Analysis Overview
SHA256
dd7dbc78e267a832e8ada5d70ef95158e77f720c0822f44b7de39c9a5405ba86
Threat Level: Known bad
The file 2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (80) files with added filename extension
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:44
Reported
2024-10-18 02:47
Platform
win7-20241010-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe | N/A |
| N/A | N/A | C:\ProgramData\hIgswcck\EWIAQIkg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeAAEcQQ.exe = "C:\\Users\\Admin\\cKEAIEsE\\oeAAEcQQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EWIAQIkg.exe = "C:\\ProgramData\\hIgswcck\\EWIAQIkg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\oeAAEcQQ.exe = "C:\\Users\\Admin\\cKEAIEsE\\oeAAEcQQ.exe" | C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EWIAQIkg.exe = "C:\\ProgramData\\hIgswcck\\EWIAQIkg.exe" | C:\ProgramData\hIgswcck\EWIAQIkg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\hIgswcck\EWIAQIkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"
C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
"C:\Users\Admin\cKEAIEsE\oeAAEcQQ.exe"
C:\ProgramData\hIgswcck\EWIAQIkg.exe
"C:\ProgramData\hIgswcck\EWIAQIkg.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nYYwEoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XEIYoQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEAccksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCsoEUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOAQEAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYMAwAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWwAwEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYAcsAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QoYIcYAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1506167368-121326098571933161115011811319986577739215635521715838944811719078"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-471722675145223109-165406953812815181219576907981849445961-861954592-1205277036"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQAMkwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PAEUAMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HcYMUEwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZyoIYgYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BggAMAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FiQMMcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "847862670-68046052513054573601312092431181050667-1187683668-622635692-997112796"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OyIMUwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eAAkcYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSYYAkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "779025898-1233074173-4733102061871073416-1687929293-1088376264-52891305626291690"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "212874069792937623-151793325352532416-1981460410-525525725-449203097-2146385281"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqYsckAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "535432082-777601937-8592059281693241210-11520929471932031012-959895861445613863"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095032663-956203888926272941832367038-472928387-2152142291904522690465943718"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3608053531604192414-280146818-1590456231-1088582954-567478952-14043756891643237521"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-844760650-869434733-2125015529-1835083545-1975435563-2099096673-880740634-580913280"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsEAIYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ReMQoEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1105613896-1979648457-1413556803-102081228-1986209641194619761-1168711974-1875068803"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1850115814-1115447309-7315015042035048459-1665232590-162628445721423043951263666574"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1186356397-9699432801980618356728186886910577724-703379784504300701939748000"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-184259031532794933816160904511307728944-90571795468458860-2003683660-183572886"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-102859447487840624-363704795-1605535798-20512396615136005891536802162-1372889370"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hcMUAUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1741080409-487981911-329836698137964971-21036482361260378521-2129414361-904022849"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1002894802-339325842-196805867612321935801048565490-397765206-1007173002-1137188608"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgYsYAEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-149602287381878994413216055562130584324-1089356354-21387433691356049045-48014904"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "269502927704360130-1714867471968829866-9164512221725928358-148963021-2004757046"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.16.238:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/564-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/564-4-0x00000000003B0000-0x00000000003CD000-memory.dmp
\Users\Admin\cKEAIEsE\oeAAEcQQ.exe
| MD5 | 6acb2f31358df899b3f2ec10fc4cd728 |
| SHA1 | 4959034e0c93fc90d8b97c6908a85496e5492cdd |
| SHA256 | 79eac1d69d66ac75d42f317dc156360534cad317fb677b306f0e262245eb5395 |
| SHA512 | 4980a420e1706ca63129b68db65fc7d2ef90cbd59f7c1283111fa5f1b8cc957a3a10df920a0de4939dc7b427d9689dc6e254ca01f9738425e7f22ae19e4206ef |
memory/2080-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/564-10-0x00000000003B0000-0x00000000003CD000-memory.dmp
\ProgramData\hIgswcck\EWIAQIkg.exe
| MD5 | 58156d03cfdbdb0cb04bb7dacf3cbcc6 |
| SHA1 | 5a3b208a0042ddf7a9f1b7f17864f1aa936ffe7a |
| SHA256 | e5cafaddc376108534d8e032fbd2549da2780348e4227cc4eca66ccbcea865e8 |
| SHA512 | 9210d7b3cdfd2e104c628a7c241b0b5c6255c067ae54b098cf38bc8dc9b546deb3ab1bd105030e346183aed8cb88a1d7e2007747ca5162e99f9650126a2a1a92 |
memory/564-21-0x00000000003B0000-0x00000000003CD000-memory.dmp
memory/564-22-0x00000000003B0000-0x00000000003CD000-memory.dmp
memory/2880-31-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jaEQQAIw.bat
| MD5 | 9d63c62c53dc994a0f40f4a9bdc37b6e |
| SHA1 | bf1087307ac13cd9043908c5ef2030cb979d972a |
| SHA256 | 45a5e6e77c9d235f32ea7b3825a9235801258e7ebb1efcc50d19469c4cc3e6be |
| SHA512 | a617135979623654d9618594a9fa720d1bb6a76081226fbb3600a62f2025a08229f366f904d28a0182c0e2a6295ae82e18a4a01e360674049a6f5b81d1f50d3f |
memory/2964-34-0x0000000000170000-0x000000000019B000-memory.dmp
memory/564-44-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2964-35-0x0000000000170000-0x000000000019B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nYYwEoAg.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2700-36-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
| MD5 | 35cbde129d22ad6080dc8fed0fd3e185 |
| SHA1 | e29871c61fe34d7159cf12daa543e1679f3ef63a |
| SHA256 | eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265 |
| SHA512 | 009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60 |
C:\Users\Admin\AppData\Local\Temp\foMQowoM.bat
| MD5 | 5a6c4fe3cb030b2b72fed77dc4b9b2fc |
| SHA1 | 4a9e075665ababdd229ccc69a53b10cb5bf8dc3f |
| SHA256 | 2d3a7da9d4cc4283844df4378f716e237055f00a8c1872f8acff6e0a9f5eb83e |
| SHA512 | 1e245efd32e0b51f6a53fe50b95c13d4ce136f4acab026347379a82b8e40ffa5fb8b7b6821f8ac09a56faed22ffd8494041ec5f906d1b28ff7ac8c50563edf16 |
memory/432-57-0x0000000000180000-0x00000000001AB000-memory.dmp
memory/2700-66-0x0000000000400000-0x000000000042B000-memory.dmp
memory/432-56-0x0000000000180000-0x00000000001AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\RskEYIUs.bat
| MD5 | 4a3abf2c0dd1112268397765d0c85cc6 |
| SHA1 | 9fe5f1d053dbd6377fe8eaec0b92b7fc0df9aea3 |
| SHA256 | 00f3dde7d9397870ab8e52e711a26a9ccd3765c9aae1937ad0e56e3a489e10f8 |
| SHA512 | 8aa1ed0abdcdb04193769f5049606857965dbf0f06dc7f3498de93428df911e135b7aa8e434cfa453765afe67ff97bc2a0de035691ac384fcabd94c9213b5307 |
memory/2196-88-0x0000000000160000-0x000000000018B000-memory.dmp
memory/1968-90-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2196-89-0x0000000000160000-0x000000000018B000-memory.dmp
memory/1884-91-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YAYAcksE.bat
| MD5 | 0ca62df0435b5eda02a279d383dad2f3 |
| SHA1 | 455b2d5ae5546c7537ccebe1ab10afa4db79872e |
| SHA256 | bd0f14838f2206d3598adc6e8796587a85fb137e0e1b785c4cef1fb0eefd1373 |
| SHA512 | 855c39d3ca435f1f3b5885804ebf7d4e5b604613fdac8d5b768ea3735b1b38a4c128e7aa0485071b160c3da613c9f5b6913d0f7174ca51c366f314fd21742d3a |
memory/2220-104-0x00000000001D0000-0x00000000001FB000-memory.dmp
memory/1968-113-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mcIsUMUw.bat
| MD5 | 247d480b38c563a9b5c6efd8f4ba391b |
| SHA1 | 9abe6afafa17b97153296ae04e1188bce8b3a02a |
| SHA256 | 4b3211d69d791ec21999c06e75a880f81ea037c43e0ce39cb12c305fe3c8afb1 |
| SHA512 | 70248ba61a7578f26230b5773a4c66afbcea44fcc8bd7a4f51c6c4a9422f4d938a7fe772a11345e0b2646dfebe3ec6f411c1551cae55b441c8a77e74d538d774 |
memory/2240-126-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1920-135-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwgAwwAM.bat
| MD5 | e9d50b7f376b04e7a76106813771ab37 |
| SHA1 | e3f4f197bf6faac664e92d4e90f4e42edfae5f9f |
| SHA256 | 974230db9bcbacc976993406e20f83ffadf10ac7ecf6b266fc03b6e86a16f88c |
| SHA512 | c1df6ebb47a001b1fd84e7965bd5165d191f08d80e6c7d8bf4c0b716c172968a2536c02f3b6676cadcf8d0d2905ae0a03aafd7a0cae680677bce146d1411d9da |
memory/108-147-0x0000000000400000-0x000000000042B000-memory.dmp
memory/108-148-0x0000000000400000-0x000000000042B000-memory.dmp
memory/884-150-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2072-159-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SEIoMIIE.bat
| MD5 | 5011d3a095624155ddbaadc2393f2bb8 |
| SHA1 | 1fb955ce1bdce7e8ff4211d8921ba3b53ccbe27a |
| SHA256 | 2b6e01fa3c1b26e849112bfe4eab9a1e32809c97e312854f95b2d491e3fe510a |
| SHA512 | 03a4127832308582870121c3a63e27d42c6ff8d9b668fbb266b473b3ad838a37efba923098b28041790354c643b67eace8a20398481d890b25b4b1fc9452cdbe |
memory/2828-173-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1128-174-0x0000000000400000-0x000000000042B000-memory.dmp
memory/884-182-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\keEcYEwE.bat
| MD5 | a4ea08f91974f93a3a39ed4c9373d608 |
| SHA1 | e7fdf06a12c482c60af3a5fc26470ad883f95c25 |
| SHA256 | ca8eb57af5dc7c461bddb1806fe96cbdd4856abbbb38bce7d3e87941dc3b334a |
| SHA512 | 33a48b2f6b959c2832464da20802d7ddd3474244248b9e95b3ae7a26b7dcfe2edc62de9df668ac39c0d98e1b53f1b1fa9288f72e398b08bc737535587b43d368 |
memory/1940-203-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1128-205-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2700-196-0x0000000000160000-0x000000000018B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YeoEIQog.bat
| MD5 | 3d7d4b722f22dff86992dda3bf275fae |
| SHA1 | 6dc3e83a6324adc01c36b8069e0880c40c3b9b87 |
| SHA256 | c9fffb2d5f998f165a25bf8d61e565e939bbeba1494316c3db163547aab81d54 |
| SHA512 | dc102eea267644295a00137f424938be8ea40189b60dff04b5c3014f217f5e03ee211890145ed5cb87efe731d8271d4b4364709540c2836cfb009d4da0cf1f28 |
memory/1940-226-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2720-229-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2216-227-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2216-228-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sMEQUUAA.bat
| MD5 | 9f4ded12d5c867e582fa44ede638743a |
| SHA1 | 245b5677899062a84bcf310fa2f88de472cbdca6 |
| SHA256 | 6220e0fa7d22d26164152627840b54f6dbd1a0859ad24d1e35aad21de84f1989 |
| SHA512 | 8f26ac1b666dcfd4290b1c361c9ab66a71af55d5f8c29c666d86c7c5b667fe929c03e15260b609f3de233272849424e7435a41d76b78f143facd0b4c209f6c00 |
memory/688-241-0x0000000000120000-0x000000000014B000-memory.dmp
memory/2720-251-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pyAkwIgM.bat
| MD5 | fab7ab979fc8477af5b50c8b33a1adec |
| SHA1 | 1122a2038d1c19e672c01d09940d75b80bb280e3 |
| SHA256 | d829b70e50694dd26a694f5b652d6d09e371ef0940e2b8c59dc79a6a1d20210c |
| SHA512 | 25946652d0bacee0a55adfd69de1b5d173fa135daf8e0bfb058ba595bd0ec72d63d563e8b4ef7c4fea1941561be974f789739aecd57d00c239ca0f7fa5eccaa5 |
memory/1692-265-0x0000000000170000-0x000000000019B000-memory.dmp
memory/976-274-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1692-266-0x0000000000170000-0x000000000019B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XokgwIUg.bat
| MD5 | 3bbe5bc2b7bb5cba546076850489f0ec |
| SHA1 | 7d06620b1707e5f4f6196029b622491b635b6e17 |
| SHA256 | f6dba59874a4d4f6c0a4697521a84a4fc29b41113651ea164f24c51a82686cc4 |
| SHA512 | af7c5df33c3df741e2b1dea6f34d38b4fa3768d782339bada26aec5037de37284a919ac75cf6d5dd2e8596458b0311285b8d5b6f04fa3d990611e7cf7447bb87 |
memory/1252-296-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1508-288-0x0000000000120000-0x000000000014B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PUYYYEII.bat
| MD5 | 3ecc0623121b8258cd91eb72c4a021fc |
| SHA1 | 3b0bea55700080a00bcc635958722a41fe65584c |
| SHA256 | 24df42d48f7a94d56be65c5d172fd664e480023c6878a8f5d89195fc569351ee |
| SHA512 | 8dc46610d5a8cae0968b0dd169d03f807fbd7b034a706f2f8de7f02279a2438a15535c107a801ac9ce345fe0cac09c0d2e7488761e6cab2be4f2d258a3d173b9 |
memory/2812-317-0x0000000000810000-0x000000000083B000-memory.dmp
memory/2604-319-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2812-318-0x0000000000810000-0x000000000083B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\regsgsIs.bat
| MD5 | 66373a9c960d5bb19f89068c5a2797b0 |
| SHA1 | d6ce3e479207e1eef007d38224ca9f16a1be875e |
| SHA256 | 7a7c7a82777b67bbc7927f4060882409a96e643efa7edeb379a2b1081b8032a8 |
| SHA512 | 1a340cb72b33b8c8ada3ec018111cee7d2e66d7235206bbc772becba81508414ac63cffac5998e113dadc83c34684ca00f462122948ae36406e2b7c7cce86338 |
memory/3060-333-0x0000000000170000-0x000000000019B000-memory.dmp
memory/564-335-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3060-332-0x0000000000170000-0x000000000019B000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
memory/2588-343-0x0000000000400000-0x000000000042B000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
memory/564-380-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3008-382-0x00000000001C0000-0x00000000001EB000-memory.dmp
memory/3008-381-0x00000000001C0000-0x00000000001EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tCEswUgQ.bat
| MD5 | 2d484eb5af7a49d6724afd2f48081d3e |
| SHA1 | dee03b08faf829dcae7c7918d232cf16ceab8fc2 |
| SHA256 | c550710a57f6c91f0a252ca599cf564c108c75c5ebbcfdb32262dfcc031df996 |
| SHA512 | 90dfd0a4d2640fa704a68e492460c029b2fa33709f84749dfaba1ea52d55c3be74aa9213e1e5cb96e9d873865125a1356148e299a0b66c3f263b27402ca509ad |
C:\Users\Admin\AppData\Local\Temp\SwQM.exe
| MD5 | f07f4aaee2b482ca5ec2b3e5c0f7f980 |
| SHA1 | a206e6b9d014b7bdb486ab414c609e3a66539c5d |
| SHA256 | 6b5264a4a2ae0a61104ba9c26a61e3caf290bdae5bf79f82d05fd96282319fc2 |
| SHA512 | 9e16e43646fc4e6674556a45b4e955d0cb42b56c070b12dba35650a49cc67830fd9eb0ae91316b2d5fca21943ddf781a3da506227b10a3251a1a39fad6029bb7 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
C:\Users\Admin\AppData\Local\Temp\ouEMkkEM.bat
| MD5 | 046ffa1519ddc91e14e3ce13d2bee259 |
| SHA1 | a10125e94c33b5d83bdc7f53087062eba741064d |
| SHA256 | bbe3ba40e86a6deadd69634ae5f76c4fb34b941ffcbbb8d0b13ac7e02639d393 |
| SHA512 | 067b890c6655bff8aa2e6f246c1156a8e7740fe5d04fdbb7a0bf78677a3ba9f33ab832a7f334498256780bfcfd4a55982e7110805d32cbf9071b16b75f5a1620 |
memory/2460-405-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1288-406-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2276-408-0x0000000000260000-0x000000000028B000-memory.dmp
memory/2276-407-0x0000000000260000-0x000000000028B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yOsEsMIc.bat
| MD5 | 8d46004c1e4ba11faf8815a205b39ca9 |
| SHA1 | ce5d7c12a350c6e5b1d068acb16c7224c34491f7 |
| SHA256 | 929f5d275089e1b179fb5bcf84cdffd73c2f5b2ba93c15281ecbd28b6b399a25 |
| SHA512 | 2ea079351d06b3fd40ebfc0053a52874b04fe9480eca18d21be24d0a04316c1614b1fa3ba506b3bbaa3093b951b1ec3d86f985de0064962cbe86b901841c16a3 |
memory/2492-439-0x0000000000260000-0x000000000028B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UAco.exe
| MD5 | 45913d2c1aebe186a67e35314f301945 |
| SHA1 | b18674b7c7ddb2a9f9d63bee0b4f4611004e924b |
| SHA256 | b378d4d316a19e672793aa755cdb6f328c1a25df92392dc8c4e3c9d9a51f56fe |
| SHA512 | 5fbed213d8642ed3b429d5113333a573a0afbafb70eb4fb9a5155a722cad68cb9b63ab4f3ffa517cbdd73a8f35c68bad3597fa0a2c981a23ecb973a61f5cc6c1 |
memory/1408-441-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1288-430-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2492-440-0x0000000000260000-0x000000000028B000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 87526d8ce8b47322c9829d2577d0e0c2 |
| SHA1 | 7aad6804202090e429339894cf33a4b2d12142b0 |
| SHA256 | c186f3552f8300d5c1076ff229fd7e235247da20da58a7ff281f3ed2da21fc83 |
| SHA512 | 7080272082734a07ac289d5465006e0ff12e6287d12438d737ab0472a73f4b33982d8ab4b4693c1615335e973270740d39c768e8ea9bf8de87e151c54c1df4b1 |
C:\Users\Admin\AppData\Local\Temp\QgEi.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\UoMcoEkg.bat
| MD5 | a27ab456a2494ca24fe3323f18a2f024 |
| SHA1 | be1c4e1d6dc1fce4433d0e169620506424c43afa |
| SHA256 | 50b7d36a8045e05f4c5a84a609374b19512848a62f3b0652e9b8be63163d6646 |
| SHA512 | c84b4b920fbb1487e0b5e6af3f05890cb84a580af8d76a4847db6b4a1a93276d3008c519eef9360fedaf720efbf36f7e5dcd55ab088827c2ee20296c2d21d150 |
C:\Users\Admin\AppData\Local\Temp\AQMw.exe
| MD5 | d9345fbd057690c40e688c8dacadb9b1 |
| SHA1 | 9c6e1ea356ba06c45ade3ffaac7346d52bc77142 |
| SHA256 | 6618a9d2df80c9618b431fb5c7b1a11c129d0eb0f9a107e0647a8661dbd806d4 |
| SHA512 | faa4f7cd4c228a304e6987681b920c8990196271c07405984fb1183ab824958f7e513795fc3983a994e8e186aebb20a87565a4ac06cb24e37a8fefc381717442 |
C:\Users\Admin\AppData\Local\Temp\IwkI.exe
| MD5 | 666cb7cbf9e86596aecb8a7d6814a982 |
| SHA1 | a9470e0a85e31c14e8153edd633249f1bf755d24 |
| SHA256 | 15631446cfa875866dd2cb36e96b190526a3e49c67ad2be65b8d7af9939753eb |
| SHA512 | 97552b3279eb45169abb82085f3c58d689406c50386e516f85790866eef4ca496293e72bc564cd1ec09db2d4319de8519bc57c6c718edde71c50f5eaea117833 |
memory/1408-506-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2692-498-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qMkI.exe
| MD5 | 6a9967d8ad12e8306fbd3478a68789be |
| SHA1 | 7a293847346ab8cf1d04ae8f86ad46a30e26e947 |
| SHA256 | e8dabf1c2aacf8a7f25e485e8f2be8f7acceea295a127755cf75a1e1b0cfb875 |
| SHA512 | fe1d0245aca2302631bd02da473a0b99afdc7882a984022931d491dfc4da2e2078a109c22484a6d89d9f1b1d99f31a82acab57bfe5b013ac4d51a8e19c1f5217 |
memory/2332-484-0x0000000000120000-0x000000000014B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iooc.exe
| MD5 | ce23b9795b0a936ed19d8936c8bca157 |
| SHA1 | 636ebbe2d59f7e3026615985360e327a7555b9eb |
| SHA256 | eee20e00b729f687bd8761e13de8063b761a416628294314b08c23fd974e687f |
| SHA512 | 5cfad7c3a63bbacbcd186ff9a759ffceb967692ee7bf8f1cc9d3465474e49c79be25d11dc7741e83805a36ccb06f8ae4448773e48b17fe1e85a3ce62c7a15c90 |
C:\Users\Admin\AppData\Local\Temp\sQEC.exe
| MD5 | c0aa4897e6bf03ced254256be1d420a8 |
| SHA1 | 8f6b1f229345f2ab3629668a9167be20e191bb59 |
| SHA256 | 37027c03838b77af8f36aa83f4bbad3fa0c5e51807a7fb3322ad0c7f996dff4e |
| SHA512 | 842ca9f2e05c5814dc206c7e2bf51927a55cdf542466145868f4a19076e5a1b38f7e15aec91dbf9bf8164fa6b8dd66c9a4a68665140ef889e6182e96d0ed0de7 |
C:\Users\Admin\AppData\Local\Temp\aEkMMocg.bat
| MD5 | 190436205ec0e469b5442906788238fb |
| SHA1 | 2bfc539e3bd1a8741400aa9dff6a4a43ced9691a |
| SHA256 | 4005fca0b6b1dde6737c4751e1a6c93e462c3968515965206e2780619f98f68f |
| SHA512 | 997c301a97e581a4564321a8641281117cb56ca294765736bede1d83668344f37de18fb93f03c4645008f2fc18bdb69c4930a811c3e29a3d577c1c33a4a3c5e8 |
C:\Users\Admin\AppData\Local\Temp\SQEa.exe
| MD5 | de30ee32b31ae604fc26349874dcc053 |
| SHA1 | 62687e6dd7d7961fb5905ebab309c32f702aa1e4 |
| SHA256 | c9e1d21813268c208e187c81c77fdcf829fb21511d0853515023e901e7883839 |
| SHA512 | 17e75496c35fed84b415589ad820fb4e391dac3195df99ac001e2156807e271e0385b04b0c79ff00c1dae0b95a355fa0a1be082be6e49ef121f997a04c9cd9aa |
memory/2692-579-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2624-581-0x00000000000F0000-0x000000000011B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EooW.exe
| MD5 | a9703d8915428d815e2bc0c2c3c93b5a |
| SHA1 | 4e115240e539c209504815f2b3c5e98912fd2789 |
| SHA256 | 52dc0c0626aa57374df4f9b53c400ff09e0676553cdd5437fb9c5dd5635350d4 |
| SHA512 | f3c16e546ffde14a336d0ae7d5c1ae3a2efd770909d11c9b34a79c5873635ea37ca9d8e11aed4341f938833b6503bdac17677159fd859211f470c84c56bffd13 |
memory/2600-595-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2624-580-0x00000000000F0000-0x000000000011B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GUkO.exe
| MD5 | 94abb9365e19cc9860291d1d97c294c9 |
| SHA1 | f6d9e444ff006f6f8f9cf88b0710b0ce09ffc9ec |
| SHA256 | b0c537eba4bd27d94c89eb43e18219d8352cd89b3e10106e6f088817291b5217 |
| SHA512 | 04cef40f234ae4583670d479a27eea6bf072ed8340a1244e58ece281caab6bb50b83e1abb1ff8059b3dafbe4b37794c83062245414bad2391608f02ad2cbf27a |
C:\Users\Admin\AppData\Local\Temp\cMsA.exe
| MD5 | 2314349660b22f3c4f2903b0842076a2 |
| SHA1 | 365028c69b7e92596a21ebf08e1b3711b976bef5 |
| SHA256 | 3b4d48a0ce27e91c3bce5c105df9327736e69733033abde267b09bfb7df86616 |
| SHA512 | 8723900461015693b2f850bb4b6350e7985d7543d4dd2af5b77ea3dc634efcadfe961caa1fe0ccf85d2a1c2274628a16fd2033dc6d56fc657e866418bba12386 |
C:\Users\Admin\AppData\Local\Temp\kuEYAoYk.bat
| MD5 | 51d08f1e8109b10199dbddbee9608d48 |
| SHA1 | 95fad4cb8cfa9dae6e35cd6a4c8580d4b6adf6b4 |
| SHA256 | 545d5cbfa596b21c9c50f2258c9f82941c7ff54037003dca6bfcc99cde9f5ed3 |
| SHA512 | fd5c6af12efcc71948f0ce3c706461431aaa3b3301fb5d1628b35d7b598a034a842bcc8a7e7d051e80f208a459d789400232e200e6ba9e4ab3b3642edd066e72 |
memory/976-646-0x0000000000200000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OgIY.exe
| MD5 | 606a6af05dd25e093899e1021c055749 |
| SHA1 | 13898237571e85750a472abc967190d792cf4977 |
| SHA256 | 20427a145c2a78fe0da4c715af91a50b2691f10cb3eddce19e36d5e4e889f653 |
| SHA512 | 0b4afbdfc7d202e4d0a44847a617a3cb7c73ed919be7c40b159dfd413b0e0221672fef0ea16f9cef0a8d4bc9a93e8bb6b42dedb11de55b8544b2c0a47b3b7879 |
memory/1700-647-0x0000000000400000-0x000000000042B000-memory.dmp
memory/976-644-0x0000000000200000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eYgY.exe
| MD5 | 1fc5d320c0a5f944ec075e58d66c29a0 |
| SHA1 | 73565fd9860be11d78a5126fec555e0f29dd5926 |
| SHA256 | 66f12c66d9a6120e6b8f3dd9becd9670f257b9374e37a1efb8a5c257021b5af4 |
| SHA512 | 74a7092c74fc90eb152e017d53d30c2f82c2a4831820d67385abe679fc904e2837cfff668c7a9247b0b46113de1b59f8108fbbe5d9582439496a69cd437bf84f |
memory/2600-668-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AMwa.exe
| MD5 | 20971716ba4013b00bb4d67e224bec67 |
| SHA1 | 7bbcedcc34ad7d49fc8acca3c1b1fdb361bc82d4 |
| SHA256 | d5a3d495baeaf4e63246efe2c76a0d2e66d45983b9dd148aed73654754653c4f |
| SHA512 | 11b3a1e98f214aa64e02523f67fc7c6f3168baca3de67d709e1aac5d23ecab986f16c7933c8674f545a2ed59dcab909c2da87b9c81fe50f8458ec517f86ce027 |
C:\Users\Admin\AppData\Local\Temp\mqwoAYwM.bat
| MD5 | 40b1f368ef47d7a5f8d5a99be4e49ec6 |
| SHA1 | a88e4cdbda18cc97aeb0ea737cdbd794cf564403 |
| SHA256 | 572d420e5d97c3f629c921fe210fd65d11fb6d3af182b09c885a565dd5f35ce0 |
| SHA512 | ede1fe8db1cebc623ba8bbf199901e5d19c788aa06b7041c36ea0a22f93a1c4660c0ef86f0ce1c2f4c30400892d5798ab7cb6cc287e489a7a4aefc4d144c2331 |
C:\Users\Admin\AppData\Local\Temp\wEwW.exe
| MD5 | e6c0eb82c466961250b4cee93595d146 |
| SHA1 | 42f2d4674e5c939497391a2eedc774fd4dd1a73b |
| SHA256 | 5aff63e4c75c1dca0336c6fbc01060ac233f22f07750d11c6ddc6351507caa95 |
| SHA512 | 676d47b7d36e666cbd907189dbf9f814ea33767259007c5a7f53cb82cceecb8a4ce57baaa431db65377c14529fffe819eec1ade570d715d77d455716212b5ce3 |
memory/1700-725-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EAYi.exe
| MD5 | 9abcf765991696faed7ba6f7a485702d |
| SHA1 | 2ce9c24c771a9168334cfbffcb9f971bc99699e1 |
| SHA256 | 5e57514397b50f676a26f623c0e0f81015d881ec2806737e798b69e058b176ca |
| SHA512 | 84fe88eabcc15d9233083048539803066d6c576157dd37c1922e3aeccfd3967f2e4ee38a3f4b898ba01604e2d77af2304d865fbabd89a9c984b3123fa03563ee |
memory/2924-748-0x0000000000270000-0x000000000029B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SscG.exe
| MD5 | c68df4a1dd7c90d60e80913a388a5f37 |
| SHA1 | e101134acde19926db16ee3123214028e1e0ac39 |
| SHA256 | c1fcd3da7576cb230645112fd5dee5b45e16ee296f40961b5ab3fa5d61b0f81b |
| SHA512 | 90b119b469379df207a03f8a6daf7c7cf66c5b2478fc8b0dacdd20dd5b1bfb131868b65d9e3dbc874069c9ded284eaca116892425b21802bf42f92abd013b052 |
memory/320-749-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\koIQ.exe
| MD5 | 865e91ec8f26cdab13ab9e0cbc11d6e2 |
| SHA1 | bb9e694604fb791a0c31854034b9f1b32111f698 |
| SHA256 | d84d0ad42013b4d1a40eb3285ed3df95709084b1b0ecaf097480d30fabbf8533 |
| SHA512 | 52067925516a658fc690064efc71891cbd20ec5adccb53143cacd049a79b841cf87178f2176306173b5a3c1f209dc3bd2afec74a5a5fa7e98f7064504a7c7252 |
C:\Users\Admin\AppData\Local\Temp\OoMi.exe
| MD5 | fb69768e63a4f9cf011aa73c2ffed61b |
| SHA1 | 77584f0752f10b7f7ebab60404f7c608519e8c46 |
| SHA256 | cbeb3cb8dea0e844dd1998a59ae77e199caf7802f61b62242eecf674daa017dc |
| SHA512 | 1f798e4ac66673a2330aaa2ac86825c0a46acc97be8ec5e84affd2ab1d373a7844d1f187276ee3c068b64bdda1ee549b294b6d3451532b3b06a7bfef5ae4a826 |
C:\Users\Admin\AppData\Local\Temp\pesMwcQE.bat
| MD5 | e2ba2b30adb135f1c43290d0b4804768 |
| SHA1 | 6e92f1a43cebefee4cd64d437261552075ee5462 |
| SHA256 | 842632788bec618c92b3a01715ca0ded9932ea1002b3da80cf39558210a0d9ae |
| SHA512 | f136405f2d3b53cbe5bf3ba1b506473c89c86a68dcde8e2ca983c270827aa8cd1c76067777d435ffc4800942de27a631bc33c9be5dfd97cd96cb7310611b9d91 |
C:\Users\Admin\AppData\Local\Temp\Skok.exe
| MD5 | 39cada3d4bf7e48a67d1c706cab0a72d |
| SHA1 | 4275f1aee49b658cb72dc2e9590e3b912e40a471 |
| SHA256 | b222fdef35d7448df325cf9b7efc9aba139b190b186be6fc17246a1e5739d684 |
| SHA512 | 6087d958d2af75bf05beb76a79787f228c0efea04599cf7bbab14453c833d5f82d4b5751598464ca575a96ca6c517f892115e64e5e877a7330a7c0a13a26ffc4 |
C:\Users\Admin\AppData\Local\Temp\OoYm.exe
| MD5 | d4d468f2d5c0bf1b0bab8ed822d47f7a |
| SHA1 | 5d8122650c57087824ae25b8f5b8ecf205ffd270 |
| SHA256 | 6dd4506efc8e0c38cba3c4503bbb31782f65f8b5132aadf8e823b446715237f8 |
| SHA512 | cabf420a9594b09df7f3fcf4f4e53b263deb6d9ef9c9318b792e9a810d6b9f3343efb8daca18e3349edd098b57b6d951514b6fefd815aebd07b426439a898b0f |
memory/320-810-0x0000000000400000-0x000000000042B000-memory.dmp
memory/368-813-0x0000000000120000-0x000000000014B000-memory.dmp
memory/368-812-0x0000000000120000-0x000000000014B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iEEi.exe
| MD5 | ec755bf8b533b15a317fc5cefaf827b0 |
| SHA1 | 822628f8b307812c9c9d178df8f295952ba33c54 |
| SHA256 | bb5b198bf41a792d309f8b43ed2408b20df8155527e4145806a846d9df756986 |
| SHA512 | d9fc56ffd23763ff9dcd9daeca3030d67336f8913e0c7f881bee348ab5fbba3a4c2231d1c0021a8fe483e15f5c67d8d43a7886aaf6f8956868711e0ffbf62b1d |
C:\Users\Admin\AppData\Local\Temp\IQAE.exe
| MD5 | ca7c9fc83da859e9f4d35cbf53c0eaef |
| SHA1 | 48496e6f09a0a9adb0f3888e2bc5e5f89cf06fa4 |
| SHA256 | 04453e515dcf9e3495d5ec7f2630cf57b36fd4f4353ff5b5b85daf87614d0d5c |
| SHA512 | 49ec2411caa33171f446d7f356150385a0e155413a43b7499d8db106184b777cedd187c8dd6d7ecb7c4b8cc1c77e8d160c8ba324b60d6dc9e13b735820829382 |
C:\Users\Admin\AppData\Local\Temp\coUI.exe
| MD5 | 441aa9e9a80615e4f6e677e383684336 |
| SHA1 | a111960a02e6e92a6bc3975a751d0e34d78581cd |
| SHA256 | 2ffac34118ffe4f7edb6f22a0a13362f030d1cfe4506386358c6f62c7f8a9788 |
| SHA512 | 406c7addf86c7ede7489b335c4249af77ed7975c084fb33d89b8f091d1e85968aac55dfcba4a56150f8568873bdc6a3080d692c3daa6065eaf64fa51a6441744 |
C:\Users\Admin\AppData\Local\Temp\IIAy.exe
| MD5 | c251a39c8cdb984a3104805c8177503d |
| SHA1 | 40150c6eff5d407d9991eadddf364dbbb7ed8e69 |
| SHA256 | 3897fb5402f066c61cf1f640c7fa123b808ed543911c4393e1157ba097e55c3b |
| SHA512 | ee357be69f1174bfd7419cd2703b51fc0b51e647fcb3d92f404c3b35fade4dc833f290239511e146a714e1bdc5e65377dc7d1834f41852774577bb15f9fecc6c |
C:\Users\Admin\AppData\Local\Temp\VEEUMwUg.bat
| MD5 | 99b9579a8c98994ab7d1954675f4bf2b |
| SHA1 | 8ba75fd8e98d70722990f57ad925bc9ecb379766 |
| SHA256 | 8da5b0edcb3c13fd606c91a2c1ea8870a154d77b4f9ad6716b186f9ea89820de |
| SHA512 | 123fc2083cf033af68b32ece61e1d4db6cb4f681daf54f622aeb92021b9a3c6a29f1abf7844c3a96416990b26dd441c26477ca5eacbed84e4a4315da5318ccb2 |
C:\Users\Admin\AppData\Local\Temp\SoUU.exe
| MD5 | 0021ded07c59bdb3ec03399fe58a5d3b |
| SHA1 | 754b3d2e35d78c50ab111989e9f29827333e6ad4 |
| SHA256 | 90062eaa0e0a04e524eff3227f2482fee50f34a1397db1f1b35144f58a9aa9be |
| SHA512 | 65690ef2dde81864e4ac819db1690e0a74dd4c0c2992b574d23ea822b3e7a01b8cdcc6f8df96a6c3d48cbe6dea27a411fb4135a21c4ee510f6e90a2b3c517aec |
memory/3028-908-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yIgM.exe
| MD5 | 7cd11224309effac4fdbc8b8358aa7e2 |
| SHA1 | 74aeb067b9dc45a81bdf41fa5bbd4dd22f7aa5e8 |
| SHA256 | e6ca4300cd454eaf00e40c659ff847d009b08352582e349a5fbfe2b611a5d0bb |
| SHA512 | c6146d9b00e4fe8b0d590afac4a45bac30ce5efbd7e4251dff31938e6cbc7f985b03b211482a72338c0b094329ca458753c44ebe478ed195c969f1664368ae43 |
C:\Users\Admin\AppData\Local\Temp\wwAU.exe
| MD5 | 8134e2ddc3b1d59dfc79aba2d998e5aa |
| SHA1 | bd21eb0debd2035ec62a615f11606e7baadef85f |
| SHA256 | 2bc49aea949e0b629c67497d32a9063efe68b0aa0e50de63eb88d46fd7e78d5c |
| SHA512 | cf37f8d9a8937ead34391dbcafeaa25c78ec124b2ac7459aef944f9de0375009f1f15f8f977049c66a461abe0457008e4b2189d2174c7d73c0a73b1bd9d43d33 |
C:\Users\Admin\AppData\Local\Temp\YIIm.exe
| MD5 | ea8a78781f4e4b3f007975cd30528394 |
| SHA1 | d50673f294539542c3016f75fc57a3ce1ef96313 |
| SHA256 | 7fb2b87db93745556d60d4c24e09b4b20436666cc664f84506e94d5ecbccd941 |
| SHA512 | 8bbd5ace143055f757c812286d5d474a2a77ee0df2fe95d5594b6c08eb1aa4817bb917e8f7cf0ea2d3522630104371e0c436097bc818c2dbf512bc27c5281a90 |
C:\Users\Admin\AppData\Local\Temp\swUY.exe
| MD5 | 307c3503da2217a8eea51391d59c3af3 |
| SHA1 | 940aa4e361c30c7421767b904d66360deb2acc60 |
| SHA256 | 9ef054fede26ff9595ede89d95c0e4a6ce83010120a802571bbfb68b05b515ab |
| SHA512 | cf799e8dc19c0f0ddd306ad0afbce42c466e3707df8eabac1f8b02e1f6fb5921628ff823c7cbef3e3239d3517d221f5550714b693e7d3bad22e2140d072e3f3d |
C:\Users\Admin\AppData\Local\Temp\IwUw.exe
| MD5 | 8ae5f6e678da747fdd18598714e4abcd |
| SHA1 | 65ca2ec538d4e19f3ce03301737ec5c4bb93c24c |
| SHA256 | fa6d77651bb20f2a7d014577c9324329a2f5095925a407be62067cfab1b4892e |
| SHA512 | b21573f343d981497b0bf53c90936d23c44401a3d1a4fd467ec1daeed2438aee71e2ebac496d1614f66981c50eb02bf88b917514b2fdb0be9042a078895933bd |
C:\Users\Admin\AppData\Local\Temp\EEIy.exe
| MD5 | db483a3a467373e8ea72a9b0a7fcd34f |
| SHA1 | d97b7aa280308c41b0a92fefe5af5bbd6c406eac |
| SHA256 | 88dd2a0514540cd97279326a683a5b5f0164d0b15a871c75b5a44782199d5b35 |
| SHA512 | 442b6b60fd4ba662813efe68fd5c03e5cc797410cef1be1adcf922877e510b32ae257055e8563382032aa2c682733667a49f9d769cf525b6bfb30e665a0dd444 |
C:\Users\Admin\AppData\Local\Temp\SgUG.exe
| MD5 | 6199ce12141f5551948b1b93f471bb2e |
| SHA1 | 730ffe123911117ac7fb5b31e36e341ec1dca5a8 |
| SHA256 | f94ad09c20f9500676b5e018617eea04ae6854c0858ccdffb7c7e750809b89ab |
| SHA512 | 6659bf6ebe85d7533a3b5971164992a4a7c9d57a91d229ca9a0d3919186f8dfe32a2302bec16841fde9599dc02146b43c7c1fd19ae70f049ca928f0cdc831953 |
C:\Users\Admin\AppData\Local\Temp\CkwY.exe
| MD5 | 36828b36aac89394307860f43c757b22 |
| SHA1 | a35edfea55c828116ed992449747f0541243aed6 |
| SHA256 | a6a3cd29b2a7193daf12e61d42a26dab3d5a08a1a6d3f283a1ce9378466e2326 |
| SHA512 | 4180e129eba114bb80b402cab56ef2421ceb38d86f64883df9aa1efe5eba69f16c3558a10f427b4ce6aff8a05e5e27d2245a25363ea8907be0c338e0663a469a |
C:\Users\Admin\AppData\Local\Temp\eMgc.exe
| MD5 | 6c99aa432b91fbae9e142bc4ab5c4c30 |
| SHA1 | c908aba88e0640e3dd1056e0c6f2ab4e8b2664b9 |
| SHA256 | 1d47d5a1d6d7b27303fd20e7d01589c58981a4a32501d9293f3ead05ceb69554 |
| SHA512 | b9da9ce3483b4273ece84b737eefe7071b0bb134fe233539bdffef95876c5181edbf161c05e4812ecf521a72979cce382183aa26d6c1254b1341bf194b385151 |
C:\Users\Admin\AppData\Local\Temp\aswA.exe
| MD5 | 4682c09e988ea5bfadea64113964815a |
| SHA1 | 211c66235ad745e8e48ce626275f1a001bda05fc |
| SHA256 | bff37dafb621382431422da8aee9975a1190a127dc90d3eb4dce5cadb6ed7bbd |
| SHA512 | 022bedf85b56af05f5a6a581e5ed616971140a68c2bf1f4ff0026066f06eff5a6bd20675153b271aa8996f6f8d8ede40231e7b3213cd5c7e2ae9744358713c48 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.exe
| MD5 | 2da577d2013ba3dec1e94e139e09c0cb |
| SHA1 | 9947cdd191c3dce7cda079bb440c4e0ba156898a |
| SHA256 | 30366fb1a7ee7bce69a445c3cd8bceb5c963e114ca89de63f95c85754cc92e75 |
| SHA512 | 228e84f59a237864495bb8535116ecb3ad5408ab3264b9126ce40d8ab466b23cf04da5d9e725e2f2a92c556c095d4c079de8e389ec917e009600fd711b703e48 |
C:\Users\Admin\AppData\Local\Temp\ooMG.exe
| MD5 | a307fc30a7dd55c8e4aaca172adedc4f |
| SHA1 | 57671f33755c9e28074ef29f491dff7453147e77 |
| SHA256 | 9d0ed86ff98b5923219b00077b0447a8cbf74630ce7f33c726dd13adfdddb8f5 |
| SHA512 | 11aeb6877cccee92bcd7702f6fb3aefba6fe0763fd90a049d723f9386ad9ecd78978f356043d19ddb1d97f0edbf652b98e46eb26d6d60ae5625d03a1ac325d0f |
C:\Users\Admin\AppData\Local\Temp\Owoq.exe
| MD5 | a1061fd7d9305600d0d4f0e485fb14e5 |
| SHA1 | 8085bdd69c7fdb6900b6da552c4bd64262400c05 |
| SHA256 | d6db3c9f7735e2c15c1bfc54827205040516d509a763d11034c9fecb6967ce32 |
| SHA512 | 124249ac3e5aaee0d57ca10926b372cffed5db336d1cbcc8670377b536da2b6848e092e3f2bf0e0de91938e3539dd2a5b4983ce64804f2e1424f15ec3c9a1a57 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | e2e43dfe585651d34667c1736c43b0b8 |
| SHA1 | b61044e26db1a9075d911fc78d6858f4b0e3bfab |
| SHA256 | dc3c8c72d695b5ecdf3deb19dea3d5bace912a2ca02f5246e5b4ffca5949c6da |
| SHA512 | ecd1fdb0f53e1571d84a2417a9f961b7af63eedafad3d065f2f017c6e324d011e2d1b2e534324992648ff090aba35842b33a6b1fb80748fe7d06f2068ea87add |
C:\Users\Admin\AppData\Local\Temp\YsUW.exe
| MD5 | 235a3f41af697f113c76f62ba1f3eefb |
| SHA1 | 226451ca00fdf58db4cb4ccc8ff9a3bb121ecfd2 |
| SHA256 | 2f150a34b3492f96215a8c81d4e91e8ed61c3988848bc73e1948e31ec0b289c2 |
| SHA512 | c11d8b975bb1f98e471cadf9a686126775bb047b5877fb3ed73d785bd21ec50f562ed4c392f52b9a6b5fc06e5d6691a810dbc9ac5d55943cc348310e2f80689d |
C:\Users\Admin\AppData\Local\Temp\Wcca.exe
| MD5 | e654e5db7851378dec746a40a566efcf |
| SHA1 | bf11482200da818db6f7f0b537abc7a7cc0d314d |
| SHA256 | 79b52b67679647e577e1970c465a8d15ca92e54d7cf7b15a3b9ef4e99ebe1dba |
| SHA512 | df22bde42b64f11602074dfd4f22d2c6e7c8a33e0ed541ce7a0b18b229294e7e63053daac900e8e64a528b97823825a50b827c7076bc84ec310d944e0e941d3a |
C:\Users\Admin\AppData\Local\Temp\yEkS.exe
| MD5 | 3bbc3e230918e561adb42b528dac9a6d |
| SHA1 | 11c825b7f486ab4f8f74c9c1e9b48b54f2dd3fcb |
| SHA256 | 1289580b784897fc434e85ba3c160c604531a67f0d43df35b4610f842df9cfd5 |
| SHA512 | 83bc5dfa8350817b65c3b62edd9b3b6c27c46f0358f8a0957b4c6962534cc73839d42ccd247ead75a309491b0ad3d473fec3c41696621879306765f7fbe4771d |
C:\Users\Admin\AppData\Local\Temp\yMsi.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\yYgo.exe
| MD5 | d8862ccb80b6d3153c5015a11a62f832 |
| SHA1 | e5e623154a15b16b425c63a5ede059cca6eee7b4 |
| SHA256 | c5de9c210979ee7ebb2932a8d105fe0446222a7a7a486b1056fd16e5f21f6881 |
| SHA512 | bf09a05d16ee88a458d7dcc1c5a4faf88b08bf36ba8bd4784d7c7ad9a9e76c8522a3c024741413f397c4cd7c7b9fe8e3cdb80cd7aa5fed141e9783bf52e0f524 |
C:\Users\Admin\AppData\Local\Temp\ewUG.exe
| MD5 | a6b04870a56d1989f7d93ea3f76efc63 |
| SHA1 | 0c50ee2dc8e9a9a0e2e91c329b4a69ffc084313d |
| SHA256 | 37ee6dde712abdcf4825fd11a0d841777b57be684b2befb6b57b46128bcfaa70 |
| SHA512 | 31040260d2df9ec8698a7ca87d465224d375c65e539dfb7447b6dcb8842cdedda30c64f38ed3379e9f14822435d2b8d01fab3c771ff18456c2572f4d11d30a33 |
C:\Users\Admin\AppData\Local\Temp\skUA.exe
| MD5 | 127dd53fabc633304ce9f7c5a94d17bc |
| SHA1 | 0bcc25a45db5d0815dd8779661b84748e1fa2b44 |
| SHA256 | ce9fe7062e41fb697f90d0d3cb5a24fe35c7b65dbf4c25327e96b24e2bc4d809 |
| SHA512 | b430f97d12ae6ada70e3fe659d22d72ca58f8cd25d87364a6db49ccf9a8e8f5a531f597e18a37a3833ee18a36e578748a1e5f6d5adc67e30cb36597a827cdbf2 |
C:\Users\Admin\AppData\Local\Temp\yoMe.exe
| MD5 | cfe6d29fbba6355be89eed31e86e9f9d |
| SHA1 | 830054209dac8bd03e29d22e19eafcc14172f571 |
| SHA256 | f9af7798a47be8978cee5aef3786ce6456c246008a3813b8a582cc9b869f7b37 |
| SHA512 | 883a75fe5961c4570efd37665395c3e3cb4031934a307555246858ce27f124ec0632c569365ac4d49056b8b9513193f17857879bcb76c617d716af8ed02e1e2b |
C:\Users\Admin\AppData\Local\Temp\GIMU.exe
| MD5 | 375db3faff9e8917bfd34d5f28b14a10 |
| SHA1 | 92cb4463292ef5c72af50dac458074e86d259c17 |
| SHA256 | 84b2fa3aae0d6440d85871c2d292922177ae79e500ab7c7c3e4b939bd238b4c5 |
| SHA512 | 28c210018cd45daf996604ec6641df2a4a09de7562a4f48c43476b87242048650b54c5443a8bb75a9f119002c217f72276102dd3361b04ce989f9e15e692755b |
C:\Users\Admin\AppData\Local\Temp\gEEY.exe
| MD5 | c6bf7feff813fe1cba56ea67af9d4cdc |
| SHA1 | 605d75669e73328c5582abbbe5e3393fbf00ad8d |
| SHA256 | d572fe81b1a03f2ef5b659ecfe5c87d89d59f0c32b5ab31c018c594699b5a1c8 |
| SHA512 | 09c79261257b9f17fc8bbf93035b18c31e487b0155da8d2bbb3f17ab0d0b70687457fecbf7a40a81bc99f1a360239f9d7cd1a0f191486905d9ddfb204a9d13c8 |
C:\Users\Admin\AppData\Local\Temp\EMQa.exe
| MD5 | 4bc18ee1deee6818e381920cb761aa39 |
| SHA1 | 6efcd502c7728af105124fdb122884703377dc97 |
| SHA256 | 80e87164c4bd73b85e65bd90c571db46d1d343894dd3e73d9f647861c92ed46b |
| SHA512 | 35931560b2b2c5ef6aa4b87342775f66963317567c67b5bc5f49e0b24e4fd0ec9b7aa7128c23f0438b8ad48359a552ccd276ce23b9541f50cbfa9f42e898b65a |
C:\Users\Admin\AppData\Local\Temp\acMa.exe
| MD5 | eed9a325477dcb1c0b3daede316ac722 |
| SHA1 | 4eaef0e1eedd912d61bcc7c4be0cbfc88414c042 |
| SHA256 | 309acadee92bebacaa6ad0ab8def7886e9e750bde22add2af64afcce7133f301 |
| SHA512 | e7a684264908bcd5539b5e80f35d2cef34dded2434b67a7ea1801cb471fb44b9016d9395392c8cce47e2e56783c66427b38b926088bfeded73fa372880bc3370 |
C:\Users\Admin\AppData\Local\Temp\KIAa.exe
| MD5 | 606d068c647b7666f339735c36ac3647 |
| SHA1 | 368df43416401ff44e74fe2996f0eb07adec37e8 |
| SHA256 | 2592201b8f07e50287ae42443db3d5ac72f00a600ce85382d31ee414b28c4414 |
| SHA512 | bc5b81ea83d083ed93025e43e4807d3c7fbeb425f231cb5aeececc451ea7399574657b1a75bd9217d6bc79f1ceb1f9df4472fe05d3a69a0ffd97a347adba7bd1 |
C:\Users\Admin\AppData\Local\Temp\WkkC.exe
| MD5 | 58e2d1904e042640a388fa6cfaf77d3f |
| SHA1 | 2227999a9ea3f9fc1f865ad4f91ce8385efbc2ae |
| SHA256 | 5c2dd11c82736e546db45cc4bac60725f9eee30df7a01269083368e07cb93c6e |
| SHA512 | d3e183e8be9b0766ed2064661c14271071e421feaa48d8b308fcccde07432743498b082d1d5978d17bfa1556a030f1ec244317f7209210d26786b47e79d6e90d |
C:\Users\Admin\AppData\Local\Temp\EcUA.ico
| MD5 | 5647ff3b5b2783a651f5b591c0405149 |
| SHA1 | 4af7969d82a8e97cf4e358fa791730892efe952b |
| SHA256 | 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db |
| SHA512 | cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a |
C:\Users\Admin\AppData\Local\Temp\owEK.exe
| MD5 | b10bed91acc476ef1069cb4ec6504047 |
| SHA1 | b4f4a94015760912b3df44058e647726333b522b |
| SHA256 | f03dd1c928f5a01d2ee3eb25afbd8cf508d33ca0ad793cc407608504edb76d9c |
| SHA512 | 72d9f0a5c8944728d44f3cbcb0410167d12087fd627addd4ab9739e63597e4bc0775ed3fb8773d6d295ced7b8c7504fc7f0b25b77b3ae72365464c8db1d67ccf |
C:\Users\Admin\Downloads\PopDebug.xls.exe
| MD5 | ac27c286b868797ce6d261f08a0259b4 |
| SHA1 | 7c66ff2cf319c583106180140140583ab6a0a974 |
| SHA256 | a612ef0c30432c2e3494f4556b29d91a2370190029a53653a9bfcac27063569c |
| SHA512 | 3e9c25162eb691a43d3bc8af2e5ec988da9b7a40e2bb2af4ab98da474bd9310c4a4c4ac5cc2792ea4b7271dbc480478b0ac148fce9f2ff5d5c90401902d16702 |
C:\Users\Admin\AppData\Local\Temp\sIoC.exe
| MD5 | 4538865471f2b8dff6b6a7832d398e4a |
| SHA1 | 8b1a2d7604b869deba79bb766151a0662f2a0289 |
| SHA256 | e5ac205a5566f0e44c86fc47b3ab918c3d6b5ea5901a25ea7b2e8bb3a000d279 |
| SHA512 | 17b966ae16103397de9ad43b2d43fee103f25c73afdfc0cd5a01e0b0ded77a89aad64841c528a858bada8755edb6a869ab1cb7e5717ca083f87b4e61b980c710 |
C:\Users\Admin\Downloads\ResumeOpen.zip.exe
| MD5 | dfa11426e39c4024b953cb63ec4f54dc |
| SHA1 | 05cbee9121bd01a81685666e33853018d901c0bb |
| SHA256 | 0f6f9c5e3444184b29a12fa80cdd7aa0640754d7e0d9e418744239db40f50ccc |
| SHA512 | 06d8cd63f7a5686d3627e49d3cee4193fb03f0fe7baadc382b79b3b97f8d8bbb2ec42a7f0c41a564b9715acfe00ad293ca181c702d35d0135af607ac70bc0c4a |
C:\Users\Admin\AppData\Local\Temp\YoIG.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\MogE.exe
| MD5 | a6a88df556c633523f102ca58467f4e7 |
| SHA1 | 5d9689350a214ed2776ee47161865298187c7d03 |
| SHA256 | 20cd6a46a8c789f0644b8ba36dd7a74025c06c5a7e9ce4e1985b35983f0b51d3 |
| SHA512 | 77cb778dfd2d7cb083538daa2d937211d4af9f5252af5fc69640fbbc99f8379d4cfbfdb7a5a8e23d3fa94a347d2b04fec0ac2e83ecdbc8904b629a41d5fac482 |
C:\Users\Admin\AppData\Local\Temp\ukEE.exe
| MD5 | 57ba0673fddd97c7f6b2f5c342d5da4f |
| SHA1 | 2228dce4de7ec7c26f840c6ffbec8236e25a3505 |
| SHA256 | 7d77099c17cf8c86a38d99b490cdf7b89901c46d3fe2e653f51063d136195bef |
| SHA512 | 794a91882c257652b20084330b5723618308e53775338d7e983783f41559c71e6e96b9d90b54ee1b4285a968f95f4a9b50c2470b1e7b3de69a39ad7905ce8abc |
C:\Users\Admin\AppData\Local\Temp\WIYs.exe
| MD5 | b8dcc868794319ce52546f23d67f7d7a |
| SHA1 | c17f63365d00042ad958d2d4ab726d65d8c6f717 |
| SHA256 | 93d8598b544079697397c6d14bb5ad8a3e7c67701976a8e86ed081da90b7fcbd |
| SHA512 | 8160230e0c2eb066d06cf9a162401b2085e56856713c79767e8fe210f085bfc60b0d4513c05c5cf4be88a10683fee1702501f6f21d72690dd0a623fc27164010 |
C:\Users\Admin\AppData\Local\Temp\kUUQ.exe
| MD5 | 35c6f513dfe4f400e9194e84d4cd44b7 |
| SHA1 | 0bb81d406bf692c5ece180b6e388277e8e5b9ce2 |
| SHA256 | a2c6e34b64274abe281f78c68047e732b318914f050a1e1b7fa7f5edb2a83320 |
| SHA512 | ba347b238f607d26af4b26ef05f19592390423578387e2f2f39615588aa2533cadb4d79660c7fd022741b7ee8d43ebab287418ddfec6f3aef52ffa802ea0b2cb |
C:\Users\Admin\AppData\Local\Temp\Gswm.exe
| MD5 | 3d031d5e58e7461693279cfaa7757f23 |
| SHA1 | 0e4c5b04e917cb6ee0ecb88fb79d86a6cab12069 |
| SHA256 | e4c0b27e58de7ff7bc21643be050db423bb03b4dd5cb3b517340cdfcdd4bbb7b |
| SHA512 | e3190fc1f67cb9621d64f4fec2cb56fc55c2a40de9a201e823090a6e6745bc1dbafc6e70a4bc3e4196f6ba2a995b422fe7906e50596bcc0a02eadffa4a57eacf |
C:\Users\Admin\AppData\Local\Temp\Ukwa.exe
| MD5 | ededcae04a740c9419daf462e63a6d11 |
| SHA1 | 0e176f3fe84b7963927ff676923c61d9c04d7931 |
| SHA256 | e485a6ee7f9b622cca457ce2f47b99fedc9e1086a1af2059db3ea38f295f3eb3 |
| SHA512 | ed6ac7209b78dc2f5df5d9a4ff987c046e871c0caf52abb986324cdc1a3aad38668898f74ffae163368cb17401240e0eacabc83f15f6bc7a8e95f6ada53e1dd6 |
C:\Users\Admin\AppData\Local\Temp\EEIk.exe
| MD5 | bae89992a63f7ce8e051f3a56e124335 |
| SHA1 | b9778412971c350cdaf43c83bdd663fab2fc22b8 |
| SHA256 | 6de092a1e2af614f7ce346c0ae5b3d699d60b7251efa7578b2f125453464aff2 |
| SHA512 | 30c3789f9f49890c07ce91ae41c3be02597ca26a224c0d13db2a767e19e99201920722014516aa2b06e2bf9e88942c8b92e7839355617f2982dae540bab78806 |
C:\Users\Admin\AppData\Local\Temp\IYgk.exe
| MD5 | f26c1ef9f21a8c76e6c86013b787eed9 |
| SHA1 | 8eaebc93465f8425347b92f392b02875dfbcf222 |
| SHA256 | 4ad1173019b5154797f45fd6f8c06464189b3436cdbfe82cead09a234305e709 |
| SHA512 | e66d3f391c7d471b11f8af25d123100c15d15cd86919ebc442a603e024dee2439ca00df517f2c9e16486fb1cfa15ae014e6a9e449c872da0b667d3faf9ac281a |
C:\Users\Admin\AppData\Local\Temp\IQgc.exe
| MD5 | 839c1fe9f3148275c91e4159658bf396 |
| SHA1 | 75696af6dda61abd4494b4b805c683cac111b96d |
| SHA256 | 0b2ed0d912ed38dc3589d8b3a48710fd5d7e42af5ed5766b99959008c3e5e639 |
| SHA512 | 79d7fa1e4ab0c91d64ab91499bb1e704a2d064abf8132573261c4b062e2b88287d1bbcada230a60e234658d2b7cd9f5033ee128ce26cd55b8bd982acca04ff70 |
C:\Users\Admin\AppData\Local\Temp\KkUw.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\qMsY.exe
| MD5 | 094b38bdf87a6845642d27dd7b48f0b4 |
| SHA1 | 984c8cae0d9c5e22a155614ac06d3703f4e52b89 |
| SHA256 | b948fdd44979b81f9159fc98338487ae8b381683f7ff6483828f93132155d00d |
| SHA512 | 0f18f10ef17276e9af29091de2538079393433b4195e64865a825cbef938b5a9a46f89855ff2cc4a69de5a8fe0097edd9f18d1a78d888c375a479d14f6b26e67 |
C:\Users\Admin\AppData\Local\Temp\kgUe.exe
| MD5 | e1356b01ec85650bf3b4f92af63537f0 |
| SHA1 | 4c679cffaec95bb2cfae7c0b22d7c59f0ddd8140 |
| SHA256 | 4832a56eeae353126ba12d8590386b7e51ba8cd53f912d0b4078649bd9924d9f |
| SHA512 | ad1a19b3250b5544d5a595b72047ba51cc71f140129eec771f1988b11088950aa595bd23f38f58040ed36e5ab3369ad92ab036bb293208465b2b5d05d57932a8 |
C:\Users\Admin\AppData\Local\Temp\sQkK.exe
| MD5 | e091f49315356f54e7d8b3304b9a415d |
| SHA1 | ba5a5932df0837009bd818fd6ea52abcf4fea0d1 |
| SHA256 | 72e0d68990617cc9949594f7b2d96ea1b2a2d05cf9f32a4a166d9a02bd30e79f |
| SHA512 | e553e2fa6326c62e05b5d0db95f91ac911d76d01b18335248f438ddb31299fcbe0e9d03040db51e6bc059a56862edcf848e6bffc3e71abef1a6908eefe3d8ed8 |
C:\Users\Admin\AppData\Local\Temp\iMIg.exe
| MD5 | 5a969738f2357f981a4af26157f2d96f |
| SHA1 | f153f98baacb444a29ba3cbca3c7f85569a6e406 |
| SHA256 | 25de1e1f7381bfa1b790653158feb7ca98df6a36b411bc39f05b4a8032756b70 |
| SHA512 | 5fab9767135cf903e57062bda06985edd70b623dedd7b51d6660dcb995d0ed0bec36ff905c4e7702cb5d9fd723243a9f63469adfe922e0136462549cb375129f |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 4b510ec482a82303ac47fa2c334235c0 |
| SHA1 | 14810ebc9278806df042f511c1bb33d50ad2924e |
| SHA256 | 443da4d0e9c41f5f74ec581412ca1f61bead7197122612e4f0cceb985b5f574f |
| SHA512 | bed8eefb4657dc7c0bfc2e57799a0c4fc556980f4dc2b77bb1d5a94a664746a22e7462793dec1f2ab2dbb5c23b1368f75862cb67900438b138b75445f7bbb6a9 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 49edb3678d663356000e27705c65fcbb |
| SHA1 | 79a41f7729afb1671fabba942a1ab334024b7315 |
| SHA256 | 01ff6fa4e239ff59c92ec3e04d4c325e8b160315718d7c0a50a567fd5b70de4b |
| SHA512 | 4f89eaf0d1f306ad68c918919fba46991e76b2b540f873da53c19f00f15747e2e0cdee7dc470d8ba6c04b3774f11e0258925f51ef13e2e1eca08192e18788cad |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 4270f0505bc8acd0b83e77ad8edd05ef |
| SHA1 | 31bdfb917977374117b2ba35d43c0577829e4485 |
| SHA256 | e41e4f97175686013d0a8e2ecc22cbb37383090b0dbf1e0a18e2e4871b89b195 |
| SHA512 | 5c8c11ebd8a79774c68e4dafc009aadd078489ae8bd482ade4c46f3975514567dadb4f820ab9907d159f6310280cbf6529e0df1c7db5942366175f9e8dd5be39 |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 6ab5c688bec519dd8805b037011039c0 |
| SHA1 | d4bcb7b0d47e5b164adf30b7b4cf5745bf1907d1 |
| SHA256 | d85e391d12c5caf677f14ac68638a7db15164ea297483fc15afffa9b14e186d7 |
| SHA512 | 80021014980b1790950df296742f8914746e606f047fe3cb40ee080a01c2ed1719d8d61da07ebfff8929e6ffb5c6616335bc142875fd1f3dd31f36429c8834e4 |
C:\Users\Admin\AppData\Local\Temp\KEEy.exe
| MD5 | 3f10e35c7fb24d06a41909d8437a3afe |
| SHA1 | 97ad8c39cfd763474d38d8b38e6c07a55731aa5b |
| SHA256 | d38532beb097a67697189f6c341bc2f6fe46f9d91ee8313c0c12bf8b6d257fba |
| SHA512 | 9a64ff63621e394b8febd79ff6183b496a38c0f4119ef932914e92d0aef91010314bab5f421b8fdab10a71242750a8d5ad9fae134b153933368fa7261429eacc |
C:\Users\Admin\AppData\Local\Temp\kUMA.exe
| MD5 | 77723ca732aa0a23f6198535644f017c |
| SHA1 | 0af37c11cb6860720ca3f8910530c08601801a49 |
| SHA256 | 0ad37c6a3089034670d3ab7092eec3f240b2371d0174e2190cca4c05ae4465c7 |
| SHA512 | 80a2b898b8f9fc7de354d64f42dfc6e6636e2306956932b0736568f00d8bfa62ff1d125bfd6198ffae470e180780a2b620c65c479b7b46fb6cceda3d3c79e106 |
C:\Users\Admin\AppData\Local\Temp\isQw.exe
| MD5 | e52cb446ba042c2b394525ef6f8d668c |
| SHA1 | 35099b2d4a7e0eb6088accd1238e5d73521f0118 |
| SHA256 | a7d458433a13662979cbf396534159f19e3d88537ff50db87f091dd0ad600357 |
| SHA512 | 3701989d2fdb4007c5049f73ea0529c6e3ce543b9b139644eee86615022445cb08d19cb7e15d124e2693e0b06ad84f4f175f59e3d7d12e7227972e9a42251fae |
C:\Users\Admin\AppData\Local\Temp\UAso.exe
| MD5 | 6f14bd36a80f8a5243ad42c56afa3cd6 |
| SHA1 | 4cedacce6597ca62da4429c798008e6210e37c90 |
| SHA256 | dc7ebe6798cd2569aa9cec95256a207eecf674629a984b2fbcd2f7742de8ab27 |
| SHA512 | fe9ab41a12d6b35d3c7e8260014e931417af67345c996b9a07c2cc4c558bd8cb059a68147f70a1db5cc1458f64e34ad61616dca53a7b5e46c548efb80476591f |
C:\Users\Admin\AppData\Local\Temp\ioMq.exe
| MD5 | 70cc80718c32f251613c120da34fb2ee |
| SHA1 | 07f519f3c953a6cb268ea6a6c25b27474f66fa0b |
| SHA256 | e938783bcc8180312fa50368c56ef5ff73658f25aaaba28f898fe3c7688fa847 |
| SHA512 | af7d9c20df5f5ec0131198b9e9305436445e5e795af6326872b9722268da732618b25888bffc92ad16df7117c6fb2b7b14c79ed1485f67463b29487a891e5a5c |
C:\Users\Admin\AppData\Local\Temp\gMIC.exe
| MD5 | 6b8657d893a48dbdd5c98fc14341d148 |
| SHA1 | 166117e45a32804458357ed42536c7a79c81db30 |
| SHA256 | 2ebed77b1ced800da340c6336fc05ca2bb28a847ac0043c0919bfbf9e8ea3eb1 |
| SHA512 | 508d100e004370c8211e62c8390581ad9b363e56dddddabe27c6bd4411d20382d62e1e5b4d6b57147527863c255ee9e6a1d29160e559212d4a92f7ec09ebd38a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe
| MD5 | d68144bdba42ad81504baf5aa337be7d |
| SHA1 | 6e1a4cf31da27a6e74890bf62546a9507cf20d25 |
| SHA256 | 317d44ebb359c65873e8cffa8320fca28b8eb85d7d7042db3972772a76da1f0b |
| SHA512 | 94295c7e61bd6ec4cca7d16773149a2d8dfc37be76c44737cc650e52ebb5c733ed55957c61f932b10865a60c6de12ef8b1cde14f5a946917c0deab909246496c |
C:\Users\Admin\AppData\Local\Temp\AYIk.exe
| MD5 | 755274f65bef2dbb2a2708eed3db65a8 |
| SHA1 | a4527e9b956ee6337157d43c3ff0ab5630611b2f |
| SHA256 | 1ef85272a5e8f00a7157c845a578c1fe541f3ba646ce3ada2d8e7835ac486079 |
| SHA512 | a8fec41a54fb687945cc7fe4c43ab065480401473a1e6f752682d27a026d633697e77ccf9eb36b6e033164159058c075d74391cb122b2be3c610a08c2620a28d |
C:\Users\Admin\AppData\Local\Temp\UoMA.exe
| MD5 | f214d082a2b9b49ae85d623b8e18558b |
| SHA1 | bf9c8dd65d6875de98e8b3b0f73c8391f0d45933 |
| SHA256 | 0c3f3bab99f61e5e89a846e99b4e29b59fc83df87ba4f71996dc0a7e5ad85356 |
| SHA512 | 0a39680a11975ab5fe58c14849284455e8d93d7dcd3758ca798609843aabfb90fe139c19c430cf5ae2453d9839325740b0e89e890ad38fbca2743b0a26f716bc |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe
| MD5 | 6c83da6353c9ae481865259299f9c1d0 |
| SHA1 | b08d814b9d800c8261f5d34afa5870b857b61cf1 |
| SHA256 | 0e03c374c04b69e10550c6c10726dd8432a2b9653be989871ebbd01ad5dc90b9 |
| SHA512 | caa9bd4a6ab81e8961fcf3f101f45ab98e1428aab2dae436db72006f32db10e8b43cf75814f3534f194ecbc3bbbd244584335831421eedeee8cd980069a2161a |
C:\Users\Admin\AppData\Local\Temp\QwsK.exe
| MD5 | 398991c2bf1434c2aea7a302e853e75a |
| SHA1 | a7806da04b325c8f2b3c29cbd00589675d4d81b2 |
| SHA256 | 5ce3baae323865551eef13702a3fdade97a396314465bf24b5bfd2986d500f27 |
| SHA512 | 3dd465ed2b76f43d0f44d69ea448c61c2bdd685a5b84b70a60b9590c5939b9a8e685a47befcfc8dba5e40741006b907e76fabdaa640e8984ec1217150711bcb5 |
C:\Users\Admin\AppData\Local\Temp\SwsI.exe
| MD5 | 24002862736ebe3398e1795badef7dc8 |
| SHA1 | 7cbf1e5bcda268f28a5a20448d91f5e1204332f7 |
| SHA256 | 08cfa06416ea86644bd4d5ad103c4aff6b6aa91f06e581035f6a1503fa8fb42b |
| SHA512 | fbbe943b4b675defff8b2f2278b55db9a2f5530c65cd946359875d9261cd688aa9e41514a7b70aee6aa5681750eeacf002285f1f2fbd656fb16376c76051aaeb |
C:\Users\Admin\AppData\Local\Temp\uIwW.exe
| MD5 | e74c30b1dda85ceb0221541df60560ed |
| SHA1 | 3e548f8b5a1f06376a647fea14fff674975480d7 |
| SHA256 | 1e38438a326f59457fd4d40d097c78d8eb944bb85135534c94e6da8cb9c82911 |
| SHA512 | 893cd977589c0211fae9a7dc59a652529db5173299e89a06a203e9f6ce3e60feb9faf2290536f671c313d31d40a5f78027d8444c43db2416861c7d580248ffcd |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe
| MD5 | 6d867e03bc8a9a1367644b6d2b744f63 |
| SHA1 | 37c50391b3e2b4b570ef6f3be1958e64958156da |
| SHA256 | c46e6e321eb31f5b224cc36ba23d29cb815e0daf63e8161fb6fbdbdf7fe2b231 |
| SHA512 | 06ec718ef5fc603ab2354e00b716d775b25c673a55c7058e5cdb2f7c49a590fa2b3e6b7f0711d670993405fb806a7e8544a29ed21ea2e659a44b841e5d286a3e |
C:\Users\Admin\AppData\Local\Temp\Ccoc.exe
| MD5 | d23c031b0058fe7b4936f603b68c738d |
| SHA1 | d4c0c408aed2ac560077b64933544f099dff329d |
| SHA256 | 6934b535e7226aa3a2e1caa25b595ffe776e55028fde53e596c0ba91af26ea7b |
| SHA512 | e37691d5012c2e6b1ff280ac5d7ba3bed9a22a8fe75765bf598d2d69a859e4e2bb6617de0070dbb0d312aa11f7918b67bc7ec7d1c0a02b003c099b12a36aa81f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe
| MD5 | f83437cca14bd84a3df5509471dc3abe |
| SHA1 | e9f7f14ab2f7a7d59d39ff82ce2da7154f7a474f |
| SHA256 | 6860245e35e1c333c544af46a6a270ad79d5af9512289f84cba131309280323f |
| SHA512 | 0f9885b5e7e6c8d10ba70fbd8eb2d1bd2a7d4b88270c64f4598c5ffb62b8230ca0b32765cb5358ea7cd1b86222be56c245d2e79fece70abd432d7c90dc8705de |
C:\Users\Admin\AppData\Local\Temp\QAso.exe
| MD5 | c331d74f7f785fef842aed363a9893c5 |
| SHA1 | 8a898a0a8376c95f2ee7456987158f51677ae58c |
| SHA256 | 7b42a17df4c851db89e5fc31361434420a9a3031554e8cb458e2b8b1c243a093 |
| SHA512 | 1d1418c3156c20b7e597f7fbbf2fdedc3bae382485cd36b9564704ac39cb0b97b6be3aa19f04d3e2f05160733e7cc7fb23a55d760ee2f0204c06542a311e4518 |
C:\Users\Admin\AppData\Local\Temp\SMAU.exe
| MD5 | d41fedfdc98b43785821f6d84451e435 |
| SHA1 | ea19318aab873c2ff92fa224182859f70c4a78e1 |
| SHA256 | 72e66acce1512f6d40c490856d3fdcf8dd1fbad2bcb5cc14463dcf972d4d8457 |
| SHA512 | a1fd78eb0b04c6a92a0c8ef920b89e62deeeaf9d90f512c7fcd37f59e5f9ad270395309bc5532709a838d9cb31f6f7424d08b412039c3cbea791a888626cbead |
C:\Users\Admin\AppData\Local\Temp\MQki.exe
| MD5 | 1dfe0501f1c4dea1773e90f2a3865b96 |
| SHA1 | 54592d5064dc9a3fe21eac9373f72e7791b38552 |
| SHA256 | 32eb295a345e905a56095cd1baa97d3f852f846c57d62a12e4a304542a46111a |
| SHA512 | ca543026ce8370ad77441bc19cc047d0181c5bbf0eea0a5f4a302733079603e37d591023a15c50cf285c0fc62b6d241db77a3895e704418900ab9281e59d4e34 |
C:\Users\Admin\AppData\Local\Temp\MMMg.exe
| MD5 | a0bc5aef9ea74abe0d45d8fa2c8eaaab |
| SHA1 | 640877ec7574709055f8101e45ff1f046358c5ca |
| SHA256 | 5cb3705404c6fb7329dc9e7cd7d6543b8caff7a5719f6b0d5a227fd7788e9cd7 |
| SHA512 | e94dfb8a50f4922b5cf27dd49b56c9d0976d3ef3ecc598340489d7165023e8702ce7a418013b59ba33e09e06ec8da4557db72cb27bbc580582ce153295ad612d |
C:\Users\Admin\AppData\Local\Temp\oEUw.exe
| MD5 | 281ca4f8c8fa81e65ce1045732f0c235 |
| SHA1 | d09a80714da9461728c916a56a94b2806c59b772 |
| SHA256 | 862fdbec9d0765f5074dc5bb83b2d7acf5ea152443b739e23d686db3b04b7458 |
| SHA512 | a57bec7784728d39ee1898efd128d4f36c0c820e06ff9263db1e424c2c2bfdace9493485252dce102f0cf6b296cc498fec3faf3b89104f7eb1da3666ac101be5 |
C:\Users\Admin\AppData\Local\Temp\OwwQ.exe
| MD5 | 676ce0525770aefa858ba13786477437 |
| SHA1 | 8cef5d395154f3598b1cc272e34673f3c970b035 |
| SHA256 | d3daea484b6abfde5d60caad5fdf5eab22043a296693f9e995529cdfd1e85c16 |
| SHA512 | a9e152b1b12a51c595fb67cd02332e95d5c529a18565ebe73bc28855b830f28b006eacf91fde73c531807d665d4f3f7d4e82220fa7a9b24f8e21f8ca1e4932fe |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
| MD5 | 8395d0067807512fa4803de305cc73d6 |
| SHA1 | 6ad1b8e49af69871b594510cd8f73fa2a436284c |
| SHA256 | 8dfa8564b4b6f2c8c1ac7ce01cc67a3dfc381bafb65e5a1a2a0011f982b18b0e |
| SHA512 | 34763fb0e4bb1559edcc68d4de110c6d98db29a3050db5d8e854887b11b5d605e16a4c5636243ca4398d5a2758c75d9bfbfbb6d611db7d1e97c14fed51557edb |
C:\Users\Admin\AppData\Local\Temp\gIUs.exe
| MD5 | 8eccb7ae0c19e0e9a6a936cb7b0fca11 |
| SHA1 | 484a692e24eff85f48742657411f505c32db8576 |
| SHA256 | 9425141ca2701c82c91844688b3e72ae3375c09dd98add94bc6a4f42b2faa0b3 |
| SHA512 | f2ca694edc3600f5cf51d176463d41082f094804046b73a6c41f98c94e99e9d9b83bee117058db895c8f7f3e73c0e3005a3df41cc7b01e5c6140b7ba42206ffd |
C:\Users\Admin\AppData\Local\Temp\kcAE.exe
| MD5 | bf95cf77ef07743810e8492cc9adbd88 |
| SHA1 | ec5ba7a87162ed15793fd1d920dfe74b6c78cd10 |
| SHA256 | 011e6b89fc1a29718abd9233419992d19c1b3c5cb2df4ae061437b16e5d5a652 |
| SHA512 | 067bb55b3fb896eefe912f1d4870371217eb8a8c4d28c465f501f7e210a684a3d6dd37d5a150f117cf3155c52836dbc9435073d11b5259c45cfa633d0bd2a63b |
C:\Users\Admin\AppData\Local\Temp\oUsE.exe
| MD5 | b636aff5e11afd68cb6d9b4c62be3d8f |
| SHA1 | c13003bc6942667d71b6be4e248e51c90408700d |
| SHA256 | 76ec3fd280ea6ae126df8c5c314aaea0ab0089c8126376ab8153fd13e9f9fe9b |
| SHA512 | 7f44a37bdc0da9d2f76c91e60b38b8cc2394026444d23c358e633d8beca5c3ef0c9e3d0e5c2a4bb24b10874111bccd12530276647374904dc0abaa92ae97e296 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe
| MD5 | e827e07ad89a567e600d44b65d48c89d |
| SHA1 | 41613bbf2252c2be2f1399c2b16f2698f05efeda |
| SHA256 | 5c3b3afcdd33fc68599e84dd346faef55b340eccbe1f0d1588613be744ae82bf |
| SHA512 | 8703d61c1470bdedaf52b8870def5689dbdf3fee23400104fb6a71eba7a067327ad4d8604ff6a11319ebf2cf53985bd24697b80020e948d4401d548465375f84 |
C:\Users\Admin\AppData\Local\Temp\IkwQ.exe
| MD5 | d3440df590c531bc790e633efc9642d1 |
| SHA1 | 69e379849ebc075ce9cc16f4c512381a4e99a71f |
| SHA256 | 279583e6f72172eedb5c2432033634cfa683d39576ab0ee4e4cc2c4ab2d00eec |
| SHA512 | 756131bdd2f9131fa217800c6ea4e6db5dcf83efa23fddb3ef5954c926e0dc7d7cee43ea0051d5fe71518bec5c391f1fdcc5f268d72fda713b49b9d75eabc7fc |
C:\Users\Admin\AppData\Local\Temp\wIAo.exe
| MD5 | 65ffcde71dd6c9dbaf1163f9d5fdc500 |
| SHA1 | 55f31fc1421a9a58a0104f3ac8cd383f48a39fb0 |
| SHA256 | 8e6b25a4335e3b4054160e4b44bfd42dd8c42128911ae86adf4acae66199fde8 |
| SHA512 | e5e94340892d00df15b1ab2d1b36026ea9d978d10fb248d6b23bd8e7232462c6c4e95d1c234d1436690373613cfc6fd12da72c49a2fcc245c1936efd712b4a3c |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe
| MD5 | 86aca8c2c50580512107706fc5a26efe |
| SHA1 | 69f105c8ad5d192ce32e87aa7313982a5152b879 |
| SHA256 | 6c58b8cacd18786395c3ca654b0286f766e101cba0b80e7364631bfb38c9fe03 |
| SHA512 | d3469c60f7e2dbedc06b96b06fba018d3b8141f1765680895f9b5bc5aa171806168572ed8461079b09e45a250d5079bbf3e5b7ea977bbed9e75a3e14b8ba2bd2 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | 65f0b5e334918ea6a3e0f14def36339c |
| SHA1 | 714fb8fb92e3f07a218465b1533a60cb4d0edb32 |
| SHA256 | f25cf68ffe2370b7727aee3f0747a73b50343b2168f63f47c9d01ead9c239e78 |
| SHA512 | d77ae32f723736e144680c4c89e9f2cdf8d9234712925e00a057a1c97a7ae792c252e7cd6443edec885d769341c4600ae7e81e9434b32e6ba23c6e5b590565b4 |
C:\Users\Admin\AppData\Local\Temp\YUkU.exe
| MD5 | 625c2abad664f663809494f693fb9102 |
| SHA1 | 146107f46c8d5c0ab1a0eb9b0e6611aac7185141 |
| SHA256 | 9af48ff2e9b67c78fb2b008bdde07f8f2dbed4e4e40ad453f2daeb434081a741 |
| SHA512 | 2a132a82753e7e047a3c687dff20a419e17d250dfddfeba797ee5cc6545b335ec9c38067ddb58debf15c7a7afe7b225ea28d3693e001d2ce36b5ebe7ab75ee7d |
C:\Users\Admin\AppData\Local\Temp\YQcC.exe
| MD5 | 5bca0f6ffcb09553f3d5bf1b49fa6bcc |
| SHA1 | bc0cf16b4f181e46a1c2e3860b027fd33e5d81ea |
| SHA256 | 450ea49d0bcc150cf0ba429baf6dcd2cad9ef5c52dc042a00a68c64114db8a6a |
| SHA512 | dcd7d638966656058760a3feeb741f7896db5b68da3b2cdf2024b0524388ca1aa342cde7d631f405b163a65ec991fc505e098f564748e53a2ee803f655376d36 |
C:\Users\Admin\AppData\Local\Temp\yEUC.exe
| MD5 | bd380decd51c75f482f143deacdb9ba7 |
| SHA1 | 00bc2a155869b040f20d3bbc48e6e5e365f86350 |
| SHA256 | db7b8f13e73e64722b292e656aa4bb4a89c4f4d357b330f31621e88ef10c7e8a |
| SHA512 | bc389a1af4a1fdbfe877307356897aaf5da82cf333791908ed29580666df18b5a33274132ac4b3a815754a518f829f44ff0dc5dde5405252bcc6d2af68d72cc5 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe
| MD5 | 20a8655d380d2ae967a76740b25163c1 |
| SHA1 | 66368909554273983cec54f69d7ad17cca6be39a |
| SHA256 | 566b4aac7bfbf4fc5b238b9b8ab31074fbae76676ebf962c53263d199836d1ed |
| SHA512 | 343af8365dc5bb1e379b233684141f0626d02064d81794fdb913d90d83df9164d468400638273e243ce7004baf385fc097dedf19a91852727ec450015fec8ac1 |
C:\Users\Admin\AppData\Local\Temp\oUwI.exe
| MD5 | bbe3dc6e87b366a6178c2313378eec27 |
| SHA1 | d7d92aa2b9aec398f45429969ce37fccd4bb948a |
| SHA256 | 80c5340110d3c6c51fae2c56bccdb82ffa07073d7a3e4a0f3629076ccea09577 |
| SHA512 | 519532db0b94143e6a50332629ba0cc00d40ba731491442c0d61c6bc7e00b65c7604a1b3f1ec5afe4a72d72955ac099c5913443a8b78b8883eea9e6dcb1f42e8 |
C:\Users\Admin\AppData\Local\Temp\SgAI.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.exe
| MD5 | f7a6d64252cb03a74022f118ae36dcb2 |
| SHA1 | 93dd15e3ad13af5b308e4d846e6f81ea2fcbee4e |
| SHA256 | 9f9e63cdfcc0413765a311d479c8fbe8876df3c697c1e24db2ac90741f91ac9c |
| SHA512 | cc9e447d47d62dc6b0f924676bc352731dfca1d32d46405247f8d1e60b89fd9279e52910d123df8bd2f01e6b0c0e4f616944f98c5d31fb8f64c8498139129c50 |
C:\Users\Admin\AppData\Local\Temp\OUcO.exe
| MD5 | 1fd60774e4f4b741e710d15f67a0b6ec |
| SHA1 | ce2a1f8222cffef374012871d2c617966a9be199 |
| SHA256 | a5a372ab48aee34a6d5246bed3504e04861ce7813e99fea520367a76ff2ec1a6 |
| SHA512 | 117f17bcb37293b529f3c6203df38be259d95322fc61d6c72a5c631a982afeaadf90bc28856112f4a8c09369c275cf393d7591d21bdc92f6d72ef4b859096681 |
C:\Users\Admin\AppData\Local\Temp\OYka.exe
| MD5 | beced10fb0edf458f2fa02f668190a55 |
| SHA1 | a11c8be3bcf8f6a6f46f62feab01e36e060aa15d |
| SHA256 | 47f44db395cbe0a4dc485d0aad03c0a6e3d081832350142fba42125ec354faf2 |
| SHA512 | de9fbaba484eb5b17e0404d92f4ae44844836720b7bd8caddef0e6fd750f34e3317a12f145215431f735168d1aae299bd54029c9c54c41c055c01d0774a6b308 |
C:\Users\Admin\AppData\Local\Temp\SsAk.exe
| MD5 | 3b45c75b1c32a8e3f23810e9878d3022 |
| SHA1 | 56048d4b744998c236fc951a0130d71c73e01107 |
| SHA256 | d503da3c346258bbf7d80556a0e2d32fa8d29ac1b5ca1a5cbf7320972b123b56 |
| SHA512 | 8c441379b98fcb8553647f90d577d3f9e9cc54893ea8de8aca90979fea93eac6424151ca36ac850f51fc3a4c0ce381b03924ee604dd70c75db8e5ee723f66dce |
C:\Users\Admin\AppData\Local\Temp\mwIq.exe
| MD5 | 7e4fd3b5a62c1694e8bb38d04f764597 |
| SHA1 | 2351f58898f86e3450211b1e5d30b373691cd199 |
| SHA256 | 6d79882cb38d95645a018f1b8f723ee608b96e241baf444ba573ba9192ac0772 |
| SHA512 | 8e1f900f51038f4b03c7885ca0fe279c14d6acbebcfcf88bbe8317371fdf614bd004d534d4ac988e2d67c31574df3a4f71b72c387ff6038c632ab5350d8c644d |
C:\Users\Admin\AppData\Local\Temp\wwAo.exe
| MD5 | 293b77890eec67bd5506ef4647ba3cc0 |
| SHA1 | e089349e2180babb51ff0c2e062c7ffa5717bf1c |
| SHA256 | f91481bb39236193238b938d482cfb135f0bb413cbdf40d00bbd576e1042edeb |
| SHA512 | f2ad006e2297ab0c1ae7717ebae956f60501b549cd77ef166b2f801f222450a8ebd7191d121ec2126618ee5de0e4d8cf4f182bbf947a6615fdefa2b73abe4899 |
C:\Users\Admin\AppData\Local\Temp\KMcw.exe
| MD5 | 94613a36a01026589e8c65b032ed46df |
| SHA1 | 3b6acd30e2f795faaa9bd2cd6dbf584397e110ff |
| SHA256 | cdcda80fb62eec85513fc7e55112ee61d700196f1183bd5cd94c5072539fa1eb |
| SHA512 | 89ff9d6d14d0ba1b4bdd05540154e825ab30e31ec01c559907a255ac780772e79019fbd2a8e265f6744a174cdc3de3249d983b816caeb763be38462408a059df |
C:\Users\Admin\AppData\Local\Temp\QksU.exe
| MD5 | b0ec93f217ac6957d89181d80739f3b7 |
| SHA1 | 66153d6e650910d8e922d0f7c1cb444e06d47d25 |
| SHA256 | e50daff5ef7ed513423c77b6c5dbb9d972a350419f5c53b2a5bc7d5e1c022830 |
| SHA512 | 1934861b18d35efa6a934efd54e3539acfc39e26e9e2973b84bd9f12c98eada7ac81a8ab40e401c54a67a23caa05c6e84eed0ca70fd8ed789de911b88d848da4 |
C:\Users\Admin\AppData\Local\Temp\gMUq.exe
| MD5 | 6f500b94407b3bfb11497f17ca566fd0 |
| SHA1 | 0127dbb9dbf8e791c973e4f4491e48ac4a465412 |
| SHA256 | c3f41e16367a0253cb92d880957f330609e9d6e84c3137181c440da4fd85f967 |
| SHA512 | 95ddfed1fc37f73cc7692cde4bdf2cd1332c04efe484fe73a26c729fc63ecb2e612d7bcf7964050720f169af29a7a4ae91d50271048355365eda23f465a08783 |
C:\Users\Admin\AppData\Local\Temp\qYgw.exe
| MD5 | d8709f5e56d600f9bf23a278a13f8d1e |
| SHA1 | 82ac26607113e9ff4ac071db1c9761e4402236ab |
| SHA256 | cc7e6081ca9adc0eafc87817779924ff2937425c0dc426662a124be2e24490a0 |
| SHA512 | 22ebc7075cbf3670e08867e3bd28317544d6dc4adb728ce1c7b0b35c99b1298b8e26258ce0ed261953b2eefb960d767468c7b540731958e612806cb77acf0ccb |
memory/2080-2299-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2880-2300-0x0000000000400000-0x000000000041D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:44
Reported
2024-10-18 02:47
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (80) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\vyUswEMY\lqcwAwQc.exe | N/A |
| N/A | N/A | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jSkYYgsU.exe = "C:\\ProgramData\\LGMsMEQg\\jSkYYgsU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jSkYYgsU.exe = "C:\\ProgramData\\LGMsMEQg\\jSkYYgsU.exe" | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqcwAwQc.exe = "C:\\Users\\Admin\\vyUswEMY\\lqcwAwQc.exe" | C:\Users\Admin\vyUswEMY\lqcwAwQc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqcwAwQc.exe = "C:\\Users\\Admin\\vyUswEMY\\lqcwAwQc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\LGMsMEQg\jSkYYgsU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe"
C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
"C:\Users\Admin\vyUswEMY\lqcwAwQc.exe"
C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
"C:\ProgramData\LGMsMEQg\jSkYYgsU.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meskMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYEgQcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIoMkcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgcgkIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIYgUAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMoUoAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKAIYssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAckoYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYAcgAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMkEwIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaoEYkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgEsIwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUQQssUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOMEkQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQYcwwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAMoUkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMAAgEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcoIcwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAYwsMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMkgEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSkYkoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dygYQsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKQcwoIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYgcwAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMQkEUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouEYAkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oesQYsEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGcoQckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noQUIwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HukkwEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saMUcAgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksIQMUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUEIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAogMkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQssIEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmAskkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsgQIogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiYwskIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmcMIcME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuYAUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmgEEcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiAsQgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOAAkUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmcEsEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkYAwUUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMssYQYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWsEgoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUokgYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqocosEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWwkIIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOEQYUIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSooYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OokgkwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGcIMsgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIcQkAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMcwcgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwAsEEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaooMkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMUIwcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyYgQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USQEwcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sckIYEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EucsUIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIcQUAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGwIocks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkQkYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heEEAkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwUQkIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgkscEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUsMoQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuAUUgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWUEMsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIsQEggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGsgkMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAoEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quEwQggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCIMQgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCkogQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSgssoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSUAsUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyEoMEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOsEgMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMYssck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeMYMokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiMEkckk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NigcUgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmAkMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSkAoIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaAEwgQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMwQcwMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmMEUoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqEQwwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuUUUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vskQkswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUEIggYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwkQEwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yssocMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuEAoksg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIEYokQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIEAEEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv jckMLkVNskGIC+vvUHMGcQ.0.2
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1952-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\vyUswEMY\lqcwAwQc.exe
| MD5 | 39362545d87204f1958b9cb98fbdb299 |
| SHA1 | 8ddf3e9c3d4012935d7ebe5a9abfa081e48ed6b2 |
| SHA256 | 7d8f57ed8f44cb1c1dc2a3d90a2b4eae61e61630e18f6f1b1b0ea3257579fbf1 |
| SHA512 | c4e413238c8e6b8c3753eb912028829b649a8361aa639c444da3f55f7bb01399e28aa66baed470830f8f9f9cf76fc1e256740fd084bf9c4d0c2ed7fb518075cd |
memory/4332-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\LGMsMEQg\jSkYYgsU.exe
| MD5 | 37a1e9aa6f10b9e8f32c139ddd9a9482 |
| SHA1 | f722c6c911552f58d5952c063c11362aaae9af6e |
| SHA256 | 3b6600b38ffeff4860ff5aa85ef6df5c0eb5c58176ac0855ef5a217526c6adf2 |
| SHA512 | 51163415fb1323b150bf3c9ff9691b52222f18d3c9228bc3d85cb3268eb7efbe513201322c320840a7253a032e06622797dd074852cd8ef4ff2bb7089107667f |
memory/3548-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1952-19-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\meskMYcU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-10-18_0ceb4c17f841ecfca9e8b2e8094af39f_virlock
| MD5 | 35cbde129d22ad6080dc8fed0fd3e185 |
| SHA1 | e29871c61fe34d7159cf12daa543e1679f3ef63a |
| SHA256 | eaed558d6439df7f6172277ad993c778b631aa73ffce8cd9619b525ff92a2265 |
| SHA512 | 009e3a9714454ae0b0ea87d391dd42583a390ce74d249a0421318dfa8af27e98d4cfc625f1923304a177a6824210c687f522082783c9920beeba3ab078ae2f60 |
memory/2852-29-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/1304-41-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2516-52-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4452-63-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3268-64-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4452-75-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3452-86-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1744-97-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1128-108-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4356-119-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4912-130-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1320-141-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1028-152-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3992-163-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1436-174-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1132-185-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3616-196-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5076-207-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3212-218-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3224-229-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1028-237-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2516-241-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1028-249-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4940-257-0x0000000000400000-0x000000000042B000-memory.dmp
memory/440-265-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3612-273-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4792-281-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4092-289-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4960-297-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2896-298-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2896-306-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4104-307-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4104-315-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4288-323-0x0000000000400000-0x000000000042B000-memory.dmp
memory/408-331-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4912-339-0x0000000000400000-0x000000000042B000-memory.dmp
memory/724-340-0x0000000000400000-0x000000000042B000-memory.dmp
memory/724-348-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4540-349-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4540-357-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3448-365-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1092-373-0x0000000000400000-0x000000000042B000-memory.dmp
memory/940-375-0x0000000000400000-0x000000000042B000-memory.dmp
memory/940-382-0x0000000000400000-0x000000000042B000-memory.dmp
memory/468-390-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3916-398-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2536-406-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3396-407-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3396-415-0x0000000000400000-0x000000000042B000-memory.dmp
memory/732-423-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5076-431-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3892-439-0x0000000000400000-0x000000000042B000-memory.dmp
memory/220-447-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4036-455-0x0000000000400000-0x000000000042B000-memory.dmp
memory/724-463-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3916-464-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3916-472-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2108-480-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2708-488-0x0000000000400000-0x000000000042B000-memory.dmp
memory/732-496-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4740-506-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3288-520-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WwgK.exe
| MD5 | c91e7d7ac8aced8be372fed318131bc1 |
| SHA1 | acdcaf767194c16cb044cb21624fc751501d93de |
| SHA256 | f1269fa133216b9ebba694b3bc38914c6bc52425729a4b91402cbda17e6e7079 |
| SHA512 | 84abf91068ee3f678b89fe9f5844b514fe7af0e274eac379ff9c09b2d0f6291ac461921d890bac49bf5953d6aae093ea496576c2d2ff7e521a3b6dda38712bd4 |
memory/4740-528-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sQAE.exe
| MD5 | 33c240afe29d3db86591df16c09634da |
| SHA1 | 408fabbfab23bf5532992bcfd5c919e75af85a79 |
| SHA256 | 60869e2e4bab6931a3062adbe4ada0c2460dcfb2aa5aadb16c77805559091d42 |
| SHA512 | 23e89748900066446f8174b17402c7739422a8e41b6f20c932bfb6b80c7ee74433034af487c3c3508b1a3ef5f2297ce514990738229b0836da931100a1a150b5 |
C:\Users\Admin\AppData\Local\Temp\EscG.exe
| MD5 | eccdadf03f893f36c19d02c942875801 |
| SHA1 | dfb8518319645dca77cc498925e504e2529cc9c7 |
| SHA256 | 3113eada32c252b8a9de8731dba6ad13caa81a6048bfdbd3952b68d5a4c0d54c |
| SHA512 | 340876e4a2371b70802582c9adf4c4549eac4d3595c5559e631130d05ebb85334da614ea4b02f54607da8f4159e7ca427f40511e5660cb24f04891b93ac3b999 |
C:\Users\Admin\AppData\Local\Temp\oQAw.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\GMAy.exe
| MD5 | 8112f8d43662de235a0a16ecf7aee6b8 |
| SHA1 | 577a7cbf71303becf66cc15169014e42274250d3 |
| SHA256 | a1b578b792ad9c34011e72303ab486597b601338ed34f71abcdb6c8d4b416dc8 |
| SHA512 | ac06c6328c077ed4f414635ba009b97d92d8f589a72062b1145dbab2c9a4dfcfb00fc33135c7065824e742cd53939364d6bc13a073ef84bd10316ff410899cfc |
C:\Users\Admin\AppData\Local\Temp\okgS.exe
| MD5 | 14691028182a48dc534d5a54204f5fd5 |
| SHA1 | b2d1589e42560e82f9468df056e81588c9f3a161 |
| SHA256 | 4acf4dd7193e839e838abd788a9d4dc6a4557df04d1f0de5c08b8103922bec58 |
| SHA512 | fb539fd48e52695f1826895e29d28225f3672a019072f9869110d5c6b4e106eddb0930e1ce3b50a63cdc0dc111402df5c93b485b5d2c1b3735b2a591a148b24b |
memory/4120-592-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gwIo.exe
| MD5 | ed40f174fcf65684538f7200362f7405 |
| SHA1 | e4cbd6c30dbb25fc8e3176a814b40d7cd4b79925 |
| SHA256 | 539852dab8b1bc87fa520118d401bce111fcb3c640f9312be58002e939fbd974 |
| SHA512 | d0fec99c22c6acf9fac0d6c031c9a1ee853b574f629566ef9f4f20dfb55f8fff5e3f27ba111f74f8c4ae20183f8151f0c71b1309c1996b165fff9f281cadead2 |
C:\Users\Admin\AppData\Local\Temp\ScsC.exe
| MD5 | de05c108b6e4eb58e9f41f1331ca8d5f |
| SHA1 | bc4cb476657674b8f148f813a6888267a116be3d |
| SHA256 | 449bb85ba38cf52361f2d758205d9895f6076f54b17f5ec6a7ec347c48cbd8dd |
| SHA512 | d1e91bd55f5e846ac4ac068448fc5d52e3e7c97c9504cb63aab17160d6df7a4ebe6bb2d277e103e84f6902c977a0ac8ecb755c9ab111fd9a59c97bab1ff5a306 |
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
| MD5 | 486f4eb713e75b559d5c0d01cde71095 |
| SHA1 | 42ad460c69a962ec5cc81a6022b0d026f74682a7 |
| SHA256 | 31874b6e040348cca55e1e4707f54ff8946eb0fa37fdc8ae70b36ebbb620db44 |
| SHA512 | 81c3f041318dfc52193b4e5c57fe8a87e2893f0853846dfb1335af99c83818a514bd231bac16d36a5c0b66701c5b801361374071a1875343aceb33b1bdbbfcc5 |
C:\Users\Admin\AppData\Local\Temp\kIQK.exe
| MD5 | f41f37226d311a97889e1665fc69c8bd |
| SHA1 | dd1b3c7a68e5c053bcdba9ebaf3ab44c1aaf5738 |
| SHA256 | 1c1bc37a0a3bd6836b41abc315058d26d926eb92f6d871c49e4d12dca26ef982 |
| SHA512 | e5bd546759271f3f00449dd90ee3f28a30dc86c996311e95d5058c812d6538e39058a97db2d35ce930f2f8f74122ba378ab8fc6c35abb774973da7458bf3ebb1 |
memory/4036-656-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YoQY.exe
| MD5 | bb66ca7ea5d2c8096e3aded5ef456ae4 |
| SHA1 | 6bdccdf6b420ec84d6558cb74cf3b74cf8a118b8 |
| SHA256 | a3ce6b3f70302976cfa7de0d419777745fbfac052436237310baa14bfc1351fa |
| SHA512 | 70ff2c12232dd5d6a2891ec1971bb0f96424a39cd594482e9def4cdd279c270e54dc089aba8755afe9f94da8be13334602fa543f1bfdc2d65aa9788db70e1a46 |
C:\Users\Admin\AppData\Local\Temp\yQce.exe
| MD5 | 5cb084208800d82ccd4a7b8737d47ddc |
| SHA1 | 58ca2a8add1fafa18f4590717992fa84b54dff33 |
| SHA256 | a4a39c2ebe36c4a7948ff7b5f346b42b002321eeacaa6445cc114e3905e60254 |
| SHA512 | 13611bf03584d8a5c26860c4f9481b23f93d1479353bf3612e414d2f72fbeed5697893c3775ed20f78644dc85d5fb20cdbb67065ee1c3c53468ad33642dee993 |
C:\Users\Admin\AppData\Local\Temp\ucEq.exe
| MD5 | 7659141d398de2d0a87e111862a7a219 |
| SHA1 | 353236bc085de64c675f992cdf80b349b2f4bdce |
| SHA256 | f6a0f4894cb9ee3a2e155ef80262724e3d5dd308ef313dd62f794a59bbe8a335 |
| SHA512 | 9f8b972e3a56924064cc366922444acc5521b1bf3d7c7e6d5a1105db7a39af0682145046a64350c71d4148821080758e509596583603c5b8a497d08195727324 |
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe
| MD5 | 517bbc9399c7fdceed9fff5494bc6216 |
| SHA1 | 7fd3884710ef64d5ac2f18c984cfaa92ed978d0f |
| SHA256 | cb3ee8940c3b0cc5ee2581babc28d84d8b1b6c678b869d3ed30d76606906210d |
| SHA512 | 765c9020ea7d89201a76b4a09f5fa183dc4874a500b4f297e9ca9a67604ca9d09544a8183db477095e23d566353f8b7e21a4eedad9d8783081b11134418ab667 |
C:\Users\Admin\AppData\Local\Temp\Gkke.exe
| MD5 | 1d3ff35ef5a0c3d13e2f44fdeb15b115 |
| SHA1 | dd0f8c8bd42b66f38ce94d6e5aa4a01f442763e8 |
| SHA256 | f800072ce2b0c882b55ca2baed84e2bcfc575fe875b3ac251f3b97e983eca4e5 |
| SHA512 | 5a0414b940d3da8b93337c82dd6ce6bcf219c8f084b396b3019287a1013ecb9b3099128b92c0a3f9ae404cc082f8316d67f11c95436d7db4b3136347c525b84d |
memory/1092-734-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\igIA.exe
| MD5 | b453e7293de8eca12a4a55098caf20eb |
| SHA1 | 6be22e2f82e21aab16a7d6c933e340f1e7d1072b |
| SHA256 | 99fa05717bf897960e7f7f02cdfa410cb20bb9e6d91b8ff2cf1a98d6329331db |
| SHA512 | 8d005e4562907a3ac03107c26b0abd651fe2613067605a7c8527c1f4ee8d86fd1fe411abeb8ee690f3e287f8fbe959882d87a4038e000101fc18db7075814e2f |
C:\Users\Admin\AppData\Local\Temp\eows.exe
| MD5 | d6404d6eafefd93481ae88079289fb59 |
| SHA1 | 257837520489321b46fba7f0c79e373dbeff3fbc |
| SHA256 | da3d8801fcef3f3bcfdbc2ebbfdc21d535f199c2997e5472952fbb4d4e2a9ad6 |
| SHA512 | f7b95f527e4f7b4ff3d24c0903b084c827a9025d0ad7d9672aa4e6805317fccb394b9c4086f14537fae6e594ab6053ef29b3c8a6710a13ea5015ffc61b57e0f4 |
C:\Users\Admin\AppData\Local\Temp\QUUK.exe
| MD5 | 722de7de15434f67e39bf9f06045a0cd |
| SHA1 | c076c5f8d5eafa392bd01ff69656cb35903f52d3 |
| SHA256 | dda1612fe011851f94e02d98ec24ed072093f968b1e795884d62284e3ff2a266 |
| SHA512 | 0bffdb9b1fd49790a229c97bd91cf65b261eb5aaefda50116dedc0b02c2516b352008c5ae4888a12fa339e5faa83b264d6be79d8ac9cf48c4570b68f08d9068f |
C:\Users\Admin\AppData\Local\Temp\kwEo.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\EYUe.exe
| MD5 | f66fa1b9788e816b464e40b28f1b5cae |
| SHA1 | 3422b76b965aa5fc9a385d5ac14f801d3def2d02 |
| SHA256 | c74def5d60ac762dce5e255b3ccfe2c98c4c021513920501bf2804335c85355c |
| SHA512 | e895628941a58e9692bc2c23eb839799180923b32b3e2509f8eb60391d3c1a7d659b30ab6de84c4030b25e0f39120baa61e0c8ee1366becb222ca4d6ce4af5a7 |
memory/540-799-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4940-798-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CwgG.exe
| MD5 | 64afed44646673f27ff1a0e819192ea9 |
| SHA1 | 99a60bb48fff673168f7596ef710e6a8f1625ce4 |
| SHA256 | 0fd9dfb20b10ed1d62e220a254844525e320623531d770e64f100a275f6ba744 |
| SHA512 | 8fca3f85a4e296e5733d04cb5a6fc8fdb9787bdac986cafc9b39c8a85a4569761b407aa29c2a584d58027196ee796dbc0ee2700c2748226ea07d48d4b3ecc3df |
C:\Users\Admin\AppData\Local\Temp\iYUY.exe
| MD5 | aedd6bdd7640abc656aa23e99a5e922d |
| SHA1 | e595253907e0da3fee89edb2e550c295a064980a |
| SHA256 | 0acebea672503a039fe826009a46be0a7ffc0e1e267c933b96b32394001149af |
| SHA512 | 880f5158ee7c86a4c07d9554c481e485a3be242914fff32e7ce729e3649bb84383c504640de97f4eade3dfeb1555329ea149ff8dd96e484aefc29d416619b85c |
C:\Users\Admin\AppData\Local\Temp\KYkI.exe
| MD5 | f8b3142fd013b9391071fe6ebf9f03e4 |
| SHA1 | f1a43686194cd16766d23e43b42e8afdf21552a5 |
| SHA256 | 6a6d14a056ec087b2a5cef6469b360fdc48f0389c6a2074a3233a6fbe2f494d6 |
| SHA512 | ad005d8b30f304c59ae48b60b471bcc3837d3824e259b9dc83aafc696cc218f3bd49516aa498501413334c115742aa6985271364b1dc8f747fcb475c9902f03c |
C:\Users\Admin\AppData\Local\Temp\yMUA.exe
| MD5 | 919299a34cbf5310a1b3bdf5d4b1502b |
| SHA1 | b8bbe5c16e10d97c771138ecbb75db23f2c17841 |
| SHA256 | 85e1a23b69853a53e6859f54fae81d510bed1430c8e99dc99b27c7c81459764a |
| SHA512 | 0c6198787d08bec2202fe76ee8dee3ebfb99e86f74119e542527f9fb3ddfd57673b7fb08a706649de51bc9a4e5995559717513bf92988f49655edcfc760a24fc |
memory/3780-860-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4940-864-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OQIW.exe
| MD5 | c4098625b12525c832ddf73a847d3595 |
| SHA1 | f069fe1f12db41c44cfbfff8f5d29d6471281b5d |
| SHA256 | 745751a1bc1f8265716c0bba54bd9a2ce002c131d99c87b7fe852eee26030cd7 |
| SHA512 | 4c19ed227cde404288c700f88c528775e1d159d7a304a077f41872480aed1961112e055a9cf71e761019a41b75ce7df28524949ed63262f511e399cd20bdaaf4 |
C:\Users\Admin\AppData\Local\Temp\uUAo.exe
| MD5 | 23bcfd93eac22561ab4c1795ab94731d |
| SHA1 | 96963793bccd16b0e19e52860e66dfd3f6f8bdfc |
| SHA256 | 4c51e591f866a444d63bbaf708b4b8743359d443c220c12b42cbfe081ebab581 |
| SHA512 | c8c9c3dc50a95045304fc86161badac19f37c5262316e5ee35fb09f6d658aeea381a86f5cb40b179c01a85cca5d6dcbece140bf4982ebb3783430883d6d3535d |
C:\Users\Admin\AppData\Local\Temp\QMYA.exe
| MD5 | f59df0de63cf99e9f62f0f3b3cda1448 |
| SHA1 | d84c3bd1049d74f7442f6de861802a00c56378f1 |
| SHA256 | ba56245bee8cfedf750009b454c13255d67b985f5866821871f055b1a66c3c95 |
| SHA512 | 96cb38bb50f451424d2384b60e162353eeb0dc642301fc36655a82e6e3c4defeb5246faef8a9aa7bf606804c2e18cec50e423fb34ef3ab89ac09d58635f6949e |
C:\Users\Admin\AppData\Local\Temp\Okoo.exe
| MD5 | 97e6d81169dae21011704e5ee13c4eff |
| SHA1 | 11e862d8399e8d99bf1cf33e8f15b256569eb773 |
| SHA256 | a3d4f022f079d68040e969325b5d07f5f2f75276dcce77c161516f31907481f8 |
| SHA512 | 900a8867bafe42be50dc3850afae32a344b2f561949ed79bef89100425327e2b1e128fca4c893ab4f00d446cbbe22d295e6c5c54f513fd2317216ebae1a16505 |
C:\Users\Admin\AppData\Local\Temp\OMEK.exe
| MD5 | 12eda1629f8854ddc80a9421d0e6fc96 |
| SHA1 | 7095e0f8aae4381fce23232a9aa490364f859552 |
| SHA256 | e5d45d451814bba5a5cefacc751a9865383198a77768be29c9b7cd39c130b39b |
| SHA512 | 38c57afc09f93266eb420df0600f7ddc4675e14df5ce87f96846bcc950a75a24ff124545b1aab48fa889b07060548d938e4547fb95a634bb0f1c6a030a2bdeca |
memory/3780-942-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KwYe.exe
| MD5 | 6aa95129a06cc140b9632541776d2602 |
| SHA1 | 6b33f93d7e28ebb985580f9481c3dee3a2ba44c8 |
| SHA256 | 152968c1f443a2ed1a70c57ad2d463a9bbdbe539f687b171a0c1e0d3e35f6ede |
| SHA512 | 09f6df4be19134a12b07ebb0179385d1854ca3b0b0b4be9c3c2cbd1cb508e6fe950847df1a627e31d03b6be8fe3ec6c616c5ec5049b5cd0b83d8aaf7e13894b3 |
C:\Users\Admin\AppData\Local\Temp\iwkk.exe
| MD5 | 6f893fd189ea82fc7076b65c2e7b1d2f |
| SHA1 | 1ad070e76fee80b017e16144749d20c3fce08314 |
| SHA256 | 506c93ab9d9e72076161e0a1b4bf8e250545d5f75eaabf169ca07186bfb998fe |
| SHA512 | 1aa65e618ca2c70ee0f34e22257c758c1df4a6c39ec0ecf17e9f173b7d325974b69a5fb7ddb8c9f6495dc4a013b07c3a61b11483ce17525351e946cf64334f93 |
C:\Users\Admin\AppData\Local\Temp\Ycsc.exe
| MD5 | 4e33fc6f3b19ae6261d883a244f7864c |
| SHA1 | 3606640c129e7b663e01c1f5e55c85278ba5835f |
| SHA256 | 0b680f9cc38b949e993101587710e06837cebe8b0bd8a1dbdc9b2336613ccba6 |
| SHA512 | 2e2d639ec169b0c8d507e0a219d05b1ffd1d6a9220fbebb0331c4584cb340bfab49447a94c04ed3a1a2d14821b0eafcbeb0e4b8108007809cadf3d3f158b5089 |
C:\Users\Admin\AppData\Local\Temp\WUoO.exe
| MD5 | 84e96cfdc433e40487dbfc0f82fbe104 |
| SHA1 | 65ef79dcf05d740aa17f3150b47579a132768b26 |
| SHA256 | 4b47c7fa840e81c939441552231065e11ce2d862d6b5def7bff9defc5291a31a |
| SHA512 | 0a223904a29eb3a0448e4696f1da6acd0044a9f75c177c423b7969e643a9b1c89aac291af334aa98c9329642b0e7b62aa5959d99edee49b18448d35844e24235 |
memory/3436-1006-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GAIa.exe
| MD5 | 43f750579ea52a4e8a6eea122bda3d3a |
| SHA1 | 6f4e7910d8edd558a9f53747cf6ab26bcd3e3736 |
| SHA256 | 61f40320e61328808f288a3867934f34a9741889fb3a1c8e3cb40ec7d37366f2 |
| SHA512 | c4a944262e1bbb3362767fa3c04fce8a1d7f5a6550666ee3d79c925513621b9a3c2c29a0953a60602ff958badde60f17062ef013b636d5fe6c1bda36680f396b |
C:\Users\Admin\AppData\Local\Temp\wQQu.exe
| MD5 | 540ad8a169c3b0133f48daa52e8b6394 |
| SHA1 | 95299a5eaa75c5fb28653009b0bd8ff57d6c3c2f |
| SHA256 | 2d827123cd59c6b2d1a216f8c4499dbc2d8aa0ab1dfbd5db8025bfebc43a9059 |
| SHA512 | cdf87947bb25162fbce1f53d8aa01e43f786089b58d0684f6c4348331b16b75c5bb9348747ff9d97b054e21dd867456b364812a06a8390ca7d27327ed63dc984 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | 2d7fed41e1e879b09792c9daefd96223 |
| SHA1 | a0b3dac6a8d9ab9aa41b734dc57c3d3ed7ff871d |
| SHA256 | 3148f4e0a3998eda5b11e4022b7f3bb8664bf653631c633b17d3d9fa1727b624 |
| SHA512 | 3eec6313f885e4f3fb0381ef52e9b991732973c251338d685e674ede4776afecfd64ca9989d19c92c6a1081a1779cfe08a4c4c17c9b22bd3b8d8c3a91a51abc1 |
C:\Users\Admin\AppData\Local\Temp\GUQM.exe
| MD5 | d7cbf11f2ce0bffcc9d67279d2298a1c |
| SHA1 | ff8bf0e484461e33f49f1712ec2457d0e31e0eee |
| SHA256 | 2b2f90e3aca6853a774e2a090be5e146a0a8b46f8882bc1efb97c22f60e041d3 |
| SHA512 | cfddd0ac6b803110f3dd2a41fd856efe408ce77ca70b8eaee6a2c6b26427ec06f4fceb49a59d6461b4dc824bb871d589515661dd4edf48afbd318d22bac9a096 |
memory/2320-1070-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aAUC.exe
| MD5 | 2d57b63990e3f6efa0844b0e5c8ab2e5 |
| SHA1 | 75db1cbfe32e9825da88d375736e2dd57299eebf |
| SHA256 | b84923e3a1bd8ed77bb38525f7fe71b6e28ca0a8bfdcfebe17c2a0e7b6633b11 |
| SHA512 | 3420441a6c036ed7b2fd01431b5b5f7333848e6d8f1aa5c2471d70cdc81826d715c2ae8c4bed440704648325a10986cc771e5023bcd7662523550c5d17ba95ac |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | 5e1be7ad6435e59f80a22c0a72915ae7 |
| SHA1 | 92c0eb5ced2770f1cee509bc68efbd63bed68ccd |
| SHA256 | 378f26473be15dfdfdea5629acab589b47feab126d94301e01955ebc15558137 |
| SHA512 | 4978bb956e8b2e28763308b29babbf5f6511f869fd97514311bac3a5ed6cd51fc777e197f00b55bedee357291491c518b74da5b875aa34b8836e0e252db92f50 |
C:\Users\Admin\AppData\Local\Temp\mssU.exe
| MD5 | 22095c2a199d80b20ba2edbd15187387 |
| SHA1 | 7307a818d17e715c00affd94ce7851183c566c3e |
| SHA256 | b9728319a493f55aedf6c068bd5051aa8d1969cc8c745592f3551de9dd73b683 |
| SHA512 | 821f539b1e29c0471ceb8711c36fe840277278772e0a6fa0befee91955fcef6be0ff6a38808fe2303435493e047acbeb1e4a5bd1d5f9a57d59676310babdfa36 |
C:\Users\Admin\AppData\Local\Temp\AEwK.exe
| MD5 | 797d9d8d40a984abb971e0b5995527e0 |
| SHA1 | cdf055713d0d2ddf913493d0e6b6e9cc8745e2bf |
| SHA256 | b6a96f3740056cdd284f562446ee05fc3334b5cdec42c9e1fcc9d85d8cf77d68 |
| SHA512 | 8700e475fbb0c290a5cda08b3292d79f5d5f065b45f7d6699349421aa5ef280a5df9ceb580bee56f73bd0292260472ed0cd217f131427434c7684a8b8d1af732 |
memory/1744-1134-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MAcE.exe
| MD5 | 09e0c72e0936743358c8884b5cfc9de8 |
| SHA1 | 6442e1476dc7d24302970ae09b29bffb6cd69483 |
| SHA256 | b0ac35aa3d78a02560f11a9ee596638eaa06a4178365330b53b2b13d851d37e6 |
| SHA512 | d08d03582c2ecaac68e5ee9e91bd6f0047d2698c11beccf4ac6e427817105b62d8c45d3e839de58b1eafb2afa1b4477acd0acf5cedac29a5e6b06c1fb151df1a |
C:\Users\Admin\AppData\Local\Temp\qgkI.exe
| MD5 | a6fdf0458d48bae84a952aed845c197f |
| SHA1 | cd2784061bdaf66a2a25bfa7fd1ccdcde15873f5 |
| SHA256 | de51d4da058793df9205bf2057d5304b163a07258a3f14a654675cc3abd06d2b |
| SHA512 | d4708db96856f908327ec84e70fec489f74e5c55268a079566fec06fe8e67d9d7df02691acd99fdf0c15b6d4124d782418baa55aebf1f2d27c7847c892714c18 |
memory/2432-1170-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CMUI.exe
| MD5 | 053d7189954e63bc1225b4603c409c55 |
| SHA1 | 1ba6bd23bd2b67f540ae5029076452e357f7a2c2 |
| SHA256 | b9c29483505598033b06e95b12b899469137f8599dc2fb824d920d5fba48b62d |
| SHA512 | 7fbe03725846786efa243a70c84ed288bd2b564622fae685b973989b62684743d88c93e2030b2deffea4f4227bc78e3279741d773572dce6e9dce1d6754e245f |
C:\Users\Admin\AppData\Local\Temp\OsUq.exe
| MD5 | 707b8ff4af9b43f0a2ce2bb2cb559114 |
| SHA1 | 7580b0eb063bad3f7eb5840f266d60a84fcec1f8 |
| SHA256 | 97bdbdeb25a77a190fc6503e18ebdfd5fa67b205425b927bf4df4e5acaee5d33 |
| SHA512 | 528b402dd06faef0884860c68ef661f7da627a790b06720092a4162dfb2f686ee5c70ec4fc071e538b704b330cd63c9518afaa6cc325e971b03d6e3d00c95d55 |
C:\Users\Admin\AppData\Local\Temp\WkIC.exe
| MD5 | ee18e18de3cbd6608e7daac7cfef38b4 |
| SHA1 | 499d1e58a43ee07b40a4b6824c694e66f6ea6ee5 |
| SHA256 | b4f740e5b554a9c6ecddaee70b362858a8c784d5adbcd224b63892f01b6b8933 |
| SHA512 | 4663bf361e4e56e50e3e2412f25ede65cfb55c2aa62d8254b25cfcc60bdb4ee33b1b3721b37d95cf4d381eb9429aacbf35860dfff46d44817c55de0aa4e5d98c |
C:\Users\Admin\AppData\Local\Temp\cEkU.exe
| MD5 | 88ad26e78085c5bfd4b32ee3836ae83e |
| SHA1 | 15f3ca57ceea0f520fe653def290cfc745d89ff1 |
| SHA256 | e9e70a475c11feee715c426133c9ac79b21521eaf1869e5dd7f6f7850ea1de04 |
| SHA512 | 31b20039db4182e59d4ae8a94533045ff6b16a26a41e9dbc1577d4773f5f2ed8b373468372384c8b13dc750cd72edd306b90cc306050acc64df601691a7ed65e |
memory/2616-1247-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eoEI.exe
| MD5 | ee38c1325312ca67740ae1a2f5033454 |
| SHA1 | d6fb06d79e56ac8e0eaf4f91cbe6e1a3f956e883 |
| SHA256 | 847813b4b5d6756aa369f969c425bff73f4102e3c5e6dbb89b10acf212e7b9c9 |
| SHA512 | 0521ca068bc1ec947ae4917dc5cbdb50c7a36f8e1a80ed3892ab6eaa5a27206e14d37bc1ab9008e8e9a11d98496a39ce51f170817081119dc94c41f17b477b5b |
C:\Users\Admin\AppData\Local\Temp\OYwA.exe
| MD5 | 8141b39fe8a2c3bbe2daf03287c216e9 |
| SHA1 | 27f2681b0a69e50b78acab4918ae1799ad890b4e |
| SHA256 | 5662ed5b9344327d9628f290e5a053225b4981703007b9cd1334f237b4fb72bf |
| SHA512 | ae2a84d769795b9707a6941fc16ff2eeb5cfb14a39737868fe0970602c7aa85da6b416ea3e870aa1da8dd00bf980d33a3d3cdd1fcef4a43cd0b55848ecf353d5 |
C:\Users\Admin\AppData\Local\Temp\yckS.exe
| MD5 | 6e3e94f7c1c289ab09d5e033c63db2e4 |
| SHA1 | 2513d6aec0d10010b79a9a8271ab2e2000e3eea8 |
| SHA256 | 0f5338583c5a429f8dbfe8fb2550374d1c7864f2e0035c750419c360efe6bd1d |
| SHA512 | 57a4c001f044e010f2d4b76820214f6d429fcd98670861ea1b4e48de384b9e3819ee200c32ff97bc47c5f825c2e1c101c2f9cb9300220f6598b1bd5102c80757 |
C:\Users\Admin\AppData\Local\Temp\EkUa.exe
| MD5 | 2dad0f27bef908d6aa3d0109ac90594f |
| SHA1 | a778e41d4c33c117bdb8306a6b2d9d364237dcba |
| SHA256 | 7cc96da2a320a34c0f39cac7265ff78a12765064ef158614096fec22fc8c9d58 |
| SHA512 | 148e112ecc87b137d61c2bf1bc856856ce72a8005a2726a31f2e5ca4238d92dfdcacba67c89e015ecf5ddfce08022a06926d51bc3fd511168712d395425633b2 |
C:\Users\Admin\AppData\Local\Temp\MwEi.exe
| MD5 | 364c2dc3f76cd5c72533cad8628bb357 |
| SHA1 | ffa7e6891cc3312856af23cbff6b874682282935 |
| SHA256 | 53450be4e4f76e82c203363f035e7b1c0ee3b000860003bc079184867a3a0fc8 |
| SHA512 | b392fb1ff1ef3f5cbb71ffca3fbad3e17896d1a2c0e4e75ff767f53e4b982f44d08e8d501c0bdfa690a4f657dd1b50e45e699090691408d2b889978ed0ecb09c |
memory/3676-1311-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iooY.exe
| MD5 | e2bf5d891b5f78c0411a7e6617d61e5d |
| SHA1 | b1c09ab6f04fe988124402959eb92fd1688fca08 |
| SHA256 | d6946ec8a4eb08bc428d54f6665c4ad3631eab0a2c5f2a1d3797e844c5c62a2e |
| SHA512 | ae8c00f7ae073a8a8eecf004b9475234734218a3af3d66f4e7ae35f0f38dcba458070a78098366bb0072e7ddc6b018925e862aa74336e2ab38fd2b5e32b45355 |
C:\Users\Admin\AppData\Local\Temp\EEEG.exe
| MD5 | b5bce3924b5734cfed49cf5be4552cf2 |
| SHA1 | 52355dfe9e7cb926ab3be16fd3502d72ac1bf7fb |
| SHA256 | 2cdc914045d69898697328b0635c6f4f465bb9bd34f409042933711a22d4f992 |
| SHA512 | a088adde92ffa4c333dc1c71e2b54d799618efd3136579de864b574402964e62284163c13fa118a8d9f218d3d70af2525e3252bc781242935757cea32c826fa1 |
C:\Users\Admin\AppData\Local\Temp\EwEm.exe
| MD5 | 2b61c04050dc229ab1e919d16b301bf3 |
| SHA1 | 8ac3e09d459ce79833ae43a4be64443db9935174 |
| SHA256 | fb81d5643b4da839d61537c31abae81a6a7b53ae620855dc2851389da41c2f21 |
| SHA512 | 8c0f5d819f64e56716cdabcbc759df1d3ff759d2a645fd60045b3dde52621591c6b4cc38c411a4df19f644215937dcd624ef84a2c6867934c41ecfbba6ce9f8b |
memory/1148-1362-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3148-1361-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sAku.exe
| MD5 | 796249780fa9c07509acbb9b850751aa |
| SHA1 | 784d53cbd01333476f1760d2c50394c6bcc41e0f |
| SHA256 | 9f0e1e6d9e120b5b3dd312309380279cca9a66626860c54c3d9f3f40495242f2 |
| SHA512 | 84958b9c8e5bf0b2b81a81ea29765ae8fa5b90a408f1cec4db1449d76d8c57e65f9ba15823286a24c8943f7f59111cbdb57d31f06ac241e0993561a159ec89b1 |
C:\Users\Admin\AppData\Local\Temp\uUAU.exe
| MD5 | fdd272402012c195be8f524d3d400e66 |
| SHA1 | b97058068bb037ff00b85a08ea693842e049454c |
| SHA256 | 584b0a73df2e6815db163a96cea95e281894cff0b0188172303c9edd13fed9a3 |
| SHA512 | a58a94417fc39ee59cc199bf33e86695967b8b2f9105ee0cc1dde8ac9fbebc6922e351e36de369702fecdbc8322002ecd77742b24c7ec4307807f45106d2396d |
C:\Users\Admin\AppData\Local\Temp\KAYy.exe
| MD5 | 846b839048b9c9cd0a2dae82ffb53645 |
| SHA1 | 19c86c6efacc4e194ee19858b1d418ab0b48b7b0 |
| SHA256 | 78022a0c1861dbd5c9c3e5febe6605fbf11ce8336756098f05213de30a6a374b |
| SHA512 | 510b28e452358302f964b6add2c2ab271f95a711df510249c550f0258acd1411cff7f6ea29398d36c510f7e0b1f55b2da8ceb46e6516488ab824c6ea096298ae |
C:\Users\Admin\AppData\Local\Temp\Owwk.exe
| MD5 | 4014f587e400bb2e282e64b9988fa515 |
| SHA1 | f8c9ea8ae02c42e909b7615faaa99fcbfaf0879a |
| SHA256 | 17fc8f621ed24fe58ee410385a447ac3fafa0502ab346beb457ccd3374d49c39 |
| SHA512 | 0507bb5a6b44d31c9d7af9e92ecb9d50215e3615e95e354941fc57bcd6e5149b4c91d27423305f34d07ec0da1b5604dd0e510e93d523090ccac54998cfed5237 |
memory/4072-1422-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yIAw.exe
| MD5 | 917b05e4099048109213a092181fd327 |
| SHA1 | 8e22ef54230ef4eb41906e38c40942744d3ddb9e |
| SHA256 | ea05d994cb6eced0a606a043fbcc10180e7b83cf0514d81a573680919a656714 |
| SHA512 | 2aae4da2473f379b6fb7a67758aec6295ab1401277a71401bb7350a136d6f14b4fe03d800e8a3f5c8e5fbf96873e8dc3281e77e99dd2900cf6bb2f21627d2049 |
memory/3148-1440-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UMkg.exe
| MD5 | ea8481268e43656bc085933529509742 |
| SHA1 | 61d3e751131a85fe0bcc0be1a0dc95dbfef8da59 |
| SHA256 | 7874add4a7ba61b72e501728bf87e753339343e42f91028990df07b217aff86d |
| SHA512 | 2b6ca5c512a5b0c684801da47cfdc623a26d6665db7e5f307662f0b63bed93c116094cb11263e8edfce0c645fd7770dbb74e8457c00b7f0ff4ef08f57b946b21 |
C:\Users\Admin\AppData\Local\Temp\MwMU.exe
| MD5 | b36906613131cd4cc688ab4354a293fe |
| SHA1 | 471ad54b985123911e0371e2c1327afc82a5af83 |
| SHA256 | 5668ce21b019a8a2ef9c115cf208cb204c8f0041ac299233d94dd3c6798d61c3 |
| SHA512 | 230205c9c9afa5b5bd5de2a8bdc169330dca0e445c39969957c9711a0ae9cf36f075116a73c51c07bdf487b110bdcc7c3bb0e840d036f94fd5b83ea9adc6f637 |
C:\Users\Admin\AppData\Local\Temp\gQYK.exe
| MD5 | a062f921c68f28abbee5361cf6ae394b |
| SHA1 | 6ad9b0f6e59da045e54d31d53f6cf97855bdbac7 |
| SHA256 | f46c88e6ad853145f425528f1bb3175d3ff73f0bf4c4f17009604a9c71dcaa55 |
| SHA512 | 26c61a61e6972d61b41887060564fecc89735236b32d650d5f6b230e2aaebbf62bd6c328789cae360b8d6206683519d7da275755b42fbaaad17d449ae2311b40 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe
| MD5 | 367efdcba35471e4bb61160a46a2e5f7 |
| SHA1 | 918c4d38fccce90952834b029a96098b521d8775 |
| SHA256 | e76ee6f2e6410c2aa33469860c5ae59281a4f655a31ca0b7910576717b383033 |
| SHA512 | bd2f89106d7b4e8b9214cafb9eba42d77319cd7b2eef95f02ffd909e637cdc9148720090edfa1291d6bc9c38e10388a929b902a9eb4a0238ed40fbc3bf061d74 |
C:\Users\Admin\AppData\Local\Temp\kEAG.exe
| MD5 | a471822bba3ec0dd6f6dbff3ad3a29c3 |
| SHA1 | 0e240d9700e792cc2074e4be86a9dc78ff31e4da |
| SHA256 | dad1ff573ec45cb7dbe795cea8f19fe244c249af9b42cb4c0f10c4a24000e673 |
| SHA512 | f30201a0d957f545a28a14864c2855e8550686f2cf83fc3d8329ec65b1d76cc628cc83cd804fd317054da74abad9f2af6e699d758170dc4cd8dd22d6db5fc3b7 |
memory/4072-1519-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WEkQ.exe
| MD5 | 201e095458dc0205f171a3736625ac7d |
| SHA1 | 082da7766c4890c50206740b8fd06d3ebce3fc7c |
| SHA256 | cc42c82ab46837dea418f6077a7cf94f086481dbbe9aa7621287b47e888dd45b |
| SHA512 | 77c936052b80fcf518fad3860e2511ead29730fb9c493af1a242dc5f08ab797ed9e5b3f7ad3a93bf8e9f4c5c6cd7fba66cc5953a9284307e1d0a42f525efdd54 |
C:\Users\Admin\AppData\Local\Temp\GkIu.exe
| MD5 | 2d5b74d790c290757bdae96ccaa354cb |
| SHA1 | ceaf64a885fb0db95c6bc556518d447b540668b6 |
| SHA256 | 563b02d5949889f612079364962c1bc91ada59b27e4d39db0d27a6df6358a2b3 |
| SHA512 | 086a373aff3de4280ef9f011fe68236234147dc7fc6844a1026950ad42e976a70c48da7d0577ef57ea983eacc15f654f25c8e3f2ae7fa7645165442dac13d8ee |
C:\Users\Admin\AppData\Local\Temp\iwkG.exe
| MD5 | 9c8083cd114fcd8bbce2308042152939 |
| SHA1 | a1355986b064d3d15dec0b563215d7dea1e0dcbd |
| SHA256 | a81947de1fa670d979d3014a88f359a63b7ffe3593d636bacce6013ca1a748cf |
| SHA512 | 489cdb48b5118652f2a2a9a03a73f10cbb25f4c5a5f03631f0444b9cf3b1d7f8a4f5408ae353fb270dc86bad2d04a649d28547df84f24bc0efa40f71596138bf |
C:\Users\Admin\AppData\Local\Temp\IgsA.exe
| MD5 | 78302900801a22b9a19db8b6503fee8f |
| SHA1 | 3bfb75155e5e327a0adf634801cb2c83967fb49d |
| SHA256 | 5e70d58e0b76b41c1dc7395976f7b31a44176b59296ebeeb2bc84a7057cf2907 |
| SHA512 | d9eea97dc9fb448b856f9d0aec5f32f90c2816862e92c9aad92e02588df867bead9b841476085d04703c8b5b5dfd7364986ed688758697dd8af513eb657c33ca |
memory/1340-1582-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Oswc.exe
| MD5 | 510cd49333885af7aa43e5309bcf0947 |
| SHA1 | aa82f975753bfdca046e2259530900376a0880bd |
| SHA256 | 80ac250f72c7ab51d3a8885649da24d274fad63e1a571a48b817568b80dae842 |
| SHA512 | 588562b1fd21b8b90e3cbbe96412c8a265ac9ba17d3a32931d8a58713ac2c57a0eec609fe3795a344ee9ddcb51b10060eb2c34c41590ca226a3be83e5ad84c17 |
C:\Users\Admin\AppData\Local\Temp\aAME.exe
| MD5 | c8259ffae073ddd37a95c290e8642ac5 |
| SHA1 | 1bb205282bdbde06f8058120e4ec54e6cad940a7 |
| SHA256 | b75c54e4f41d92ae67954adeeb01686c5dc83163a4192509703987f740a1ac53 |
| SHA512 | 23ec76d681a5007038bddbf753530f9e40f269f41dd8b10cad04822d5c37bdad559618ddc32e25eaa68dfacf9cff0a8d0d808b097ce2fbb94614da0fb81c8046 |
C:\Users\Admin\AppData\Local\Temp\iMAs.exe
| MD5 | 4fb0c7c5f1a3f58ab2e452f9c90a3372 |
| SHA1 | 6e4c5a91a52333b24be191bda94fde355cea9eb9 |
| SHA256 | 06d1c49ec522159741b2c9452b0e5c87bb96b7b2620190bf383f797bf85354c9 |
| SHA512 | a7bce55d4b82ed669876edab450b334f2b725fecc36f43897a61d09c250786b3dc9d30c7e64d8a9b48aca7aa24744efc2bcf9e0db8c36c3f042979a4e7e8ca10 |
memory/2988-1632-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gQwM.exe
| MD5 | 554390de74fd7cd4b205eb1154f2a663 |
| SHA1 | 990d1343d9943fe1e2708b29972b8065054ebe6f |
| SHA256 | 0db0cee417a2bc964f8c3d26051013b3d333d82412ab179a8bb0cf5225ceaa40 |
| SHA512 | c17be35333285f455c3630708c584567a458ee644a65bdfe3583c10fe4ee3df82f67eac2cd82217d18f4a6bfea71f0f34d90f58a59984e8317339108810e3477 |
C:\Users\Admin\AppData\Local\Temp\cQIK.exe
| MD5 | 5e78afcdb2e9f88b452772f19a23ecb0 |
| SHA1 | feefb85689ed35803757b14f2bcc3d8b4784cead |
| SHA256 | 6b41c0c61bfa1547960e4b52b5ce6bd0183d4860427252a42aeedba80cf0af41 |
| SHA512 | 4178de219df8fc0e69f287e1ae781d8522cbaffd33126e7041f0d53209e8f6a140f742f1405dc259fd3dfe44188c1f20418aeff3000cf2537bc241ec0ef80257 |
C:\Users\Admin\AppData\Local\Temp\skoc.exe
| MD5 | 838fe3bc8c96e9285f14f4aeb7aa7f4b |
| SHA1 | c2f3394738e1dbdee15bc7bbcce8e1ee69874a23 |
| SHA256 | 27071a2a65028dfe13c9503ac05d61e57422ed77305cfbec33003c05079f7c87 |
| SHA512 | 487a2af1c7db0eceedc92bea60fa599566a52853c29faf1293a33d43989818b98d732efe391a13d9339778758c4e8888d27b365ad35e855d4da4bccf1a380325 |
C:\Users\Admin\AppData\Local\Temp\CYUE.exe
| MD5 | 83e00fb37df89868c2790cd1e4842ee9 |
| SHA1 | bcba806ea6e3ea14de7b10343ec7dfed2f2c74d0 |
| SHA256 | 40c1d3f2ce1ce0fd081a7c367c398dd1ec7432bb74db4e61ef4c1a674b5f6fc5 |
| SHA512 | 0460e1ed6e0069390257f962b14c6a102988aab3808d87779ed224f40dc63a9882b8b3507d6f76c5cca55f036aca698ee5f43374e683d8364e819ce5e4e9348d |
memory/2324-1696-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CEYO.exe
| MD5 | 51cae1c61c3759995acb9e2df22f6b33 |
| SHA1 | 7a72de22d160cddc2737346468cce6efe2ffe931 |
| SHA256 | c6ed41f674886868270d624519c7894aef448786cb4f48fb1345347d12a86c07 |
| SHA512 | 84eb33ed8ccc731be27b572e5a3888fd1747e6a894c98b2bd1049fe3a2545b15a5e6de0b902386065f55112ec0142d0f80a1f77567dfdbd13611a5ad03b843d4 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 4c9a5d5ba124cec8fc9248baaa092d8b |
| SHA1 | aae12214d014b31be0b3647ff35913a1f4601aa1 |
| SHA256 | 404b2975a70921f15e988a6ef57cebe66ebf5c89f801885ca0a5e5be3cda7a38 |
| SHA512 | 1a2371c2c0d98b898cfc688d2421bcfb565a5bdf10972f17603a6d126c77a352d833a8cf9bb0b2e00e9401de02dfd050ef705c725ceb89537e3878688e6c3e35 |
C:\Users\Admin\AppData\Local\Temp\Kkso.exe
| MD5 | 278b9cbbcb8b553047365ec44c631643 |
| SHA1 | 10d6b78d979b122e7f95bf23280b07b6cc5cb18a |
| SHA256 | 1261f6d034e88324dadc5d38b9baee92c8affdfe3d62b5ba8b131e5cc04b7bdc |
| SHA512 | 9ae358a8086ab01522df88f016f2a449c91dc05c5da77d3cf13f6bbe57e89250b4e533cd37b5a9f1af7733c7de2cc69c483d1aff463584d94cb3801e34055f33 |
memory/5044-1746-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KgsG.exe
| MD5 | ac5e030ba6a3638a7f373adc9c65fa95 |
| SHA1 | cf14251394fa6efbbcd889bfac0d9e284cb1d9b0 |
| SHA256 | ca98e5b6f7d01ca77fae556d6fad93bd53c61ebaeaf8bc6d4b6505630ff19f59 |
| SHA512 | b5715cbbe67ecec9c28f7995f7ea91e2d7c550fa9db0527a72278861e0d3350276afab86f8885382f0a8cd6b58ec1420d26aa99b90bcd71428da17895686d72f |
C:\Users\Admin\AppData\Local\Temp\UkMc.exe
| MD5 | 3eac456533b0d92937711d73e2710fb3 |
| SHA1 | 4062b50cb2bbb33ba94918247acf1fad07e81cea |
| SHA256 | 2f9ad9ec612ef788b27a4850d4e2686ddaa3a57c2d55bd6bced6706359182ed8 |
| SHA512 | e38473aea6d4ecbea3e09fa15ba8d418a8b2cc6f0f3b6786a68e34b57b6187494c167f0c9782b15fffbe457be20d49fe1773d13eeeaa66163f0f496e44b0bcf4 |
memory/4416-1761-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aUgY.exe
| MD5 | 3a63faff3ed8f3475ca465fd04deabc5 |
| SHA1 | b08dace60fa6245c24e4458f778183e8bfc322d5 |
| SHA256 | c8b78acbded10104e0271e0b366250f9e498eaf346e86730c8a446500974679d |
| SHA512 | bad907a570c2790433f01537db0f5f6fb32c02239e53a11f13f4d9fe9c6f16d5b538e36d4eb0ae9f65f64487a6286c7c5e35359c3bf131a8a722448eb59c6c8f |
C:\Users\Admin\AppData\Local\Temp\Igcm.exe
| MD5 | 513e9f4e704164334134be0ecb73e77b |
| SHA1 | 335ba9186c80caf3ad55c905f656c33af5c4c650 |
| SHA256 | e43137451c561d3c2e830c2506ff73dd5f0662b2cd5530060c4c61e72e28e1a6 |
| SHA512 | 384c70d1157ecdbc5efa25e77e7a1ea67b6e6ecc4616e81c9e2a0ba0062947bfd5a01befa8abbf85c8e8a2afedcc49bf299ed13cfb966b11581d3dd4dd0b21dc |
C:\Users\Admin\AppData\Local\Temp\gMYM.exe
| MD5 | a31980e53b78dc2dfdc5c2eb9bb0273a |
| SHA1 | 5ee86133d6950322022a16278b98d9ae5a72b863 |
| SHA256 | 7634d8a70ac94729893e909b1290563e54c628bd099a3461f1825b7655c1c094 |
| SHA512 | 28e37c4fda776767999f53129168aaa17530d8f00223dbefe40ad8c59d5797b720e946e7917ef9113fef5e9f85690eeded0bc186248ca5ccdb7557664182347c |
C:\Users\Admin\AppData\Local\Temp\aEoY.exe
| MD5 | cc04af882d36855b78135f7934a9f6ff |
| SHA1 | 8f76ef3b70ab1606ed5406ddfa499f4632d941d9 |
| SHA256 | 09344ff305409592bb85bb3def117a05bf1b6e8a6fe8bf5101e0b27aa954087b |
| SHA512 | 2c09b82ff57f7c16554f3cc09bb6734283b627d1e86d24d26715324bc8f9df000f642b7632b770cdf0bb6c7974cec5bf62e69c73b54053f0d28315ba2b9f0edb |
C:\Users\Admin\AppData\Local\Temp\Mckm.exe
| MD5 | 9ab4b2816271d719d64caa89421b4997 |
| SHA1 | 92ae64de146a1f86790223e8c670c53ca0079217 |
| SHA256 | 80d907362c6cfac0e1b72d04afbf646f5f2e67470e41a63aa7a668223ba15132 |
| SHA512 | 787680d6f8eed991dc528baf258cb6e484fa811f9999e0456c7f197245994f15514852f015864d56a21cdc6ba4686f70a74c8fafccf7dfe2fdc909b40ed25df3 |
memory/4416-1853-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EMga.exe
| MD5 | cb194e3e54cf7c875ecdf32a8a986434 |
| SHA1 | 0560cdd51ca3b4c0c50a0ad53e90eb84849724fd |
| SHA256 | ba69178f00da28568720bc0d3d86b78b6507ccf0761eb37b161d969f3a711e85 |
| SHA512 | 6d5547ead6aa47eda8e83f6bc4e396122c3a613904374ebe8cad4c1e89b9be574baa7d837c69cae2b590bae672c27c9db6c0f9c49502fe47ad2d18ce482f1089 |
C:\Users\Admin\AppData\Local\Temp\okoQ.exe
| MD5 | c15245528149ff54fa302409473d34c1 |
| SHA1 | 8b36f39c1fd084451bbd50d004f92df514c9b53c |
| SHA256 | 25748349cd28844e00caf96887c24e10d7742ca9af944e40e8dc9bc811656f8c |
| SHA512 | 573d3a0b8dd3002181b542db565280f4e5b584477dcc6c58100925205177b30b0a040206d832af6a6a47852085f3fdd4fd355e7e93a3c5db37981add8c375bf7 |
C:\Users\Admin\AppData\Local\Temp\mgAC.ico
| MD5 | d07076334c046eb9c4fdf5ec067b2f99 |
| SHA1 | 5d411403fed6aec47f892c4eaa1bafcde56c4ea9 |
| SHA256 | a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86 |
| SHA512 | 2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd |
memory/1860-1889-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GwUY.exe
| MD5 | 95eb82a8f285103aff36a3a2026f0ac5 |
| SHA1 | 0ced165012d75a28d9254a69bc7d3d1c90d8461c |
| SHA256 | 1f352f1ac75fae65ae4d2bfe96792f29ace659b806365e5e122bcaa3a323556b |
| SHA512 | 09422d610da5f3a67415e0796b2cd6bcdb0e2460c51a8cca15b4f3e1b40896d9c9208dd0f8037ac82d614632ed29dc2a9a6dc627b323f681e1a5de410c0a1b6c |
C:\Users\Admin\AppData\Local\Temp\Oogo.exe
| MD5 | ffe0754ef97a348feb335a33769ccf26 |
| SHA1 | 41b1e02e7e10b28c1890bc87d7ee09a4dedcf6f1 |
| SHA256 | 4f90b361d7bc292752af813760f3169edd49e6af60e862121b50c4155d069684 |
| SHA512 | 44032cdeb4525401fba4ff81de1c49afbcc51d5c092ab184c8b96dfd97c9f64491b4e339d02d9811df7fa1252bb928776c4c94913d1259c3e0d7a62c37772d3e |
C:\Users\Admin\AppData\Local\Temp\KkIc.exe
| MD5 | 89e16aa86c75834d221a22af3e30b741 |
| SHA1 | 835f05251c51f64228412bdfa7577296e747dbe4 |
| SHA256 | 7450ac24f729d876f773f34af551bf01329afc7249ae1d73bcf5187be9efa12a |
| SHA512 | cd59b21ed06d5c6303dbac8c7331c353c9d79a249acc427d67a0ba760a7ebfdca1b85dff66bb6f6f46fce8223b1066e9909d7837db6a703a9ff0291525e9562a |
memory/3172-1939-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KEga.exe
| MD5 | cba673f48f2a3c546efe3af06c928436 |
| SHA1 | b13610d428413db67043773a230f823d7e9ae367 |
| SHA256 | 23bf7190c4195e83b757b8b0021871ebbb437b11d7837ce95545cf75a86db9d7 |
| SHA512 | 2309c528d17dc0643f88f737ec62b2511a2a3bcec0aae914cdebbc0ee13a4956e9b1ceb1eadc31f1cbe4f0e11e840e28a77f04bc9475bce0a423826d36c0b4dc |
C:\Users\Admin\AppData\Local\Temp\Aogc.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\SIsY.exe
| MD5 | 6477a97628a7060f3fe0bb269aad4f42 |
| SHA1 | f96ca6d325c1c5e42445b78ff9fd188da2040028 |
| SHA256 | c8722ea85e2229ccedebe6f772896eebddc059c0496aca8b9ce08aa8452736cf |
| SHA512 | dc7f60ada80b7a2fa42ab57880c919702fc4ec9993f8674315d2916703a49f2b9458d0f3f4080b2226df95537c59d7182dda4ee7f46351997536f7797998a113 |
C:\Users\Admin\AppData\Local\Temp\Csgy.exe
| MD5 | 8daab3ce39ed0d5a759e5ccd0daec30d |
| SHA1 | 260f662ace009d16e3cde93551d0be407558caf0 |
| SHA256 | 6fca4a1e55cb208405b8030c4cff20d711dfca1f81959a2435523d9fd3757535 |
| SHA512 | 451439467255afd2499e238ff5895d3548e95cf68be4c32385eb7c39483866e072d82fbc2275b8ada2d27746b99f7dd27bdee25636c14386b3eb2c713f4dee82 |
C:\Users\Admin\AppData\Local\Temp\OMkE.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\WcQg.exe
| MD5 | 8e04b6b8e50c5fb33fd280cb9ecb4856 |
| SHA1 | ff514f88bb713c176519525fee16fc67ae4d7825 |
| SHA256 | 25a27dd2b6236ab837992aae53b94ca7050f15aa285355a1d5c906abdb49c4a1 |
| SHA512 | f1d5fedb348e991f5056a4e9abe5da0debde5cc779fd161f77abac9080241eb8782a73eef1828755151bc5281864193a7f0023665decb22b8dada21954f32db0 |
memory/2516-2003-0x0000000000400000-0x000000000042B000-memory.dmp
memory/540-2004-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AMIK.exe
| MD5 | 687b702bb09af2f81af1564b5b5030db |
| SHA1 | dac41a1a14fb192937a06653891abd9849563acb |
| SHA256 | 0c0138d46557d51b600ab4958610615f3b31e682282090ddf62ab209f80b3a9c |
| SHA512 | 22eb8048066ca5690d20de3c43392e972f19d35584d1768da16517494f0de03d5dcfbeeef26a04ba6bc6192bce2f9ac6bc347f38354e217035e35a43d05d218e |
C:\Users\Admin\AppData\Local\Temp\isQk.exe
| MD5 | 5c80d1e307b5511d4842ef0041c9245c |
| SHA1 | e759dab8b36938aa8c670873e0b06722806b5ffb |
| SHA256 | aff732d6dd2266a8a7d4d6a321ea9037e62a9b43e0400be96fb486bfc402c0e0 |
| SHA512 | 93ac50d0c5312beb1d3cbab422cb7313f5dce2572bacc23d1eb26a70075211ea5229da24e9c449fcc4d2fc4f7110e31aca725f24c4440b54b625c0bf8770ba0c |
C:\Users\Admin\AppData\Local\Temp\MsEc.exe
| MD5 | a28fe19cf05817dee289dca6ff16693c |
| SHA1 | e7b2f3defc8c6c16fbc534e70bffe9c220d66038 |
| SHA256 | 6a7c9277cf0215fbe82eebf8ba67a20d587b6a593380662ea8047024bb0b0e6e |
| SHA512 | 2c260cdcdfc2280990102008469c616c734c32f7508dc12368be15ad2de4024fcff51e48d0796ba1ec19ca70eb303009d307f043d37a788e2061c7cb24ebc83e |
C:\Users\Admin\AppData\Local\Temp\mAMe.exe
| MD5 | 8d23f69663ff2383d2e7df5a9b06aedf |
| SHA1 | 8ced43cb60e61eeb5493938dc9204937e65c8392 |
| SHA256 | 998b515065c89e2e4fb3646c95275d2acf1acbb611e6e1e3f82c6e7dd16143f7 |
| SHA512 | d1f173193ecc8a1d24462a8206c86132ed774c214864787190d2fb1071a0100d8ab03209ab4ae8949f7d12688c25537a0746c088fcdc8fd3b75d7faa2b17ae74 |
C:\Users\Admin\AppData\Local\Temp\coYU.exe
| MD5 | 064e5da732dfae68d19cf86b2139da28 |
| SHA1 | 62a06c9c7097f42cb702c63b97aacb8c720760b5 |
| SHA256 | 99c745445250431489ff15f7ec779955a0ab63a9eb134d8015ab287020493b2d |
| SHA512 | 329ab94168697b7284a8eb80df7973a5acf3bd920a7d3c60019c08c2241e3e2922e9c5adfce80b1d7e398b46237aac2a4d80a47eefd4e988ceb2e3434b27edd1 |
C:\Users\Admin\AppData\Local\Temp\qMMA.exe
| MD5 | 68bae0dcedf90ee4d0b64bd6a1aa56e0 |
| SHA1 | 8f5e265696978d4e5ad250b12ee82a168f194e87 |
| SHA256 | 71b44c780cc3f75d0f9d02c633125784ee3381017e0ffa0be0330347eeada58e |
| SHA512 | 1f0df3bf69aaf02a486b35ffa009063656d15e39b3e418d7ed60fb8a418a2b061c228b855a9211391ea8f78b7431fdbee7c5ee843db9ecbf0dd6c73b0dc3994f |
C:\Users\Admin\AppData\Local\Temp\wkAK.exe
| MD5 | c28f6e1781e61a73da91739338a21adb |
| SHA1 | a2ddb807cf7241a5c970e493ef9a4722344e1ae7 |
| SHA256 | 57edf545e669fe76344042cf7316791b6b02cf0d203ecf6fe61c6047d3c81e94 |
| SHA512 | 3c075e1d64169f16243b4ad6c813e9a54fd5935605421548b5982ca228d273443489fa040d00d86776a4ff70c8f76556723963c4972efcee005b5bde61f58354 |
C:\Users\Admin\AppData\Local\Temp\iEUG.exe
| MD5 | 3443872a93754ae36881d15af12a9820 |
| SHA1 | 23e19582e7314f10411542d8f499c8b93cb117e8 |
| SHA256 | 95aeceddc6bdb961cc98dc0ef383da2b4cac5f73866b4663d52b65affe06aa3e |
| SHA512 | b4de9a397c7a3925014665f86825510c909320bf03fbace6335f54f29c4b3f470e68ec3018efc8c11f3138d90e298f8d23d339a2da5df2564cde867bf084eb5c |
C:\Users\Admin\AppData\Local\Temp\ikgC.exe
| MD5 | 0f33f1ed2ca79bc9f66815fdda67378a |
| SHA1 | 1e3c6493ed37bf50784866f8b46bc0f1d44d62d2 |
| SHA256 | e770ff951851071b4736082d747ab810e98fa8e34daccb1e8c6d55d9edb4e6bb |
| SHA512 | 4ce0baaf9183c318eb702f69d0e272b35002b23c83578bc1d66e7f675bb437a13140ecfa695ef2ada32992de3915273018f12c76e51a178006a9c6e6c5cad150 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 42309c5a8820a4f1c4c89a1053db9037 |
| SHA1 | 144495615a9039fe188ab32a6ddc704d64ba60ee |
| SHA256 | 7b2530126c7d7393e36e87f66fa948c21a03d59640de5293f4e30c6394d7138a |
| SHA512 | 9ef2f584b5626675b10e68804228d36482f1c5d27ebc11e796e283d983bb8c7e5e9f25ae36028cf28f6b7dd02cf7708cd74ba7c8698942179ce836db1c65d9e6 |
C:\Users\Admin\AppData\Local\Temp\kEko.exe
| MD5 | bfcf9c8aed760c102a91e0475e32ec21 |
| SHA1 | fb8ab13453c2741a670a914db737445c6ee18330 |
| SHA256 | ba389b5b74c09fc1c24663ab7a46fd00668d7643738945ae225c9c038bec243c |
| SHA512 | 2aaf5edcf84a07c506d39562abfad999b74a62420251b75dc0576e7f4b2acd9d9b787d78c21b279a39ed358bd728c1feab79ead36929991bcaf6bdcf265b58d7 |
C:\Users\Admin\AppData\Local\Temp\WEYm.exe
| MD5 | 92547e6a4f88221a0d94bf10b63dc78b |
| SHA1 | 315753e201b45c64eec7b2373bd607bbfb6638e2 |
| SHA256 | 67c098eae988701a2312c1ae2335d74e8757d4251c6bed7d1229c5e153cc2c2d |
| SHA512 | 945acb5e70b696a4fce801a2e28ccede87c1553882d42819ae11dbba801567521193e1057ffff0987c0b7944e65bee7ec72779e72d7b13dc493dc775738e0d74 |
C:\Users\Admin\AppData\Local\Temp\aocE.exe
| MD5 | 05ea7617ab65463f8d0906d0702959e8 |
| SHA1 | f4f76495b72b9b227fe7aab1afd2f9b3de0cf126 |
| SHA256 | 7bee6f7d4be61205eb986e372b363f3ea2c6f38207968389524ccf8f3b22ba7f |
| SHA512 | 1a56ae2db4fab67d2ebbc1c10d55a9ab2f97a9af546b95af29b706df53049c57e85ff07910ebf667bb688d5c20d7b9a0c2b5d85853ee44ff6c018e89ab1827a2 |