Analysis Overview
SHA256
8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543
Threat Level: Known bad
The file 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (83) files with added filename extension
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-16 17:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 17:57
Reported
2024-10-16 18:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
107s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (83) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
| N/A | N/A | C:\ProgramData\ymAcoQcg\HgswMIoE.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" | C:\ProgramData\ymAcoQcg\HgswMIoE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XgUoMIwY.exe = "C:\\Users\\Admin\\eoEEoQsU\\XgUoMIwY.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\huYAIEQg.exe = "C:\\ProgramData\\eOogQIgM\\huYAIEQg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\eOogQIgM\huYAIEQg.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe" |
| C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe | "C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe" |
| C:\ProgramData\ymAcoQcg\HgswMIoE.exe | "C:\ProgramData\ymAcoQcg\HgswMIoE.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isYoYwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCQkQkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsoEUEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIYgAIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMUIkowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSUMkowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoggcoIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyscYEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoEIkQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOcsgMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncYUMwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqcQYQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQsEYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYQkwwws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWEQkwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUsMswsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYMMMckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiYoEcYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaQYccsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmUUwcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoccwMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe | "C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe" |
| C:\ProgramData\eOogQIgM\huYAIEQg.exe | "C:\ProgramData\eOogQIgM\huYAIEQg.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3008 -ip 3008 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3360 -ip 3360 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwgcIYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 224 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 224 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaokYMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYwgcowc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqMwkoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZocYYIYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmgcMQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwMEwEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYcogYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"" |
| C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eccAogsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wogMwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQgAIcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGAYEooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIcswwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkwAoYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgYkgYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgkQsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icYswMok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rookAEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYYcsgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUEoEYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rywksggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwUYEQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMsgIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiUgsQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGMkAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCkgoEUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riUoEgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baAkIYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQUAgQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCYsosIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGskAook.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIsskAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgAkYYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIQAEIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUAkQIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuggwwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QusccUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koQkIIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGwIAcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgsooUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEkYYkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsgwkoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAIQwYYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyssocgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqIEoIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMMEAcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAoAMYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiAQgwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqoAQwgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuYwIoww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiksYMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUcscQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aasQUQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkIkIAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUIAkoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWwgcUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imssUQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqoscsYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osQIUoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYssggwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQoQcEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xscYMgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYUsQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMUgooYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCsQUsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGoEEMog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgsooUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twcYwkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCkwMsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWQkIQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAMUwkMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUAgkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksYUkQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEYEkQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\likAkUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmsMQwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv n8HJyDLZFEqacSbMTlIvNA.0.2
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
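The process tree above repeats one cycle for every relaunch of the sample: `reg add` sets EnableLUA to 0 under HKLM\...\Policies\System (UAC stops prompting after the next reboot), sets HideFileExt to 1 and Hidden to 2 under HKCU\...\Explorer\Advanced (extensions and hidden items disappear from Explorer, so an infected `x.pdf.exe` shows as `x.pdf`), a randomly named `.bat` in the user's Temp directory relaunches the sample, and cscript runs `Temp/file.vbs`. The following Python is an added example and is not part of the sandbox report: it parses `reg add` command lines whatever the switch order (the tree shows both `/v ... /d ... /t ... /f` and `/f /v ... /t ... /d`) and flags those three registry writes together with the Temp batch and script-host launches. The sample command lines are copied from the tree above; the rule labels and the `parse_reg_add` / `scan` functions are this example's own, not the sandbox's signature names.

```python
"""Added example (not from the sandbox report): flag the registry tampering
and Temp-directory launch chain shown in the process tree above."""
import re

# Constructed sample: one command line of each kind, copied from the
# process tree above (the real tree repeats them for every relaunch).
SAMPLE_CMDLINES = [
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUYUsQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'cscript C:\Users\Admin\AppData\Local\Temp/file.vbs',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2',
    r'C:\Windows\System32\sihclient.exe /cv n8HJyDLZFEqacSbMTlIvNA.0.2',
]

# `reg add <key> ...`, optionally with a full path to reg.exe in front.
_REG_ADD = re.compile(r'^\s*(?:\S*\\)?reg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.I)
# One /switch with an optional argument; an argument never starts with '/'.
_FLAG = re.compile(r'/(?P<name>[a-z]+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?', re.I)
_HIVES = {'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CURRENT_USER': 'HKCU'}

_POLICIES_SYSTEM = r'HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM'
_EXPLORER_ADV = r'HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED'
# (normalised key, upper-cased value name, data) -> rule label (labels are this example's own).
_REG_RULES = {
    (_POLICIES_SYSTEM, 'ENABLELUA', '0'): 'uac_disabled',   # no UAC prompts after reboot
    (_EXPLORER_ADV, 'HIDEFILEEXT', '1'): 'hide_file_ext',   # "x.pdf.exe" is shown as "x.pdf"
    (_EXPLORER_ADV, 'HIDDEN', '2'): 'hide_hidden_files',    # 2 = do not show hidden items
}
_TEMP_DIR = re.compile(r'\\users\\[^\\]+\\appdata\\local\\temp[\\/]', re.I)
_BAT_LAUNCHER = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]+\.bat)"?', re.I)
_SCRIPT_HOST = re.compile(r'(?:^|\\)[cw]script(?:\.exe)?\s+"?(?P<script>[^"\s]+\.(?:vbs|vbe|js|jse|wsf))', re.I)


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'data', 'type'} for a `reg add` command line, else None.
    The key is normalised (short hive name, upper case) so it compares directly."""
    m = _REG_ADD.match(cmdline)
    if not m:
        return None
    hive, _, path = m.group('key').strip('"').partition('\\')
    key = _HIVES.get(hive.upper(), hive.upper()) + '\\' + path.upper()
    flags = {}
    for f in _FLAG.finditer(m.group('rest')):
        flags[f.group('name').lower()] = (f.group('val') or '').strip('"')
    return {'key': key, 'value': flags.get('v'), 'data': flags.get('d'), 'type': flags.get('t')}


def scan(cmdlines):
    """Return (rule, cmdline) pairs, in input order, for every line that matches a rule."""
    findings = []
    for line in cmdlines:
        reg = parse_reg_add(line)
        if reg is not None:
            rule = _REG_RULES.get((reg['key'], (reg['value'] or '').upper(), reg['data']))
            if rule:
                findings.append((rule, line))
            continue
        m = _BAT_LAUNCHER.search(line)
        if m and _TEMP_DIR.search(m.group('bat')):
            findings.append(('temp_batch_launcher', line))
            continue
        m = _SCRIPT_HOST.search(line)
        if m and _TEMP_DIR.search(m.group('script')):
            findings.append(('temp_script_host', line))
    return findings


if __name__ == '__main__':
    for rule, line in scan(SAMPLE_CMDLINES):
        print(f'{rule:20s} {line}')
```

Matching on the normalised key and on the exact data value matters: `Hidden` set to 1 is the legitimate "show hidden files" setting and must not fire, and `reg.exe` is also invoked with its full path and with the hive spelled out as HKEY_LOCAL_MACHINE in other samples, which the parser accepts.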
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 172.217.169.14:80 | google.com | tcp |
| GB | 172.217.169.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
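The network table mixes three kinds of record: forward DNS queries to 8.8.8.8, reverse (PTR) lookups under in-addr.arpa, and TCP connections. The six connections to port 9999 on three addresses geolocated to BO carry no domain, i.e. the sample connected by IP without resolving a name, which is the beacon pattern worth pulling out of the Bing and Google background traffic. The following Python is an added example and not part of the report: it parses rows in the report's table format (including rows where the protocol has slipped into the Domain column and the Proto column is empty), separates forward lookups from PTR lookups, and counts direct-to-IP TCP connections on ports other than 80 and 443. The rows are copied from the table above; the `benign_ports` default and the function names are this example's assumptions.

```python
"""Added example (not from the sandbox report): pull direct-to-IP beacons
out of a Network table in the report's format."""
from collections import Counter

# Constructed sample: rows copied from the Network table above. A row with no
# resolved name may appear with the protocol in the Domain column and an
# empty Proto column; parse_rows() normalises that.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
""".splitlines()


def parse_rows(rows):
    """Return (country, ip, port, domain, proto) tuples for every data row."""
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip('|').split('|')]
        if len(cells) != 4 or cells[0] == 'Country':
            continue
        country, dest, domain, proto = cells
        if not proto and domain.lower() in ('tcp', 'udp'):  # shifted row
            domain, proto = '', domain
        ip, _, port = dest.rpartition(':')
        out.append((country, ip, int(port), domain, proto.lower()))
    return out


def queried_names(rows):
    """Forward DNS names looked up. Reverse (PTR) lookups under in-addr.arpa
    are for addresses already known and are left out."""
    return {d for _, _, port, d, proto in parse_rows(rows)
            if proto == 'udp' and port == 53 and d and not d.endswith('.in-addr.arpa')}


def direct_ip_beacons(rows, benign_ports=(80, 443)):
    """Count TCP connections to an address with no domain attached, ignoring
    ordinary web ports. Assumption: an empty Domain cell means the sandbox
    saw no DNS answer for that destination."""
    hits = Counter()
    for _, ip, port, domain, proto in parse_rows(rows):
        if proto == 'tcp' and not domain and port not in benign_ports:
            hits[(ip, port)] += 1
    return dict(hits)


if __name__ == '__main__':
    print('resolved by name:', sorted(queried_names(SAMPLE_ROWS)))
    for (ip, port), n in sorted(direct_ip_beacons(SAMPLE_ROWS).items()):
        print(f'direct tcp {ip}:{port} x{n}')
```

On the rows above the only names the sample resolved are google.com and g.bing.com (the tse1.mm.bing.net connections are Windows background traffic), while the three 9999/tcp destinations were contacted twice each with no lookup at all; those are the entries to take into a block list or a network-level detection.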
Files
memory/4780-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe
| MD5 | 96d18beaf092fe13fdc4579f1a89636f |
| SHA1 | 3cbb513984cd36d7386889445964c342aea15a6c |
| SHA256 | eff38c97f6dd5b5d222fcc0ecb633eada1b5afd386fa7d6507ddef871750bbd5 |
| SHA512 | 841a21df415fa075eadc8e62ef8c994f13160858211554d59ad65afeabd8d5d1d5fbf021a9a5841f93fc3e23834aa39808e474de069a067ad645b0ef71d1e5f6 |
memory/212-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\ymAcoQcg\HgswMIoE.exe
| MD5 | d29793db63903b1fbf17323719c7bfd6 |
| SHA1 | c6eecbc3e9e51bd06097f206b898f01d1969efe3 |
| SHA256 | b06b3f3610de98fea7604c5a7d348aa1789c0998ce86432db597457150a557ec |
| SHA512 | 94d69d006b50407ec97b2fc444757d5d0b358acb06f2d2b57a4d63dd42f9f03be75f7b8b8e29aa2926e46b88ba9c84d2c55eaf078309c393a7ad9e7f5cccea42 |
memory/1180-13-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1384-16-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4780-20-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\isYoYwEk.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
| MD5 | d715f659c83f2b95e8a4ce1233822e94 |
| SHA1 | c2a5cedfe5e05fa74d17bc6c9665d27823c3650d |
| SHA256 | 8a3d3787c7a87042010865e1d0aff07486ed919cecf52b21746ab8c6ec7de94c |
| SHA512 | 1afe9f4713af2d2e0a509fcf2e727bc4fec2099291480d2edfa9f4e0853376d690a42d5c7af37232d21f21afa98d5e8ddc6c45fa8f2829e9eb6930792f92dde5 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/1384-31-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3008-42-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2288-53-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2660-61-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1816-75-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4788-83-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1512-87-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3088-95-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4788-99-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3088-110-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3872-118-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2628-129-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1304-140-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4016-151-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2864-162-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2556-173-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4000-184-0x0000000000400000-0x000000000041F000-memory.dmp
memory/916-192-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1928-196-0x0000000000400000-0x000000000041F000-memory.dmp
memory/916-207-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4492-218-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2620-229-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1856-233-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1856-241-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3008-245-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3360-246-0x0000000000400000-0x000000000041D000-memory.dmp
memory/224-247-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3124-255-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2196-264-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3008-263-0x0000000000400000-0x000000000041C000-memory.dmp
memory/4160-265-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4160-273-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2564-274-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2564-282-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3124-290-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3144-298-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1396-306-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4480-314-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1444-322-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1928-323-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1928-331-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3456-332-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3456-340-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4484-341-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2148-350-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4484-349-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2148-358-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3976-366-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1408-368-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1408-375-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4172-383-0x0000000000400000-0x000000000041F000-memory.dmp
memory/388-391-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3476-399-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4536-408-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4740-407-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4740-416-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3456-424-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4244-432-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1560-440-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2232-441-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2232-449-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2280-457-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5100-465-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1616-473-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1200-481-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1048-489-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYsY.exe
| MD5 | d829a0ed44710a1654aaab80e574222a |
| SHA1 | be917209d9fed8c4e64550a97d2d4ebbaab94c07 |
| SHA256 | 6d3d00afb0b0c18e30a64765eb759bc777f6a2b87ef9209a28a083decad77663 |
| SHA512 | 5f98d97636f815386008a26680a96bc570ea5bf2926f90b81ace3f642e1f738e659c1010487c4c06f29853f9d628d396ed73015e7a21da9bb67a7f411300dc04 |
memory/4488-513-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5032-512-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Aksq.exe
| MD5 | 7bb78d1ba4b2b7089b1159b71303ac19 |
| SHA1 | 4443da49b2244b94e4bd91c0badb393f7b86310d |
| SHA256 | b5b57ffd7b27884b0a635d5321da139832b868ca3a377122652e68b7b55ab4ef |
| SHA512 | ecc803338a17cde79f6bc32edffbba99e7f186cbd8f3ff854e9148192e3ea4d448f7cf520272ac3b51456571adf7783ee5dfe998d93f0d09f94cd79d9d64fe45 |
memory/4488-535-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgIy.exe
| MD5 | 11d3b57f0a4d69b66ccdd7ca59dbf7ee |
| SHA1 | b7f5faf204093cb277c3a2d7e3956e0352624de0 |
| SHA256 | 8c02a8c9d0416b64cf66afbfd3d23f325cdbe7af19b4ab5a526462498669c4ac |
| SHA512 | 4d344001338cbea8e181ccb4413bf3d99e3dc24268bfe148e4bf2aa7208fa892529e339e63c2f142a21a8fa480747737e87daec75d22ba8b30d9a2b8ad8a3d02 |
C:\Users\Admin\AppData\Local\Temp\YsQs.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\yMwM.exe
| MD5 | 64121be64cd190e6dae9aedcc5e87265 |
| SHA1 | cd3a01a899482eb67eba80dbf5bb0b4efd0e8b13 |
| SHA256 | fd768b61de06bcdc6987937bc38b40654f8f98f789e1bd223a291264b9b01351 |
| SHA512 | d9b29bae8600580b35f65a8598f56ca107c882a52e36c6c29ee133c1b285ca5ee6a6441b93ec9bcff3cecbc4956ded6bd9cf0f9a70a7678bf7aabe040eeec3ec |
C:\Users\Admin\AppData\Local\Temp\SQom.exe
| MD5 | 3e52b07d4c62b448a407762835197943 |
| SHA1 | 91c990e454dc5f0937999204acf80825e602ea59 |
| SHA256 | ed4b656966d5af8e46370f6a882bbbc17f8bf4cda78f011646af61bb727a8c72 |
| SHA512 | 187216cdf39424add32b5f5209f6e768e6b918299f34a3b6bf9ee256ccea450323cde38afaffb6ffb3320c2f06d8996aadb8a4036909af469e95a09310c4e361 |
memory/2180-584-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aEgU.exe
| MD5 | 1006f84e5ecd433198836a4f1aed0059 |
| SHA1 | fdecd00a51ce2cb0f9a735b26856e1507572be90 |
| SHA256 | 934634edafb99dcb3cac478cc94aa8164e7b9a3aeeea76dbdf5c32f01ab90e97 |
| SHA512 | 534bfdbb5e319c758e8131832b1fba4d76a27002c668897680097660b834931e54b99dd6533ca890a5298d39e2b2af7a176a5726d5f7a591072387b43e03ffa1 |
C:\Users\Admin\AppData\Local\Temp\CkEs.exe
| MD5 | 19bfe06ae94c8ec36ed2ebb2d01d76ad |
| SHA1 | 38703a9a7c4a221f7dbe1f1dd1597f517932851a |
| SHA256 | 4e93248a2eb70a09ff5de941a3cc271c455b3b38b31b920334738541c4e47d0f |
| SHA512 | 0238535599ce518e88823e8f533e3454b0fd2e0b5b4bae0783c9bea6a3cd85334b25f465049767e67bbf08d3c88638441e7760240b8cdebbd9d78eba4b9a844c |
C:\Users\Admin\AppData\Local\Temp\mEEu.exe
| MD5 | f678b9af9f0bd1aee4aff1ce9ea6264e |
| SHA1 | db844066219078f87c0252d6a1a3affff0a38d91 |
| SHA256 | ebf5a2b9f53a1d9911c960f0d63e52c05b526b38b7f1650daf2d4ccae5b8534f |
| SHA512 | 45df837a2b6e9a5e19059741d950e4b0dd14489a513977591df008e4f0d3cd0ea3753f6ccbbcba89c1852e1c2bf879bee4373b40940dd8e7134e3a5f7afa58f4 |
memory/1392-634-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yIMs.exe
| MD5 | d287c2b058e9fa71d3078d204476ba2b |
| SHA1 | f3498414b35d9a52b2fcdd563aaf8dfe9e3bf9bb |
| SHA256 | 68a1faa8ee9c83ff225c3607715711c814b18a9559caaa1e1ac2b96c14316d60 |
| SHA512 | 8f3826f9f5d43817f52807be292f0afa01be084f78f827666fe5518cbca5f1ef3eb7d51e1b236637c14e7e91373108d2bdfa29026b15b013cbe7aaff89fd49b6 |
C:\Users\Admin\AppData\Local\Temp\cUMY.exe
| MD5 | c01bb208bd912a10fdcddc7f5693f515 |
| SHA1 | 0ee9868b84ea16e2fc1842f07e6205e443a8ebb2 |
| SHA256 | 6dcb1da5457eefc5de6c153ef2f86eefb9c753798a758d74a87a510b1fe6d583 |
| SHA512 | bed11f193625efee7942cd1e76ed6b9fb43fbe10780e161bbce7ab02e3944d780f7d5e6b286a3fe76100aed36b1ebc07a2c59b43829d589b870c59f617d59ad7 |
C:\Users\Admin\AppData\Local\Temp\sUIe.exe
| MD5 | 57a5c1f6e694981d300f4888d2c294d5 |
| SHA1 | c0a14e446d7b90510d80b4c95896c5fca4aec82c |
| SHA256 | e4f033962ac1ff3053cd04e5812fa911a05cceba2729ae6ecf87c305b7002943 |
| SHA512 | c7ff32c3371f1561681709a346ec1f54e8ca228c7568906f46eca44be886d94504cccb303adfd6f99f34986684c170a640e21a71afb8f818bd97ee1a438e0f55 |
C:\Users\Admin\AppData\Local\Temp\CgEs.exe
| MD5 | 1879dedda3c20886c057eedb54e40f44 |
| SHA1 | ff2b28ae3d627e7f1fe58e63f1962366ce863908 |
| SHA256 | d095cb7ff29aacb3829004e754e7d202846145d6ac97f318b0b0469c31043a4c |
| SHA512 | 2ecc86ea046c9530b553f74fa24744396a947e80f66cc95e1408ddc705088340107ac25ff3e3f5059baa011e3527e5310690fe18396c2a307ef679eda9d1148b |
C:\Users\Admin\AppData\Local\Temp\koko.exe
| MD5 | 79c87ee9c52971ed8a360b77a34cadb1 |
| SHA1 | 6ce06249bd60c0cd7f84c0d37453fb20cf71e7d3 |
| SHA256 | 0d06a09956c0154f72cbd815f852472d03f15a47278e054919d82dc9c1fa664c |
| SHA512 | bf23fde0f5ef420e33cd2a562833941195aedfea4c9763718d49a2720c92beacaa5e17178f0b0348eb740361a8a2e00fcca9a2fe4d5756c3dc37a5fc53ab8a1a |
memory/4128-711-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cgYQ.exe
| MD5 | 6478c801156a1f87e1d5cd1df5f154a6 |
| SHA1 | 73430d0209c1a9bfa1dec4237650a3f9fc804043 |
| SHA256 | 8d617b65f9038a4a4315ed5eb3c17ee935590e35addf73be2dcb46534a5cf667 |
| SHA512 | 7c031e8015f635d01c1fe8ef6d1bd056c418e870f9f8a47b756919824d09af8cb53ca88637fb7f331b534a6d465027263cedc3937c8b43d3977b5a422902f758 |
C:\Users\Admin\AppData\Local\Temp\IEcK.exe
| MD5 | eb1bdfd86545b25804f44dd6d8d49516 |
| SHA1 | 3e844257ee740c2352a65605a4a8e35f77310590 |
| SHA256 | ff127b66447e18d27a64f2c5a644dbbd82d86023bc5e1368f7df5eb59baf23c7 |
| SHA512 | 8f9b9dd36ee04cd3dbbd318f8da27333ce42a7cb8d4f4a11d05be9389f0cb958fba7bde36bc0f69898ba9f7b84d7e715b184622780003a71230829e0b45ce68d |
C:\Users\Admin\AppData\Local\Temp\mEwm.exe
| MD5 | c349b28b98768fc00f5a97273daafb54 |
| SHA1 | 0d0e8c83c0956ba576113b20a991dcba4e3afec0 |
| SHA256 | 0260a21d80b8d58ac1db3922653e3510d0ad0c1cbbd131becad18ae86142431d |
| SHA512 | b0c25cd3b4e2c14be5efc1a7561e08680d370e52d41ef186914fde640147ae71ca6ea3084cc2c381c0488dcff538e02909879887f280727da0bb8015c8d78323 |
C:\Users\Admin\AppData\Local\Temp\cEYg.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\iMcy.exe
| MD5 | e0877fb3025d26e944b6c2ab0188e0f6 |
| SHA1 | dc65e98af5d48bd4a9c43f3f8a936f851b93d3d0 |
| SHA256 | a86f21be125ca50e7f9b02ffa158cfe86e5907f13a64913273f8c70408910ec9 |
| SHA512 | 6fa8822c33c4216f76de9e5c38b0a468f7e5ca3fb05a13bc03126456f6ad2339f3582723eb6d474179986409451e00888ec073228ee0d835c32e267526a3614a |
memory/2132-775-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMUi.exe
| MD5 | e0c651e0638adf65497c87b4e99a9d92 |
| SHA1 | cbdbce8053fd13c41a8b68085914c823f0b89985 |
| SHA256 | 310b586daf524f350a2c950c71a6987040763e29857f90e208f415eac3c6dbdd |
| SHA512 | 0a295706a223fa746fee697e84b1cf81f952c09e0c123fd404be5a30423eedd0f505a22d03805a07c83cfccddb8ab7ed00187d91771c5f0f594da422837a0d20 |
C:\Users\Admin\AppData\Local\Temp\EEkM.exe
| MD5 | 8dc712c919f3f0c377fbd6c0e5f56ec4 |
| SHA1 | 98fccf0d8c70775f79fc99b1bcc4aee582a14aa6 |
| SHA256 | a74b46865f482c1e05a1977c03adb861ed45a601a6de6026e0c29b8f9a83caaf |
| SHA512 | 7e09c5a8f1886ae050ceabcfc5bdc284a3fb6abbb9b47c416e265701f78c5dc1cc0b4887512138bfdb3002ffd13b6436f73931122cc42b541c1a7abc5bc2f896 |
C:\Users\Admin\AppData\Local\Temp\iwoS.exe
| MD5 | 60c5f4002544dee58380cf3fe2f3dd64 |
| SHA1 | d1274cf5e1f1e4da4e08466dd795678ef0ddbadb |
| SHA256 | fff0d41d38d54f095b4c36615631722e77d10c945270570f506d6fd1578d833a |
| SHA512 | b84ec3931fd2e4846d820f39014bc84d9587a822c9b26a7c797e1da456f6b2573cb2f3200c49b9229e7b6c63fdf592453bbfd8e09c76eadf97af39374660bc7b |
C:\Users\Admin\AppData\Local\Temp\MUYK.exe
| MD5 | 2d493a1bba0b7e8382f707113a45e339 |
| SHA1 | 8a65d4f2fbe2b1e6dd6da66ac3962da8a5623d51 |
| SHA256 | 5ab042a480e1a5831ed601cfc5efbb697ecee0bb7b08ee02967017d108174f23 |
| SHA512 | 52fe7823f76f0d437891520263db9a36baad3e0d1b0f6d607fb74a36f2e5dbb2b0273f8c27833348c9dbbaef4bc0360892f6e2761ceb34425fc382db19005f13 |
C:\Users\Admin\AppData\Local\Temp\IgkC.exe
| MD5 | a3ebc0a1e0bff8249464190fa15649e3 |
| SHA1 | 5c5f50340c950d94c03dcdb894417144a56e4254 |
| SHA256 | ed5cf55355530e2dd8e5c1a8a736856f10e5981cf91e641a6fb0c6adf53ccce1 |
| SHA512 | 57266332a56b25ebab5b4fd498b47972bf5252e19778976e3a6f7556ce3981cc4d0fffe7f5c6f05373585efa606a4450661e05bff6d004f2a8db1cdf29196f07 |
memory/2148-840-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uoIW.exe
| MD5 | 7a1fef13c14de4251bb2584a66a20f22 |
| SHA1 | f64d8301c167297f0b41c509aaf2d754aeb2beba |
| SHA256 | 09db67ae4aa8d3d87bd6a4b23a4145b80f4deefb77b16bb4e2dc74d7c10b0e25 |
| SHA512 | f23cb9580877cacb41d2d1fc477f0a77cb12e43bc7584760fda39c90f6ed3844e5e5a5267d6564907fe4322bbd529cb3d88f427adede5a0ea0f8e70b85e29da8 |
C:\Users\Admin\AppData\Local\Temp\WwMg.exe
| MD5 | b1a14da226605b9badd667277c97edaa |
| SHA1 | e336b110373f57a4a799af1c26a1e2a2983690c1 |
| SHA256 | 3d5e6daa11e445e4eb9a8cedceaf69e0f537838d224f3c995e13077a0b9554c9 |
| SHA512 | 76765bbdeb5d59e00c86237d662889e4709bcb7028a52d56e6e556ac85a74553325c451cfdec17b7c96dccc9ea67bf09299709a069a3b2495d045d382c9f9776 |
C:\Users\Admin\AppData\Local\Temp\mUwk.exe
| MD5 | 08def248f9548534ce8430a5a466caa4 |
| SHA1 | c4ed479dbcea13f0e0b791ac834210577a9aa555 |
| SHA256 | 14ee063d2e1edd7622f6708a4263482bf31a67bd1eb37f51c043cee6545f0cf5 |
| SHA512 | 65c43b4c8310c48b324bc15ce66f6554fa4226a571874a42525bf01e18f26a7b9a5181efabb0d8e314fdb82565d34b49f71723b99d9b192889c3dea677279950 |
memory/4492-903-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SIcu.exe
| MD5 | ef9d53ebeb2e4c2e64dfdfbc7878e8ad |
| SHA1 | 88a922001658430a576cad695a64504c9d85eff8 |
| SHA256 | f7348a2587d1bb9bde64437f39796bfa28a309476507e592e7194a222a46922c |
| SHA512 | e5ecbf3e56bfc5e8cbd2493cfd746d962b3b1a210e99395588558010a44fe21d7714eac7abbeb5c7e46e11d2986e2d13a039b2a4404e2671395bd8ab13e80374 |
C:\Users\Admin\AppData\Local\Temp\gQQE.exe
| MD5 | af654037c329f6219172523dee124349 |
| SHA1 | 8988becf8979c5a0c0ea9f6fcc9ffd26673907b2 |
| SHA256 | 80d2f4588ba54c7feed35125352331e0f2bf2734993cdc7118dccbfebf4f8dff |
| SHA512 | 341ff88bc7c66b14a7f02097478e93ac90817592535980e778c0f1f0251a16e98b1d4a2f8b20da80bb8b7cec52959459ef33dcdc8f42696c69c87d718b63eaa0 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
| MD5 | bf7b05186b2a7df4da6dd0c82f53a8ea |
| SHA1 | 381dcaa182846391c0700572c162d91a3f8193ec |
| SHA256 | 03a6a4ce4a8eba26eb70a3e46b00cea3d9a4c539e2550407d87d7857e7dc63b8 |
| SHA512 | 105b62ab0489d461ed033fa2f5f444dbe8aac71b095dcd3c10b27f12332744ed22d6a501537ae63c3e2ae4439235d6bb0ce13154fa882476701033c6a032c3f7 |
memory/4596-951-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MAAU.exe
| MD5 | 3277947b59e7432f356c0e5220ace9fd |
| SHA1 | 14f42832678b6ad17773ac5ddddc580d13cc6cb8 |
| SHA256 | 6f4c99e94771cb9d910252506f2093e1ddc06b9cd2e7b4af869652ecf4957a8b |
| SHA512 | 342909b6201ff5617cec1c9b0c505d6c1636126450dd1b26996c4f39c972ce27ef1cae99e93943e6c6ebaea79e1584b5aa5978cb2b185266bcecc4867981dc68 |
memory/4820-968-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yUkk.exe
| MD5 | 2de37f6cf9b83aa6eaf8b7e8398ff085 |
| SHA1 | 7751e065055c37caf332acde7e165352eecac0b2 |
| SHA256 | b446cfd44bc4bd1ff88e48f1d13e105ea61a43a54921393ac8323bc35bbd5ce9 |
| SHA512 | 80956f9b2504270057e36e18d98d89322cf2011fca7594b6944365d87e096751d8cfec53cb8fe1754efbecac19602b6885bea1b49a1c3316c9726da59b94fe60 |
C:\Users\Admin\AppData\Local\Temp\ioQm.exe
| MD5 | 24744b5e2888d391aeaca82b72aa73ad |
| SHA1 | 706a908c126589c4a9ddaf66716e7863ba87f81e |
| SHA256 | a045a913c4f66d48d5665e455830bb34af5f55a7249a6a2f22d4f195cfc9b732 |
| SHA512 | e0d3b200f87e020f358546fec6c766883c6dc8968b39d4aacd90edad6daf5f3b8e65362f21b51ffc67101030fa8c8974289a398bf15fbc7d609803dcb8ffd279 |
C:\Users\Admin\AppData\Local\Temp\UoEq.exe
| MD5 | ca9a5da254bcef41a30c397dac05b79b |
| SHA1 | 5ec8859361bd106f14553933769472376bf762eb |
| SHA256 | 8ff11a3ce67413cda503e972b3c96eeb7c9eb90f65983bb02c009307bde22a09 |
| SHA512 | 8bd7f91fc6f07ed7ceef6fc631c27f43e8d4f5a43cd718f18c0c7afcd0d0f210abead04685a02a875bb10dd43c834a9d74d506c406f124a908806d99c21ff8f0 |
memory/1576-1015-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mcgU.exe
| MD5 | 4fd48d45ffc134948b84d3b159401612 |
| SHA1 | 233f0a7204da7df3194ac8e3e7c9eb462b039011 |
| SHA256 | 31b49f78b91db28e686f454283f9c90afff29e093feeecd6e9fc2beabb6f2613 |
| SHA512 | a1c6214ea840aab662e59578754a3e96ddac2037bcc442df868036a9252b5658e5ee5a448d4a069a1a64e2740e72913ba95761a00655444b50af775e437913c0 |
memory/4596-1033-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yAMU.exe
| MD5 | b244a208644ca8178905efb715f8bd7a |
| SHA1 | 546269966d66540b5eeb04ab6f7a53a8656da3b8 |
| SHA256 | 79beba8f29c6b6b395fa6e98b10871deee4ed8e2556626d1a0a4a518131e666a |
| SHA512 | 26d9bcfbde75d11ae7cec7a26f311c487e05998a9c16954535163ddf604b9a050c720bfa88e7c368d63959e2427682603a630e7ab7667025149f1b2430e73eeb |
C:\Users\Admin\AppData\Local\Temp\aIYY.exe
| MD5 | f795f509b97da0d50812426442f497d2 |
| SHA1 | 65867f9b93b493e601d785df65e1c7a04a90bc14 |
| SHA256 | 4a852067b171ae95f32dc262b24b1858d918590f6ffc65c015d7cd0ff495e3be |
| SHA512 | 8b563dfec3e42607ade603c7fa1be116eeb60d2b7ef764f06c1f2746287e17985c63df8e51e221e8d60d67d93262183823d23add5378dd8638db21b1fcc2f7f8 |
memory/1576-1069-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QooW.exe
| MD5 | 7c40abe55e19fc72d27f8ea44d1e3209 |
| SHA1 | 48eda17743a2f35656bf17ee50b4fd65e5ebad74 |
| SHA256 | 15ec6d4870d66b02c851acc35c934379cde325937d2de53a84dc80047470c81c |
| SHA512 | f321246e217da91ff662ba9d85a084ada06b78bcf4292497ba756a5ce383c974100d99531aa9fe83782d26f8ee188968b612254eeff77580b2193a8d160cff62 |
C:\Users\Admin\AppData\Local\Temp\WsUi.exe
| MD5 | ad09a18feceabfa3f39ec4de3cbe3b55 |
| SHA1 | 352e6bf2ba64bd9115500514346192ae4ef036d8 |
| SHA256 | d2e3beb71f4a666a29e5c6554a76eaffd98815994ffb2c24a42cbcdeb4576369 |
| SHA512 | e797ceecbf27a45b371a80297a8f2caee7b56932da7cc80e2880c865ca9e68a9d90f2174e3dad58913c334ddda6c7ed9b57c1627bfb3b7a7a520b5564d9a9732 |
C:\Users\Admin\AppData\Local\Temp\wwAk.exe
| MD5 | 2b59b4dc6335226ff7d29b498d9a7221 |
| SHA1 | 3ce951a555127944f63b0350fba1f1fde7f6296b |
| SHA256 | d7d52d01f658946d6f2ffea725a3735e61de861a39b0fe1d9b4f725726e7994e |
| SHA512 | 3ecf96fbf592d099caa511e9ccf2c28a7dec033b0b8212a9510f783e8d962b1c3e9f957e8b85393d7d8dafec3ead36e0e2317a8d9c81d2fafd29527a2b53f81e |
C:\Users\Admin\AppData\Local\Temp\OgQE.exe
| MD5 | c8a6656b9dfecaec07305b325f4e5240 |
| SHA1 | 123cc45d4aa418500e676a10be38fd447eb1ecca |
| SHA256 | f30abe5a6e56b81a2a0809819b858be1f90b4e5ae6b7ac5cb757fdf1f91a53f2 |
| SHA512 | d54ddc8e00943cc15c91735862bd2e42f5203c59f4ad1198091681ae665a6aa2b16ab16456051a905c4cdeee4d8e8bbbe33761217d9b94a778c2fe260743425b |
memory/3496-1133-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mAca.exe
| MD5 | 792992da8060f1dc9cf69458eaf695e6 |
| SHA1 | a1575dc6e518fbf293bb7f6ef3c28f3eb416f2ed |
| SHA256 | 174ab4e84fadd0e0b6044726add046d12725fea8701a6bb73acf11d454d288b9 |
| SHA512 | 62266a2f715b83dc964131da777deb431769b755c6c761cc5a7adc4a117428bc5b98ff0322bd555b3cda522575a66143c7e85b1d7a886b3ea6d6a9334a2b5c96 |
C:\Users\Admin\AppData\Local\Temp\uMMw.exe
| MD5 | a994116d470eb5fc8a14d030c8a42452 |
| SHA1 | b0249b5e8b1579a7cf1ab08585bc1ac042647b04 |
| SHA256 | 7b73ab1cc12f17587434e6af7eb3f10e26008952ef333cad63844b1839c369f3 |
| SHA512 | cdd32b1cbbfb786102c520eb1e218e18c2fda9914532922ac2e81105fa05ec815a49233324e4811499099c5577442eff7be3db0d4dc46d7116ad9984dd9d5e60 |
C:\Users\Admin\AppData\Local\Temp\WMMM.exe
| MD5 | 3bd7a396182a36bc2c76d6b6afb224ab |
| SHA1 | d9b0aa591b211f6cd50c2180c472dec4124230af |
| SHA256 | eba912a5d68cb0e63f3d9c65057364a22a045b39a0c714b503616bcd82435b9b |
| SHA512 | 532c0879edfbfd193bc7f0a5925bd82cb39006bdb4d84503139b52cf3461d3c31371405c93adbc25519063ecf6a09b26691d262862137fe080d824b736f041bc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe
| MD5 | cb842512a4b06f1d71efea7c346ac60c |
| SHA1 | 8ea2bb679ce63f0dba4388eb3280b0555fa27af6 |
| SHA256 | 9cb55387c45241d670bd93fb881c5c3250f802a8f21d0dfb7595888ce296b4bc |
| SHA512 | 50a2d104f6baf6b2ad7ac89c883dbf5a03892727f5fe326d4d738c1b2e589990b0fc408b2f474bbc3bca6e1428e5d18f0f43945271972de5845490eb62c7bd60 |
C:\Users\Admin\AppData\Local\Temp\mwYI.exe
| MD5 | b25b80fa68f61f9bec0157ac5560dfb2 |
| SHA1 | 31141b6279fcb9577da9959e8a649133365ceb15 |
| SHA256 | e5b0104cada7d1d42e5422674545f97a419ac957eea6765e0e6c47af53122086 |
| SHA512 | 85832811abb0acfa2864b9fd885eeca054b25150d579c1fd07820d1cf96d9a77ac1a1195d92666aaabeae6a4d54a95ac3c803a360f5625b28e0e676393316d63 |
memory/3064-1202-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ckQe.exe
| MD5 | 8023626fb018514d74b429ac540e57a1 |
| SHA1 | afde606aa779d368e87b7887805d125f1a772495 |
| SHA256 | 72bdfb9e6d1edabe94309f0cea2ecfbd6dc8770a97fc0cb98193c5dba76a590b |
| SHA512 | f66f04de20b90363a60612ec82c083e1164ecc510199257be885f708074eac155d3421241831d24c07470e8af2ec20cc9e191c3973ec17e32ef2350e9473a2fe |
C:\Users\Admin\AppData\Local\Temp\ygwQ.exe
| MD5 | 25f793cb099fa7b706b62f6781486a2a |
| SHA1 | df0de93023be894c9ad25b3c12540f4acc2e7cc9 |
| SHA256 | 23650504205c25cd208efc3d8691fa1f7a32f43e0f7724d0681715d44cfb13df |
| SHA512 | 926878a850944502494a61fd3ebf4e1071ca52dc0fd7cdb20d23e7981433ce6373c9cab15fcca425f0a33d7afd95309b4211a2bccc920f4d137a025d9791701a |
C:\Users\Admin\AppData\Local\Temp\ogYk.exe
| MD5 | e7a433cae666ba90562023d6592297a6 |
| SHA1 | a8c847fdfdf96aadd3776d9fb958e9ccabf72636 |
| SHA256 | 560571268cffed57dffc4d1779105445bf95a98006808075c81f6097206683ca |
| SHA512 | 4df3d151f1195a829e0c27abb59078011d011b3bdb0d29a15669fc153e6b1b6a85e9fea5de1ecf12e1c58ce0f7c8a75fd9f0c061c8c303f4e59d60447cf52a3c |
memory/4412-1275-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YQgQ.exe
| MD5 | 144458c6cbe5b84b2372b01160e836ba |
| SHA1 | 6bbdb8097bf608cf0acd08fa7133fe73eb048913 |
| SHA256 | 415fafe3f97b5c1947d76b5f7ceff5718069b77493127ef26153b20f1cdb4df3 |
| SHA512 | a7d78d7f5558744dbb55f872c361b3484ff80ce751029bdb6db1d089ab30d553384307e7b75c1234f29cdb1193d551cec2dba2de46930bc28119ed55afb10a6a |
C:\Users\Admin\AppData\Local\Temp\mkok.exe
| MD5 | 97aaaec87d1e9533b8b97acdaeef5a23 |
| SHA1 | 01ff5533d54b983726b5263de3efc3018e2715d7 |
| SHA256 | a621c2c910db563e19172f68fc519f3439e99288bdbc5acb54b16f2b3086cbaf |
| SHA512 | e63b1d17f21c6bd1ef59a2e8ea2fe39f1de97c050fbb3bfde87f7319ad38fddd4f49d0c8b2a0d997feca11d09a3bcdf103f7f744f69af7a7df93c30a2bfdfdda |
C:\Users\Admin\AppData\Local\Temp\mksk.exe
| MD5 | 7c1a0d678625f9fbf0f451f997347000 |
| SHA1 | ff840d41c1d48519b8dc7f551cd098975c684ea8 |
| SHA256 | 9ab2f9e1020f0129d153ea8267d2f88d8a85bbd4948e4e4e4985cd9b56a99f35 |
| SHA512 | 4f4e4441d2a5cf3aa4ddf30fcae7e98e99093c8df5b95e05e04000a0630cfc957a9473cbd3dcc3cf94aefa827f9662479947b8ae07b75eea213722da5835d2d4 |
C:\Users\Admin\AppData\Local\Temp\GMUc.exe
| MD5 | a974f0735c5ea55fc34cf318e1697cc8 |
| SHA1 | 48b6c7a78cfdf24291016cfe6a2dd2085501c2d0 |
| SHA256 | 0dfbb870bd3d127a2d29b4b4b0025d933f38023bc006e26c95146c84cdfb752d |
| SHA512 | be89e56e6f0ce4d6c7582840a2aa76d230892a1810c2a7efedc0be4f220bf049ce5c552b932e9fcae8d1bdbf0310bdec8af80bad4b814551d4ad13d5f18b53f3 |
C:\Users\Admin\AppData\Local\Temp\uIwW.exe
| MD5 | c0db128faf16aa0767646f4eea8cf460 |
| SHA1 | 0d3ec5f66527d05db209644fca83bdc62686171b |
| SHA256 | 0b01c44ed88ef83e67800c7dfd7938892fcc0636cdfeb1069779c7d3bf4bd11a |
| SHA512 | b3dd6e5531d434fc4fbaa5b9f1709173b7fd598ec724ace51ffba9355fb4c31ff2b773a898dfdb0ca8c90a15db04a4f364d8aedb5c6d88d313b9209cb71f3731 |
memory/4352-1338-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AEcs.exe
| MD5 | afe3445b652e1ce8c73499460af7d610 |
| SHA1 | 523f2c097df4a44912deedab3de965d53c91a303 |
| SHA256 | 1d1e268d10b216f1dc948b77d1e3d21cc4187328f992c932d94cd0338150bf0e |
| SHA512 | fceceead40d30c046a27318510ad2b97f353044300e85b33bf6f986b800361d90e0e0f45ad1efa38bf8e4b14a1dc68ba70680fb1204ed00c37b2f08ed485412b |
C:\Users\Admin\AppData\Local\Temp\MQoo.exe
| MD5 | ea55eb91bbf18d7b6a18019bed8425e8 |
| SHA1 | 85b821b47cd058c776b34394b033a76cc18dea4b |
| SHA256 | 25d95b23d206ad08172aa6ec3af465786a837c41b9840b97d1399b61f7b220a4 |
| SHA512 | bae16c48cc2c89498aea8886390ecb48a8c5ee60694544d4551db798f240e26b5d52a01807d027bd36d90907ed34af935d5813ab279c97ee7489ec03602a9a2d |
C:\Users\Admin\AppData\Local\Temp\GwYc.exe
| MD5 | dcb925e93659137a1f3fa9ec2134fc38 |
| SHA1 | 96bdb41bdd03252b3a9193f78776ed576b52c53d |
| SHA256 | 103bee6269178fd22335e2f1b3323739d09905a465bd714771d690b4aac99727 |
| SHA512 | 94fb6eccf1176c8056826e5478bcb5f4fe33867ed030066700ee8ef4fe0e2d4ffb306e6c9252f5b540f52588b2fb29e636b7640fcc899ee7fe0172e5f2db569a |
memory/4800-1388-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Qskm.exe
| MD5 | 213f873a34bf16940b3adc7ae7649ea4 |
| SHA1 | 51e9170a9df9567bc89a5f9c0f8b3d5845d98672 |
| SHA256 | 5524a154bbf2f4ac97652ccb22c8e373954f7a6fc7cfcc28e0b6f73abed30ccd |
| SHA512 | ee8c10ce631aeae1ab25e3be538840d49b8bf73dfc1155b6d1d20ffbfc8f297505b2bfc03c8feb24aa98e880adb42628c2d51853ee839a9119b7dc9937edc06f |
C:\Users\Admin\AppData\Local\Temp\AAUY.exe
| MD5 | a332b7efd722421f8b0c878ceb7c5e04 |
| SHA1 | 8d5521e25f00006b137b6764c1c5a75ad4fd4687 |
| SHA256 | 98370984209c29b8e0b25fd46a2724608fc3fef0f01595ce20073c7ec16683ab |
| SHA512 | ec6b0dc5272505814331cf9021712b4f8f9936b6e92622dfedb844e0aad4a410790571a26ba08860dab71fb67a1b0353eedc67493d9d89c5e05c25bd756214a9 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.exe
| MD5 | 11dbf381d26409ae6668eceedd0361eb |
| SHA1 | f7bdc356ed6395c394c8185094bc81b80ebb724e |
| SHA256 | 317de43db0d55cbfe19b472ad8b385a6f4ba8ba77c1139a3ddf5ba356b322007 |
| SHA512 | c6ca3f543634f7d02b855c5e68f149027981d053998532d6554e02c1405588fd68d4b93ee43567fe61f1483fcbf749af008c7a3bd6d5417fa3227de136765568 |
C:\Users\Admin\AppData\Local\Temp\eYoi.exe
| MD5 | 4c23193b733b7204df69104da09997a5 |
| SHA1 | 96556c15c1de854dff0f54939c3ff9b8cc0eb872 |
| SHA256 | 3335b1ef04d3deaea5508073acf3e79172eadf94b7860446372f4b1499451a0d |
| SHA512 | 0a9c18e332d21b59a2515cb88c0efc15de858377a3c2238cfb3b5f59e1aef329e4ee9fc001d9942425855f8316ae47e105e9b197936bf2fdaf184428af5c101c |
C:\Users\Admin\AppData\Local\Temp\AoUY.exe
| MD5 | 3ead6b9810c6f3e40a119c519ced5a5d |
| SHA1 | fcb226a69d27a2c600979ff7944a7cbccff3f495 |
| SHA256 | 181b237260924e3da1a9aeec2b1b4c028ecdcc97c7795108da6d4292e13604af |
| SHA512 | c4d8c9a6651b6a069530673a6ad628163c20fc65d5e1d8c1181fed131d4d98b8857796ea79bbebca9b5249bf0bf0bea7ba5e3b4f4b06f0cfaef7eae7cda6b7ad |
C:\Users\Admin\AppData\Local\Temp\qkwI.exe
| MD5 | 11cc392d0ff43d087279ed8906cfc284 |
| SHA1 | 6aa6219496892e32f19e9c030f6a90e9f2210d15 |
| SHA256 | c2b6235dd530807c0d2d034999dd5169340a08517f389358ba86f44108dc7ecd |
| SHA512 | fde5eb25b81f4ae9f99b7b25374026c906cd99b4ddc56d63ac0f2504fe293ada2d7c7c8138e37e758f2b3225939df32e4a2e8b87d807540a485f3445db8eff78 |
memory/1184-1480-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iMAk.exe
| MD5 | 74e8a12f7db0c4ee4aa386d38f1a5610 |
| SHA1 | 16a8a84869fd57fb1c493459db203ad1c3b220ea |
| SHA256 | 65baedebae1a2840dcd97a8c620cca46b5d223894027c596befff645db719614 |
| SHA512 | 97a7a8a07ebd2ac2af88914d07b7035dd6e472141711f06ae2b598cd62bc4a1b6bd9b6f439550401a2ccf1cc3d153029d5028265c41f1d61ae1ec989b1b49717 |
C:\Users\Admin\AppData\Local\Temp\iscs.exe
| MD5 | 0759a3cdf90b30c1f8f951f4389f60de |
| SHA1 | e21c826b13e58fdd32edc1428b3db73c52b72e30 |
| SHA256 | 4c7f10f9a9525a36d774b94f900bc2ea73c1e234ec13bf3b070c20efa5549db7 |
| SHA512 | f64d6d8ce09d790c268fd5d4ff313240d2fd35becbb4e627beb85b2c09f869c58111a62b5344acaa54d99cf80900c055532067a317699d7543f81bc3f5f14a92 |
C:\Users\Admin\AppData\Local\Temp\msoi.exe
| MD5 | 445359f86aa6ef53dade0cf4f3c16984 |
| SHA1 | 0665988419e5cd54a987433adce803cb988941eb |
| SHA256 | 4c39236dc87023b092d734201049933c085367b663a5323753027272938eb15f |
| SHA512 | f19fe917c71fafcec2b97ff8f264a785d128f5be99a348c598bd6439ba40c595edd12949d96768d4f3e77d3a5b324520c3a1a6912d06c48b6602d34d97028d35 |
memory/4924-1529-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUQo.exe
| MD5 | 94c5178c577389b386d3ce9cd5ffc99d |
| SHA1 | 0e6200515522252b074373b167e3020aac90f7b0 |
| SHA256 | 4d706dd9074cf2a9e8ce01f7260334481d31a075ed55e5dc52067be37326125e |
| SHA512 | e51fdd90f073fc52bc4866f19750c41ab2d3eed61ca13884e482e2546d3a14e5225f967983e09b1fce6643a2a01b81d0135f8665c7ac4578c625eaa0dcd8db6a |
C:\Users\Admin\AppData\Local\Temp\IYwa.exe
| MD5 | e9b120e9ef14dac3902acd19c7983df0 |
| SHA1 | f88514df5c63e5cf70f0fd6350cba9ac012dbdc9 |
| SHA256 | ad9db42eeae0fec9fc3e174b75d77493c2210b8c794f79349a23f1c14ea43f86 |
| SHA512 | 3b581f897594e8012bb444590b77a8775711a16a9f24703ccc5fc247e924b703aed7811844790cfb1c42bb2e90ad03d42b11239f30336a64010d73fcbfadb42a |
C:\Users\Admin\AppData\Local\Temp\agMM.exe
| MD5 | 2959e7c91b101448ee90af88c408099e |
| SHA1 | 0638ef2c576dd32f7c97ad24e45ff91aae9f3638 |
| SHA256 | 6e728e8a2dcccba9cc53d36c071f52373dc7f5f29ac1a6b60dede826e98cad4b |
| SHA512 | 77e828b7e794cc75d1f18a006fe6a145d0342589d85597b1108021e9ff73e4203882b8e877c1ed44db73b887f224388d83c1e81706e7dacba24801dae33ae604 |
C:\Users\Admin\AppData\Local\Temp\OssU.exe
| MD5 | 403d0be6b77633a896cd83b146562139 |
| SHA1 | 9051d2c2c14839dfa4b335289fc21e057565b846 |
| SHA256 | 69c9b43858b312372e8127d51051306399416a9d05b4b1af6a569bc1cd218ebd |
| SHA512 | f9b4486b39996c93cf2f1e17136b064b1124b401b2f337610c50d4ae0f3f10ca4b15285f34db98c6218cab8edf235bc2ce8f9c726bd37b6e3c39b6c4e5aa84d3 |
C:\Users\Admin\AppData\Local\Temp\IIoG.exe
| MD5 | c29d886121df6c1b45a78abff73916a5 |
| SHA1 | a23b99163bcc74c11bc67d2b9e6fcffe4704a91c |
| SHA256 | 580422c78ef8f379057c1350bf903799b03a044902cb67aa0feed37740841c8c |
| SHA512 | 99a66bd354f6a01287b25a17fac209542069577fc2699ae787475e26825e0eabac2f28a44a7a6e9b76c27ecae77ac7b83c117d7b9e37e3d4d173fa6cc06c771e |
C:\Users\Admin\AppData\Local\Temp\YkYw.exe
| MD5 | 5d7cb181b0c2ee8ef1e4e9fadebf0d65 |
| SHA1 | ca926f9f7c58ef9bba47dfd16cbef6f8c47e96b6 |
| SHA256 | 952eca952731e1edec23bb489eb912cf238b65cf036b11a42a1d1e3f4884ca11 |
| SHA512 | 38180a947b4b4665a7f94c9bea4b3cd57fb97c172f9b096901f080ea6bcb23b0507605a228f7ce390e7ae2daa8b2ce2aaeda3555f634693943a06cadd7b45d05 |
C:\Users\Admin\AppData\Local\Temp\IAIq.exe
| MD5 | 375a0ea8ebdecf4b6be5239a42ea9ea3 |
| SHA1 | 1305a67efd9a6b61cf424c5250b44ba92902a3cb |
| SHA256 | 1f8e489811997d3b375921241cc7bc140d3b9576f6ccb863bcdf94ead05c6534 |
| SHA512 | 9a2f0b041de1846c43d0e81904383facffd9bf45c76fdedfb03abf62f77dff9c36cb999803a63d7bc138e733a706d2b6a48dd6dcc93195c032d299fca1ed81c4 |
memory/1188-1633-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe
| MD5 | 9b7e2a1b27ba969a4431b1b53bec2a98 |
| SHA1 | 8d0ada50e94cf8ae20f4323395bc3c641742caec |
| SHA256 | 6802f698280735cba706c230a3395d8ff349fd032b7373f6576195293e977715 |
| SHA512 | 8b67baa37473db53e955f32e46c96d2fe342b84145558dbaa249f53b6f7e4733358924d26292bc2821cb7c89cc8b6718204cc51a97ecc018c0cd9a45bee3bd19 |
C:\Users\Admin\AppData\Local\Temp\gsIW.exe
| MD5 | 6d1d154a14036dbe49d80470976096fe |
| SHA1 | f6a6f4aa3ef8bae2da7cd83bc5df42a216a5603d |
| SHA256 | 7e10e66c833d1717581bea72289f16b8ac4d2758788e4d9ce7c0a2f4fd8cd4bf |
| SHA512 | e275122ba18b67bfbf40e01e643bf3424e2970f8c31f14344aed49e31c4826aba96d852bd6ba3fccab256c5f9de19fa8c89da0d8fa30a9c24b389ff0cd9fb77f |
C:\Users\Admin\AppData\Local\Temp\yYcm.exe
| MD5 | 0f9f29db1cd32b648234ba3ef0d0cbb4 |
| SHA1 | 00dad57dcaf4b57fb380f63f9db073fdb58a78bb |
| SHA256 | 9cd73edc81acfac900c480ccff7524bcf367131be597770d59daeeee7734c42e |
| SHA512 | bbb3677586993417b69ca99fa164f15b20998f40f4934c171a3d98cdbed8c2ecee10dcb992989d99d8c1e9ab001609779389bed578d60598e12ce8a441323732 |
C:\Users\Admin\AppData\Local\Temp\EwAa.exe
| MD5 | 8ee5e863a1d28f542ac5edd9b92b195a |
| SHA1 | a2e00f170bb0be242bb6d50ec3f6f0fc0ce8e259 |
| SHA256 | 48867736926fe644a1a7135e68deae8f02bf13aab9f6b44e63bbeef3418951ed |
| SHA512 | 92a3541b55db0e246e113acdfcd36fb45b349a93c3eaa2737a59173502d33199125ef3ab580b5dd290bedfcf18af6264ffeade54f84d4df53373b2e706a1d841 |
memory/4824-1697-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YUUu.exe
| MD5 | b98e0f2cc4d575a7327fc372361ebf77 |
| SHA1 | 2d7656cbfe5562fdf8325a41c19afd923351bc2f |
| SHA256 | 1aab1576380fe0f53dd6eff0401850275b4c4555fbc7186a29d7ebda398e11ce |
| SHA512 | dd3a11d041cb42c30746110d37f7f9fa00c77d10a6d5ac121130e333184140fc84f22179706409eee8ff76b39ef445215d84a5048a0d90de38f32db0bb54e4ad |
C:\Users\Admin\AppData\Local\Temp\sEoi.exe
| MD5 | cf56d8d502b6909702452f0911c2a99e |
| SHA1 | 398a11e4df0c0c9324eac10352f49a66091f664a |
| SHA256 | d3b050a9570554b57c57f4c9e06c6f5a163fa19ec9011d44d7576af872b2aeac |
| SHA512 | f8fbaa42f7b3b1d3e71aa84b791eba8da7743da58e792cc9e05b627b2f746b34c0424a9ab94d5c701a5bd721abcffc2cb485474e0db33b09f69664100cebcf5d |
C:\Users\Admin\AppData\Local\Temp\MwMM.exe
| MD5 | cabdd5454fd5f621840ab6fdac94efc8 |
| SHA1 | 5a50bd7aba73581c44d9aada856942db81fa9234 |
| SHA256 | f9c1a6d89d8a5da35fdd2792f56e0e54f864210ce3eeb0238c8b4b4007ccd6a7 |
| SHA512 | e185d8284e4b3ae4ad85784a21541b788ac2113dc7e7235d93416c42dcc824be000145bc06b6dada0394b632145e21d437e4ab789f1fd3acad6f9415715a2c5e |
C:\Users\Admin\AppData\Local\Temp\Wggu.exe
| MD5 | 422edc136c1bee59299698f2cce524c1 |
| SHA1 | fc673e2b5cbfca28276242469bd111a76cc892ca |
| SHA256 | 0455498d8fd2067e94739601cb46d55eaa9b29f9a462d986fdb0cde5c149a77a |
| SHA512 | c9230ff7721403fab500d51a09af3f40e9b88598699bc5e669d7e05896fc8e46b62b522b56a0ec12e33ab1323edcdf648dcf4ef7dcbe615f446f6ecc6bd70562 |
memory/3608-1762-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1712-1761-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mcMa.exe
| MD5 | 3923753bf2c5823df87ae9d98404de49 |
| SHA1 | d5a46304c70334cbf01cdbd8a3f97c7ec7cff265 |
| SHA256 | f489c4ec8f4884768b90026f36b0591c34c09c557d0fd48923a7bf076916ee67 |
| SHA512 | 0d0bdca3b0cc77caedb027e3fa214ef79f0c532d8f462096f7e0230b8c9f8aeec077d1a35d111466d05f57da8c93238a3c383f6aa776bd453ba282097f959d10 |
C:\Users\Admin\AppData\Local\Temp\QAQY.exe
| MD5 | 31857c9db22606bbcf6d835aa7d9b37f |
| SHA1 | 06b3e26b763dc1730612c5585065693c9e2bf276 |
| SHA256 | e739c68f15210e34dc1edefceb5be6bb022f46c5e5f7e054db6172f8f53e961e |
| SHA512 | 8ae57cf872bdb06dd5b1c19fb384b9ff284e948186d185e41b50fa0cab0acf4c6f597f73a8e48a802207c55933707dd19ee69b5eb08d5b5d6db8f51e220f0b08 |
C:\Users\Admin\AppData\Local\Temp\MEAM.exe
| MD5 | 6786d641282cc17ebedd8f1216e78949 |
| SHA1 | 6589a8dd3ccf02ec7f905cd8fcc6cd1316e66dd6 |
| SHA256 | a6723cf4b10ca2ba4c9cd83cdda593f5014d326e9ef8f14326a2f28c36c36fcc |
| SHA512 | 4896fd61317bca0b9b0eb76bd9dd9fdb085e6e7094800444741233ba0e9fa8575e3d9f2bd88fdb72ce3d42250d791138ef923db3a6b17adf43e08e036eb359e0 |
C:\Users\Admin\AppData\Local\Temp\IsgC.exe
| MD5 | 032e825092a5658eef4acd9e10dca75f |
| SHA1 | 446d47684d1862fbd5d9e561ffd45f02f281b3e7 |
| SHA256 | 13042110514c26b46a53bc2248a7cf196befabf6e668981f5a215f54171857b4 |
| SHA512 | f5852399f4741e1bd4a532f6c90b9e5acd99ae280eb3743d89c16c9e61d80d7392fc3ce7040626f587d233b8eed822b5f3d3aa0b226eeae17f6acedbfe2a8479 |
C:\Users\Admin\AppData\Local\Temp\WgMq.exe
| MD5 | 687c0d3c1f557cbeb2fe4896594c2d95 |
| SHA1 | 7e60789f8086feec8001178a77b046900c826582 |
| SHA256 | 487483fa27e8f65f96a44fc65d6a48e4d6b6cc325043e0b94011c434557a5f8f |
| SHA512 | dc52d5cb5e7793f7240c4f40925659ed9eb4cf32edea1615de1940d531f3c976ce8557fb61f5afdaf35cc98110102030a7d23fd083850bbc0eb95d2f5ab31d5e |
C:\Users\Admin\AppData\Local\Temp\gMoi.exe
| MD5 | 54f11525851495d9b758da6852690516 |
| SHA1 | f70cec82d1b764eea985deeee95eafeb02147a53 |
| SHA256 | a0299a660712215c629704ad4f4d9938069eae8cbf6b9a07c87130416f9ce465 |
| SHA512 | b1a0aaa33abc22fb49f0ca4964e1fe6a16cbf8f2d5d946c931a0eb9ebe96058e921e98873ff913901864d2a7c485527a31ea3009ed80a58cf29b5a96ac2fce1e |
C:\Users\Admin\AppData\Local\Temp\AoEC.exe
| MD5 | c81a7d8c42ea17d5a958003c966ffba2 |
| SHA1 | ca6c6d275efcfe0e86af56e8f80ea96816396c38 |
| SHA256 | a4f1d603b3d44d04cbd693b2e0be36282f3331a7691e384ea6c9e4307a7b3de5 |
| SHA512 | 7993da62e71f590ba3d58da2653430d8711399725c94c4eda61f6730ec3f842e773ff1335be8e8e72864ed6b66508ebc2d742d59a38badd7577f59bc2482395b |
C:\Users\Admin\AppData\Local\Temp\ScMC.exe
| MD5 | 439c7771361771092a39a93d46d2c015 |
| SHA1 | bcb62217f14274241357bd2d3ef339291ced6b78 |
| SHA256 | 072bbbbd6de4996cd20f6938af735c33c075e5ca866f4426b3a3b0f26212577b |
| SHA512 | 32b581832e15b54a6dd5d869a5c7d35e684b5f3fb863f12658de3aebba86c3949719dc7e04a86a6bbbab6c4afa79a58160333c5e0df48292e78be4c4fa39158b |
C:\Users\Admin\AppData\Local\Temp\Osgw.exe
| MD5 | 339914ce7a03e10a567cc999211a2efa |
| SHA1 | 8e93cbc6185a812e3f97912035fa07c13690b442 |
| SHA256 | a8856255fa5633b288fbf658573a9a143fc990848a7d0f9ece9c766e8eba08aa |
| SHA512 | c0b08f8ea50f477802297e4a0014d050e3ec83c45656c8ad0d900e6cd5b726a0866beb8f86c94c2dd8b903591508534316e7792e6c3664471eda5dea761610a1 |
C:\Users\Admin\AppData\Local\Temp\aIwo.exe
| MD5 | 1f3b2dbed546b54279bbc2b7db1d86f3 |
| SHA1 | d276a3f880fc905f54e11f6d8fe4851d2a1034d8 |
| SHA256 | 06f9a6a7f9347fe943c182f959e32e9c0d5926e662d7cfb015312beb759ad035 |
| SHA512 | 8e90816bbdead6e1a60ee12b5b2d113155deae87b554ec5f83ff04b49de906c357a48be98614a373def43eec463908fa2cb1b2873d4b5637e91453c7fe70ec7a |
C:\Users\Admin\AppData\Local\Temp\aQse.exe
| MD5 | 8aaabfea225860cf1d9d5b0c8348601e |
| SHA1 | 0ec06c815c4736eef1b0e8eee30bd9747699e3d9 |
| SHA256 | 24ed91d3b1e21a818f977200d5e78b39e7d319e50c10832475902cb6156816e7 |
| SHA512 | df78310648ad6ce4102fca1a6f7ccd08a5c4b9a3a4d1ae092d311623e484326c12cabdea6e059a77b5b89d57dfe7e73da9369ce9a86588900f682871c564defb |
C:\Users\Admin\AppData\Local\Temp\wQAw.exe
| MD5 | d3282b75a707f4127ceb119b4df21548 |
| SHA1 | 494141fc82fc98e7cf85583ad753c1f51ed8345c |
| SHA256 | 75f930efbb70229fd82e0aa4ae3bf23e4f9fc7088d6182ccdaf81c40103b8aa1 |
| SHA512 | 55aa24607fd2cdfa77b3f8c8959139f8974d259283a27e75e6d4531b306b7d83882729cac85592bd57a0fd7e82b45a11fa8bc0e9e53b2c3a1a21cc5e8861071c |
C:\Users\Admin\AppData\Local\Temp\ckIQ.exe
| MD5 | 1333c53ea96d6a0c7599d9207d9dfc50 |
| SHA1 | 827b957fefc825abbde459229b561e54db3d36bc |
| SHA256 | 8a34726e2060b008f7ae494aa8cb299f34b7d988691d77143bc1971884b28d88 |
| SHA512 | f1dadcd77441b5835cbca7b96a582ac59d65e634cea30a1d753d94dfedc9b8f0e08d20c5e58534885e5ca5e2d3ad6dcdf3e666cdb7cfdbb21438cb182348c2d4 |
C:\Users\Admin\AppData\Local\Temp\mcso.exe
| MD5 | b35f48bcb6b3218ffc0357153ef5c63f |
| SHA1 | 23587012ed3bb19c8277fed452150344f910c10a |
| SHA256 | ce189f1340ddcae99773bc182d90ae2e1a221f768bca5d290dcd59b87f8b7076 |
| SHA512 | c8f112bffed8dbf7f85bc163c18fe34c19049c343f62958b2d858b153369fbd5c486bfcc362e801d425b7c2c5da1c3ccbe57ad931bb934c43aed03ec9c4eaada |
C:\Users\Admin\AppData\Local\Temp\sgsk.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\ckME.exe
| MD5 | 0f0933eefdca593727bf893c42b6e000 |
| SHA1 | d44818970f98ed3846267b488f1f51b15b1d8a26 |
| SHA256 | 64ebe9e3fe1f60e0fbd9c08c71c9c44884cd8a8483025ecc0195b0ba4a074afd |
| SHA512 | 134508f2eec237cdacd910d1254ac017f346664d1f51f549e4d496a9dee2cebe8cf186ff9faf94d62a1c8267cb49182b9a550b8e8193ae4401bed454f5a269b3 |
C:\Users\Admin\Downloads\PushImport.zip.exe
| MD5 | cffcb20f306a650ef2c94f53391a15b8 |
| SHA1 | 1a3de7bb6f0248f19b0989731433f7d32a0b9764 |
| SHA256 | 851f3d77468d4ea4777cc7051d23dd5dd591434387967996e4a6a1fcb933c3f1 |
| SHA512 | d012c3f40b5331a3e400da4af470a02dbef9ef875938a1297066ba96af283f5a6718de91f57fbf8158acc1c81f10677171079068ad2128327eec358777cf8c94 |
C:\Users\Admin\AppData\Local\Temp\IUsq.exe
| MD5 | 2c28a8a1646771679eb4f43a12a056ed |
| SHA1 | 44aba6c52c23829ef2464e642ac8afbe1c6b0be1 |
| SHA256 | d80bf31fe1a5f4f494e93601eb70a50c56e3575d9cf6f119928352bfea5716a7 |
| SHA512 | 0349982bdf6954151b0336f4b4aa6300f2620dfbd362468916076adcb1474cdd99b3c67701d24bad88b7e3bd8c92fe6495e77bdd0fb246014afd15169c49493e |
C:\Users\Admin\AppData\Local\Temp\mwMa.exe
| MD5 | fe24230eb2e44dae1eef9717c26caf26 |
| SHA1 | c3fb5b939b4e0d998838404157315d1d5bf88731 |
| SHA256 | 9828ed7b0961ad97a81a0c75b01e1e120e627f90a30bf8f14e43255bd505ef81 |
| SHA512 | cfddba2e36eb2379c988a24d914a438d2c53f786b96385e5481699b16340391aa8940e9c0366c7dc0ef8167227ffdc2a60b7d43318db24fe795d56dae6e3023e |
C:\Users\Admin\AppData\Local\Temp\KMYY.exe
| MD5 | 495c94468e88be06c96251727d59f6bc |
| SHA1 | 35640a58f5b5c09138ca6f72570f305e44744781 |
| SHA256 | ea0a16d5026858bb18fbc9071a4dab0000beff3adf7a4c3ddf00d1f9cd64a4ec |
| SHA512 | b009e1afdda9422c686802ca5ded50a489389bcbd44e1b0a232705d2b85a0c86ef1a3873364c4e3b2d72b9500a5acef2e8b133613646d1505c753de9a166e78d |
C:\Users\Admin\AppData\Local\Temp\kkEa.exe
| MD5 | 912294423b9b5f9bff44d75c5f7a092f |
| SHA1 | 2e1f678f0b135d332c58b4ede1d1da8ddac62d81 |
| SHA256 | 3eab997379cf7eba3311fcdba5569499cf5d0868da29c1b5328ceadd22521770 |
| SHA512 | 0b94b939c5526bbdc3a67b9c5dc5f6475602447baf3ac801d756b9b983cac856969267ecbe3ef18b15d77f2cd10eda62d7dace87a60fa11f92739d960e730f5b |
C:\Users\Admin\AppData\Local\Temp\gwIu.exe
| MD5 | 9092f8ac65d1983c08b589b4ea64693f |
| SHA1 | 4a72e7a492b4b62f6b78f761821391e14269fd2f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 17:57
Reported
2024-10-16 18:00
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | C:\ProgramData\cUUgEssc\OKkMcgQc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe | N/A |
| N/A | N/A | C:\ProgramData\cUUgEssc\OKkMcgQc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" | C:\ProgramData\cUUgEssc\OKkMcgQc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GmUAwUEk.exe = "C:\\Users\\Admin\\wyEccUUs\\GmUAwUEk.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tKsQkgIg.exe = "C:\\ProgramData\\niMIAkwI\\tKsQkgIg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" | C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\wyEccUUs\GmUAwUEk.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\niMIAkwI\tKsQkgIg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\cUUgEssc\OKkMcgQc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"
C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe
"C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe"
C:\ProgramData\cUUgEssc\OKkMcgQc.exe
"C:\ProgramData\cUUgEssc\OKkMcgQc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOEoIUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwQoskok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMMssQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AkwgEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWAAoUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSYMEYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\wyEccUUs\GmUAwUEk.exe
"C:\Users\Admin\wyEccUUs\GmUAwUEk.exe"
C:\ProgramData\niMIAkwI\tKsQkgIg.exe
"C:\ProgramData\niMIAkwI\tKsQkgIg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 36
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQgQEkwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUwQQQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HqIoIEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCAMgcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\riMgcsoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQUAcAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAMkwggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwQkQQss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMYQEkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HMAcYMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lUYAYgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQkUcQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAsgEoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UoYsYgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSwEsUcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iKoEEQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GwgoMUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\puEsgwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGEgEkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1996846711-141375339811044930174398698731734652599163216291-1501132218-2101275519"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqwEEkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSAMcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2053657950-1448534598970516641-1138209088-105192762-683915045-6154864681321865949"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YCMEUoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yCQkIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEkMswMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1970664945172203365-1360865182836622583-176360585114261144191551685855-822967447"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YecoIUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13008743891756097600-5390318832968633181411607919-136582195-676825596-2127271051"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9629197031650094943-493838183-1948921462-1791331270-21775914-826878118-1380777981"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\usIIAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "884682096-20958555178860974439881438195832295462016953569-5363876261574590819"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQAwUwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKkEQQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4031761441973066693-104078386620937374791601692608-404633338-295169065-1136356769"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lyMIokMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuwkAgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "94573537863438226-59349681892570123019831466281811419700-218349845573230899"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMEoAcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1862436180-1147906114-21193091691434582737357516249173159902610126509171920138070"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-192323560-965764843889334371805349963-2063508565-59204693424792381539394267"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoYAIYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmUgMwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGgMAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIIIcwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-467116351560340240715950109633035181229681578-304537653-960225529-304275672"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-915930821608826712155017176511947111791105401958-1275179935-1976367471106236480"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FwcwMgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-459046997-195467274410020794311021775054-1208129185-938445406-1667604457-1039634196"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RgEccgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-787719560-696147128-8893582562010303731-519852979729068967-10388016661497601043"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogooggMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-38040671842905814988065591914486079-21082867961577321658-5393020961657447278"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGIwAUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\scQEwcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIscUQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "143587016-1573976677-15585618291601634641-2340653871917293130227763316-1302917272"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11116316752066434658-384022949-18587567441554171520468664384-14449175731532933133"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DccUkwMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-179496490-1425839353-99335346317021942681079054892-2687550221408017349-1351655475"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HKgAgscM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121030619613220938821142451374-577458610-829094058-14009962751375558-678477843"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VaYsYUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\syIEkgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiMgsEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1481956095-1452940822-17040855139037952527804322-1560502345-1545440455-268305970"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "153092679658332779391549044-80818038618561608517894751501166805719348074802"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yKcQYEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2804018022079397736-2112918654-125296040415225928781365105016-2001105875-86281749"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muAsIgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1501868802-1710106219860080367157581046618100200151540479751457004331-983429825"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEkIUQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6871315691517296817-2905749156157955832028070556726372893-6266580981754012355"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vowocooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUEAokgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2133583736-1847363737747665915714534378-7324708761738485168358458713777444624"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "130917765-1513506799-13733257721433897849-1752426908689612579-13368922622094927333"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOkEEwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "252779751-13048622521264831518-393003791534594081279921596-1914435466816206470"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "222919241444826355-257771693-212162798970900325-13023159501368094200-1525069601"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSMcwwEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SgkcsYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-564700513-1322868073566965270-1874123926-19986024511034674912-2039940057-1942985694"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3530780911383777368-1590795649-625495890-216357051151515376119291017991755368822"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\osUQkwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wIoIUUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcAcYwMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rwsYgYYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1157214688-118775644765565947199332477414640680825808507861662327277-669445124"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
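The reg.exe invocations above are the same three writes, repeated once for every copy the sample spawns. As an added example (not part of the sandbox report), the following Python parses those command lines and maps each write to the control it weakens. The `reg add` parser is general; the watch list covers only the three values this sample touches, and the sample command lines are constructed from the process tree above, with one Run-key write added as a negative control.

```python
"""Classify the reg.exe writes seen in a sandbox process tree.

Added example, not part of the report. The parser handles the general
`reg add` syntax; WATCHLIST is an assumption limited to the three
values this sample writes, not a complete policy catalogue.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hive spellings reg.exe accepts, normalised to the short form.
HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_USERS": "HKU", "HKU": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKCR": "HKCR",
}

# (hive, lower-cased subkey, lower-cased value name, data) -> meaning.
WATCHLIST = {
    ("HKLM", r"software\microsoft\windows\currentversion\policies\system", "enablelua", "0"):
        "UAC disabled (EnableLUA=0); HKLM write needs admin, takes effect after a restart",
    ("HKCU", r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"):
        "Explorer hides file extensions (masks double extensions such as .png.exe)",
    ("HKCU", r"software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"):
        "Explorer stops showing hidden files and folders",
}


@dataclass(frozen=True)
class RegWrite:
    hive: str
    subkey: str
    name: str      # "" for the default value (/ve)
    type_: str     # reg.exe assumes REG_SZ when /t is omitted
    data: str


def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    """Parse `reg add KEY [/v NAME | /ve] [/t TYPE] [/d DATA] [/f]`.

    Options may appear in any order. Anything that is not a `reg add`
    returns None. posix=False keeps Windows backslashes intact.
    """
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if len(argv) < 3:
        return None
    image = argv[0].lower().rsplit("\\", 1)[-1].strip('"')
    if image not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    hive_raw, _, subkey = argv[2].strip('"').partition("\\")
    hive = HIVES.get(hive_raw.upper())
    if hive is None:
        return None
    name, type_, data = "", "REG_SZ", ""
    i = 3
    while i < len(argv):
        opt = argv[i].lower()
        if opt in ("/v", "/t", "/d", "/s") and i + 1 < len(argv):
            arg = argv[i + 1].strip('"')
            if opt == "/v":
                name = arg
            elif opt == "/t":
                type_ = arg.upper()
            elif opt == "/d":
                data = arg
            i += 2
        else:                      # /f, /ve, /reg:32 ... carry no value we use
            i += 1
    return RegWrite(hive, subkey, name, type_, data)


def classify(cmdline: str) -> Optional[str]:
    """Return the watch-list finding for one command line, or None."""
    w = parse_reg_add(cmdline)
    if w is None:
        return None
    return WATCHLIST.get((w.hive, w.subkey.lower(), w.name.lower(), w.data))


def triage_cmdlines(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """(command line, finding) for every watch-listed write, in order."""
    return [(c, f) for c in cmdlines if (f := classify(c))]


# Constructed sample: the distinct command lines from the process tree
# above, plus one Run-key write that is deliberately NOT on the watch list.
SAMPLE_CMDLINES = [
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Temp\x.exe /f",
]

if __name__ == "__main__":
    for cmd, finding in triage_cmdlines(SAMPLE_CMDLINES):
        print(f"{finding}\n    {cmd}")
```

Two caveats when reading the hits: `HideFileExt=1` and `Hidden=2` are the Windows defaults, so these writes only change anything on hosts where a user or IT had turned extension display or hidden-file display on; the `EnableLUA=0` write is the one that matters, and it only sticks if the HKLM write succeeded and the machine restarts.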
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.14:80 | google.com | tcp |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
memory/2068-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Users\Admin\pqIwgAIo\uOQoAUUw.exe
| MD5 | 49aae32b5204464234752d0a76f195ae |
| SHA1 | 6f4bedc92cd50bdaa732d4de03e48848dbda6dd5 |
| SHA256 | e0c48143eb5e6f6e1c9ec3712018325fac19355414a097024bbe0b1665ba3a35 |
| SHA512 | 91a3c07870906d38eb7e75bb89318c19ef218f4c3656ae26682f780730a06df7fcca850b76ee29015dfa74e6dcc231011cf9941a48486fa23bfead155fad438c |
memory/2068-4-0x0000000000320000-0x000000000033D000-memory.dmp
memory/2744-13-0x0000000000400000-0x000000000041D000-memory.dmp
\ProgramData\cUUgEssc\OKkMcgQc.exe
| MD5 | 166fe8f069356449b7841fab8c2305dc |
| SHA1 | f198b6c62f2600623e067265878ed04ac4069429 |
| SHA256 | 77665b9a3e5e6589c555a0e78668670947706e14c221c92abe8013c335892a18 |
| SHA512 | 79fec6ac0793c1df9452429cdb31ce5b5ae1d18bd3977f4e77b58a8360039d0ed86a58c7d0839c32a2f6d91829e399d93c2f46730b7e3a5794e4a6a5624c103d |
memory/2068-16-0x0000000000320000-0x000000000033D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\veUwoMQA.bat
| MD5 | 328bad63ff114aa54e46148be98bf770 |
| SHA1 | 82d195023133246f8369efc84e7dfaecbc433715 |
| SHA256 | b5402110880edbf5102c7f7c61f5d5a61b18057876ee87314e313d9b33eb4cca |
| SHA512 | c2cc4ccecc38ceb3a8fc5b18a47728dae6b3db250e824e783def381f00d96308907a622ab6bb06dddd98bfbaf83d50d594e34af0c607f81dc667a66615fd3f88 |
memory/2568-31-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2760-30-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2068-40-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jOEoIUYI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\PoYgsYEk.bat
| MD5 | 233c255b8fe9ae5d27793c3d7643b437 |
| SHA1 | 2a340f3a243b223f9a60471efebc35a4fef528dc |
| SHA256 | f7e94d61ff64b76b2a26f9d7da8b13a42f9c4927808445ca083e8496c9cd1b78 |
| SHA512 | fc8cfd8f788de5587dd0faae1263d26d9a672d74f5ed0be8ed2db7d05e20f8aa848edca4a1e306d7257aee6642685dae886ec5507b0d2a5ca847b3b035a8e51e |
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
| MD5 | d715f659c83f2b95e8a4ce1233822e94 |
| SHA1 | c2a5cedfe5e05fa74d17bc6c9665d27823c3650d |
| SHA256 | 8a3d3787c7a87042010865e1d0aff07486ed919cecf52b21746ab8c6ec7de94c |
| SHA512 | 1afe9f4713af2d2e0a509fcf2e727bc4fec2099291480d2edfa9f4e0853376d690a42d5c7af37232d21f21afa98d5e8ddc6c45fa8f2829e9eb6930792f92dde5 |
memory/2888-53-0x0000000000260000-0x000000000027F000-memory.dmp
memory/3028-55-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2888-54-0x0000000000260000-0x000000000027F000-memory.dmp
memory/2568-64-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NawYockw.bat
| MD5 | c7b9f5d5043b9f4e6d36ca61ae8c2f23 |
| SHA1 | fca460c37e42382e625c1844e30e4ec24b06d28e |
| SHA256 | d80a9985566bd6274c0f1d64f41ffee11b407e2151b23db9c2141a9db61ac5ae |
| SHA512 | 2389fdb1295deecc59ae1b8d78b27d7110965b094309111e6df51d5da8fcf5a1d9e4ec1d56f4986a19a5d9eb9b1168e3ac0694da1907a114f4f4353f06b3c081 |
memory/1832-79-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2840-78-0x0000000000260000-0x000000000027F000-memory.dmp
memory/2840-77-0x0000000000260000-0x000000000027F000-memory.dmp
memory/3028-88-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eicksAwI.bat
| MD5 | 8c2fc05a01712e923be75b08740e7fa1 |
| SHA1 | bdf5e21b1025b95f91b3818235fb4df9cb507190 |
| SHA256 | 2987770d75600e9794972d83d2acd494d10035828a22e9777bad93f4fa5a3c4f |
| SHA512 | 3dc47169e4d3d6426eee3eaf0599843391639e646fa839a22ba2c2911e2ea4d041df5a44af30a41d504c8c9af74369641818ecaa50ed3519f306cc169a1373e9 |
memory/436-102-0x0000000000400000-0x000000000041F000-memory.dmp
memory/844-101-0x0000000000260000-0x000000000027F000-memory.dmp
memory/1832-111-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UMgMwMEA.bat
| MD5 | 526d4242d59bd6bac9e004f10419335f |
| SHA1 | c2ceabee53525c81e36b090501189337f79ea94d |
| SHA256 | 0beb3dc8bae72100af3e780234bfee82c3b945b944afab5f7d526c596ba23280 |
| SHA512 | 529c27922eeeabf328b659e50cbb8880ba3e61171887cc77294b93e22b92c63136a21c0ce1e0e4f03760812b5bdd766d3edd2711266da52c5a3d4e9e706259de |
memory/1348-124-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2512-125-0x0000000000400000-0x000000000041F000-memory.dmp
memory/436-134-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WeIkMscg.bat
| MD5 | 4c1a0187e5ebde850fdc898cd0af4bf1 |
| SHA1 | 0a51e9ff9ed687bc6cc16eb1fa8c0b7e3bcdfae6 |
| SHA256 | e7b72c60b6ab00e25aaff468c71b9fd597a41e8c45362f2f08630b6280c160b3 |
| SHA512 | 5d103892f1a7723674222621d291b5d4bc4d4eb4b8ee4490b6a04f33180b7ebb7cac404ebbb74139aaaceb7f122861b8d8b9f5fc849ca36650977f00f08aa299 |
memory/1924-147-0x0000000000170000-0x000000000018F000-memory.dmp
memory/2512-156-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2244-161-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2244-160-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2612-162-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2560-165-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2244-164-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2244-163-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2604-168-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3016-167-0x0000000000170000-0x000000000018F000-memory.dmp
memory/3016-166-0x0000000000170000-0x000000000018F000-memory.dmp
memory/2244-169-0x0000000077670000-0x000000007778F000-memory.dmp
memory/2244-174-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2244-173-0x0000000003D50000-0x0000000003DA2000-memory.dmp
memory/2244-172-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2244-171-0x0000000000360000-0x000000000037D000-memory.dmp
memory/2244-170-0x0000000077570000-0x000000007766A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rggsUIks.bat
| MD5 | 33d6374ebf167c5e153c069399c6c111 |
| SHA1 | 62c2797927d98f69d8652c19001cce1add22c1ca |
| SHA256 | a3904509a878444b99f131344e8df5afe989dc97c0f168641a4d14508c8f67cc |
| SHA512 | 12bb10ce902161edf992ceeacb14259b2e5adf534eb28e77fdacc7966341f48a8c2387ae650044840132ba2e1bb36f3561663cdba0afeaa241b5172f40053df9 |
memory/2604-194-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xEUsAccc.bat
| MD5 | 10219a191bf1db8f8b4c644f9d9c438b |
| SHA1 | c808aa5fc5ef81489b88fdad32c77726a9076899 |
| SHA256 | 055f7af7489bb2b8edbd184ea8765db0110b93197a8e3198072945b14c671285 |
| SHA512 | 3b71202170b90a7ccab01e1204ec7cb3121c922527f1faa8084ba4b2be4066acc143b4e82d659de509bc844f576aefb3248f345e736c73bc7bedb9f6248eafe5 |
memory/320-207-0x00000000002E0000-0x00000000002FF000-memory.dmp
memory/2404-209-0x0000000000400000-0x000000000041F000-memory.dmp
memory/320-208-0x00000000002E0000-0x00000000002FF000-memory.dmp
memory/2364-218-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bOkUscgg.bat
| MD5 | c3c84e6df6a9f354d542c254411e5ef9 |
| SHA1 | b9ba6a38c5b6e6d4a33b59d04ab14ac8b382fca8 |
| SHA256 | 28da4e6ac828b0b14a81d8f1de4932435e42f49287187359178a5dc4091367f1 |
| SHA512 | e345eb60a68788db8cab0aa571ca6eb856435c407be5af87c96c992f04d45d8204a4bcbeb48c291e39a9a9e325f801e1822bf927e6542ae50565633d98b6aae1 |
memory/1688-231-0x0000000000260000-0x000000000027F000-memory.dmp
memory/3000-232-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2404-241-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tGUsEYEI.bat
| MD5 | 8b7c9120d4b0d27f1ae3dc5c4ce60158 |
| SHA1 | 2fc87e31d1dfd5487498acf9786d9e017a1ba2c0 |
| SHA256 | ba39b9e3263c5a7ece750d89849486d934517353acd7d629f9cef89d92352ed6 |
| SHA512 | c96020ecbe3dda7b77f1e48b99555319e1989e9f552673cf38188c61941acf3531b34250aea482ea9e8a3c70d3ab1d1a5085b596599a84204a038318449ca13a |
memory/2208-254-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/1820-256-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2208-255-0x00000000000F0000-0x000000000010F000-memory.dmp
memory/3000-265-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qsAkcIss.bat
| MD5 | 393ae80478ea64bd967fdb40bda8d9af |
| SHA1 | bcf73c0fb7be94255342e321f20a5b29313e3f27 |
| SHA256 | 3294a0200ccabf51456be43f640d974e13b5da615c8437500329b57ace8a0242 |
| SHA512 | 815c3362f05cba5cc7b5dfb66f5f64edd2616c225417fd1806ee202afaf13ade208d4cddab043777460511ed0648d8e915855a568ddc6da7a7bd92f1f920c3bf |
memory/1572-280-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2708-279-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2708-278-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1820-289-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KicIUsMg.bat
| MD5 | a0b31a2e5bb22ffdd7794b0a5730717d |
| SHA1 | 8c8a6e442f1b6923a3f2c5f0116f02092955e631 |
| SHA256 | 418538d88d9f680bf6eae190c387cb80fd1ad8220385e6dcfd515e42ba5385c7 |
| SHA512 | 62f891df64083d6eb491d612f6859bf8e49586e0bdc869c46df91951d0eb4c9897b484ad8017548fea8149c24b3c7ac53393769c039c05f70a010085bf3017b7 |
memory/1572-312-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2052-304-0x0000000000160000-0x000000000017F000-memory.dmp
memory/1716-313-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2052-303-0x0000000000160000-0x000000000017F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oSwAcIsM.bat
| MD5 | b07a925ae4a12fa40205af2645f19ffd |
| SHA1 | 98eac9016ba1474caba4cf1f834fb09885c14b41 |
| SHA256 | 6b7395cfefa7106931f9a5b487d4b4da6149bb11385711383450593aeb24dcf8 |
| SHA512 | eb28ad2f0cdbb18003be7a3154871df204d0490a1f1e590db659454d755c56134ad4975b21fdb4acbd68aef92d6f15146d33ea868ec15348d5c54eeed1d9e916 |
memory/1804-327-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2764-326-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1716-336-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bcMEoEcA.bat
| MD5 | ea26b536a66d05a49ca5da412129de7a |
| SHA1 | c6d6bee9e6c299dd958e4a14f1e08dd47193795f |
| SHA256 | 63cbbad1eb265306c8e53d3f525fb686eafc08b37fa11547b7cfe774fd2fa36c |
| SHA512 | 462edf0ab4461de341ef98778b6a7558764afc28bbc0d0f414bea3382f0df641768f12020049fca6831c0486b046546f6b9efc01ddb1951ad1c8f7d9d8fe90b7 |
memory/2192-349-0x0000000000120000-0x000000000013F000-memory.dmp
memory/2192-350-0x0000000000120000-0x000000000013F000-memory.dmp
memory/1804-359-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XMYookAA.bat
| MD5 | 1e8b2ac79f531ff562a8978da9cadfd4 |
| SHA1 | 5c0772b708d33446eac5f34d878c8038618f9057 |
| SHA256 | 9b36d7b61f4dd0ef44aaa79e67b50a60ce40d51c554652873533c172e411a5ec |
| SHA512 | 2871802bce51fb9f962d77eaedaf5cfd16aab8cb828c7c29cf5ab41632fc9ceb9317159fbeeaabfd59f242ba69cb50e5e8185aea3aeb5f18a0a17d61d4a0cbd8 |
memory/844-372-0x00000000001F0000-0x000000000020F000-memory.dmp
memory/1256-374-0x0000000000400000-0x000000000041F000-memory.dmp
memory/844-373-0x00000000001F0000-0x000000000020F000-memory.dmp
memory/1136-383-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FCoMAEgA.bat
| MD5 | 132c6d68ffa892fbaabb2e0575122e1c |
| SHA1 | 83a5d0aa5745dafa1200551698cafb8d3fb943a4 |
| SHA256 | d97df1711711a871b9ff7fd3dfb6e933aa85b04f7c27928239e7c5018725356b |
| SHA512 | df215c40355b875b0e4a17d609a9d2e3cf03dddd2bdd50e610cae01adf2e280e70d8ea7e76f0ba9128f0193b8f88a1489874e5a3bc8f149c0c6bd53a02560ca0 |
memory/2116-396-0x0000000002250000-0x000000000226F000-memory.dmp
memory/1784-397-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1256-406-0x0000000000400000-0x000000000041F000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\mIUa.exe
| MD5 | dc00029bf1ca66ba56951dbf645efac9 |
| SHA1 | 200d5e9deab0534c17aa077b67db1ceca2da8e6b |
| SHA256 | 6ec285c8e87d502b947f4e12455d70e1ab01aa1c3e578fb002e84fc4f5b4145d |
| SHA512 | 77aaa069ca70bf60be219aa762ef87f7579307fec2c75c872d9d275859492edffa86721ed4365de0da187d936e42c336c6c053984ecc0e8eb79ba58b39ea2021 |
C:\Users\Admin\AppData\Local\Temp\lecMMQgE.bat
| MD5 | 53d36fb90578f0b5a57b1c694644e757 |
| SHA1 | 6e8b6877a5a08ba83db4958d84a78b04e5cb8215 |
| SHA256 | f54ca8655b41ecfaa0141bbbec656e67bc5cbe0ee487fbb46b882d9885584b33 |
| SHA512 | 9322e0034ec201f2c4eac156b248c223f1f9cd346d3d991cd40b3d11bf75f5b5297ff009c3f0343749008fec32b719682386a007e6ce1de931564c69866bd9d1 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
memory/1784-446-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2752-448-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1704-447-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ygso.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\oscM.exe
| MD5 | 2796c7423cbf4d41d7219c07151152b8 |
| SHA1 | dd277dcac6307e0838bd45d3700b3312309e2ffb |
| SHA256 | e8f696bb20eb60f3899d4680a9a32b3b3e4ef4e047846a58a6bbc7bcca598f81 |
| SHA512 | f894e16f8ca8ea8782a0792a14a637faa8129966c32ef9a0ebf9fbfe078c09cb6be87b30a16fdb3969ec5655514a0b91b17a092856b941273258ad381bf91749 |
C:\Users\Admin\AppData\Local\Temp\GecYwQss.bat
| MD5 | 47d854ac8040cd0b78fce4b45ea82988 |
| SHA1 | f2b94c1ef83c5eec680e7462f486f4300d9cfd78 |
| SHA256 | 5121edb063313abca66b5af9930556d249c838bff932fee832cfc71f504eb850 |
| SHA512 | 1891d32cb0e7a38b95bc973d386527db47366b0074523e4b2fca3687dc4b899458f5ea553790cd7e12efe9f2efa81f39918e34da775947eecc5e9829dbe6ea0a |
C:\Users\Admin\AppData\Local\Temp\ckcQ.exe
| MD5 | a4d6028b68e9117d53c2526a56f6836f |
| SHA1 | fa735a5fe662621ede487d83713dd4119380469e |
| SHA256 | 86eb7730952ad35ba5e5054adf8a098999faf254c3e779e5112350adba7989f0 |
| SHA512 | eed8c39f1f9c6514bcb1ed70757c6e5ac277bcb895c8dd567f06b2983c5823660ea7e0fbc46641db5ad70beff168f9c67ddc641df1b83cbea66134633df0e79a |
memory/324-512-0x0000000000400000-0x000000000041F000-memory.dmp
memory/324-511-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1708-513-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uIAG.exe
| MD5 | e01adbbcfb386e69c79d477f5376dfb2 |
| SHA1 | eb8a8f6f9cb02323eabf8fd8607477fb8eaa5b45 |
| SHA256 | 547204ecf403ad513458aa6d2af6546513a4a967733eccf47db4a04ccd0bdc27 |
| SHA512 | 1a1c492e4a832b8afbf4ec204bd4fea5744ce6228527b9d757bea7d8b7ec51192e20ce3fd32c95526908b9c97f1f688acea5ef24a74d014f37048002adce0744 |
memory/2752-535-0x0000000000400000-0x000000000041F000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | ce283c3080a9eafeb5fd375e09c3c1cb |
| SHA1 | ae78fff8267c705d8dfe32c2e786a7554cf8a4e9 |
| SHA256 | 9cb515abdfded00077c5f851913c204f43e353b1480aeb0ee38151e3ec558ac9 |
| SHA512 | d80b78113f7e50a9aaa499efe35f7413376ddb618159749a62dd04766e0be07cbb3c12869c1a95e5a5f2ddcc0b5891e9f29c43442d79f5899dfaf620b8e7e88d |
C:\Users\Admin\AppData\Local\Temp\wsYy.exe
| MD5 | abd51e0b1061f6e051f99233cd8e8a1a |
| SHA1 | 8836eca2f29c6fba9f57724c4c31ca2443d34262 |
| SHA256 | 1ca58ece735df16586ab4ded65490a04978178a1dd6a35b378e69915675c7145 |
| SHA512 | a27e6ee8b3c1486264c9a3ea5c61b1bcc1ae046ebb106d88851fb7eaf9dfd8cb0718b5560bc8987cef210db2a066ca6feb707229e6d5f86a26519fa702b6ab4f |
C:\Users\Admin\AppData\Local\Temp\yoEO.exe
| MD5 | 085a6853f6e9b3c5c28d5a206db0542c |
| SHA1 | 3ccba9458af44636b6677b6cf7474be9b4d308f5 |
| SHA256 | e5ce578902d3c9ad601445e6aae3e243b43eb549634d9a84aacb6355284f81cc |
| SHA512 | 4852974d8bcc2af49100cd71577a53521c0606332c4f5ca0c5e0aca08a974de19740a9eb6c741ee9ff4dc693fe6d5de38a07543ed69cf071f387b4d5e15d5a59 |
C:\Users\Admin\AppData\Local\Temp\qIkQgMEU.bat
| MD5 | e23c24d57ff58c95ec4fe287bb948599 |
| SHA1 | c5c3757d62aba4f4140c6510ca1493087fed541e |
| SHA256 | 834ebd14e912414f4b64b591f8d15fe17c1a319360e26c284521d8afa70eec84 |
| SHA512 | 98b4829a930892968c4e1bd9e2575037cc649cae12ef11ecf6b13ef3752632fbd80c33ab62c73ed7ca5ba829a540616644a3383e469fa31506d56d0f223378a2 |
C:\Users\Admin\AppData\Local\Temp\AosE.exe
| MD5 | 6a3e63f8add4a69003dccda4ebf3c02f |
| SHA1 | 85024836b977d0c48f37a4feaf6fab129834dbf1 |
| SHA256 | 1d64daa57a1969bbca923453eb063f8283707ae1db9a934a1c1ede10a6feeaeb |
| SHA512 | 4f0eab00f9d3426a7ef5428e58db2dca78f874bbcacacd3c39c3b8020ede08fab9094d5b0c9d9739270c251d84218e98abacb38ca597beeaf762a3e836574d56 |
memory/1768-601-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kQQy.exe
| MD5 | a9a9ae089d61b5df7a85fdccb4713cde |
| SHA1 | 93aa150fb9fbd8589ae69797212c40e7e8450606 |
| SHA256 | ceb527aa1ce6fb36e2e679b1922f733e2ac87410beaafe2ffdd6691e7efce09c |
| SHA512 | 5770cf80846802a3a2e98d5f51a34d446dc80dff01530d50aacd2561c42e48cc2451474e3b856e9d7d04c9a0cd52a53822ee4b859f402fbdbaef23a55c25f4bc |
memory/2468-600-0x00000000001B0000-0x00000000001CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QoAG.exe
| MD5 | 9f11593204d6b47b565be54a13f0bc45 |
| SHA1 | 6f7fe4c79a1062da9a2c869ac9acc5e8d990086c |
| SHA256 | cf8ae34ebf5f34f487d883efa54890772d1214c13ba9bba0d149f3dd3114e243 |
| SHA512 | 1dcbb0ed15cffe67c053beecd1744b14eb9a3ae418591b0760a51dca9a307fe6ff72868f889cd7a35c14cfe90b18150cc4dbb5c331c5c068b23584dd4414f5d3 |
memory/1708-627-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2468-598-0x00000000001B0000-0x00000000001CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMYy.exe
| MD5 | 8a52072d1b696cd2142c359bf4848e53 |
| SHA1 | eccf027bea3fd930a8489096587d0f60854011ce |
| SHA256 | bd0bc7cb096755a2e3074f7bddf7bd237d80322d9d6a3a0c62265bf39b0f764b |
| SHA512 | e7164eb6bcf66d68f857930809b6ea88c6f5f1007d43ba8ceffa64ab6279c8ce6a12217a5b653f0d41d4f1efe963b3fb7e8ee8fea4cf84950440a06b6a9425f1 |
C:\Users\Admin\AppData\Local\Temp\UQEU.exe
| MD5 | 52b16a3381cb113c7910068109a28538 |
| SHA1 | 97df189f254adeee0528b9b10c2d1e90f56119da |
| SHA256 | b2412c3884f0a610c360acbc0f28f0cc8c996c20e64fbc945d6a4f5b8b25d59a |
| SHA512 | f221c7e03e0cd36c1b7c6b0162e362864b7502041fa09117caafee0ba1e6df9fdf5946390a9ef79539bfec76301ba22d16d0e04f5da925654354e4ab893690b8 |
C:\Users\Admin\AppData\Local\Temp\QwkkAgYo.bat
| MD5 | 95d84d0118c6f8ef4ce9364e5093f37d |
| SHA1 | 5408fe0109d4c2224d0eeba71f7ea6df314388e4 |
| SHA256 | f94e123eda663c54604077de21f4b6c852ee87080ec572a7067b99d489152a11 |
| SHA512 | 82c93c1871d0b256c3af50471e771f15bde3c4e038ede31a6e32369d7959b87ef65e449cab25d98c570b7cb367ccfcfd28c35374602a23b516ccd771985bb196 |
memory/2120-681-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1564-686-0x0000000000400000-0x000000000041F000-memory.dmp
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
| MD5 | 4628f9fe9717068c8137f3dd0252220f |
| SHA1 | ddd4b6cc3dbd453f2f6e4b3ff5b3387b2b73c7cc |
| SHA256 | 3b16cc7f85ec0e430631cc568f404e078a8084609a58f91793522a16d749d396 |
| SHA512 | f84f22bbf4dda623f7b074fb2628c707bf93cbd92e22b78d46496ef2725c110e9d930d4d39c2209f685faff4b4973bc9ad5b43b6d2773610be6c71c94340b948 |
memory/2120-676-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1768-708-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cgwy.exe
| MD5 | 87cebb1d329c38d7bdb9c5eb6cb1cb76 |
| SHA1 | a8853bc4260825b00f1c32811010ddccde1d7cbb |
| SHA256 | 53de6c7d760b05082b7ae060d96d0e666300e4f9cb2ca75d4ef473b701fa2ad9 |
| SHA512 | c89a2021c8301636a9670ec209f22e5d6569b31c9f1b5f86528587b46ce7d8c2b9d006e405fcfbcc3a61704d1d73f4d4c8c5959dd638c7bc00dc81f719c33b31 |
C:\Users\Admin\AppData\Local\Temp\kYkw.exe
| MD5 | c5909033cb9d3e734ecd955c63b2b8f8 |
| SHA1 | be4467988b734d4dd592ada96bf7ca408e2008af |
| SHA256 | e2d20dd9d450fbcb2fc059b1c24e0fd7adeccf01856d76e297df8ad74b3f047c |
| SHA512 | 5883b44c81ba6b029a45bbfe3f6b53d8143bc73f8acb454c67d6ed9c75e4a7f0c01137b38327ee193980a9c3f3c7ce552e535e34ab4c5fa3474e7a7e72638711 |
C:\Users\Admin\AppData\Local\Temp\SAIW.exe
| MD5 | 06787f0a3bc6b5504f3157e000ef1fea |
| SHA1 | 831218fa19aaaabfa9f4479df50581762c14b754 |
| SHA256 | e5e2074bfdda553da38bf2cc4b67df8dec7016eba3cfe149eae85ec8843b1077 |
| SHA512 | 100ead167c7ed3eaa09b561263b37dd1e591637ab79e3506138a539fc93649b5850e1b2a7851ba7cfaf9334da632d0b24132e8d00da3c4a4b5175b80516d00bc |
C:\Users\Admin\AppData\Local\Temp\icEC.exe
| MD5 | d90a57cfa0c58a663469c3c62a7314e1 |
| SHA1 | 305e5431fec5372bc151d615936dd28645e00c12 |
| SHA256 | c344d4b7535a65912795f93cb1118ca1086afd6232140105ac173db54db5860e |
| SHA512 | 8668a4a42f65c2482ae0150548e7fe7715f31fb6d007db6babaecb0495539d7d9f4757eda2a3b2fc0520fd5c7b6d573933e360d345d9ff77f80987582f81c3ad |
C:\Users\Admin\AppData\Local\Temp\CUQswMQU.bat
| MD5 | 96ad0eff52f2b83562018b303f9d277e |
| SHA1 | a86f481a5e0a887a4a0db9a5b0666637ef7a11d6 |
| SHA256 | 731c65476c1cebf7d31fd9280d6d6ff3d333fb877e3b0e47f583691380444a1d |
| SHA512 | faa02ac54db8f7f6f240c9d14cdc11e453f2a027c6750c1e79ed4fc84f7849338232f8b2fe0d6a460350451f4ce225a39d4f144dab873dd2b59362cff6121f55 |
memory/1868-772-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2352-771-0x0000000000160000-0x000000000017F000-memory.dmp
memory/2352-770-0x0000000000160000-0x000000000017F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YUQe.exe
| MD5 | 4737b7d3882d96d2c8f84e7c1df76c47 |
| SHA1 | 0e34920a3a894519ba0b5c5a0eb7cf9315e16125 |
| SHA256 | f387b099a47908a9955f7883afb4c1f7747147f9ac79569c1f702d09c740a947 |
| SHA512 | 325a84c5e0b4866a3fba8d7bf2694396c17560e657248ec6268aa1c876fde4703090cd1f70a6de6fe05d648eea6f50d225610d9da6b8863c38e12064e7e80759 |
memory/1564-781-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GEQS.exe
| MD5 | d92044b7ae27667424c21d7d3f6648dc |
| SHA1 | 7609e4b43c731c49b5edaf7a99e49c82d52a1629 |
| SHA256 | 7ef34ee12ac180700896c817363614c8a52eac3b1aea09404f65b3c5f91dca19 |
| SHA512 | 34da9d4129f2b399389874fcbaec3a013acdcc212a9d385543d4e72415b6279baef9f9818b7d7d73c8dab69dcf024bc42c349eb9c8f692e405a96c53e72a3070 |
C:\Users\Admin\AppData\Local\Temp\yEYe.exe
| MD5 | 7ea144b5fd5674972c3ddb85fdd3af60 |
| SHA1 | 8272c1c67a5e37e1bddeb81433ef33e8e2c65e0a |
| SHA256 | e20c36a0302bed9b2f79ea9bf1650cee4d10cea38c78cf7f3f145294f8c6d6b5 |
| SHA512 | 42b0435ab68a01aa8298cd6365e95c05c6a71e12fe2bdc199db36bb54ead130a3f2c8da0fdad39696b6740578901f62ffaa4f48085ca27bd95575937620cceb8 |
C:\Users\Admin\AppData\Local\Temp\MAAq.exe
| MD5 | 140207ed37d679b488836e015f7461f4 |
| SHA1 | 4a50d47e1c9c40d85bc905368299984e00f7dfb3 |
| SHA256 | 88dd6ce01bbf209c51b8c6a2739f5d23e83cde7d576d96bdede6a8382046cbcd |
| SHA512 | 9c7bc533cf3ec505757d50ee31c17da820b60dc838662dcb4e10384f787ed81850a8f490c5f258d6c131ba166afc361c531586d88d86b1a92e7b0387ff270b83 |
C:\Users\Admin\AppData\Local\Temp\uwsYwMUk.bat
| MD5 | e2b00e216158526a603a986639275ee3 |
| SHA1 | 559b139c6a7967fea0c0d35fff41cdbd1dfcc020 |
| SHA256 | 3e6ed1b8f6f83512e49cc4937aa6d4491d2cb6cf775c48204b55fcbd8bb7d75b |
| SHA512 | 600cf819efc009406883272affde15896a70691f25c8d87b76889657a0a264dcc11cced4a6f63eb1f7970272e9ad45b9267d883bedf03ed99ed8fe93f9544617 |
C:\Users\Admin\AppData\Local\Temp\gMwG.exe
| MD5 | 3de0baa593cbe0d292ecae38a5abaccb |
| SHA1 | d943b3a7d9852ed7b399f81a8c3a5eb528f48361 |
| SHA256 | b3e15d1da2623c842388a8885493bd23840b936912a9f982fc9ee76e4d12945d |
| SHA512 | d642c6416e44d88fb4bbbabae4465c5136888ee4e83431efd6cdf685fdc94270a219807ff1fc6d93c0666a32d12d65339401b3e7c2f6aa03abc717176b8c54fb |
memory/332-845-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2680-844-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2680-843-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1868-867-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wggs.exe
| MD5 | bbadf51d2b0282a2708827715e0e727b |
| SHA1 | 0e81c1b8d33d672d51d67ea36875e218bf9ae361 |
| SHA256 | 0a8706dcc8308971305fe555a3f35eb8efb4972f08bc2a451bdae8ab979077e4 |
| SHA512 | 8031b812004134f0b2959cedaa9317c8109b1f28aa92a6c0dbeea5c721b87f7c1570a236a67425169bd506daf48f3ad4eee432f1e9106ede78f53c55fea3c1ad |
C:\Users\Admin\AppData\Local\Temp\WkUO.exe
| MD5 | f2fa0ca8bf073485e0592e309879f1a8 |
| SHA1 | f011f5418914d54d0c339b6fa61babe691c83f18 |
| SHA256 | e4c70c745f4ee1be2f022603c1259c1c24c9d97694284e1a675e15f2eb6836ab |
| SHA512 | 7774c6301f1a13ed517356f5d01bea7f95c0a6adcc511ec98eef718b7b0b972f602e703060e76df0477e49451bd49e3494e4b7eac073e0b15111fc93bf03f95b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | 520add0cf7d4222ba19d5d454fd4649b |
| SHA1 | c2c0a29a59de78805a886d31887cee2b4afa113e |
| SHA256 | a7e1206c188052429fd6e131a7f7567342dd4b28deca72283044fc93585e8be2 |
| SHA512 | 0b8e35e1a8ee41013f004fd8058941a3cdc157b14cc222d22c8b90d275209ea0d565793e4d04ffd7829d5a40cbcf56ab9a7932879e856e90951abc2211eaf4f2 |
C:\Users\Admin\AppData\Local\Temp\hKwwwIcI.bat
| MD5 | b6993d93b131b8ce25c440e93931ebfb |
| SHA1 | 0871d272808d4f0a2938c89c805248a667e6804f |
| SHA256 | 1fe6b8f0c654783e60a9aef5f61bae9830b528595dbe200ead6d9afa0eb922b6 |
| SHA512 | 078851a2b184874ac882f6110c18cff7143a1a8947ff3ea1475447e3ff841fddc3e5f3fc2b69f399e34ba9e033903ed38da3db3beea8f8949ff4feb4c3f952cb |
C:\Users\Admin\AppData\Local\Temp\WcUI.exe
| MD5 | 2493347891c8ae3fc52621360fad4e11 |
| SHA1 | c9a66ae559046937f0af3d3bc9f5c313812c68f1 |
| SHA256 | 14e19eb2f91860d494f66aba14e59e58094b01eb1560ae0345c895024b006d1a |
| SHA512 | 4de13161e147d30fbdee6f08416846d87f275d218bc8306aae25ff4e7df4d8aefcae09594b0cb75489e50511aed97730b39c73e748b5fc48f4948d31442ba92c |
memory/1648-917-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2596-916-0x00000000001E0000-0x00000000001FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IIAi.exe
| MD5 | ae5314dbd7cd63be50237d5a9c0d49fe |
| SHA1 | 1e09a8b81dc565f3281082bf39428d7a307a68a7 |
| SHA256 | 07271fc7102327135f40f909619d958ac2832cfb5c7fe6ac9a4e2bf379112859 |
| SHA512 | 0af02dc74d7c16fb7468f7562f72d9b53ad2159da7338e5846883c44b1ebf309b695acd58875d97a0d8d80fa959b34083f5d2caae9d561576e8423d5fe5ff5d1 |
memory/332-939-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YkYM.exe
| MD5 | 9d94b1f35e95381bd982b98feb9617d1 |
| SHA1 | d11aabd54ac34c08915b6e884040b29255649227 |
| SHA256 | ff3de4b3c6e7544da6473194d41ebcc0cf3bfbeb88af8766ef7511a3ad6f654f |
| SHA512 | b827cd7c1c467c3b55bcfd2c1ad25745bd74b44f30f86a51a08ccc2139415206462e3213573c2309676d8adc914b9809e7d3699114e0263620cbb80a7898e18a |
C:\Users\Admin\AppData\Local\Temp\OgAU.exe
| MD5 | fc097e25b21674e135ab772b6ed7f1f2 |
| SHA1 | 897d609d098a7db99c74103ffdbf862bb5146636 |
| SHA256 | 85c0d8e5503c1fbf91552959025d63af0f60d40527a4bb2453246d8f6c7ae479 |
| SHA512 | 2017f467111c1d76958bfaf63407bcd858768ed48f36ca00f27390c26f3f4ca69e7a8b7fff6d8e5cd532bbc3f7473460377b0d6d6f4afe2f7629f0348fc56bf4 |
C:\Users\Admin\AppData\Local\Temp\WcAU.exe
| MD5 | 195abb90cdcaec667619f9ca7681b53a |
| SHA1 | 3c216e9aa024eac81a1d8ec9194afaeb58535913 |
| SHA256 | 19a1fb45e9f07790c487c799e071483d5d5411a1ad700fb4dc7750993dabf8d5 |
| SHA512 | efd3ab3411540506a0676c2399664f420ffc7085afe1555023cbe16d699a6411237c18d1c9547b59c47c47b4e6d871b825ceb48bf1a7000e3728890c44d14eeb |
C:\Users\Admin\AppData\Local\Temp\iwsI.exe
| MD5 | fe5194a3f852c676ba5bc81ad36c46d9 |
| SHA1 | 653cd89c5c51e0e4302fb1bf081b2e7f79ef6fe0 |
| SHA256 | c1bec6011e29dd9ecb8e373764083a159be8790a049f066eeb199108cbddb677 |
| SHA512 | 9040df9027f635949eb9454c82db21941d62c5a99d4366852bbcd7542e602c327b0f91c97b2d1590a08885d545fd1e0fd8f9537adcfbb33be83a184fc35cc890 |
C:\Users\Admin\AppData\Local\Temp\JiEwckYg.bat
| MD5 | 0d28fee892866516b5921f4013ab2ecf |
| SHA1 | ff6c34ed6b813d23f65a7217126c76730623f9c2 |
| SHA256 | c93e7549ccbc89ceb800d3012178b4f7485a8069936910d385d7c518acb5ccfb |
| SHA512 | 8aa61f6171d187f7e4dbdcad2b77ca7fd81e57c127d916f17993bdf0542189351e78fa4b64f103065de41ec32fbf63e57a61bedbf1cac4e85a0a094257dd0709 |
C:\Users\Admin\AppData\Local\Temp\Ckwo.exe
| MD5 | 6ca9ecc098f113dc4a4eb896aaff6b52 |
| SHA1 | 5ba1d102ece69490d9e454baa4fe8bc6aa6e4dc4 |
| SHA256 | 07b57ea018dc047a314f12cbf38c78ae103d3335163e89b885a917a2e0c25a34 |
| SHA512 | a8af533470a5c3ae4dd31eb0ec0bcdda52883891ddf65978443d4f1d9b3fccf9e727a6216ba3a48b977700dffd8e48507b79865d9952df9b16b93bf43dde6468 |
memory/1952-1015-0x0000000000170000-0x000000000018F000-memory.dmp
memory/1952-1014-0x0000000000170000-0x000000000018F000-memory.dmp
memory/1648-1024-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WYMI.exe
| MD5 | 605451b26cbf874a65bd75fc13c183ab |
| SHA1 | e71a53b269753ec5b086fcf8310db9b716e9f0b6 |
| SHA256 | e9459cf0212f9928cac8881d16f1e39a13f1560cca883201399154fdfdf12167 |
| SHA512 | 81324786865800f8e9dee199dd4933684c5eed1106923d729126c0cb275183d350b420a801e18dfca1f344521162c43b39906b4b0edbf44559bc3fa4dcb0494d |
C:\Users\Admin\AppData\Local\Temp\UAEw.exe
| MD5 | ee2eeb01f23bb4947f8e384c03c5a0d8 |
| SHA1 | 8462b031927385e3b48f38084a065b8dad699840 |
| SHA256 | 499b61dae78c51b1f1d6c84ad57f35f7112a3804d683f0b992876eecdc292548 |
| SHA512 | 9c000ab29d1df2ac843aeec031c6885069a0015a419495e7f9694aaac209272ee14f7a4b2f4840f47d74bce9db9134e0ea1a432941324dae6e4d404939583a4e |
C:\Users\Admin\AppData\Local\Temp\EMYC.exe
| MD5 | 8423791de1a6464199f9a403fc5f6f8a |
| SHA1 | 0592372eee5671ddcb8da7425d04ad98b58d0fa5 |
| SHA256 | 13d6c142c2da0181e88d98984a67144c2a787630842e4e1360f8150ee28b286b |
| SHA512 | ea717fa8d906b883e5bb8025dd891059a347729590841a940ae2b7ca5788476c985ae129dff81bdb21cf587ac616c643bcb6cf72ffd890762b437bb0cfbec2e1 |
C:\Users\Admin\AppData\Local\Temp\VIYMooEQ.bat
| MD5 | 605087256b62299dc19b4f4af1dd52c6 |
| SHA1 | 7edb38672fa0cbea9a640b20fa09ccc73c18f58c |
| SHA256 | c7989ee52b38c733a35302d4007a9616214949adeb87b4eb8ed5cc715c7d6002 |
| SHA512 | 2712b364f39516ad909121b837271399aa9de53a9e85a2193f320ce089e3e7877db4307dda50eeed98c9026d5b68d1ff58a4cc971860746703c523400f57d819 |
C:\Users\Admin\AppData\Local\Temp\WEIA.exe
| MD5 | 2a430481764a064959dafc56d9d2bb94 |
| SHA1 | 8a70ab72132c19bff500cf9aca587ebc081a933b |
| SHA256 | 1dac3ac8c4b2e9e811388afc2dcf5eb69f92a85a3b70f1d07664ea055d3ac312 |
| SHA512 | 6d597f19fb7ee188cd643cb5df3e907f85ac3a980af783f7eb40a242fb61fb54e3969df1879a16c7e5a7e50f77f980d032e266de5091e9ad8785b495fa1aa84e |
memory/2936-1086-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YsIm.exe
| MD5 | bfa80b02c6fb43d880adcd8b41eb8999 |
| SHA1 | 3b64b9b6cb4e5e8fb6af91b8672071f7903867a6 |
| SHA256 | f453a1ddf73de6eb7f0d2da727fc2eca26c26c85a5f29f4b23c2f986006a84ab |
| SHA512 | adb94fd3fc2691a0a9836b9dffac73cc8f974028c2c8e23a919b0563bd3b5acf52c4f0b7c8f495278f30196993d6fb798b719156e85523432e758267ef1ba220 |
C:\Users\Admin\AppData\Local\Temp\wYEy.exe
| MD5 | aeef8a64be5bf039d1ff149ca08d37f2 |
| SHA1 | 7b8ebe7d3dd25475753a7150fc64cad2e0b0c54a |
| SHA256 | a720a3d1b51d5293a0a059205f2024f64c920e290a89e7035ea69a2e4698e359 |
| SHA512 | e7e8ebc8784b3e043374407f5732ac424fbb58b224d0f510b2cc1d6ee1e1603ab34c63bf3a16e8e5d1248d60511d35bd3b6e1d767d0b60783b2776c36a924ca3 |
C:\Users\Admin\AppData\Local\Temp\kcQs.exe
| MD5 | 65e3f155abab4a1c19483c5698dcafb2 |
| SHA1 | 0234991a3dd871721b688027d5048ac8635221f4 |
| SHA256 | 523882d47a98cbfe33eb747887d848456240836fbf2e2ca3f6f11c2f417fa9e6 |
| SHA512 | 84b0b787abe541f05894435b0a584aa0c3d580e8e67c946cd5e7f2a3f6a8f7c52655aac359c80846df1d078d2a817898d2e036c6dcef00837eafe8d0e01a08f4 |
C:\Users\Admin\AppData\Local\Temp\jIsYQQcg.bat
| MD5 | 1358b1c2de12a9afd5d7ac9788f79444 |
| SHA1 | 996087eeffa9b0481c4fd0c6aeedb2cf84aa7296 |
| SHA256 | d4fb2aefc0febaaa2b1570aa4549948f33860f003a147896e89cd8659b25bbc5 |
| SHA512 | 12a49ddb700e72d94b6e70e78b84d4fbc2859028908a508fb7c555ccd9c3bae8a16b8580bfa4dbe9c9a37656a1db4720ccca4860aecb42317b4ef57eaa2540bc |
C:\Users\Admin\AppData\Local\Temp\qgQY.exe
| MD5 | d66e616848826dfbf478b339fe1ae784 |
| SHA1 | 6772d3513388be4b2857d83167161aed792b79ee |
| SHA256 | a233fbeb386ab126775bcd4280903a4354c1e1280708b1eb9b4d7dfc467d4050 |
| SHA512 | 82ce5fbd17451cfd2af99f2f4e2be6319e22dd34e7d11470dafb29716267170012b6f66e10d1a07c1f2c81d01b80bf1b99189be59212dc9add4af074e949ef37 |
C:\Users\Admin\AppData\Local\Temp\AYgQ.exe
| MD5 | daf819426e2dd6dff012b9bfd191e238 |
| SHA1 | ba7824fa686fcb07b6eee15c9e5e2ce2e4222cfa |
| SHA256 | 20efeaa54d9d8d2a2c011508b2976faad497c3d64c7856aade40ce6da5e45d9d |
| SHA512 | 504b6a1ce5c891a36ce678e9bae31007c3ac9150f2bd892b7a99909606caf068f73d4684b5d894fdaef981f3e22232fbeec9d66a5a0564b80495703f7dc90ccf |
C:\Users\Admin\AppData\Local\Temp\Ugoo.exe
| MD5 | 94daddf868981f512e04ac30b65e7da0 |
| SHA1 | 74f57915961c51634a17797c48238002cb914f11 |
| SHA256 | 4475ba99e17c346e853d7d06f22f6ab3805bf52ef2c14f7afc26f0de5ffa18fa |
| SHA512 | 7253337459983eb51b40827659ef954d483d452ea13af92fd2c213d7b629ae94d749422bd461d75019d133fe92cb1c19e8f303d80a6f9a7528045b901d198c8e |
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
| MD5 | 717b1e0be1cf6411203ba01ad6f7ed1c |
| SHA1 | 6641199595eaa51acef7eac11fed719075fe5df9 |
| SHA256 | d53b1d15201070b54857d3ce7e39f327da614ff8f2d572a38c834efc25e789c3 |
| SHA512 | 94c43ab879359c48750a221adfb05001a8fe20f24661d02c06a6afa5f5bd7815da9a9a6709d57aee1c6a44b1808f589a086addbeea127ef58f9daa3226ad963f |
C:\Users\Admin\AppData\Local\Temp\zIoMQUsY.bat
| MD5 | a47e4a8e9c631e825da3eb386b4ee02a |
| SHA1 | af4f258d1d65acb885a5cf5ac9f523b13ab02b75 |
| SHA256 | a2dbfbd26c846066850f64e94b58cedd3ab54872682829ff86384803861dd3e5 |
| SHA512 | 81c0353978c04dd0e5f7dadbac2699257893141828198a48530e4e108c4ac12cd1613b0e4119b65982413737d8d722c9764020e18d124b7195373197667e2647 |
C:\Users\Admin\AppData\Local\Temp\EowA.exe
| MD5 | 49d1b256437c7dec98d1f8a3c1e3ad56 |
| SHA1 | 3d68c8a0dd86b3daf0b785f689d31fc33f94a00a |
| SHA256 | c8ccfeee33222d7be0de5131f17fea59b6a8e1a69ec5e234231832093c72ac39 |
| SHA512 | 9d814d1502ab5245c7c4d78c8f1eaf3a67da1fba85bdc8632969e62e4abba6ab8ff8c7de4c9eaa3df53b07ea02a689b09a460545245d6814730e51ea533e03c3 |
C:\Users\Admin\AppData\Local\Temp\iMMq.exe
| MD5 | 4feb24be00178e51eb6c24fa877c014e |
| SHA1 | 4b12cdc4eb1197581418b90470811b4eb675b34e |
| SHA256 | 602edbb0486e47084969e1a28908f8c545d5f6e5726928363a1dfaa579b5a832 |
| SHA512 | a84ba42f3d5fff5437cdca1c0beb36ed84453667477f15a52db910214d3793d7b7bca4ae01038dcbeed00c33b4c04a9fc78e948ed0e3e5831f3e92ed63f250d3 |
C:\Users\Admin\AppData\Local\Temp\CUwo.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\qUIM.exe
| MD5 | 825d0df2ab8bdae6585fdd968455eb89 |
| SHA1 | a7271ca509cfde27ad3784841f6b2c996667fdce |
| SHA256 | bfd883ac3179550af98d679ae71cc43c81301159e4a47883931ca69180cf9fb5 |
| SHA512 | eab7481b370a4514c580123365486cc0e773bbe4a3dcb91dba6db7a8135f60efe27ea6cff5c1d09cd7c792ccab964ec94970932c70f0210bf92b776ad2d62bb8 |
C:\Users\Admin\AppData\Local\Temp\KocY.exe
| MD5 | 98b1528b826b5d19d0862ed2c97e89f4 |
| SHA1 | 8085aca0c4a04f0e44f460cc90fcaa712f53ff61 |
| SHA256 | a0c49878c7749801a2e7fe021ddffc0739cf14222818698b1e5b53d18c0d28f0 |
| SHA512 | 04a13b1408c8c404167ccba4852bcb5d3b8c2c388678107a64fe5a59cf52067cb78df6f657f19465600063763ba601d2ecc658d820b23078dad4a4553b19e258 |
C:\Users\Admin\AppData\Local\Temp\aAoY.exe
| MD5 | b467f9d83abf8c0ffef085aba4cc4047 |
| SHA1 | 8a3db47a7833e754f9be669813f9c3e3c19611d0 |
| SHA256 | 591aef0ec9a8f5a4ee707426560b1504afc612ed44372addef91c96537534bbd |
| SHA512 | ea9d05eeb138565c3c224d01649978753670150c4b14bb291d52a85480b7944feb000a7493c7cc1cce6ca29e80f56bca45bc3d2621376d42497e507a8765c397 |
C:\Users\Admin\AppData\Local\Temp\imAkEAwQ.bat
| MD5 | f2edaaa76e324d2dd42609960fcc674c |
| SHA1 | 621071c105dd92447e70bbd5928c525891f4ab0d |
| SHA256 | f6bd4358f97ab5200ad40b95608353b8b360da95d81b22643787a20c57c54284 |
| SHA512 | b827191e3d8bff10ebb612710eebce103a76a5a0ddceb5a5061f1d03fb329bc9821e6d71af25311d2b219cb6cb71e827ba7c6859d6bf97f96af6375a405785a3 |
C:\Users\Admin\AppData\Local\Temp\QEAQ.exe
| MD5 | 7576fafe126c13bd8edb78cf0d176dcb |
| SHA1 | b0aa3cb0f55280811fd5dcea7fc99a08f60bf32a |
| SHA256 | aa8d8d713c429d8aad3abf61fde562b2fa156ffc1d842d122a219f900fa52d3b |
| SHA512 | 94c616c82bab22e281bcac0e29bb98dc3af83fd829a4b2e1dd32d4897fe801824c54abc8b49afeb66c22238c8908565cec296caa8c9485245e42517023f05511 |
C:\Users\Admin\AppData\Local\Temp\gooi.exe
| MD5 | f86b51c4f66996935e1223dc839e3880 |
| SHA1 | b088fb79090303f8ba56e5b492581f3b756ad4e5 |
| SHA256 | 65bf21d276219cfece8c1c29c0e383ad0ef7ecc973ed4808c7fc4f6ac3339b41 |
| SHA512 | dbcc6bf86a0b63a72e5ddb743f277998c27e730d71a38da04a4c8303d9870560231a66175a7b200443cd1f3dd875d188255e1b04676045df137c57790bd0b96c |
C:\Users\Admin\AppData\Local\Temp\ikcwIQoY.bat
| MD5 | a8da8123b2d16091c9b264fd91355083 |
| SHA1 | f25764ea816c948c847de3396359ebb5ceaf6e66 |
| SHA256 | e52b8399cdef753f011f38b3648bf3f381850516437ba048daacd12287723346 |
| SHA512 | aa677958fd063930dfde9fe8de91da97c211804b7172301487dc0fcd4eb54de2ff267c7b62cc46c8bc711c2580ab179dfd294c1d50b9f8d9a71d0eb51e27eb66 |
C:\Users\Admin\AppData\Local\Temp\IIEi.exe
| MD5 | 22cdc35a82125965b4dcf01fb3f71734 |
| SHA1 | ef3f71d8a10bd05fc47e0e6d7a7445b0472d6fad |
| SHA256 | f221ae626104804c8d110f6d02cf04648991aab4d9dedcd5379f46715a5ed867 |
| SHA512 | c395d4ba3b3fcda952a0b28a16d6581aa42c6f6568d93001af5af9868eb6da78b83045d1e9f330f4fd30c81645f883ff3873085313aa9112eb3648b0cc5dda83 |
C:\Users\Admin\AppData\Local\Temp\GIQY.exe
| MD5 | a562836720637e4d70aa75f31c7a82c7 |
| SHA1 | 681e1eab94c5b253c0e9018604b73c8587abedcb |
| SHA256 | 124b291ec48417e11fcd7de09eb55bad384344112dcb5590d03ca8f21fb7358a |
| SHA512 | 7523435298e1b76420eaabc98468fe03e34a285d628df98360a66f1a481a61811ccb4a57751536fdd73f531648e11f76a488cf5413dcb95c5cf2f8289cc69f84 |
C:\Users\Admin\AppData\Local\Temp\SckK.exe
| MD5 | 16095171e1cd98f5d9389b15952e87f3 |
| SHA1 | 1f435268bb0e4a6c05bbb8edaccb4ab6e84a793d |
| SHA256 | c10b633aefc60d6ff001c419eefa4de77fb0c9ea67eacc8cea9ad50abdf39815 |
| SHA512 | 94353f4257326334a4183f7ea0c3756c0e5fc4f7c04837d1783ed854f5ea6350693fbe9889717f41191dcb3ee414c843a1108ec807e85948a13904e7f8411621 |
C:\Users\Admin\AppData\Local\Temp\KEgs.exe
| MD5 | fcf47896bea4a1b30e5150d14b23e4d1 |
| SHA1 | 84f6133b85d811c4eaf8c0b6535c913e5cdbf00a |
| SHA256 | 18c8d155a49b940150bb59c4472dd529b7e9296444eaaac6d41a15ce6720410e |
| SHA512 | 44bca7475cf2ef826bfb5dc4d14407adc22495ec208412ec85ec46493dfc6bd15832e4ff9947acc9b92ce887932e8f31102e7b1e59ab42ceb8267e8979472af3 |
C:\Users\Admin\AppData\Local\Temp\SQMM.exe
| MD5 | 4171f951915502dd1e8ed90833134628 |
| SHA1 | 32d4defd05849682969909508981992c837f614e |
| SHA256 | de95fd07a69413c87baf8155a90cefc2b799fa207697d76b8f0c051c84cef694 |
| SHA512 | f68f41a65676276e92502f0023c53556633e87931926d37ad1cc0db38565df49c26c74f760b676a29450a4b2cb9a429911410e60e8b304fff98ec7d961e8f3da |
C:\Users\Admin\Documents\PopTest.doc.exe
| MD5 | 17036aa61903b35cc5a9ea0dbb95553e |
| SHA1 | 6a635b7fea8e4da11e1e574888d2d3ff5c7ab44f |
| SHA256 | a6a4d81596b85552dcd26f2401f5091a37eb6c4f08a4ed6578275a19b23978e3 |
| SHA512 | ecbe47b8268c308b4d1276b6d9128554e8f7c5ab92fd702aa2e550e4aa09591ffae4a7193e1726d6eeff8b3a007d5ac81e1392e0fc470c9887a7ba172576d274 |
C:\Users\Admin\AppData\Local\Temp\CKowEQMg.bat
| MD5 | c2652feeb850330db9be44c38d2ce75d |
| SHA1 | a9004b5e457a99f0fb3805a4a3f41d5c086808b9 |
| SHA256 | 857f59a6399cfa58a527362a8ad502f3dc8e2ca91bf8aac342b6b2b23440754d |
| SHA512 | 9ed2c19ec4c65935f3bc313bab98ddc05cc48c7d2dbd905d1f3afd069a1e42ad3a5af63c5e654f21014cc54b4656454dcf5cfc1d3434518b623029f08a63c448 |
C:\Users\Admin\AppData\Local\Temp\sQAu.exe
| MD5 | d0df14edb2113be052de4253e7b05e14 |
| SHA1 | 44c59e5391d4f12f8cab18b4dde8a33061a1066a |
| SHA256 | 5d0e46950141fa4ca1e35440152ef7ab2058a22c785c5d5ea5d0e8e32e2b8d04 |
| SHA512 | 141b3660c13acf9ae557545f7853f1f6b868fb0ac7126354411a77c065354d983cff4f0cbe46627109db6a74033bb51c1213ad0916956ec8603b4a6884bfe4b3 |
C:\Users\Admin\AppData\Local\Temp\gkYS.exe
| MD5 | 6aca85b44511bbfd0619a9e431355a3f |
| SHA1 | 0426d5413a03acdeeb57718fbdc30b789a68ced0 |
| SHA256 | 72e7d40d8ce8377240e185c7d517a4b70aa5ac75454f778f69bfd9bed9ffdeff |
| SHA512 | 91f4f9a79c7662602d74791dbf181b459ebc73358cdad59e35d0927084f3a90ce102fb784025764dbbfb8cc1a8c9bd8893b69f40ab17545f5545cc1b84d00895 |
C:\Users\Admin\AppData\Local\Temp\uYsS.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\kwQO.exe
| MD5 | d4feb2ffb2cdbbd567b8f6fd88ae4ea6 |
| SHA1 | ce4c0a4409ee5e1583798d0c14255d921dfbc599 |
| SHA256 | bcecacc09a015c615b01037a0cf9f6c51e0bf42c68e87236e6e6b9de9dfb460f |
| SHA512 | 78c2bf99dcf4813fe65d7e4f33286f5e88fffb56f0d05b39d1f15d3ef275d95736c8446f12811879af0a49d83fdd06aedbb9b7f7a268f17abeec0bec9bad0221 |
C:\Users\Admin\AppData\Local\Temp\QwsokIYA.bat
| MD5 | b2c798ae83babd9c47c6cfa68251928f |
| SHA1 | 2c27ea13ec3b2b90c54061b408de288fd3325435 |
| SHA256 | a9d6ec241b674d2acc19334a34ca32de1fb878c1f7bf3514b1f205986a0f2545 |
| SHA512 | a0454fa2a53a926720e4bb1bb69c36c6a69611a2d700e2e344c3ac120bb0230940d1ffa006bb15376e176d91fdd906ae0ff95bab20e72c754dcc8d2c1b6146fa |
C:\Users\Admin\AppData\Local\Temp\QEIW.exe
| MD5 | cf39f03f74d6cfd3ef5975cd3a05cdb8 |
| SHA1 | 8cce912f92e88e372f7be14b3f1adb36eefeda8e |
| SHA256 | efa604767e68ddc810aa71a2428fc15309e6e6a2d9570f09508c294aadec51b5 |
| SHA512 | 2c1dd204e09de2467d4b78155552c5d05bed7ec78968ea8cab557c6386535bbe9d4476ed6fccb8d1f8bd5c7937a17236028647e95e460384f5a50fd6340578ef |
C:\Users\Admin\AppData\Local\Temp\qMMI.exe
| MD5 | 0156b65c18124fada83e291ce8700e53 |
| SHA1 | 2f2c3840762806ae9f5103f54181f3c6ebf1f093 |
| SHA256 | 50660c78882aae91dda31c3b6c41135e99fc3ab695f28852f458970d5adc4b86 |
| SHA512 | e97c7e0db18ccffea209f2f3026fbaeb1211bdecdf24aa8961fe95f83322dc3a2cbe7b348727360acdf82f63f5cb5f4ffd04ffcfd3c12ce7156f496507537529 |
C:\Users\Admin\AppData\Local\Temp\owkG.exe
| MD5 | 3eb7114ea028ea2c69938a7c59b9e9e1 |
| SHA1 | 568a581b9e8b09b0f4261ed4bebed0b6b800c579 |
| SHA256 | 5b776cc13af99a175832c19b1d194e21215c06d820cb1c6c02e83b9399e0abc2 |
| SHA512 | fdd44a70e67c3cd878dfc31cfb403e55acff65687feed86b8f0dad58e047cc4c0ccbc05a8b4530f7bc960c7906a5b01b53227287fb7196b1f304001cbee0f252 |
C:\Users\Admin\AppData\Local\Temp\mkMs.exe
| MD5 | 95268d892f47618da33bc710fb9a150b |
| SHA1 | 99abef97692e4d17e29c8671ca1527f95511e938 |
| SHA256 | 7abe794abe259bd14734c35da1e2b2c471b5be5b1346dbcd0c20ea6edca38abd |
| SHA512 | 87b4db2de4302bcaa11b72854d5f994006d82ba7bc658c9876f00cce5afdf5e98e0f6af119438a230e0ad787ad89db7f17b56bca76ff410884dab84eb55def18 |
C:\Users\Admin\AppData\Local\Temp\WkEi.exe
| MD5 | 176ad2f4b89c8dc0f2d4e47d5aa645a4 |
| SHA1 | 8bd116edc086b4ef5a83e55ea0c07225f92caf8e |
| SHA256 | 7676a98728f3ae4748a9cb1a46f9eeb413d515df676572de509f910e932437d5 |
| SHA512 | b7a7cb23da7ec9fe4a46b42ec014d2f339db271c8ec2b1ff6c211b2b8605ec1831a29a321501f3aadbef1d5a1a207cdb309b15446dd8d099506efd6c17ded84e |
C:\Users\Admin\AppData\Local\Temp\Qssq.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\Owki.exe
| MD5 | 071105450e76ffa65b22616e83b14dfc |
| SHA1 | 0cd3eed70fc28cd6d99e19bc32063539ebdb962d |
| SHA256 | 9a728a336ce01d88ddf1a3a39da5fc13d456f047093079896418daf4fb5484fa |
| SHA512 | 135a87e1eef94fbb271d0225d79d52474458e62d5aa895b2f4b9e90edc931bf8f817f4b520a66220dc28b3f032b864e95c8ebcb860ae8e95e55d766c64e58fe8 |
C:\Users\Admin\AppData\Local\Temp\BmcoUwks.bat
| MD5 | 87a1ac84041abf553472ce8a6c54ecc9 |
| SHA1 | 732a2745b9ec587470122d9caecde52412e79998 |
| SHA256 | 6eb4c3c815a7040162fea187a03010dd3ccbf6f8fc9bf09bceaf188b2e961b70 |
| SHA512 | bcf607a384d09dc130eaa3e750f5faaee85cf2ea404699532af7c447e87f0cd277b74b8a64beb6382c2065e6163fb2fbd340bf87c2b69f6c07946bcbbe44cb7d |
C:\Users\Admin\AppData\Local\Temp\moMK.exe
| MD5 | b6fad466110edf0474d048496d45386d |
| SHA1 | 800516a00ec5084b8eb8dac2746e115299433cb8 |
| SHA256 | 1435ed85ce7c6229f77045a499972f93f7362704d5cc21ba8b92b6889669dd4f |
| SHA512 | 03bef1551239ad64521b9a78f9bdba04a15a9a378a33fa6011df54e1e6866d2b5a2d115677acc9576020ee53ccdc7d8a032d3c84fcbc9c60b657b81da79ee73a |
C:\Users\Admin\AppData\Local\Temp\KAow.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\Pictures\OutRepair.bmp.exe
| MD5 | c57c87288462ff63361a23188c78dee8 |
| SHA1 | ece1693913d35e5c6b948176b7b310d0fef3b724 |
| SHA256 | 4aa89cff03f8788ca957713573fa50f0c675ff2ed205cae666793cc846685eff |
| SHA512 | e68c2eaf75482011a27069aa34e16832ed32e0408e33bfde25a8b035c06c821d65356e9f9d772141b03515835556ab41815a9d04615081fe89b2f8d9606f2b07 |
C:\Users\Admin\AppData\Local\Temp\mgII.exe
| MD5 | 192a70dec7c5b53353c2227739c25d43 |
| SHA1 | 58d3d8e3c4651c0b0c45e9070154f0dd6d75de4a |
| SHA256 | 84a040270f2b0701062f5db528f6f8887b913f42338f1a36efdccf2b941e1a85 |
| SHA512 | be3cf9ebfe83d7d63752a31ba35d2e15b5ae62a98c3719d3ed5b0856e6d1f6181f4a8501222aaa908d18a5a6454fb7199321480c7c4dd13ccaf318b95e4a9b90 |
C:\Users\Admin\AppData\Local\Temp\icAM.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\UUwO.exe
| MD5 | 67f9fb8e1f7aad8ee4099a461ee5af46 |
| SHA1 | 81bd3a57c3a7c22856b6d0c5106d6424f4141855 |
| SHA256 | 2fc85beee72999edb599f1bb8ac542e01036b165008e15b5204e830112fb7055 |
| SHA512 | fe2ea07db5dfaf2da258089c56d637c70437a7af756b851e252c0405dd30f38db6fa067a712c2f55b707a162024cf075674b04d73a4ab45b20f0bc1943e54bbb |
C:\Users\Admin\AppData\Local\Temp\PwUAskwA.bat
| MD5 | 6876ca3b3b86577c6eeb793a8165ea2e |
| SHA1 | 43cfa26104795c0404ddb9e539992e4a228d3de6 |
| SHA256 | 9eaf3ec0f0a6527dd652f02ca1da826711b61cdeb74b280eeba50a9bf2ed314c |
| SHA512 | 4d59496d7ae41c07f0d3b9bb78ba47a457abb766aea3e308092aaeeecf1b60989c811016559db2e3a80acac0c8cd05e4f7cd9ab1af0795b293b5791cf970b2c0 |
C:\Users\Admin\AppData\Local\Temp\AwwC.exe
| MD5 | 20d23f597898f0058a4e833ed965e421 |
| SHA1 | ac841faf107c2a11a41410235b742fcc3ed0431e |
| SHA256 | d2c01ada70d80b727e829848a1adbd16aca7aa9b287c5c0bea58fb6532d2a9a3 |
| SHA512 | cad07337bd597c3dd287cc2265f0e98801f11522aa3272b517a2069d086d3e795edfe8ebad6a736a3ebede22f21d716b639b4576d587232741a35e870451b659 |
C:\Users\Admin\AppData\Local\Temp\gsoo.exe
| MD5 | fb8d6e585ab3d045965900037f744194 |
| SHA1 | a54b67740bdcde58dd2c09b4be97395eebb1d357 |
| SHA256 | e0ce550d8d9133d60cc78e4d910a989e978b5876f6a4e198e04def1e391acbd3 |
| SHA512 | b5e4b367b9815fabf8b689ac2e1f29ff068bcfbcbd556771dcd3e0894016c86b3139ab166df192886964ace3930aaf9e956c465c69808f6d1a425c7b954031a2 |
C:\Users\Admin\AppData\Local\Temp\icUM.exe
| MD5 | 5412c38a80204d3bbb3e26f2b09b4922 |
| SHA1 | 030316fb8eaba6328312f1be4ca97c60d088f8fb |
| SHA256 | 63e0e109c3ca0349685ae346cafdfbc7d885f50844b98fc666fc48bb18cfc476 |
| SHA512 | f2f755dfbdbbbb39e6e9531af197dea4ae367a710e05862a1e13f4ced213bd4a1a2879eccf02ffbafbb235c0196d6591cca892d493efe179b3045431bd3b6ac3 |
C:\Users\Admin\AppData\Local\Temp\LWAwYcAo.bat
| MD5 | 293d8f6a00dc6d4277c4a344c026552d |
| SHA1 | 2d1c7b3c71c0b10737cdd8f09eebbc12f280e48d |
| SHA256 | 0e41de664da84df03b624b196db26f7836c4860cba0f6f3515b2dd94d6a933ea |
| SHA512 | 98092b034b3f7112488724115da4611e4944cbcd3e84046a13e1fd68296d87ce73b22dfb1b84d22411a9897c4de4f5da3e4f43c94c5a9559fe5f6382765c266c |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | e97edc20f89660711ccaa5ce1d5a44c3 |
| SHA1 | 91faaa8f86214a1141d5d828bf6bb0d4d5e66e0a |
| SHA256 | 3f30decd1753e3372474fae2da1a1dee406f6ad9b6032efed2f43f4d8926b9cd |
| SHA512 | aa24c3f85edb05b2ac247a6555f9501d800395380816cfcedda16cc8733de7bdb0802e8b2b69025205d1fbf20bce1ab4488c541150e9d81461dcc8ff34037854 |
C:\Users\Admin\AppData\Local\Temp\okMW.exe
| MD5 | fcd5b3898cd9c79a8c25eb2feb04e445 |
| SHA1 | 3a4421186a5df2dad3aa390186a39eb3d98671af |
| SHA256 | 453c970b149740d852cd56013ee1494ca118f31011e9e468eaba5295c8101048 |
| SHA512 | 4d5ec9bb20dc267c6502bce9505c4c8b024708fbd1fbb163bc35fe8fdc05489b1ff862f065cd48a29ce40811406ab9ceacd56fb6968c0d1d531621b482a02fe6 |
C:\Users\Admin\AppData\Local\Temp\XsIQsgAw.bat
| MD5 | 0726739b7b7f0af275e65c939ad49e11 |
| SHA1 | 6be2366f61d5b4057611be7ccca8f77956378134 |
| SHA256 | e67863ffd94e056e92b6c182a2bc3b2c793e3ba2ad9e92bb8e51dae59cb4ca95 |
| SHA512 | b4cd096decd2733df2802ca0487e14b14745004d0b5047e0db9a4ccb4421c564e4237dc3a124c99e8ca98e10b454a50ad0edd4a78b8526f6b1fa08080f4faac3 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
| MD5 | bd5c1c2077a8dd27872ea7155d21b05d |
| SHA1 | 9ea460e39c6389c3f95a0b86798d83275dfadb8b |
| SHA256 | c4a1f7ff799889edc40b13481070545a3edaacd2dfccf41ed43246219ba20cb1 |
| SHA512 | 4df4aa5e479ef8c71f4f9810b7d6f9b0c1e121c5c2f46f91853ece6667ec3ce620c34a24b3868c37052056666fc0a058098a42f1847936f98792e1f02c87a1b6 |
C:\Users\Admin\AppData\Local\Temp\Ekco.exe
| MD5 | 453d557794718ea08019198292701e15 |
| SHA1 | 1cafff7dc45e88b5ae74bf0b420fd41bb3b5e2ed |
| SHA256 | 20b07ea3db18e078b03b47c94fc00e17d1193f1ee29af8db3d305da7bd2d50a5 |
| SHA512 | 663d8b9f94db4cf88c7c657e4e393ee0e1bc5542014c54cde2920136fdd9456ab893387909a3a11b27b05235bb8a1af40616ead89168aa084b1e674d77dedb60 |
C:\Users\Admin\AppData\Local\Temp\ysMs.exe
| MD5 | 930e6d8f6d2dc405572a788419022b1d |
| SHA1 | 8b0e7e8ff2b9b5df188c4c20e89f3e57dbd59363 |
| SHA256 | a614b9a28dddfe23434bb70271a43315d337dd7f61ac44337d495b4d291ccdb2 |
| SHA512 | fd493dfa147a0d947074eb267ac7030f99abf95d2b2058c9057d519e16ac78bede1def92b5d39bb43c86af2a3306060dacd1ceb0de23c4b747aa4f569eed477f |
C:\Users\Admin\AppData\Local\Temp\CkYa.exe
| MD5 | 61673a48db897a801b26af129a97a07f |
| SHA1 | 7233c13b1119ea3af01a32580e9f3c4bcc8d4e91 |
| SHA256 | 962835a6963d16c4ef4e9c54b78ac3ab44829986648da61ee980ff769eb14db5 |
| SHA512 | 8229c3b79d751185e29104948491924dc65d2b8ee3e15ef47dcb168d211685f1b8eccd8a21a0b4e9c3fcb925c76afcbef198f4eed26ca78f43671bf3205f32be |
C:\Users\Admin\AppData\Local\Temp\QowkoUIk.bat
| MD5 | b8027f4f1c6db5f4763a27bb85845dff |
| SHA1 | 443bd0dc251d448e948990cdd0075638b6dd21fb |
| SHA256 | cb9da55ef49bf11efe2b78cad0229abae8188f30d23c11b60d29460612043cee |
| SHA512 | 2e3ebc0a83e67c4d34897c59472f49c924a9144605bc4c05f3d2941fb755bd66ae5e678f39b38e7d8983601e5345305cb13777f1dd1f0ecd1b7e8c879214cd7f |
C:\Users\Admin\AppData\Local\Temp\SMUe.exe
| MD5 | 67d1bf1245e3149d9bf0c9d40099d6f5 |
| SHA1 | e25f1deb44dd6d235f3efdd51d742184a06be695 |
| SHA256 | 280fbe48172b07e1a6acd18c586879916e1dfb795341e688b48f96c02f01bcd3 |
| SHA512 | 84924e683f7a9cba8e8f6dbbeb75512ba22f26cf5585efda9a586329fd4ec99bf57ad70c67d792cf2b0aefa8031cba7f012a7414dc1a0b7d81b307fd6e069e51 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe
| MD5 | 45b0b4391462147e94dcba8d2ebbcacc |
| SHA1 | e6359c412fc72c2c50e37edaac1fee9931506500 |
| SHA256 | ecd03f950d22e893a14318e78752a738b568eae13ab126d255ee258905305773 |
| SHA512 | 72edf8d1d62bb6bb2b691490432c93a17de48cf3a8295aa228d14b6c749b91d0efa6b2017842694b0ac7aa15571ae8fad50cd7496f567ee061b8c846a87987b1 |
C:\Users\Admin\AppData\Local\Temp\yCoMscIc.bat
| MD5 | a2c479e148fb7ce4d2124ab51bdd55db |
| SHA1 | 0a2246c1826f026c4e3389de64a9132e93ac969d |
| SHA256 | f2cad291a8148ee08a0f12fe2a727ebac06f1a5a01288522abb3400f4887c27c |
| SHA512 | e5a74ee347688b2179c6a94215205e50c94e85a02651b90e3207b9a96ca1f2401cd97666aa2089dffb9d842839f34dcdf8b0efdac6fc90056114129a3cc0d4b4 |
C:\Users\Admin\AppData\Local\Temp\GAIk.exe
| MD5 | f1896b47c1aa77da76d18ab7c80c632a |
| SHA1 | 94312737a8ea7cef71e58731e5fe4249d6b941fb |
| SHA256 | 2993ecffd847206c6e326250c798335d11b58a4b03337920fc49f965983ae127 |
| SHA512 | 00243ab74566b9365fd0147df3958d0ac6edd326eadfcabc79799f48c241a5d16d62f865bc362f6731e5bc13ad3528ab0863aa1b9ed37db31da57058d5de73d9 |
C:\Users\Admin\AppData\Local\Temp\iMMK.exe
| MD5 | 3072414107a5b1a8c4bf1a85b6acdadd |
| SHA1 | c07a3580ed206e8f8be284786d7295cdf71b5510 |
| SHA256 | 003be6bd1c4e954d40fbe3b16232bb8494f78612f4182b36308bfe8ec61fce54 |
| SHA512 | 09b7cc408b48e7284a88246229c534121641472f5a6aa9ad39846332df29ad4c242a37d864cb7a231b01f6b1caaa906fef5cd1d82cd0f6ec21db59adffdc0e18 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.exe
| MD5 | 0e125a59d3f15b0ed03def688d7ac703 |
| SHA1 | f994a69b58a6195a5d969c330793f350baa4c2e7 |
| SHA256 | 8fd6a599e21e2d84ab3e2747a419314b663a89c548407345b743e077fba70d74 |
| SHA512 | 535e92a9827b8dcb6bcf7d344bc5e5ed6a2c1a357196e1b84e62aad7dc6f7c1949c4d7d163bf8feb35e72ff25fa3593775033bcabc604e30b33eeacf74d1030d |
C:\Users\Admin\AppData\Local\Temp\IEMkYIcA.bat
| MD5 | 38c3863c817a2a7810922ae8e7cd0f7f |
| SHA1 | f6b570fc602b14c584863d2b9c16be62bc9b6088 |
| SHA256 | 6daf7b8cd6f4eb05d8f3889170ef2bdc26d5b842dae90f1a499a47f9337a9a72 |
| SHA512 | faad3251f5ae1f08572de3875e7d075bdeb25a44fef066e7f4aab3a9c0b45d489001fbec36525fff5c9c92a8d8d70bd956724214e795b7a726c6dc7ec4c7785e |