0 |
| SHA512 | 6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3040-27-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2840-32-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4724-40-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3040-44-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2532-52-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4724-56-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2532-67-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2192-75-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2140-79-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3068-87-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2192-91-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3068-102-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4876-110-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4396-114-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3696-122-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4876-126-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1588-134-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3696-138-0x0000000000400000-0x000000000042A000-memory.dmp
memory/620-146-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1588-150-0x0000000000400000-0x000000000042A000-memory.dmp
memory/620-161-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1860-162-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1860-174-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3248-170-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3248-185-0x0000000000400000-0x000000000042A000-memory.dmp
memory/448-186-0x0000000000400000-0x000000000042A000-memory.dmp
memory/448-197-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1948-198-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1948-209-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1140-210-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1140-221-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3092-222-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2416-230-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3092-234-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3116-242-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2416-246-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2704-258-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3116-257-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2704-266-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1860-268-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2516-273-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1860-276-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2516-284-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2168-292-0x0000000000400000-0x000000000042A000-memory.dmp
memory/636-294-0x0000000000400000-0x000000000042A000-memory.dmp
memory/636-301-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2344-303-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2344-310-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4588-311-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4588-319-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1620-320-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1620-328-0x0000000000400000-0x000000000042A000-memory.dmp
memory/212-329-0x0000000000400000-0x000000000042A000-memory.dmp
memory/212-337-0x0000000000400000-0x000000000042A000-memory.dmp
memory/916-339-0x0000000000400000-0x000000000042A000-memory.dmp
memory/916-346-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4660-348-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4660-355-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4924-363-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Agki.exe
| MD5 | c589a06b2a9ab113977bf76a953e8751 |
| SHA1 | eaa8b051efb1d681f484377653078e88155aa417 |
| SHA256 | dbf2919ddc4a4dff9ed207fe936cc46973bf9f609d9d229aa6d6db0848e56e51 |
| SHA512 | accc0b2b04b0d67c519d0106ae095636512a8cd04f7ac70add7170ea0fcbb8b7d9060540da3e8078e255664d464bdaaee87bf51f978aab4c1df4c90c441bd519 |
C:\Users\Admin\AppData\Local\Temp\EAky.exe
| MD5 | c423a524002fddcc09cec01a4b66055b |
| SHA1 | f827709bb592b2d4c7ba6c0fa2823d7cab8fe256 |
| SHA256 | 79e4c21d0a38576755f6d5db5f9cfd50abe95a4a4448b862552294510b09f399 |
| SHA512 | 814e81000f027473fa9e38c8df20a6d07059b12547db9f55f9e1224a2036953e5268f623cbe6ecaa18b1529f6eb022058b0de0bb470187cdc3f0a770905ef5fe |
C:\Users\Admin\AppData\Local\Temp\ScAO.exe
| MD5 | e9be3f95723153c59d4649f919716b66 |
| SHA1 | 2d63087868ec3611c046c4f7179b4c62a6765691 |
| SHA256 | cbaf705204b35f156ccce70ce963a4bf0ff96e7aaa0af1fab741e1a54c6fbd10 |
| SHA512 | 7faec05c5be7af0a2033af9208fdb94a05f0d8c99904c4d177a874a4c81f9e0ff24f33906b804ed79d99c69411eb97e05470b9d72c9515450adadb36bc4c9b20 |
C:\Users\Admin\AppData\Local\Temp\oMwG.exe
| MD5 | 9ef4af824d39e66ac80a7315c8f61788 |
| SHA1 | 3aded817dfce97eb3c6049f82f5c1da25b63709d |
| SHA256 | 2f83fc0e93c21424c3517de125ccf1b5ddb3a155f89aa90a74d8174036b5a2a2 |
| SHA512 | 48eff5d777cd96a980574d32a039976a3fd2c4411b66c446c1bc075a42a153a5e417fa9becfe1e4891ad4a62a7a3b16bece62764fb3e40e6a1a36d33459a7f52 |
C:\Users\Admin\AppData\Local\Temp\WUEy.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\IMQm.exe
| MD5 | 5429b3af393fa7cb4e45be7b7ec9592c |
| SHA1 | 6dd1e6e87c9bb20906bd0f05b58e36e9616016d5 |
| SHA256 | 207019a29de150955aa44ae7a8f24c8f1040da39994bcc4b53c9e61affb48e51 |
| SHA512 | a3fc26bab81e6fa3ce0350523c171b09c8947ece7d1b4024e200ef42c966cd74f752ab302b0d5ef3f24a59ae2459d16f2ced87f45a4700134214f35ca5610359 |
C:\Users\Admin\AppData\Local\Temp\AswS.exe
| MD5 | 4e701a44d510e7e9a1d96dfe225423c6 |
| SHA1 | d36d70d4b3ead57ce63abb0c52663afefdb77389 |
| SHA256 | cda86499387afee15c64f58abb72bf8a0d68705b27cc754e90fc0880880fa8e4 |
| SHA512 | c0b7cbc05d421be58eb5ade338b2ae40637ffd63741ba283f3520db78c177a8f65d378b7d2c18a9a3c47efb400c0753238b0277eaa5519dd8c030f9378ea27f3 |
C:\Users\Admin\AppData\Local\Temp\SMUM.exe
| MD5 | 534649734b3151a86440f9ed1e16e91f |
| SHA1 | 61449794981a74881641cf3bec87f8e4d1e5b4b7 |
| SHA256 | a6eb14f80fdbd23220ab5d2c752f70ba04dc7edb3f253fba18f987305339cebf |
| SHA512 | ca6b33ed27b9012c4de1109e9bc1fde2ffd389bec2c09418eeafa66e4509c55e2b148ca1457436facc28938d0797193a331a605e437854f919aa7be439509431 |
C:\Users\Admin\AppData\Local\Temp\UsEK.exe
| MD5 | 670f691b40e1c4e56a02ae652c1d9d1e |
| SHA1 | ce2257bd45b6aa1c66c2cc973078d02d1d562a66 |
| SHA256 | c42e553429fd2c1597c103a6827b523ad48d2719b074d271d513aa5b32e775cd |
| SHA512 | 60d3adaf2b8220f72dd6e8305b528749ece462bc5686771cecbc3629ec6c476fedfdf103c96a77b4c03d0839a5563d54f91b968681e936beeacaf9e2e04510a5 |
C:\Users\Admin\AppData\Local\Temp\MwgY.exe
| MD5 | 6730eefab191bad5e451db36dce36896 |
| SHA1 | a707e40f78b60d0893517ccea75ccb3e2c288d2f |
| SHA256 | 4f64835ab5e9d73dc89f27162348d2b3519bc3210c36bf90be621fe0ce8b0683 |
| SHA512 | 7c2781d0d1353169f22d2eb85bbdad25d779e5db80fd07ec19b934929fd341c7ad3a133a072fd51a8dba55637d29128eb0b680ac812814e4f12045ac2b8f7e0e |
C:\Users\Admin\AppData\Local\Temp\uYsc.exe
| MD5 | 2fc38e0dca673875e1ad7544b34d26f0 |
| SHA1 | 0ef589d4638eb98c5a518892d5537bd2f3b9600b |
| SHA256 | bb60d7d054e88bdeef84afd6c8366f24d2ce694e7993aa53cb15b21ad445fc93 |
| SHA512 | 64bf1eca88afc60a806fd5d1cf8138e7a122940278cb8b926920c782e4cbf639098748421777a2cb38beb53757e310efd6705513319f80ad94f7bb0712fee3c9 |
C:\Users\Admin\AppData\Local\Temp\UEgW.exe
| MD5 | f9ec94326c281d9f6a1a3ebcb9cf90b9 |
| SHA1 | 1dff80fe7b78d244ba3222a9f4e4c4bd62875c9d |
| SHA256 | 986ec3728219ed34fc29a33fc40460e1d3c4014ddeac7818187373db1745112c |
| SHA512 | a99e15ef588bc3c01ce8151098392399c061d27e758f6615de3c367f812c2e9430772d2b6819b4c0596bee00e24123050921d9cc54519eae73baf790a9f06af8 |
C:\Users\Admin\AppData\Local\Temp\ksQY.exe
| MD5 | 7838936498b0c283f41d79d898e5891d |
| SHA1 | c3885b194559a19fa0916954b2d8fccc019d5e9f |
| SHA256 | 636d749132a08f1fe1122da8c030c0ed85cbaa2ce4d010bf152cace7e98885f6 |
| SHA512 | da89d935f6fcabdacfdc82f064e40bf0c127c848091fefbb30e8fa4dbeba65be3de7da954d02ed1b799b2dbe4bd038fd83b98c701020a598f5b39f5d72df9de7 |
C:\Users\Admin\AppData\Local\Temp\oMwU.exe
| MD5 | 44843618cabf9e1a1f43f91d0dae976c |
| SHA1 | a741e16e433fa1327fa68ae7b5a497e9f7ba8e48 |
| SHA256 | dd9595bcfbd7611f03f80a01dc66cb2464b0bceb7cd3b8c896596e999af4d85d |
| SHA512 | 1227fe9ca3e07054a395e5f556fae1e92ae0bebc4785cefda66343110d613960f8c745a22eac28a24d4035e762aa87da09fd98f3e48234c6920c2f20516b6618 |
C:\Users\Admin\AppData\Local\Temp\Ogog.exe
| MD5 | d185a8b59c2ade40eb4822d80fc64205 |
| SHA1 | 666034b68cd2d3c76f9a923e91d7d369c1a97fea |
| SHA256 | 86ed7b03f3f3d7b08ee2a924c5d7a604c5345c46529304a9587b166e3c090926 |
| SHA512 | c2c6fa9acf2322762c29d586626adde14791a3ac548c591fb9f92631557a88e5659966b8728b9d29834c9f2fc84e992363d9c1395d6f308c4cbd11a35ced4717 |
C:\Users\Admin\AppData\Local\Temp\aQYY.exe
| MD5 | 13544f041142f1ac52660d9e9179c035 |
| SHA1 | c09526ad1d5d8d67e2b33d9621e9e4ab8caa9034 |
| SHA256 | 1ff0f9d36a9e817e7021f8ec1f42534ecafe1bb15bfa6ede8cf97e59f72079f8 |
| SHA512 | 04e859fd1723febadf576e7396975afb4b0fa175315c438077fd5717bf9ef2aea72825bd1eff19f1b97425938a0261cfcfe34ee73539d2a3aee2d257053e8b5c |
C:\Users\Admin\AppData\Local\Temp\ScoY.exe
| MD5 | 047819fb8daef72f03a0539821445eb7 |
| SHA1 | 784aa0b489884fe70459d32f5dcb57c3e0415b10 |
| SHA256 | 95a3232ff60c42747a905284f11b20078c4a62e39a3d373e7b2ccbae1f2f88f9 |
| SHA512 | a9b3d84643ab40898c54fe2784afc0dc3f9cd16b7f64b680fea5687386bf0961b9fe6fff5c08b6fee609993ee06513fa7a0f96c450f06cea791fabfce19d3bcc |
C:\Users\Admin\AppData\Local\Temp\gwsq.exe
| MD5 | 99123033774e9aec14c07d1d7fec4f10 |
| SHA1 | 78021fdcf4c868c2aaaa725a6373245e998e71fd |
| SHA256 | de7fcdad00ad257a95d3bf39f96fc476ff47c028616e0efaceee2e3c152d5b01 |
| SHA512 | 1bde4c0a6b25f846932c12d8f7693539996a5f35646ce0454f8a73964737c5ec811a89711d25565327615be2e5f3623858f69565b8d3218c8510ab3d6f4b0aea |
C:\Users\Admin\AppData\Local\Temp\qowa.exe
| MD5 | af7525a3ce5f565cfda5da80a199c88e |
| SHA1 | e7eb1547b8652dd4b3f49f6715706d998a95abbd |
| SHA256 | c69f9646f3cea5d8707cd97dabbf10dd047722752a9934d7813a392f8bfa9fd8 |
| SHA512 | 0021f1ed4f7eb30818da3aed8d5ef1ca505690f0a1d169dde50e06f91bb4e86c070500898fcfd1b1b10ed632b5f4306a9a329d30ab0cdd676f7d08439efc1e03 |
C:\Users\Admin\AppData\Local\Temp\ekEQ.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\kEoS.exe
| MD5 | 97a273c92f441ebbb96bc07a23ecd6da |
| SHA1 | 8095b68c7225bab968ed8bd91fda78e8097941b9 |
| SHA256 | 93f45972affeb6dd2218d7c884d95929a29a5ca5e8e8f5f2ee28ea523c32c614 |
| SHA512 | 6c0a21e72e4366d4f0c3a538283a52f64b2eda94c02034e3ceb2f3c9147c6702ccc4c1b3599eafb919d61f24bb1db9675e1a05967d1ba6e0716608fbb01d1f16 |
C:\Users\Admin\AppData\Local\Temp\sQko.exe
| MD5 | f9c56b0d23bf4cc2924e206bf678c4b7 |
| SHA1 | 95a8d691ebb821641c2e20e646b3f133dca5b10f |
| SHA256 | 477ce63084992b3dca69a3c8be4f742fa15d4e77de2fec52a26b4d2255c4c367 |
| SHA512 | 28f8ff8f85ac654d193fd8da1733621a3b82958400b7a357a7d203d0b382e6a1bd93bb06ed0675c522f33597b0c823378cb87d1e6e70855245c46888fbb006db |
C:\Users\Admin\AppData\Local\Temp\MEUA.exe
| MD5 | 049fe1b61f6f769119e387a2cf62f06b |
| SHA1 | 0003235f424cd14158d49c2a6ef8b17d7da030b1 |
| SHA256 | 84f03478b226e056fddfffe1fe55f3e5dd9137719ea19a41bea405dc9024f3c5 |
| SHA512 | 0dfbcba5014695e282a75e274eb69a602868911712cba7a5ceb9756ba499c3bcf84dc50de2a685f20bd1cfb69f30a640af859a8b7ac4ccc3445491bbbb9acaa6 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | c7b24dadf8775fe7f7379fcc2eb84e09 |
| SHA1 | 25abe679510520f91be5c00ce0c5e4889b8ea218 |
| SHA256 | 8e634c192b51fdc2b84fe0df2db558b1264782108993873eb801366ddef647e3 |
| SHA512 | 8edb5fdfc791d42989bb14fd0c84a02d3e71d4510fa88ad9f089817f51793ebb526b79efb24a1e75d36c6cb2065cd1d3efe29307bc5d114fdac3cd7c88687795 |
C:\Users\Admin\AppData\Local\Temp\sAsK.exe
| MD5 | e055ed92d0389fd80aa04bbdae51443f |
| SHA1 | 5966aed77629b95ea1116a04e06612d57b00660f |
| SHA256 | b9ba76d65d949403a56626f12f6e10e75f6a525f98b0f63fe00de1ab8b07a236 |
| SHA512 | 5e18894b793334b284ef0d8d5a7f9ec2e5f7e3042b7e69a8938e4cb60da0515746b98e80c132610de0f0d58d15a4158523590894a38d0db540120b7bf53b56d9 |
C:\Users\Admin\AppData\Local\Temp\YoMi.exe
| MD5 | 3e6f0093c6789fb4c3d2c387cd4b80e1 |
| SHA1 | a69f13871f5370716c7c86d05317e0f4447221fa |
| SHA256 | cbc6e6b4a7258241039dbb3e0b2ddd3c85dad33efba523d7f0b90ae8172362ae |
| SHA512 | f563ed8301a7edd574ac43d1f4cc5b35ca1babe52d03183c10a7fdaa624eb63b5d68c94a76a727302fc2ae51c9de17c9dfdb6f8af77ebb349896e72d5eef9855 |
C:\Users\Admin\AppData\Local\Temp\swgO.exe
| MD5 | 86f6fbac85a25593f0789c87b2086640 |
| SHA1 | 870c06230ac3a080b49f106671bbe83aaca0b8ae |
| SHA256 | 0cd5e5d4581e34f76e04b65315a3653f358a3f79fc7e0c8c420e8a6110def001 |
| SHA512 | e3caf3b638b9bac8128445b358f571a20874efea41baf2b199dee8325682e8781bbf59163ec707d0c009292c12dec5541203dfa97c36bf21a66d4f1bab729691 |
C:\Users\Admin\AppData\Local\Temp\QMMG.exe
| MD5 | 66c775d04b1c0559fa6a267a631cd36e |
| SHA1 | 7075ec8a93521326eba99b44218331ab87793919 |
| SHA256 | 336aa111793e877ccc9e4280647251ac570156f4a2a5ee5dc34b5711e5dc915c |
| SHA512 | dc4418efb2166501d2beebe8449e21b0b216a90f3fe156fb4df3d56f6f10d3aa9973bc595fcd6733394327f46f44b3f98ddb22bc95ee28d82110820239ed88cc |
C:\Users\Admin\AppData\Local\Temp\EUoU.exe
| MD5 | 709482c83e0d5d5a7a37ae0c4fd2070a |
| SHA1 | 0bc791c9fcc887c690e26437fbcfdd137fb7b1d8 |
| SHA256 | d9bef30ef6c59677660fe824c99bd0981b7850a5222605d87abc1b4e29a51ff1 |
| SHA512 | 5e862064306c275ca3cf626f9c8ad2d8e5c7a1e80221fb9109dc80d10802b1f8ce3d8aea0202d23a8b804ff4db5aec4f97dde7669fa010fb85b5b6e0798a1ef0 |
C:\Users\Admin\AppData\Local\Temp\ScME.exe
| MD5 | 54fce53a5e15c551f0737a920f267097 |
| SHA1 | b4bc39369dcdeb6e7fe4c2f75b23846962b99fad |
| SHA256 | 8f5c3310a2c6bb0c8834b91ca734e6bfd96562cc6f0fcaa5f0554394e6fde2ff |
| SHA512 | 14685c19495d76cfbeb4b4d00d18eb663a8bb09861de1e0d129e56ec139d57c43e183295f3aa6dbe979e9a8ea9802785cda6c3c2d0e8edf582d1e306635bc3e5 |
C:\Users\Admin\AppData\Local\Temp\WUky.exe
| MD5 | ce11eac04e3d365a878d4ea28655f4b6 |
| SHA1 | ee028b5e8a8646dddff01c238b2789a1e7fde7cc |
| SHA256 | a30765de3fd337510d323f2ea571f48c840e507de1439d3239e0daa04bbd2f38 |
| SHA512 | 80b7a28e8e6fba088ba9e2630347ab350a1302dcd2d98f8aabde1bd4f1b6006bd8b72ab1481d605f7c7836a70e33b4ab47a0a0cf29a157e1d3e488a206a6e86a |
C:\Users\Admin\AppData\Local\Temp\KQQe.exe
| MD5 | b46192bd3306fba380bc5db41c89718f |
| SHA1 | 04bebbb45baf5063078fbc03b00af2f176ee6ffc |
| SHA256 | 135d093b733384da43fdb8776b3a43552e148d60e22e35c9cd0f6fe7d99c4949 |
| SHA512 | 5fca0c442f819ef8ed1609ce344dd50b64039d45b1c5fb184baa8b6f8b17a1bcf5f957730516810860e4da766d187d7a0c98c83165dc5cdf15b39750a8d804f9 |
C:\Users\Admin\AppData\Local\Temp\Qcsu.exe
| MD5 | 24eddfd52ca9132f806aa85c22fd3988 |
| SHA1 | 0dfdb043bebebaff4a0e4308494b64b33002f1fe |
| SHA256 | 24a9afa77c8acdec248238928843c7099021f1479e0e697829c4ebfaf97be297 |
| SHA512 | e54a87ec9e0c45876a0cfbcfb5829125c291e98a688813401ac5771dde81527e01f0c62b3d595c5530345b29537d3cea92e82b3cf17611c5edf38ef7d43b8364 |
C:\Users\Admin\AppData\Local\Temp\sQcC.exe
| MD5 | b27a9f48de4a07fc189be87efe94475a |
| SHA1 | cc01c61d2ee17c26636548df814b0f1089e5ca68 |
| SHA256 | 6d39cca57f61239b28293dfb9b6157d2700cafd879296c08119fa345700fa852 |
| SHA512 | 393c62a7ae8ba86a9f8722ce193f04320738838900d57ab1b6b04f53456a3817f80a7462adb3d476c948663c0e49f47ca258c89f1cc3668a37a6e221bf2d09a3 |
C:\Users\Admin\AppData\Local\Temp\qAsY.exe
| MD5 | 3dfd0c450775891527dd071eae23ed50 |
| SHA1 | 362ff739f6cf8bb1cac42be9bf6d1f310c9fca6b |
| SHA256 | 74a33180e2cf600147f713d1198a97c67168712ecad40577759985ff96261779 |
| SHA512 | 2b0fac82ec9f3cf16c07a346da923da7587473febe15f17ec246b2b9736b3fe8f4a760f6b08761341a404f355fb6099cd676fb052b970d55461ee10ebd1f51a2 |
C:\Users\Admin\AppData\Local\Temp\cIoQ.exe
| MD5 | d0ebfe6babfec84e8358d863b613d806 |
| SHA1 | d111100ed89e9d67b07e5f12dcc3696d3028a029 |
| SHA256 | 6f522ae3c2af825d3315c7474ce840466693a708db2e0f1a928d02d59de2838c |
| SHA512 | 99650a1f97e95d54a21e9b6c772b05ba5d15c8d3fae22b610b91327fd86775003015034c3111d1f20c4bf8de3b7a48012e8ca78f7179e5fe7529f3adc7b1b5fe |
C:\Users\Admin\AppData\Local\Temp\wogi.exe
| MD5 | 9875519e903f1b947cf842a3cda86252 |
| SHA1 | b5c22e786e3194fb2f53312f902020bf1acf31bf |
| SHA256 | d7950907459dcead0f2f9d96446e4492641f4cb6d45cb2abeb2d52dfe7c72289 |
| SHA512 | c2fde50feec543e9544b278f34996aa1b483871d0a59f8b71f421600499e029dd819b2133c5a0a6e5b6e0e634976e73f2928657bb8833614ae0a8e0f12b159c3 |
C:\Users\Admin\AppData\Local\Temp\AIcS.exe
| MD5 | a4f379d8e658d03716cfb65d2c1097e6 |
| SHA1 | ab50bbc5e85a9db808faf09c5cdab37a8a67939e |
| SHA256 | dad90a7a32317e1577955b9287b30448dc1ebd84f4ac1de2515ec037c6e0b58c |
| SHA512 | a392b3af79b65fd6d25c5999b39f4511bc0aac0df7fe0578fe32c19f7aaa3de01933b696dc1304b168b98a317e28eb70bd2a721f8edc52cfef4b1926fd4cbb99 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | aef7c3c1f75e636873333e74cbe3517a |
| SHA1 | 3d07100e1475ffa209fb1bc7ce5b9fc41e277759 |
| SHA256 | 76b3ade7abe71bf9f1a3f935cde7994b4c0e6a07b4e3905672e29596348bb8ce |
| SHA512 | 47e2fa7ab296426eec69614e2a6c209b30f6f58dbf45cc04c04256c41b863d06523f1c0d1fb6e6eb648e4ee73c1f513a6a258763e72cb82102222a93e4c6124d |
C:\Users\Admin\AppData\Local\Temp\UAMk.exe
| MD5 | 646a78789f79a9e89b3d448b2b390999 |
| SHA1 | aefb51846955209653bbbd5a82ec86a27195ea00 |
| SHA256 | df2afae1ed88d6b74f0a519ddb050b0971be95926e325bba8ebf2c260a2e5797 |
| SHA512 | 94a0ac68e140795cea8ee9bcf482ca656cc6797c46b7da31741ac111dd570bfde04b7492d91f0243f7589adfc82a25fb682f8ee4ab212861ad9580c0905e8653 |
C:\Users\Admin\AppData\Local\Temp\WQUG.exe
| MD5 | 173cd41af4b15961db333fd6416d0114 |
| SHA1 | 6c62230ace39ea37726f44b809c28f177e533520 |
| SHA256 | bca526610dd30aef414f8c4825e63f4a44101c49a5ec9a5d088a56a6e74ba3d5 |
| SHA512 | 67f6f7ad6e7985dcee9423c7b3b98367f44c0933769e91da91c2e209b282b1442f0ba7dec6ee81e3ce1b6f5103bcb4217e27636df2dc4d18e5c5b94bad66dbc6 |
C:\Users\Admin\AppData\Local\Temp\kEMe.exe
| MD5 | 15227211569d80486263ad61a0b5aacc |
| SHA1 | e24cffb301a8df062dfa5ae5e836bcd3aa562339 |
| SHA256 | cbc160d55f253200df0f16ec33f85bed82c862a306e70283326989f479800d88 |
| SHA512 | e9b29180ccbf410284abfa8ca1e0cc2554c648ee1e4dcbf055ec0d6f94e4330389997e83eaf97a871454abfbdaff5ab50c4ff9ca6d71ab435fa24a4bce8a33da |
C:\Users\Admin\AppData\Local\Temp\MYoy.exe
| MD5 | 7fbd5505ae1c85bbf655f7d930660350 |
| SHA1 | 87f430362a94a375822b95421c77b860c78b1fb0 |
| SHA256 | b6f67d4bb3ab0ceec53eb5865c2bc68a2766d2847af41940e7f3c17bc0957268 |
| SHA512 | 697f547a7de33f105b938a387125ede31e1a882f5f4fe8f85c343fc36a4037bedf340efcba5b0b37896eb2924e3cc7e68efc2128a0d9d4d10f871d1f19f20efe |
C:\Users\Admin\AppData\Local\Temp\GggW.exe
| MD5 | 2537f12130efb34a221f53a7c2d37685 |
| SHA1 | d1b9d6d05de848c8d31851e43a833fe9be5438a5 |
| SHA256 | 399ae761662ab6f719d0c82dac45b8ed5d96c07dad93761dac38dd1bd50b37bf |
| SHA512 | 8f2da8ffea02aaa0696d2f6df879f98bb88fefbc8e691d9451df8eaf209a140ff315138be016bc3829e25545aa0ae5c31ca1bace52d31735fb5d709a844bd4ed |
C:\Users\Admin\AppData\Local\Temp\oAwY.exe
| MD5 | e7aaaa98b9673743e8e15fe4aa75dc18 |
| SHA1 | 2ae9e58c1a377ce19e2632a9ce98deee2e23fd1a |
| SHA256 | 51bd99e5876afef1c44255156d50fb1cc039a5d9ef0afbdad874a66831f74bf5 |
| SHA512 | 72bd94d1bb9963d54e70e0885a80e9e02eb5f8d467d887612c8ca5a4d7b261c84f9d8bce962a90e642cc127bb608bb198ce9a6f03b981b99d258f2abbb72aba2 |
C:\Users\Admin\AppData\Local\Temp\kEMO.exe
| MD5 | a4b3539b9397b3b9750300775e49e29f |
| SHA1 | 1f73b0b2dc7c97743261bbecd9a6a30615c86f48 |
| SHA256 | 6f6cac2c00a8375df596c64d84bf152286e8f27afbe31be210f45baf55a28abc |
| SHA512 | ba8130db84b41dd932f172425b82d2fc9a4ed15ab6adf93e7db290434344f6cc0113681bc0b71ed0371bf76a6f9a2e826c20e8d883f9f58594ec41b40f58b26a |
C:\Users\Admin\AppData\Local\Temp\UsMC.exe
| MD5 | 621848d9d54d3ab330df2a3da47dc67a |
| SHA1 | 56d86458e71dc1cdc8adfa397fe8f9822f29aa6f |
| SHA256 | 999e4f517d3b013cdd1c2369e72d9f29c4ebb6b82ff038e943e7277b8b08b69a |
| SHA512 | 0a32c47cdb3a84987e97f8ee11c539fc21ab503a9bbb8b8df56126ae2f6a40831087fcf155568cf051fafd5ffe8b1092acbd9913918e9f1a2a9c9c4e9c4dfa6a |
C:\Users\Admin\AppData\Local\Temp\UMIy.exe
| MD5 | 62727d689c572fb7e86d49abb2a3ba04 |
| SHA1 | 79c88afbd9e39e28b2a5903da49b49857ee33ea2 |
| SHA256 | 75e50a1fbe98a2cbae2ce7e78c3dc3c4923b349d229e0b9c1f0e901825ed2cdc |
| SHA512 | fb0ba97a7b3a94800dd0e357b6068d08f4bb541137f4155b7031d5a9b4cdb558f3fc2ef0157dfe5b6ed1bb66d0e2b0eb5fd4e776ac3412184486ea92eca99443 |
C:\Users\Admin\AppData\Local\Temp\Koki.exe
| MD5 | 9b78570166ef2509f35d8e92f8c697b8 |
| SHA1 | d777aa8b24bddf6d70c101a99661be8ef082dcb0 |
| SHA256 | 068f8641ced5e377dfa01ce2487ccbb680071b254f32cd46429f1f36bcd49d46 |
| SHA512 | 7e6841fcce14326795a642f0796c418cc0754492e0154df9f3f28488a9052162880cc6884151e526e8e636a45ec3aec22d6c06868bda37e2abfefd5976f68519 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe
| MD5 | 5af4d3fea4b645f17a5a8c7f3710b156 |
| SHA1 | fe0034f882246d792f8226552735ad6e7d6b448f |
| SHA256 | b0228c03221f899342d97583970392b6d3514d3f11056b7e23eb538063dc6ac6 |
| SHA512 | 9496bd3b675a739d2b852ed8e763bdc68612ce75ce6a5f7b78c52082d9842f4a2ef484ce29042522615c4545e50bd3e9af79b46d646a397d338335b217bfb410 |
C:\Users\Admin\AppData\Local\Temp\EAcE.exe
| MD5 | b905ca04932089f36c176589d2b4b066 |
| SHA1 | d35ca8d96fa1a08d97a6e78e829dd5ea680739a6 |
| SHA256 | f4be6b561e99b20e62d0a497c90600b01db9ce84a9d3c5d5155a24ae0e2f009f |
| SHA512 | bd32394c74d30e630e84e92ba558f8ee2f24ee3cf8e1cac6d772685eccb6a32663f4236e0f2861884ff21338b85b8248fd8a0603792632fa6500012133596a7c |
C:\Users\Admin\AppData\Local\Temp\UwAy.exe
| MD5 | e4378025f6a2f79061a0d2e89519243f |
| SHA1 | 3c0876f943509904665466c258a277c48306f2a6 |
| SHA256 | 8bcbea92d5249c1ec33ee9d0b8f0cc379b5fdf8b24a1d149f1dcbfe328153963 |
| SHA512 | 2d7e986374f0299d233536903fae9040b029375194f8a7019c171e1a6b478c1c3e5114da91591313f87448755251940cc3e84b76157d919c9b261126e8583969 |
C:\Users\Admin\AppData\Local\Temp\Moci.exe
| MD5 | a2e9a0117b3afbb7ae7f13ed3fe6a008 |
| SHA1 | 9ba3d9be9a028f5779a585e169daf8648047732f |
| SHA256 | 660d47a98f100b0304d44b0cb4e9302aa90c997e6451ae4e55e5ab4f4d7b396f |
| SHA512 | 9e96cf01db5c80698b46f4caa7ec4789f874af027213eebb4702f9022c2cd41277bb1bdeb2e3b3a926fb19fcc4260754915b939032694e55b9678243e3b7fc65 |
C:\Users\Admin\AppData\Local\Temp\mEsU.exe
| MD5 | df79fe574815662b1f16d508eddb8bb8 |
| SHA1 | 9b7bc2c15edb0dabe7aa146143788e8173f11de4 |
| SHA256 | 14de7ba6d63b1409fb7e2802b7f507d6f6c2c73848987370a6f3a24ef6e89cab |
| SHA512 | 90479b72fb7cf615933ac23473b471531ae3f773b753509b61ad808fdd516df2390b252abedb37f05af9c03f8e8bc90cc5eab4253d28960686c86baa2aaab033 |
C:\Users\Admin\AppData\Local\Temp\sMQi.exe
| MD5 | b431f6f11c6b75bf6da469d24abca16e |
| SHA1 | bca3150b5ddd6c92d1ad34eafed40243eada0736 |
| SHA256 | 04187c33f2dd6640814931478245a7772d97e8d4789a37181a86096817e3e4df |
| SHA512 | 49be4186a80c04adef9eb226cc7a840e245ceb70b44eeef831e02c8a27e7bde0940892d046008e2a3e9f0da31d68c64e54f6e82978e700bec293e354a62b96e7 |
C:\Users\Admin\AppData\Local\Temp\YgAw.exe
| MD5 | 8ad8614d9bb65bb9b0832985bfdd5ba3 |
| SHA1 | 054d1785a9abc7c302ffcef9d072a9436863d56a |
| SHA256 | 9bcfa94ac017553de8781b3446daa8203abe7bdca823b06c94d15232f2b4dd79 |
| SHA512 | 08b51f95fea1a56b6187c7b5e84a7cd32a308f63d92cfb71a2181af3592cc9bf3cd72e92a1acbb10d4ed46c11e921398a00fe553f6ee9ecf1e30b58a75acc281 |
C:\Users\Admin\AppData\Local\Temp\qkEK.exe
| MD5 | bcb34b39f24c3d71ec5400b68164de72 |
| SHA1 | d5939287b9b9b425f98b09e73644f6301fa4e1dd |
| SHA256 | 9e60805ad35d88d3fd212a046d96d2e5068727a410231bd0c602a6cafaa6e463 |
| SHA512 | 3f90cfa52d14817386fa47b50e91f6dd001e5552b2afe3af1373e19a028a5b74bfa8725228f7c860427242c011775861ae2b3215dcc8f69bf2e0fba7d7107c7c |
C:\Users\Admin\AppData\Local\Temp\yUQg.exe
| MD5 | 2470b05977ddecfccd859bbded729c61 |
| SHA1 | ed97f9edbaff842c37a269aefed2fede0de9b630 |
| SHA256 | 272b7610dfb7e4c29d01e727c077680b97386b231c7740680a5f9485cf538806 |
| SHA512 | 01ddb67e470e58946c0129e388170bab916d27610eb870c9aa57be3a1a9df8d6bd8cc3329a137378b237a3ff2c8901dcf8b5044f6964f6bf0e7dba2951c35cce |
C:\Users\Admin\AppData\Local\Temp\swMM.exe
| MD5 | 1b3d7e7cfa28fe1c308cc969ef9e612a |
| SHA1 | 61bd6436c8c8e596f1fa8e1dec609a264d82d65c |
| SHA256 | 190f7ab2822d012083c38e9365d045e0e17373a558bedfe313eb05b3759423d3 |
| SHA512 | 27bc89fb13c457989bae4842b607fabff7cb23130f191bf246a8ff70174a3f10d3f56ec980ea8a2e332160fae3e2e19953146d0fca414a1c208906b12c2cb2bf |
C:\Users\Admin\AppData\Local\Temp\cwsw.exe
| MD5 | 7314363e3f32c8798dc47d4dc269aba7 |
| SHA1 | 1b06abe55a92d6e7304d9d9ee79d5ac23f826a6c |
| SHA256 | cbf82b1557e7132c3caf032b1d3433a7035e1b280b7f56e959bf4d7650875b40 |
| SHA512 | 9780c4aab19a27985588ec33c32f3726d6d7d04f974787282df4ec3a91eac498b0237d443023a4f6a7f424ecdaa0567ff08870339b92efe4c839dbaeb1e52b2b |
C:\Users\Admin\AppData\Local\Temp\moYW.exe
| MD5 | 05e053cde59135680d154cb2512f1151 |
| SHA1 | b0ee6dccdd0ee246bcdb655fd1704f307a19e5a2 |
| SHA256 | d04f3836bab90d25f2360c4eea033762508283c2186b2cd6cf25adeabc13c4b5 |
| SHA512 | 69d2ac97ef78892c4d41d6f7a5180dafb83ee24527e38e9019cc2ffb7f3bffe506aa18dbbafbedd161879487bd8ad0ff1801e399ce435c954e00141109383b54 |
C:\Users\Admin\AppData\Local\Temp\kwkI.exe
| MD5 | cf7019e37aa07b97dfd221f802b04287 |
| SHA1 | a09369971cf46c6d30fcc8e60ea47635830602a9 |
| SHA256 | e2052b4bbb950835cc2c9e3c830bc603b3254d8ae5d81ef3638b0d8da00c8a0a |
| SHA512 | b723c447b382e0c411487e0389037fbdee3580969ac1947cb4c6d1baf8656eff69cdaccb97c496a2f4557baa1cfeba54b0627bd0f74a018552ab0aa84ba81289 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
| MD5 | d1d272ae2688cd0f6aeb6d9d666d5246 |
| SHA1 | ef3357c6900180fcf6bd1454efe14ab4e513e9e1 |
| SHA256 | f5d64f4019fd9990cfcee0cc0a2a62fa3550520db98966847a255f74699d1421 |
| SHA512 | 9117fec970075e9460305f3e1047cdfbef77432b180ac305a978fececf1797ad393c19446ca3939b85f38fd2eaa1fb3d760d5c132168d01921b3817a23b28f61 |
C:\Users\Admin\AppData\Local\Temp\iYsu.exe
| MD5 | 3b8f833f58e6b07adf600dd42d6242c8 |
| SHA1 | 329f2fd9371e13f8ac6db11ea40b79b19d9a5598 |
| SHA256 | b373155d799d5286af7f5047c62a0235fe3c2fa696f21974cbe98f7ed2f6575b |
| SHA512 | ab0b2d85cc10cd7712f266327a4351e65c01e8d4a844389d4bea1577aec4ee6be5f0e0f0aa5ae9c3ec5b5a92cc85212bedae9b002f353e17f4fea0f07673b8ad |
C:\Users\Admin\AppData\Local\Temp\YcYE.exe
| MD5 | 4a3bdbd0e94cac5e24301be527688c1c |
| SHA1 | c95ccfaf5ff1240863fbc48d3763fca0879067b8 |
| SHA256 | a5a8a4b8c9f3795d90f3758f85b34600c93fd9e997d00a7e586bdcde785b6095 |
| SHA512 | 87005a675a23d5cadad72455536121908ec256989484d081728037713d684490d2496e535bd2f890fe6523c11865ded001861b3213b35f874c3462037ef84726 |
C:\Users\Admin\AppData\Local\Temp\uAMO.exe
| MD5 | 7a844469450595b752d99c49402489ff |
| SHA1 | 1ccb3c756926011003386445a9b0cfe52de6d16b |
| SHA256 | 6b6f23ac25b029a749d9c268d2e81d6e46a67dae9c6834b70ead4f12ae84e70d |
| SHA512 | d8b09eac3af9daa465e9fa3ca82228a5179a70a3106b2167e537ca008eba13ce2668480bee8ed3d981cf50c0a1857061fcfebf2c0875c6af1e8a1726b7da40b6 |
C:\Users\Admin\AppData\Local\Temp\cAIo.exe
| MD5 | 1daf5e74e906cdefe735e05837dc611d |
| SHA1 | 5d91f0bf9f1257332a3865204c1623d1339d348f |
| SHA256 | 78d81742fc6943fa35f9098f039fe580b28f460721ff016520aa0a78ab11e5aa |
| SHA512 | 0d1e5483580cb739b05af8d5833eded8cfca967d46717805ef8caa09c0bf718d29ae8b522f02733c0640ed908091c072ffe57a58d0d575570508ea610780adcf |
C:\Users\Admin\AppData\Local\Temp\kMYe.exe
| MD5 | eafd205ad2f4f761e67c33a700cc910d |
| SHA1 | 81b0fba7dbd1b704f72fc362c0968dd267dd0123 |
| SHA256 | aa9131c22ae20d3812dc24b4ae1e359fb362bbe176ba27a4f78d9aecfb701d9c |
| SHA512 | bb2e5ce537834c770f5f6721ee3dba81f51fc23b8e46ffda61f55ce198c6a85a52d1a386b636bb492a1799e82c825281130a1484d95f36ba5563a45eacf58d9c |
C:\Users\Admin\AppData\Local\Temp\cEMq.exe
| MD5 | eb49eabca8de63e70c53080fb3c70c26 |
| SHA1 | b684e8c93fd4388557d0b65fe1d52ddd3c06b8d3 |
| SHA256 | 7d2a97d05e2417b6d998099b5d7b096a475de75476343d7bd399ca48a43416eb |
| SHA512 | 8bc6b03773850213b6401598e2b830a3e04ec4953647c9a4d7e98a9239dd9d2160b1f7c06a9522b1718fb7f59c7188c59352ea6c068492de910d9ad73ceb7c84 |
C:\Users\Admin\AppData\Local\Temp\eYMo.exe
| MD5 | 508011cb2e737096e722b2f611b9a062 |
| SHA1 | 7633aee1d6308132ca9ad3cf216f032ec9e2f4f9 |
| SHA256 | 81137221304ba7a287174e0a92ce7835f39bb6929865c8dd9c62c8a92a8ff528 |
| SHA512 | 94026db58a0e2f57ba2439e9988c1cd7643e024dd0488d7312ba8d39b6b73ee8fef82b240b00f5c78eae4c3c28f7c875ad55fe5d3d95de9462e186ad6a18577e |
C:\Users\Admin\AppData\Local\Temp\icUa.exe
| MD5 | 0c18c186716ad60665e6d458fe9ff089 |
| SHA1 | f1abcdb909c92d8d021e5843a52be186fc77eea3 |
| SHA256 | ae8eb8500d0cb8f30d053cff2da02c10de8c57b522c5e68ab93d1a04ea7a0786 |
| SHA512 | 586f2bf5c10f3458915f4b12f2b26c7061711a0c7a3c4fd0dbf2e77f066237fa6a66c31a69d6324fb6bcd49d46b02896c554e1098e1f2676c8820c54f94fbabf |
C:\Users\Admin\AppData\Local\Temp\kEMK.exe
| MD5 | 209a5a73a1850e10630362c728ba3ee9 |
| SHA1 | 264342baebeb942737d27d723317dd1eaf2c5e36 |
| SHA256 | b150dab396720a9b9b62ef171cc69f4a932ca7f91a610326384211e27613d0be |
| SHA512 | da7b6ddc771e5bcc91f4b514da31b383ec0176c9d52e99962676aadf14c526289189cb820775d299a3440d700b39491a8785a9d6f3db2942e88cb77e8aebb42a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png.exe
| MD5 | 96706a36d892a297951675b3da99bd2d |
| SHA1 | 21dbb2777c29daf612e9e8d31b19ed09c9ce5b12 |
| SHA256 | c141573452987a5a5c58acbf9430d5c898837a5dfab0aa91ae8c51f29e5d2f39 |
| SHA512 | 932bfb1aff9f4acab5b9746e2dfd9a93a55956cbbf61c744906fe3d3f2c46f7a5ed4cf15cb2208246f65dd461d4aed924e88e79475c3d5050838baec3af46563 |
C:\Users\Admin\AppData\Local\Temp\WIEO.exe
| MD5 | 75f5a4f4ad102b9a6d70718a6a34923e |
| SHA1 | d439a5e2738144967ce869be723f04705bc6cdaa |
| SHA256 | 255bf09f42d21fc9d2e746fcc14c9afe777fc6fa35ca88c87d4b1d38c65373cb |
| SHA512 | 2cc4d047a91b5c5ab28c74f744b54c8cf940684a79cc72f74fcb0dcf17f29ce1014e8a8543a252a9442e2b9eff0cd6fde9c63317452af645e60780575515be8f |
C:\Users\Admin\AppData\Local\Temp\uoIQ.exe
| MD5 | 7e9f4499bf6e787fed3cea08ec2ddb9a |
| SHA1 | 3cfd761db9e0087c47aace5f50a729ae339a5f14 |
| SHA256 | ff533fe25d1c7608984d6b5eae9ff8486e60f6d46b16e2384223ee89a873dbb8 |
| SHA512 | 435b31247fec2d9a7374e9452fa0c67459a9563bcf4229630613656e0d69036d9c0b78795c708179be644b15d124132b3a929115f9fca040a671aade345702cf |
C:\Users\Admin\AppData\Local\Temp\MQEs.exe
| MD5 | 872a21f4d96582b09fac1edd9cf9e633 |
| SHA1 | 6aaf460efcd70b4e6510d617d532a550e0eadc1e |
| SHA256 | c8613815bf79d04c1f5e4cf22332ba5b9c3b28c510d72b5233f3c6714f3ceadb |
| SHA512 | d9414afefd7c7a58889295e0d497c81b626f1e9caa6aa091cdf45cb2326857dddc9092d5c05d140e887a072a11ce6dff8ec15b06160e5e00b7d1ad4dde78dc6c |
C:\Users\Admin\AppData\Local\Temp\kcYW.exe
| MD5 | f80ecb35e32b441d2a3c4dab43302eed |
| SHA1 | 59f12efd39bdcbd76e7bf0d5a89b185e61eb0051 |
| SHA256 | fb695c25ea376ff1a1587fcac83f274b0778b011038c28f1697dfbff51443d0e |
| SHA512 | cf53863a141a7fe42a0c0bc02e62b872d11425d711ea88a7d799e2e8bd2106555af7cccaae56bc213d1d4172a1429fd391bacbde84d0b6715e4c1ecf32f347ce |
C:\Users\Admin\AppData\Local\Temp\EccG.exe
| MD5 | 5ec26070e397239eff8ea4d90baf8a63 |
| SHA1 | c3ccd98a8a896283798cb754465ee3e907daace5 |
| SHA256 | 64635f30a16c16b4df4408c07476020e9b1c5cce58cef1fe5b8bf89c8561262d |
| SHA512 | fec7841ec586c6e01382b66793d0b22874c8ac74800ade4a962e235e052b68a0c6cdc5dc1c0e929dc6f34ada6930b0ac1ff5a9b8c0a38dda7a6efd15b39982ae |
C:\Users\Admin\AppData\Local\Temp\ugAk.exe
| MD5 | 6cea9aa1eed6eb50224bb0d4d6444f58 |
| SHA1 | 67c8c0d836dd75763278396606472caf190ca202 |
| SHA256 | ed972cb60e5c8f4df220d5de52190bc3aa883a180a7e41f85491977d8e7fa435 |
| SHA512 | 33a6085fbc9c2674245551df44deca74d7683dd2c18d9393a2b6d6d1e469c26b0e48f2a28d7a903011c2964caffa4e7c9a036cf8270ebe4f15c6ca0f562597d3 |
C:\Users\Admin\AppData\Local\Temp\kYAy.exe
| MD5 | 327f800f8180968b248f9c170e33ff15 |
| SHA1 | 970a57d8ffc58707750e1a80d09323c1fbae603a |
| SHA256 | b3904fbeb01e3092bceb36f8550d09ea506249573facfbff7c863a1f611ffa57 |
| SHA512 | 6d14f81285ae3d3e33b79e313f3a24d8016ff48265ea4d45ed32492b65dc7a9a4ef9aeb13cbd4ab0638600a908973e4e30dc31693a1d36e095350de00edc3541 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
| MD5 | bf37b6aff787722ca7b3f79622d4f41f |
| SHA1 | f63fd09668fa45c94837316168dc0eac2942177e |
| SHA256 | 8c1ed7d9fad718e1f84700862b99f2384ca2f676f35bfca58ec482e086506cf6 |
| SHA512 | 51ddc75e577dbe37bd9fead597cc838c5a1465e80e7ae78b99b7c5c844495226f1cb3f78fdf26f041c370b60e7828f40708f27016853e6dbc144bbbc86f81bce |
C:\Users\Admin\AppData\Local\Temp\kogE.exe
| MD5 | e41dae568fb1e903273eb1e01ea8257f |
| SHA1 | 0734522c7d8e22d039f3706d856e979b3ff8bf0f |
| SHA256 | d5ac55770c98bc1fed00a8433f0475e9c05f68edbe39a3bdbd34ff8eea042110 |
| SHA512 | f0d9552c56b79d738a08ea252cffe83dcaa0684841f6334da476bd3712b207b86f854b9375b449f518017635afd832fe3e2f1e05d16a731c806c4354f3445b43 |
C:\Users\Admin\AppData\Local\Temp\OUUC.exe
| MD5 | 05860a5aac54b4bbe3d8877be068d141 |
| SHA1 | 1defc19a808e24f9e4e8efdd61cdbe7caceeb39c |
| SHA256 | bc8c7dc9454b4fc347cd022fe61af6474d7354f0e24595e844d9e525cf50cc70 |
| SHA512 | 5dd6b27974f37e58089f1f8f2e0b6bcc545b94b768d7a0a9f9d54d9eddb41a035b2a0dc83d9a6e04ccb5db8f818a8ce79f6f31893253f37fede0d662a5c9e1e1 |
C:\Users\Admin\AppData\Local\Temp\UcEa.exe
| MD5 | b30a83082860591d963ce12dc5b31ceb |
| SHA1 | 8f6a4aed9b9458ebcabcfab15e0599395dfedbf1 |
| SHA256 | fd87f2c4916d6bde2a097c579faca7f7f62800663886831ae296e6e19cf46419 |
| SHA512 | 0fe9700b729ec17b97c81286e4558e4ac79adaed5b48829e63d1c6f9c3088941c842c44fe7e8198c845530795b8845318d5120531fc7cbc1a611946b501d487c |
C:\Users\Admin\AppData\Local\Temp\Msoy.exe
| MD5 | fae5b6d99be95ec40080db4c53231f7b |
| SHA1 | 5990e929e0f3eea6e0bb9604c3a747b701276844 |
| SHA256 | 231f3190c480af079ad29d85d70d18e0a45b3ff37f34f9cb106637d6eaa9b456 |
| SHA512 | 0e193f1676b8a4a50f9a0ffd28d1c2f86bcd1d08ae6f7ad9a0913020ed9c9444bc76a6a28a6201e5496e660b17b6c22f60c7d93bfabad78a50083e5a629ae447 |
C:\Users\Admin\AppData\Local\Temp\WMUi.exe
| MD5 | 209c6b461af144b17d9174d0b56e15be |
| SHA1 | eb312141f06ab8c8bebf5633537e2183e2a7094d |
| SHA256 | 315e4d995a28dad4a2286c0c3875e716b03539aeba652a7ba5fc0d365474314e |
| SHA512 | d21d08d5347ba49d5ce2d3a989920c245a449d068cfdc766670c1ddcd5fe9ef2259cd9336de08abeeb04036b3a0472e39fbc8aec9ab9164a793d00e0b119bff9 |
C:\Users\Admin\AppData\Local\Temp\cocW.exe
| MD5 | 55f535d41f60d902b8378a1e3124575f |
| SHA1 | b42a134afa857c45dc452dc21997dd760181205e |
| SHA256 | 8a64e20c297b761ccb2b17ead8d78c1a60f03c4eac0fda3660f2b1657d3c22fc |
| SHA512 | fc7acdbabb9711899704010827a087348f1247438cbc56d98d2bab4f570301b42ba735457a444b43e68afb3f4dbece3a7a0e47ac77298509bccfcc913d283508 |
C:\Users\Admin\AppData\Local\Temp\AAAS.exe
| MD5 | d1e55266b6c4764c7877931af0dd89e3 |
| SHA1 | e4b353c6234c6045f8a3582949d5eb36d905a7ed |
| SHA256 | d5c4fdcba92e3403ce0cde2da0c8d4ee8675c183cd76bf183000e5239d123bd6 |
| SHA512 | f4bcb04ddc430b65deb977ae4eddd10d08ec8a156e94167a1616c8c1f538e6d5f3c9c9085ffc8403cc2728653516039d3917d05f698b100fc29620a6a2a5b5ed |
C:\Users\Admin\AppData\Local\Temp\Wgcc.exe
| MD5 | 538005c2aeb8d46b3467c6265aff707a |
| SHA1 | df4a3b645dac69da8d367f082d191a657b24cc1f |
| SHA256 | d773463212e5285593ae3c016688030c48532636da4e3340fae508c41f8fa48a |
| SHA512 | bbf9e2b7e122ba4978b0317aa75ad46df6b9badc9a926cdd4a2098ea03c0de9a180013264c691e50dacc47e245e8615d5f19d027cef234c430d4a297023404aa |
C:\Users\Admin\AppData\Roaming\TraceWrite.pdf.exe
| MD5 | 3feb251993721e85cf06337e1d5224f5 |
| SHA1 | f4864e93507091b4a5f1483bdf882e753a313575 |
| SHA256 | 62c549d396004fc12f5c1a411c5439c7e37545310485c22df982bff4e042a3c2 |
| SHA512 | cbc6c4c36d24d23f2e1186c6117a499495e43ad8ba92c0590164b3fa16ae07430f24eaa17ee6ff627e5f343309439ec09c11cd45a7f0851cbbfe731f87f7b88b |
C:\Users\Admin\AppData\Local\Temp\EMUA.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\aAYM.exe
| MD5 | 92c2e4c58cd747112ce322ef00deb116 |
| SHA1 | 9527987f77c49ef6798938203eb68c6ee9887108 |
| SHA256 | 27ed6f6dab97dc53ddb499cfeae7199f3b9b0118cb451536ade62b7c29cfd432 |
| SHA512 | ce740a7c81f5fd13fc8a107faf70ab0e57bed9bf2f764be366cbc152c48511fc5f3c27d75f3ba56dacd43d624c61934c249d81b375e9b810100c342fda715313 |
C:\Users\Admin\AppData\Local\Temp\yIAe.exe
| MD5 | efe921b84b085ae1638bbfce05cf5914 |
| SHA1 | 8f31677abbe9bca2120149ee54c22b0e535d88d4 |
| SHA256 | ef03a0bc29d25ad5b564bd3479d9868a56fe845f7b77a45e7c6c5afb2614ce67 |
| SHA512 | aa2c79b1f4f048ad1e464f16dde5e4efd2d13f54b5b02c3b09c5749a568bfb52a899e77d8b7219998354a2704ebc4267de113da74e512474bb1fb7a1f8b8f01e |
C:\Users\Admin\AppData\Local\Temp\iEkQ.exe
| MD5 | 4ce21497709b91e49786b6b58b022338 |
| SHA1 | 84098020ff5af2914398834d9cb6de57fdb1e22a |
| SHA256 | f1cc2b919a7f63eee9bfb9309cd31d276aa553d50c3ffc25a989ea6710974586 |
| SHA512 | 0cae59e259b784e9f57fe83937bdf90d632ae088c25a294c19703bc3edc6f0a33f81369fc8b4b18529cf574b53d6436ed1c2e351dd92b0921caf10c49baebb69 |
C:\Windows\SysWOW64\shell32.dll.exe
| MD5 | f2eb6b91862ee1815f35141ebfbab850 |
| SHA1 | 5e94b1b1593d776684f516818e3924f31823a614 |
| SHA256 | 7ef7d5d94adb74a4c481786abd1c89f5c7e88ed4d2fe8a17d73a7b3c2ba8422d |
| SHA512 | ea95757cdf6c82cbaeb73e26b28487c705b885e896b1965fc6c79b0bcb07c22432d7be73c1112bcae89d848c796efbfc5e0f55c28d56fd84e580016478ef3257 |
C:\Users\Admin\AppData\Local\Temp\QYce.exe
| MD5 | a3a09192de6db3d41bde58ffee74fec6 |
| SHA1 | 551a633fee4b3db7685c0f036df1b918e999b161 |
| SHA256 | 74abb2c8decd655258c463938390b4b9701aab6c45965eb27c46e9a885f1b761 |
| SHA512 | 685257fb927e14942a46cf253816b66329ca353d84f2dcf5c2c24d9e54855052890f8f084886060d5c0439cdc6a91c42a6f051cec4afad7fa42dd7b7e4d8a4dc |
C:\Users\Admin\AppData\Local\Temp\ywYq.ico
| MD5 | 7b65672ac808bca7c81e0700562aae9c |
| SHA1 | e279f707d5f93cd0449443cf7f70d54a54763208 |
| SHA256 | e5798e3d8c1af62d997a27bc2fb7333639a4f20e9753cf7a5b0639cd93f96448 |
| SHA512 | 7592be8433d2044e21d2e67cc5905f1ca3d2c05884f99e4fdf4db1aebaabb735ca1d50f6397d02ef2c0ba6e4528ec5fdc4592ef35e0e6d451e0453d5491345b7 |
C:\Users\Admin\AppData\Local\Temp\KoQo.exe
| MD5 | 50e2ad9fa073c2664bbbc722d5eec268 |
| SHA1 | 101690691ab1ca295d81974b78e90303a53920fd |
| SHA256 | 5bfc09fdcc22d94c08dfeca0b0c5717608e6e5d4c1dfb3b4fef80f877b20d472 |
| SHA512 | fb694a9436853bc3f6aa30de32c17a9a1a6f9ef178b52447922a0bbd1bdcfde294bd0cdf656523c8ed3589a3bdc6aa6db5df40603f2c0c1ab637d46e9679b1a5 |
C:\Users\Admin\Documents\MoveComplete.ppt.exe
| MD5 | 8e6ca1afb3aeff069b07883db731912a |
| SHA1 | d0676506f2544572db56a29dab89d5e13e5e15df |
| SHA256 | 9b2ab8aa3cdb502afde0dd929844021b246b1561d1dda2de64cb225240782cdf |
| SHA512 | 0f4963d797976790a9f5b5f7420c6905b29b9f7c55b11f9494a11073769be0995b5d4413a7ea25d3bfb642f70c6d4dfab0bd1e69141c94a7c91c48a824ea81bf |
C:\Users\Admin\AppData\Local\Temp\uQgs.exe
| MD5 | 1cec223dca2aea2d0e176a47345087fb |
| SHA1 | 578180563e9d0f1c586e82d6c2a0e17f4db3e411 |
| SHA256 | 0b56719a7d57474683e36e98eb30b137a58bc7fdf015572a08012a3b6051d119 |
| SHA512 | c4871304b881e0bc7f032f4e2bc4a65eaba4603bc8e94d8556a57b0ae5f3aaddf3b6346ee040afd798456671b6c0cba6f55a7d156bb42f414efe36944f615ebf |
C:\Users\Admin\AppData\Local\Temp\ycMw.exe
| MD5 | f0c15031440ec0aa24500b8156db0906 |
| SHA1 | cfca7f2dae4b89e4188f59cdf35f3a7cf2746d89 |
| SHA256 | cd6c259baf238401e159cf95c74d8b84c90b3ba648c581e85277345dc1a3effa |
| SHA512 | c4a468598bb7a38aeab7235d34440b38484c31a70d4ca154e1fcc8302804b57f8f400ba77d31373d4c869559eed26c426aea74c5f526979495bb2031b7125eb5 |
C:\Users\Admin\AppData\Local\Temp\WMcq.exe
| MD5 | 531e4c06019ac454d6baf3709af16279 |
| SHA1 | d0245e500d1c2c44a709de18a8d84de430d788a5 |
| SHA256 | 7ce5438164b782c80716232399aa556f525836591986874aa5b5834e1d8c97b5 |
| SHA512 | 6ae924652a34bc0478c12d48e4a2faaddfc417f15f526eacbfc83237a88722677a47b9818c2826f9cacee5f77d06e2f544c703677b2b12e1e942a4f73c7f85b3 |
C:\Users\Admin\AppData\Local\Temp\UUgU.exe
| MD5 | 02ec7679f2fa4e614979cf87c0f0ed47 |
| SHA1 | 5151f158a11eda21c88507245d93e6bb81c1260b |
| SHA256 | 83051592c275a137a511b43089140faaff1bcb3dab1a5a4fb803282d7aa99ef8 |
| SHA512 | 21963deaa110faec9c2942fcc3735c6a3b0bb99a872c521e4638bd5913f3dcd43f7b82bd8b6dbc1b511f78e22eba23b54df109c892f91ab9dfaf8d162e337125 |
C:\Users\Admin\AppData\Local\Temp\gIgS.exe
| MD5 | fd6c0c484b6f10a049de6caf93f8174b |
| SHA1 | 7b7b486a0ec4f4045b4301e6447d43a2bc3bac96 |
| SHA256 | 6f84fb3fb9cef2bbbf9526abb2d0c2b96e0a50fa502f28dcb3b2d082e7342daf |
| SHA512 | 3c176a69deab63a426b790b188687c1166eed63182c11149620582936ba74079f1d5db80df2bd10268f0bba21c4ba0d485f84858ff6dc0c210b2d414aeb4e81c |
C:\Users\Admin\AppData\Local\Temp\cAQQ.exe
| MD5 | 3ef22a601d8d4f378c954cffcfc51449 |
| SHA1 | a7565d635e4feead94c64846677dcf4dc19d54aa |
| SHA256 | 722e44ee050b3bc748c9190b4ca0aa1330fdb6fdf36690cde29d58877f80ee66 |
| SHA512 | 06de42f815c2d27f19e2bd7814abc95f3d802368d23704068abfe57b001968025cee0a7cd1e55e15cfdff0083cf666acd116c01fe9ff042fdadd8369960451f8 |
C:\Users\Admin\AppData\Local\Temp\WooO.exe
| MD5 | dd383990384a9d3267f47bc3b0aa5e1f |
| SHA1 | f1f89c87a90d08f4b31c8877c45e40a3a3827315 |
| SHA256 | 2dd20fb551339541e9fe098591e4071a65fdec56a440c5e41c45f5927d7eaca7 |
| SHA512 | b578b5fe8be1f9feadcd96389f36de6d0b455eb18025b47032008333875c18361649187823abadc225e4b98616b2f3f2550b51ddf295c63692f87aaa6020094b |
C:\Users\Admin\AppData\Local\Temp\sMQI.exe
| MD5 | 50689113bc322b600c77fe9663ea99e0 |
| SHA1 | aebe2e8b13d4fd49cbcf28a81b722cf3ebd37fc0 |
| SHA256 | cb98df435c8a0048998978b770d6fe2c5f59f884296095808f319ded6d6154bf |
| SHA512 | 1abe7635dd3b82a69549a26ef79e2d3b74f64fbe5da8dca7e2da0cb7e5fa6d819eb837d229854c32eae2aedc51b9366dd09f7ac0662fa0fbc366f06e7eb0783a |
C:\Users\Admin\AppData\Local\Temp\IkYC.exe
| MD5 | 527c01a3bd96e7031b341531899fd306 |
| SHA1 | 5ea4f54b0fe4cc03ede191324828820f853c98ed |
| SHA256 | 42852081b3251ea18ca5246731fc46a1df817abc68f6499fd8d437c28e2f727e |
| SHA512 | 2127eede0f23a7730bee41b6c2b610127075090847a64e5297a0c8075921e357753ec6bf029734133b2ac948953acd6c5b865273426a964c256261afc0491287 |
C:\Users\Admin\AppData\Local\Temp\uIIe.exe
| MD5 | 85e786f07fecf27515f496f2c568fa42 |
| SHA1 | 474da97cb18a2e62f6ff71eb36e8713e734c3619 |
| SHA256 | 008a94d3c346a798b384c6e43e9e3c00efdde873d6ec716b68b0cb4004937bc6 |
| SHA512 | 26d92ba38c15c0483e94a9668f5055fa69887ca158052e006ae9faf6cecb46d152687c2e83ad9525c770be19a2e2784ee9063bc64fb5f1e829bca66bbb561388 |
C:\Users\Admin\AppData\Local\Temp\SIIe.exe
| MD5 | ab99662cebfddeed16d16125c52dfed2 |
| SHA1 | cfcdb3e8182bbe97af03fc81cee28cc6915d8ad9 |
| SHA256 | 6162d9d730af5ee3707ca730a4d79c79910ac0b2a128acac0791b9fc8d75c472 |
| SHA512 | 8cb0a407890c70527efc3e208ce7287b4823196c180be4bb19a6c72b0f0f32a31db6e7faa21927e9c7e49ec0335e41aec3b2a8273c812b86db2d3d4a3335d9a9 |
C:\Users\Admin\AppData\Local\Temp\MMgW.ico
| MD5 | 7ebb1c3b3f5ee39434e36aeb4c07ee8b |
| SHA1 | 7b4e7562e3a12b37862e0d5ecf94581ec130658f |
| SHA256 | be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742 |
| SHA512 | 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6 |
C:\Users\Admin\AppData\Local\Temp\Yocs.exe
| MD5 | f4aa18957ac4a88ca6dd3ebfcdc15aaa |
| SHA1 | f18a5bf17b94e1023e3e4207a9a3dd45c764782a |
| SHA256 | 18f8e45f5fd1bd3744419aed64bc6bd2d2b5af3fb43c9cce53f26dc8b62d27d1 |
| SHA512 | 7170609013bf6865b4656ba2cf236d9452d7b5d42f24daac2632e73796f7f8b49937e90e183b7bda0c73b4d992d1a95e2b4b8fe07d9960c1bedd1826915985ec |
C:\Users\Admin\AppData\Local\Temp\mEoc.exe
| MD5 | 0bbc4335c81608611f5d751b4259779c |
| SHA1 | 532db0a61b6737fadfaeda449dc9abaf90312176 |
| SHA256 | c62dd1d2bbf7087fbd25bb57bd0e41ee74c1f54cef181debac3498adf25ebd20 |
| SHA512 | b743a116c16ca249950740bdb28a437c90b1c158316a8c514a37225ef00191f826c18ef98aa889fd1b289c15a0a862d87abaf7490cb3e4300490935e05c7ba0b |
C:\Users\Admin\AppData\Local\Temp\IYYu.exe
| MD5 | f3b9e4fe74b4cd5b82c2c11a25fc2e92 |
| SHA1 | 5d6680c367f948b040d40b0433f6a511c7cfba5f |
| SHA256 | 523596a60a0ed92f714681c926a15fe79eb8cd19629d2d3ac76a3c0966c9a6d6 |
| SHA512 | abc04be2f50043f72c44bd820fc65191e0ecd4338e1325d8ddf6c66618f9e5390e2ed2d946550a5cffbc7a131250b03b81eeb1d8ce26135a20e4a0e57450a4be |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | bef68e8be209b9834a1a3e98e9ed76fc |
| SHA1 | 5c77c28365bff4e5d53da7a7815f55501e3c6ec7 |
| SHA256 | 1e553be8fe2f9d1a7da642832d5f8c9d5b6b6374d86a592ca7add94024a45ad2 |
| SHA512 | f080489667ef05cd61c3e58b5dbf7e6e16c00fd6991eca61c84a553d419f9b03c44e523026bd4d5e5d8e2024c8f280ab9e151ff83dd440d5e86668d2e4e72352 |
C:\Users\Admin\AppData\Local\Temp\Mcss.exe
| MD5 | 511288dd29f2d6124c7c81562d4f1e9d |
| SHA1 | 4d73386e4560d71fa7ccb67f0f26de61b6ef42a1 |
| SHA256 | 37a599b5768dd284fa2f7e403cffcef5189a2221637c58ca53be3b9d558507c9 |
| SHA512 | 0a38b10d06421324c22c9ddf79b9519053596867ff3695105042262ac92e6538b9eeb86ea401e7c9556c93f84e54f2fe6dc7d4c996c341e7570603e8b6b4640a |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 0b6c948ec28cf8c8e83d4eb48c4825ff |
| SHA1 | 200cff3ccba999ad073fb084fa2dba2e33999def |
| SHA256 | aac5dabf56036498fdf4fd575d60564bfd60d7069f99ffbe90913700c00039b2 |
| SHA512 | 1567ca304a8af6a8ea3b1d6db8812645ed7c9ddd14f685aa08d515638bf4043eb4152eaff028782e36d981f122f2efb484c15df9dd4d862f465937cc49af7058 |
C:\Users\Admin\AppData\Local\Temp\SYga.exe
| MD5 | c14638818909493a1b5bb8c03d1b3581 |
| SHA1 | f30a0666cc95027dcb36d5b6501dfd8a849ec105 |
| SHA256 | 8874a410a60c0c393058531421df34edd70d37896904fbaec64d3b22357f208b |
| SHA512 | bc9cb9aad2d0d61918be790088b8567d0b94e346f6a81cc3f0e0fd1857362f1614710367299edce63edbb619c35670fd07405e408669269397a4fbaf3f74096e |