Analysis Overview
SHA256
c3a52e7cab3aae3f7d403144ea2faf5970f2145c3e71bec435c066588fba81d6
Threat Level: Known bad
The file 2024-10-18_c5753e1861dd547017dc501d1949740b_virlock was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Renames multiple (86) files with added filename extension
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:01
Reported
2024-10-18 02:03
Platform
win7-20241010-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation | C:\ProgramData\dCYMcAMY\ouUwQEwc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe | N/A |
| N/A | N/A | C:\ProgramData\dCYMcAMY\ouUwQEwc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lScMwIQw.exe = "C:\\Users\\Admin\\mKsEIcsQ\\lScMwIQw.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ouUwQEwc.exe = "C:\\ProgramData\\dCYMcAMY\\ouUwQEwc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ouUwQEwc.exe = "C:\\ProgramData\\dCYMcAMY\\ouUwQEwc.exe" | C:\ProgramData\dCYMcAMY\ouUwQEwc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lScMwIQw.exe = "C:\\Users\\Admin\\mKsEIcsQ\\lScMwIQw.exe" | C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\dCYMcAMY\ouUwQEwc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"
C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe
"C:\Users\Admin\mKsEIcsQ\lScMwIQw.exe"
C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
"C:\ProgramData\dCYMcAMY\ouUwQEwc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RkYssAQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LoUUMAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOIsUQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYsEEMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEMwgcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEswYQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwUQwwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIgEAock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAQcYEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuwUMgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCQMMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pWsYMAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKYMkcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWooAooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uacgoQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSUsAQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gaAAEscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EoYkYgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGIAMkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2061874226-10872817861228594915-2066508853-1610934505-1290576343-1849610217-886149971"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGoMAUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgcgIwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1225731590-151279431-969689503186118060021013533392075054035580652598166361389"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RIQAcUkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcMEMskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "423589352-457269844590639371370101970-837868254-6304348039622731512035297933"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KqkEwIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-183403387-20224823641318124498-7375306312143196995786002548-649993257-577091787"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2055119661524920360-571428158-1970467533-482682805-64403808-1433996204417965975"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VyUggoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21396382481262991894346598861-943517963330444332-462441780167316668-600897040"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcEMoYsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1938558442806336565-4759960451301128664-48019161615743249011228606399-1115698803"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84274055129878738314291623901716750102-695236838-79584940391481912056650346"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OAwgcsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UugAQMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyIIEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IiAQAAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hYgsEoss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "680699757-4909836741098084422-62183800-1549948216605068648-2047370462-692278522"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwcIAkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uIUsAUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14310309794677333271734393142-451586146-14769399801264671598-1855822098737610842"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5269116721011395720-1903760212075482326-5330508406561823681946572455-949690313"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWggYEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-93190903845225194-10074428131407865528-2028662862-78782031-1529944506-1338031969"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13567614711131434855997836617602442457-6236380031427441714-175563707-756341841"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2012853364-1291699275-352133198-247533103-1738982185-1325165576-211282788684204560"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PeMYYkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ByAUMwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1010777062-2825818261221836812-106707427-204069844619537615872101749811-2025530268"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\owQoQUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQkokQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKUUIsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18703576545864855221723102642-849816809-1510609045-653377251-403645138893564930"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "174615314920134007-250580094-19331093202107016478-2039163609-811315902204459069"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "905140426-593544484-519007602-1057747206-1191850960-181362718-933458572039397116"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LsUUckwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vycUggYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4986087592085770720471128460-1810595925-59677944534197816-509661791-1638742029"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcsQQAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1299017410-1141705419-1877068044-1407202709-1032034554-1082661021-3316443281469739196"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSEwIQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1860933506-10104913711829744449-2833699-584126840-8869816562132448505-1166354095"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2107635485-18414889031285329180-10896113881163641944-5636991396865374561422601326"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "24409380110992033135090414102717661661425814814491536641925991539-1457321204"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCEIAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2618435236256490422136459925768483669575281838-19680948371879670968-1334309010"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37110533713506659001599226083337225349-1728813790-2141738620-16429255842110470595"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-195767735-433474215-20702957181788445866-212249860825122270411899237972117301715"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1233169439-581708889170682316-2140974199724983192855969886-934075580-913945942"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zoMswoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19478178811072892953670861233646718334-525588307-138075855216552157031372230575"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeEAUwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VWsgkMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-55145746-2029250919-679463579-742309050-301280780772177311-1367247033855112723"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MkQYMoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9845446102136483112-5829700081144971339-810944984-104727232609692802-1135244507"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4746448111628687195-1691012417-1763046800-15934267899153247862069685010-1180814452"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OcgQUcow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2061741536-130569470920435895792084926005-251345342-467538909-1552244867-769430616"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoQgYggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5650921401304279056-1117004897-117021565-2783614076866882691825665990-787400073"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEYosswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21262361232075149606-1081501742-175243302469086343087004987111179458101395220946"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DUggcAwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lOIAYQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1972567433-207412100-652925144-650984302121483718615652408601088633302793429497"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\puIsQEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1287471696-75560586713169281361312531391-17277900262043060591-148624007-185592067"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2010363258-163366370016436935911865204325-846592994-576589352-205785962-1233149818"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LYgUMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dqwwokkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2099377187-6543392021455327515505193498-120489090-18977343571719311337-1689852828"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-861146297807789266966803649835766737-1988172031629691768-13177281371077836297"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1024276780-854938442-546265602-17494860681453096837-1246243188-1372290875-1330714697"
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2444-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\mKsEIcsQ\lScMwIQw.exe
| MD5 | 4af25caba5e57ddd39aba0c04ec1f6ff |
| SHA1 | b1ea3455b3bc443d515e0d50874221b2184cd9e2 |
| SHA256 | 2c145c0755db929a5aaf5cf9843ae0737cdc626b4d85e1768f729150ec29c0a9 |
| SHA512 | 14e62f4f353423334350c5e139b90d70e09bbbbee08f3a707dafa4e8a4f6f0b2fbe2ebbe9e15e183367fe279195ee4eec951d682f648b45d2828de53533c6bd2 |
memory/2548-14-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\dCYMcAMY\ouUwQEwc.exe
| MD5 | 531551d7fdbe5fb3ad785fd9ef2e2818 |
| SHA1 | 91e871921fe8f928fe7f214759e74e913ca19931 |
| SHA256 | fe91d51588d873dd199ecd37dbcea7bcef809c960bd0ccded37c51b956b2960a |
| SHA512 | bd7ac8fcd1814370a1e8c398efef911b5776a94bf857ea54cd2817ceeeb93584af0e31ac3d9ada97c5ee7c1e300814ba15e58717b58d9658a378c9bc75759ae8 |
C:\Users\Admin\AppData\Local\Temp\cMwIUUQs.bat
| MD5 | f6025528312e5d04961400bf17409311 |
| SHA1 | 948d22d3d82b0a8665c415e124c8a0d0228c106b |
| SHA256 | 8f7e32b23bbe668bb50971ee1fe22b1e5ab96237f2ea580ee65f059db0c57226 |
| SHA512 | 6225a29ee956cfcf25fff02f3a0ba9fa537a31026d76dc0e0af3642e3555fa7acf3701b62fc46573b7494d92f3a396e7ffed0a21b82bdfc2929eae3dd9676ccf |
memory/1256-30-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2444-12-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2444-11-0x0000000000390000-0x00000000003AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RkYssAQI.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
memory/2444-41-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2844-40-0x0000000000130000-0x000000000015A000-memory.dmp
memory/2844-39-0x0000000000130000-0x000000000015A000-memory.dmp
memory/3044-42-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
| MD5 | 01756f45662d7cff811ff986e2fd4e66 |
| SHA1 | fd67e79512c5386dda615835a40dfe5f286437bc |
| SHA256 | 1732b081443d1e292dd1a4477ecd8be81fa350cf3b3ce6dd222567b7585a8895 |
| SHA512 | c78311075d33ff2a253dcb86911355ed76ab349fc2f83bc6ab042dcea56d5d092af8abb2598372cd988210549376d023f6c34e92cb8816f4736d91dad606c2e1 |
C:\Users\Admin\AppData\Local\Temp\lwcIIEgo.bat
| MD5 | d62fa5fc0f9e1f936db19e220f85fb1b |
| SHA1 | de1747f2ad3bdcd50de3cbcf96a07dab4b3b2535 |
| SHA256 | 9d9a34ad3cca628e921cc68b7eb1d1b0f1ab4a91cf95e2a89be7394b95ffcf3e |
| SHA512 | fe600bea85a0f52d21c31d25cbc15c76df0053e0eae6748b112897541488d0674d4a10f9177e49848c5634450fb862637deeb820169a4984804fe128c5153278 |
memory/2872-63-0x00000000001E0000-0x000000000020A000-memory.dmp
memory/592-64-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PMwMkIoM.bat
| MD5 | d4a42f888b404b6b993b09cc0e467240 |
| SHA1 | 677f2d4c545c7daaf64ab069fe58534f0f89b9fa |
| SHA256 | a5762ca0c640be7d79518ae355511ae8d0929eb5bee0223c3a49b13b059cb79c |
| SHA512 | a5064b5eb66109db2b87aeede1bcd663cdc069723258c807c730f485593332c5208a5ea7dc9e5efb55b1d84d11d689c674e65261df599bc70a74c337c6fcd215 |
memory/2112-88-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2176-87-0x0000000000440000-0x000000000046A000-memory.dmp
memory/2176-86-0x0000000000440000-0x000000000046A000-memory.dmp
memory/592-85-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hYUAUoss.bat
| MD5 | d4d27aae40248452cf8dc0cb13e65b8c |
| SHA1 | 8db2b5087429d0ba7535133b332d606de2f56fe5 |
| SHA256 | d9a68834c538e15d020e18c8f7f27489166661785d6fab77cbda2065a09eb860 |
| SHA512 | d0950b02b6311668d8827ceb57dff2c022537e2e69bd39f1ca2851cc2c5cc50b7b06594994f95e35f9c0e846850c666fe1a3f368d84c49a94c506a3ed14269db |
memory/2384-101-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2112-110-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TGkgswgY.bat
| MD5 | 0d963af21166633745f85dbd32cae5a1 |
| SHA1 | 4ae4e071cf4647bc3e1c99bd14fbcbb9b91a467e |
| SHA256 | f1afecf08e8f49f23da6aa666ea9240f6bf5b48ab53e7c4bae35856c6f13418e |
| SHA512 | c0e6d7f0efd617d66898811f1a1bf91891fbc19786fe430ae6cdc3e7ef67b09bccc7a7b64ea75da9bb95d2ca904f03dfccaa74349cc90668ecf1ac203abb02dd |
memory/2632-123-0x0000000000260000-0x000000000028A000-memory.dmp
memory/2384-132-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UyAgoUsE.bat
| MD5 | 81f1ad44d5554bf7c63d89bc65963aac |
| SHA1 | 150d9104237fca0a253ec2782c188a8652ebae64 |
| SHA256 | 9f3af7bd60d79d7e6eb03d201e8785b95470b8f2f0e2704f51793b4542d9caf9 |
| SHA512 | 370663f59d3023db70e554ce08edf2b1da8bbeb160bb8d9a2267bf2653feaef4f37c677b3ef9c477067a13d9282a7134a6a4985991f5d024fd0a682513ee63cf |
memory/716-145-0x0000000000170000-0x000000000019A000-memory.dmp
memory/2224-154-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jgUIEIQs.bat
| MD5 | 952d767224aba11e7f6633efa3604c9a |
| SHA1 | d72364e57f2c04540f8ccbd30f0856a4c4313374 |
| SHA256 | 7af468bddb251819f23a76ba9599137cb23fc9f6d98f12488b7bfabee0eebac8 |
| SHA512 | 07eb46516b4b95694dcdda586d19bc7434a07bc5beaa2ebe29942bb93606d80cb519ab54159e458b0ceb1b4af96ee556bbe4b1e7be1850b25935b93eb3b044c1 |
memory/2960-169-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3052-168-0x0000000000270000-0x000000000029A000-memory.dmp
memory/3052-167-0x0000000000270000-0x000000000029A000-memory.dmp
memory/2304-178-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mwkAQYMA.bat
| MD5 | badc9a497251d9a7ad706a7a615458b1 |
| SHA1 | d3b1372dd2dce4d9ef205e7b24f5f7147970d07f |
| SHA256 | ed0d443692b8de47557882fe16220a016a3c5db8dfc06496830147a8fa531579 |
| SHA512 | 63b43ed490f595dde297e10f70282911b18d50c86cd41fb7b69c61ea5ffa25a02efd02d5f46113cec31bcc97537d59a5201c39f8d86264dde25ad412880acf3f |
memory/2916-191-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2960-200-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MesEYEgw.bat
| MD5 | c935bdce95325ba88c63b48b5be5c38d |
| SHA1 | 504a318c5076a2c810029b9e573b1ab5ea130003 |
| SHA256 | 5c1edf56b75b09da69f7d0013bcf1db4d3c21f2cdd0894123b18af6cad187a40 |
| SHA512 | 212484a8634a8fb64abfbd3f3b59587a8a87eecdc271b12e9f066cb5d34811783fc582108294bf62c62bfa1e1958c35127a38ddb1830ee0b0cabeee99df23753 |
memory/1032-213-0x0000000002270000-0x000000000229A000-memory.dmp
memory/2600-214-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2916-223-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IGcEowEk.bat
| MD5 | 75b04566dabcaac7eaecae2c29688021 |
| SHA1 | 956a2ebb07c3bfc63532bf56c020084d28d83e22 |
| SHA256 | 408f3f50d95dc37fae37b94360e413689deba6e61116d52e2101d785ff2b05d5 |
| SHA512 | fed42a02ac844e9b5f94ee51c268784936457f374f823932089d6f38c8f7bdb0fb29042bc0d6fc4139d11dee8d968117f48826d3d58614299dfe2dd959a2bfb6 |
memory/1840-239-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1040-238-0x0000000000100000-0x000000000012A000-memory.dmp
memory/1040-237-0x0000000000100000-0x000000000012A000-memory.dmp
memory/2600-247-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fKYYMQEc.bat
| MD5 | f5fa06ae0aa8e18234c9616a5a711ede |
| SHA1 | a8cf3f44ffe740bef3284578dac2468cf670979e |
| SHA256 | a36b1207de97b8bcc974b3c969757484870734fe6bfd2542f95cc1ca75864ed1 |
| SHA512 | 254e42a69ae864dcb27e49293660b67ea6a5e5dde397afa8e6b33487b2453ff89b49acf3516cb4ee152bd3fa9d4a8ad1730a21029ed702a1557098343537a146 |
memory/2004-269-0x0000000000130000-0x000000000015A000-memory.dmp
memory/1840-270-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2004-267-0x0000000000130000-0x000000000015A000-memory.dmp
memory/2284-271-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PKMgoQEg.bat
| MD5 | a726522d69daaad2c4ed5f8ffe466bb1 |
| SHA1 | 5aa829f8d17dc76a5e500b9d07b8798333216ab4 |
| SHA256 | 594307995ceb10e1714d5af787ef1674db9e622a020df2eb50abf5fce99538b1 |
| SHA512 | d879d1f629fb324da35882d33bb2ca8c6dfe224c087eb3f5662febb6763e1b0705c6bb1dfb9ce657af164effb647997a4c3e499f28a1162c941ba848f1355de6 |
memory/1068-295-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1620-286-0x00000000001E0000-0x000000000020A000-memory.dmp
memory/1620-285-0x00000000001E0000-0x000000000020A000-memory.dmp
memory/2284-294-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wscAQwUc.bat
| MD5 | ccb4ecff2222be6efabd2223053416d7 |
| SHA1 | 42aa0a4cbbb17fe08ed245e0590fb2534a55c346 |
| SHA256 | c689ec42058c9a2628e0891498d7915dee3810316a8a66d82bdf418c526b1920 |
| SHA512 | 9e5e386dde5599ef8765c87d1360a7a8b9c4ab34ac5dd90576d8ad7b00b33c7212428e1fd705781c1cca4563c3db67c28f449460c7461f80dd212da3d545f6ce |
memory/2768-308-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1068-317-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PYgwAsYY.bat
| MD5 | 74237175fc08971a2eac5cb0467f641a |
| SHA1 | 2568a8f1630cb97c34e6d93cbc5fc460946f20e8 |
| SHA256 | 16e0db57600d8e3d2badcf356e35667f912293e1d9b99bf6b5b775e7502cb10b |
| SHA512 | c78581d6dd6ceff2499cb1003bfc62107d0ab07106a52dc87e36c9db422c46e6cc03225de1d33988af2efb12897d714045132d10a327c35ad64987abd7304196 |
memory/2144-340-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2884-339-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2884-338-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2392-341-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KiEAcwQQ.bat
| MD5 | af8f88e72bb231cb3b446bf7c210e349 |
| SHA1 | 41bc15e9a2908f9bed91f827cf4eb82de097f086 |
| SHA256 | 57ff13127f48f58a58535912ed8d04415377427e3105272cc1a61853b0fd7514 |
| SHA512 | 098e8c703b73b7d064dc9fbf484db55e34c9919a7bf79ddcbadedc1e7fd4d1395f43f89d2a69492a8bcd2796ce838ca5824bb174f92834054d6f14abd575ce41 |
memory/1884-364-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1516-363-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2144-362-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VWswQYss.bat
| MD5 | a3bc5eecc240267859d834966c5f291c |
| SHA1 | 16f5e252cc81bdf86a03d7534740b98888786e54 |
| SHA256 | f14ba79d08c830bf894e65962503f2ebb8de915bfd1fe9e452d6df12e4c4ca83 |
| SHA512 | 885fcd6e83f43052098d8b28048e71067b33ffd94e4407ee501cf06f4e6119a5fe69efa82f554c33da9f4d65c10f5eb1a0d1bc1b0fdebd4f8816377c0bb4312d |
memory/1032-386-0x00000000002F0000-0x000000000031A000-memory.dmp
memory/2668-387-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1884-385-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMwsAIME.bat
| MD5 | ad087bd2f1dac5bad0fdf77c8ab41d51 |
| SHA1 | 0d3ebb599cc6cb8de1c59cd5ca273bec2bbe01fc |
| SHA256 | 417e865c9a01242dc4b69bf755d6ac983b110c6f6efdea5c346e86526fa66414 |
| SHA512 | 994ca92e7c404cacc6e8c0024f9d9255da1b943bfa417cbc4dae1571f2836eb5cc9707b3426ba7a09917bc9e71e38d8cb69d7361972fc499a61c184f475365bb |
memory/1672-400-0x00000000000F0000-0x000000000011A000-memory.dmp
memory/2668-409-0x0000000000400000-0x000000000042A000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\eocK.exe
| MD5 | d724fdcca094037733dfa1f64c656cea |
| SHA1 | d9379304b9ff9edf15e7d34eaf317b2f90789949 |
| SHA256 | 0d9187ed15067463e2a86c6271fddb63d210308709818d13628bc183ade1cc5b |
| SHA512 | 0765aa54cf5c6dc442a6f123c9f80ffdc29e47a5a7201aec9ecebe8aa1ad7da88d9ec0ef81fffbe49b7364e5253e918bea55cfc6faf169eb3779f04d945f9064 |
C:\Users\Admin\AppData\Local\Temp\OIMwgQIg.bat
| MD5 | 0b0225130cd20ab3490ba2893cd794ee |
| SHA1 | 2b2b8b93bdfb1d992f33506338e140673f1b2635 |
| SHA256 | 8cdc455886172f10ea67ffe1182363c9fa0e55abde3eb0c43a66c7d6e84882b9 |
| SHA512 | dd621ac945c357dfe472896a7b3fa4d458337565a9c8cd46dabcca53ae2f1c3837c6c913cf8546a738390ad3eb4ed27b713758732a32e059297d9d7b6e7c7c03 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
memory/1164-447-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2712-448-0x0000000000120000-0x000000000014A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MMoA.exe
| MD5 | d228a7b911c73f854e5484a01dafbe65 |
| SHA1 | acef80153bd6b03681ae44a6462c881a6e2ac234 |
| SHA256 | d16c124e8fd4349025b809e0c625645488224167a3fad1bf383ee273dc797e44 |
| SHA512 | f543500431037c7b6144dff61e59b982e143fd1a1559e443920df13f9621a83246a486ffc73c320368cfbf90eade5b3f81efb4d4b73b73c7f6ae91b2dc0ea6c7 |
C:\Users\Admin\AppData\Local\Temp\MoQM.exe
| MD5 | d54e7d3a116595239164c24dbffcada4 |
| SHA1 | c00e4cddc8887896a9fb84adccfd24b1c8198240 |
| SHA256 | eba176f32088f65fbc4669718155986d848a3a8dc9d2bef045ea7163345aa94a |
| SHA512 | 461cb6307bf241e9244de7ef69c74c1b9b02c1abcea13bb9230c6268b8b29f69192db69d4261f191f2daf0380a93f86e4e3c75993a0b0656104879117f6569bb |
C:\Users\Admin\AppData\Local\Temp\uskQ.exe
| MD5 | 68db4702fa3a5e520c8adac97482aa78 |
| SHA1 | 0e7a4a526d9c1de879ed762813c7d24d4513d613 |
| SHA256 | 6cb0f889f008de2c50b6155b77b7396e07601ff71d2e8fab21ea6359e74beac1 |
| SHA512 | ec01524120ba8a62321567f59fec7f625ff2979106e3ebb3299e4de4aac0356bb81ba2b0082751531c84c4fca26f5b33c380d8f71d0c79ff9be1aa4349a11eab |
C:\Users\Admin\AppData\Local\Temp\rAAO.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\gkMQgMQk.bat
| MD5 | 0b87219a8a8a28d1d5c86da351b0fcf9 |
| SHA1 | e612150379f9279e669044c538d5deaa4518c0b5 |
| SHA256 | 905fe8648fe3b07af13c6d3e6276f247b778fc5e8e210cfb0705f62b40d41be5 |
| SHA512 | 1e8d43cfe7ebdf401374a1b788dfea86bbb0f3a383bfbfc06f9c8f63ff2f4acd3a187b864fb0d450d7dd2ddd855de81fb5e99ae70528d2767c7a7a0983c3bcce |
C:\Users\Admin\AppData\Local\Temp\BoYU.exe
| MD5 | f9495fc13eff6be75429a5ee83767317 |
| SHA1 | 76933406997d0fa9758492fdd81816d5e590b50d |
| SHA256 | 0d89fc655c1ea3497ef8f2d2091c748da1ad26a55292fe5a8d0fae2640d843c0 |
| SHA512 | 3ec52b56f5a77d2074eea2e712a63074d3f8ec7ec87b65c31b4c68a587e6a206e8a83b658bfef4170c0a0ebddd95627cfda5a3a1ddc37fcff54e95977eda241a |
memory/796-525-0x0000000000260000-0x000000000028A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zgMK.exe
| MD5 | 1c0ed39bdab746f45a0f1cae4c9bd252 |
| SHA1 | 3dbf0905262ccd9fdac6b1d372f7db293b62ffc8 |
| SHA256 | bcf6579bd4249dda22b806cde5bf877b44c8e4c8f6dc9bc4eb612c4189649557 |
| SHA512 | 43a439ea6f9cb9468f2e24fdd0c2d615bce73a44b68cfabed0f6734d9cdc20906dab2dc2ac287ffca3194425b1333876cd1f2812c9a211e6dd2fc6514f3d8b72 |
C:\Users\Admin\AppData\Local\Temp\vUgo.exe
| MD5 | ae1b65c5951355ac07ad381aea43f6db |
| SHA1 | 4bad30d50fa77448282f219939495ff28c1dbc9a |
| SHA256 | 06a16154be0fb5446940db923547f6e1b7e65754080d1189209a95d0f84064e9 |
| SHA512 | adfe95556692e830c808f9e6caa887978152207dd4b2599fd48a39297d5c9864ee9fa6d7330bc18264b0ca767701f2addc452bf04a8a7b6d79027819edff6fb5 |
memory/2980-547-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sIAs.exe
| MD5 | 8388ce7f50c492b3931d3b8ebb6ae5e1 |
| SHA1 | 2473de79dd0a3e8d1f5d015ec64116d2c9d44339 |
| SHA256 | fa1c17c1ce23f9e67af5fa80b03807c261cffd98859746e0d842c1275e60c9f5 |
| SHA512 | 9c56ef51ba852051dfaa3ed823d0846805beb0c42913e34d0b1b00fec00d52a3a4253d2cd4f20f9c0157288257be7ceffcc23e7858e4914308451277f1fe118c |
C:\Users\Admin\AppData\Local\Temp\AUkssMUE.bat
| MD5 | bf079e97f64710ced2e898af9d3af794 |
| SHA1 | a3948822d9ab4e138c9d63a8877e3adebc17aefd |
| SHA256 | 34b66116e449a344e76d1847a60ce057dbaf24d3e86eadc2484bf2cc6967b5a5 |
| SHA512 | a96d5a7d55094b2ac87a14ec0aa5a0a147f798f0234d466910753675ba403f4acdb7f888547b746378aac709ea9a3bb1e3b57181946e24185ab9280470cea4ab |
C:\Users\Admin\AppData\Local\Temp\AIIK.exe
| MD5 | 923750373023ed61e8e1cc893d04c90d |
| SHA1 | 991ca8b73643d5828ab9d19b0d601e95e8b6ab89 |
| SHA256 | bcf4f60ec84fda4234c3c568a69a16e7ff809bb87d7920ac5658dc63d9279bd8 |
| SHA512 | 8fb59b90ff1234c9a1997f63af4a6d89942e45caddb6e29f6ba5219cb47610cbe10de7b29c8d5f7e8f866d24afc0a7eb433b509b401969779e432d2fc40c5688 |
C:\Users\Admin\AppData\Local\Temp\VMoE.exe
| MD5 | dcb02a88fb4a2dddb5e870ccc254fef3 |
| SHA1 | 486e405f13ce5731f293654272477dc2f0e2bc76 |
| SHA256 | 5d806daee84b4bd296934e045c4d41b439b345be512d8ca0282555b918fe05ef |
| SHA512 | 2e2fd1ca3ad8610c01dc20c52844222ec43fadebb0414602106e5f6f4e3aa61d7ae6d13605ca934e8bc9fc749eff761491b37051c8602f7f456436f03069f0c5 |
memory/2360-598-0x0000000000400000-0x000000000042A000-memory.dmp
memory/316-597-0x0000000000160000-0x000000000018A000-memory.dmp
memory/316-596-0x0000000000160000-0x000000000018A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tEIE.exe
| MD5 | d76eca2d74fdc6cefec5a01d10b7f51c |
| SHA1 | 573ceeb386e8f493795a7b0331ea03a395dbb63e |
| SHA256 | 80bff3ee5e710a33f2fd43e8ad526bee527ea53c98bf57088c0fc6b23fc8fd6b |
| SHA512 | f93f1ae767d35412c0038c6a2b68167caf14529f02d16fc1939f4d09da53e851065c3b4d63129411173e12592832633344ce743640adc1ddf17630cbde276a20 |
C:\Users\Admin\AppData\Local\Temp\mUMU.exe
| MD5 | e5ec723322074fe5a58fc13c05a14dc3 |
| SHA1 | d8ed4d7222d49f7cb28c309e2256252326ebea83 |
| SHA256 | 3d84f480611422ed733cea5faa2102006bef15641c717a1332fd86f4e7eb78f7 |
| SHA512 | 6d552c2b80cb02e19fdeaf1eed14265331a3136f542be30a3fb4c2e206ee6d00a0a97ee9241e6e78adea6ea4d31a5cd66f844ad4b372955dc94f898b4e0e2a6d |
memory/2340-633-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hIMs.exe
| MD5 | be6077e17dfd01139d624e922eb9db20 |
| SHA1 | 66ad6061c0cf9f3a314bd877bd898e328a28951f |
| SHA256 | 93273384d7b006780b14655b9e3449461333e8aa533d3baad3c49240b436115f |
| SHA512 | 5ee3da21ea729037d8e58a5dd386c24baa669f6f039bc3213022968f405d3d1ab81abc87dd943afd185ad8c7fcb470191f556c63ec9b994961d403fd3625f123 |
C:\Users\Admin\AppData\Local\Temp\kYAG.exe
| MD5 | 72b352e8363bcaff73d08a07e70ac2b7 |
| SHA1 | 817fc190ffde33a394bfc2705bc6bbc509b6d84f |
| SHA256 | bffae436b89f74e4d62dc2918bb4f9b9c66238de248b433a0cd3df547beaf08c |
| SHA512 | 67af100cb6dac102e8d375908997e27d218e5e847c8cb55916fe93a4273ddf9d19c058f563af1306e88c7e22cb72b5fd8571e2d4e6989f309b7592757df1d5fc |
C:\Users\Admin\AppData\Local\Temp\SgAQ.exe
| MD5 | 20a597da9f29211e06f843709adab752 |
| SHA1 | 1de24dead481486be555552ac989a8deccdb78b4 |
| SHA256 | 545b36ff4deb6a9c0164fb280695b24828520d165acec61cb8d1c5a09dfecb0b |
| SHA512 | fe06eb3018021770a3053dc15a9ddc1b390791eec46246d08ae6e8a52a1817a80a5dc1bd79fc18bccaf952d438caf0abae0d99a2a2c483a64fe1c6c94408bbcd |
C:\Users\Admin\AppData\Local\Temp\tcwa.exe
| MD5 | c027b71b972991995f0402fcd59054eb |
| SHA1 | 6085b5ea42cf6fd8e01bc6e31df41df97acacb23 |
| SHA256 | 8ecf1dbde2ad73fb08b6d4b3cd80c752b1232e1a770142f9e9a031e7240aef3f |
| SHA512 | 208d92282bad8bca2a2d53f0b4b07ded7afca7bd8a34177aae006e711754be2a51b302ff8f8ec22c2f60c1c69ddb066c772066c2c4729578c0fb4d8803292792 |
C:\Users\Admin\AppData\Local\Temp\XIEq.exe
| MD5 | c317e6843de9a9181a873ed609f81b89 |
| SHA1 | 87519d630ed1c5717d236750d305131d08f16ff0 |
| SHA256 | 4503e4dc7875930ef81192730db2d6f64ead7dd72b1dffee76077c7a0eca6332 |
| SHA512 | aaab6f1ca9dfbe6ff9a3f3262f675dde7c37c9d1447dc01b00a89eb3f20b9988e042e91c417f754112c62af2b6c9de9ed4898cd8d97c764556f9c03e9d4b9b95 |
C:\Users\Admin\AppData\Local\Temp\oooY.exe
| MD5 | 0757cf7da6067ed52a2308f1b330813c |
| SHA1 | de5a4172abc1e96ec0d9c33a095cdc5e8db7e1d7 |
| SHA256 | b2c3a7f029fa8d472a15a7aeae0a40e463c4af85353da01085db068f509a4cd7 |
| SHA512 | 552901dbe28e402819e991ecb802022c027937b0a4d7d0d3b4ee9812508926c3990320b3084444082763d22ac301f5be9a352466aaea1fa379a5fe310b88fffb |
C:\Users\Admin\AppData\Local\Temp\pcMYckIw.bat
| MD5 | af1806552d6610a43c9eea7aaf292eb3 |
| SHA1 | 535212735785dd4609865aff1bc80e0da7317967 |
| SHA256 | ee99ee39d67d9c7fb22aa297632741824b84d003786c561463f74fc36492584b |
| SHA512 | bd733c242c56a6abcae584a023d4d2762316f9a77302646e4a9d5b985947f08c976bfb8c343f3a02f2845d72acd1797e5b16ef0f420facb20fc856ad1eb25e0b |
C:\Users\Admin\AppData\Local\Temp\DMUM.exe
| MD5 | 2eba728eabb9b54b5fc6980112e063ab |
| SHA1 | 4b15191f65652e91c2e6fe989338f0988f9aeba0 |
| SHA256 | 24c56272142872d57a98eb74eb9e639fe43675c3a362513a12aa578e227eafb4 |
| SHA512 | 40f5aec06c1a3b607446c6167eb030c84af2ba9e9146d4cba1c314efa2221a197bc015d42450dc176968ecf4a9129ada795b4f04d051fb4b62bf2bdcf93f26f2 |
memory/2224-734-0x0000000000290000-0x00000000002BA000-memory.dmp
memory/1320-735-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2360-757-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZQsU.exe
| MD5 | 9c941ca48b79632b2151d9ed0d01d71f |
| SHA1 | efec9b013379db10444f1b9670151f9c10c47588 |
| SHA256 | 1b155a1c2ad53e34a9e9d1eda6f721ace37767bfa5dd4ed01ef37589ca7616d0 |
| SHA512 | d0c4432ab34af62fadde818c16f9305683c8093f2f8f010c9590d8c148fb716a23bfe6ab18a9a06c5d1a233d55cff74bc605adcac4df436d32b2a36ddf045297 |
C:\Users\Admin\AppData\Local\Temp\zMcu.exe
| MD5 | dbc6f38be4d862e16d14383748ea2f74 |
| SHA1 | fb0cfb1a1a555d354cabca854cb6926fc6a63f39 |
| SHA256 | 5c18c1aeac6a2c137262a347c846ab4afdff9e2f3eeb915c1718271124377e25 |
| SHA512 | af51c8f507d88701ee6314fb97829511aecf21d16ff935010def1b3699f0fc56956ad1dec63646c235bcaff792cd17e1a4365ecfaea8dc7bcdf407a8f60b877b |
C:\Users\Admin\AppData\Local\Temp\RgAg.exe
| MD5 | 7d7ee451228c555f07b4e4e7c105c812 |
| SHA1 | 64472fa1033d99ba5c64d07c971b2ba5608e78c0 |
| SHA256 | ba7d4cf1ecfe98e8a50b0d998130c29cb8d1d8c6c5a28a347b2b6b8e638f98a2 |
| SHA512 | 8f93bdd0b568167a3e4ad3e99948eaffa3c0d33cc158e97437f2601b784a50142e52e2f2e522379e4dbf5b7568d9800084b1b84c42dd4dc287e0764e89539722 |
C:\Users\Admin\AppData\Local\Temp\nYIS.exe
| MD5 | 278d36e15e6aba9f0f9a3b7698f138d3 |
| SHA1 | 76dd19c566007e42bdcd5fe4eb219c49761e8ffc |
| SHA256 | b5f45a4f4d0fb745d9b75222321716e510277540cf54908a75a15c2b5057b854 |
| SHA512 | 0b2ae1be9d1f575992aaedfe243ecfb65c2ccb357c618257407342e98573a82e0b0c061b9750c0a240c618280729d1f83a12d06610dd692887d1275b3e0dac40 |
C:\Users\Admin\AppData\Local\Temp\IYsS.exe
| MD5 | e6f695670cc502749942bb926eee3db0 |
| SHA1 | 42dbe62d0d6202d00463733054b07930049fcc66 |
| SHA256 | 958f00c17c4b3ecc9b99187b234843bfd52fa1dd9af1beaf2b02230319b95455 |
| SHA512 | 823a5fb1e89ecec2c402664bcdb32b7125067db8a6d20299957fcf7908fe613c096ae31e7f65ed38546de59f5eb58ffb9446dce96b9d13bfd7ac3f0d214116f9 |
C:\Users\Admin\AppData\Local\Temp\HQMIowIA.bat
| MD5 | 9fe596ab41b0634c375079f5fcb038ab |
| SHA1 | da3189df0ae907bbb324123f58f1a2a5ac52ca97 |
| SHA256 | 57788e0302c85112fbeb35fc219455b25500f2ac602836692cc69ac59dcad16b |
| SHA512 | 4e30b905324d4756ecf6235023ff304b7810de20c7fd01be04c777fa008859578f2b37b1bfe99a6f9ecef41a7bb28a5f937c939f85737a72d29067fab1bfdf57 |
C:\Users\Admin\AppData\Local\Temp\bgUC.exe
| MD5 | 6cf80555496a7a0dedbc0abb99c55c8e |
| SHA1 | 2e9a265b05f2d145ebb7f2b3b39056f95d75bfb6 |
| SHA256 | 3352109d2efb36a006fdec01b4f76307c0310391c185eb757cdd53cf0b5ddf8d |
| SHA512 | c2fc7ef3881d29161846a8b06c9261d46821884300af7f962d23738fbd80bc7aadad748ded51bbdb25a750dfa5f2b75cec699d0458ec14a0a667b9410a3f61e4 |
C:\Users\Admin\AppData\Local\Temp\jcgw.exe
| MD5 | cdcb88e9c001b7c316a749a056c4f304 |
| SHA1 | 98b51138cf9c3d9191db6120185df8aa8313b4ae |
| SHA256 | eec7bf71346213f0642e651243e5c2151131398d51db6d8f4ecbd4ed1ac73721 |
| SHA512 | 777e2fe98dfb97ad5320fcc62f9fb2d33419e096b33c7bdd81a8535bfa42f8dcba5a9da4d5491dc224739b9d108cea54596ea44942b05df04d29a59a593114e7 |
memory/1636-845-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NEQE.exe
| MD5 | ec7ebbc660c922273439a544085dcb94 |
| SHA1 | e6e6a61905d2df018a2ade0e2671b499675e32ff |
| SHA256 | 65707cdc0c9d845b93c88adb2a6242d6b2be2027e3153219b00897834ac5fee8 |
| SHA512 | 10e0fddb88d7617eda04db1e9075185ec72237d0ea9c81b4eeb6cca92445c9e440521a65005f61f100753d8069d33c53d8c1da70b919ff9e15ab786411c1c260 |
memory/1320-867-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\woUm.exe
| MD5 | f3fd5a87820d9b920a9896b5486183be |
| SHA1 | 791665fe1da7c4c4efc232d579a2c767d2f5a0e2 |
| SHA256 | fe0f9616412e84eaf24fc84f0d4aa349d1d5f571fe99a7a712fc11001865bc24 |
| SHA512 | 2d129a9b7a5e1b3898f29aa67849a6dfeebc2ff7181ea2ca8b5728c7c05c75e040fa4cf9bd68c9518408f239483536dd3573d12bc39e8ece6fe552d5fcec62ef |
C:\Users\Admin\AppData\Local\Temp\xcgy.exe
| MD5 | 12aa25989f2283dcc7f0cfd608c83185 |
| SHA1 | cbcfcd0cd55ba0a0d89f62ad7f314110cac4cc84 |
| SHA256 | 2a7976a30f6ac288a93333022aca4641dd7b9ac8c8444ee5c56f2b6329d333ad |
| SHA512 | 199893e9fde67ec0aa1ac41d08337a843a76ea1b2fb15455b0d69feaee115004070c6f67ea3d1e402d18f9301ffd6abf5211f08a941ea969da4e4ea94e7c239c |
C:\Users\Admin\AppData\Local\Temp\kEQk.exe
| MD5 | 988d27faee56631c7c0d7d6fc7a75b12 |
| SHA1 | 032a14f315d2a03801783ccf4d406810d031fec4 |
| SHA256 | 51f007efa84a3ad71b4caaa7b412b4791874f63304d0fcf2ecc49b3ddf59fc4c |
| SHA512 | 74c26ec2c411f0fbfb2372c0f62b0605af9c177c793f7a81a1576f0947f625c6193c2cbda9af2ff9ad6a6b26510f128d9422c9ab87e142905fa1ef354c9b148c |
C:\Users\Admin\AppData\Local\Temp\tUwo.exe
| MD5 | e7d7177dc89dfd128d9e9e692f4e5bc2 |
| SHA1 | 4e011d791ba9769da374127d06f3d2c4888ce289 |
| SHA256 | 10b04613284b1fa76ed34dbaed098bb125bcb8ed2332f9190f32470fd060c40f |
| SHA512 | 0b3033826334a9693be65ed4dbc0009ebfaefcae0a58d02d7fa3bd79b830953ff51ed84b0f54de957329289f7bc893cc9514c0cc6b636314a54e4d1534a431b3 |
C:\Users\Admin\AppData\Local\Temp\cUos.exe
| MD5 | 832e850a7baf86c6fe7e50692ea8ad9a |
| SHA1 | 9c8b96f57047ee39a4e04f9b8a6755d0d6edc326 |
| SHA256 | 9958cb50fb6fd6cb19789aea843578b4e17163f2804b540d6d5cf40dcb196e63 |
| SHA512 | e7efea8e9f26944258f130875ac0baebb63764b0002d309171b5f58a45fb41ff3163bd44c3511f1ad990ac8c77acea7aef08dfffbfcc9371761be7a95ea3c1b9 |
C:\Users\Admin\AppData\Local\Temp\MMQO.exe
| MD5 | bb85556351d12f35ae65cf46593f6070 |
| SHA1 | 5536763a83cda2c049f5a7f6a70073e5ec156a4f |
| SHA256 | 19ee5eb35d9dd9572e8efea32f0b06d829fb77702a835e2f81611fc1cc9b8054 |
| SHA512 | c282b12bf6e3f2a910e29d0a0c040c5066ffe0c3c141ac3ab4a76a57375dc57aedabb58e7938f455e6bdd97ebc7b54d2c2296c12636aa863065c19388395c931 |
C:\Users\Admin\AppData\Local\Temp\OEwEUAoM.bat
| MD5 | 8d0f42258d9fad3a3fed33cc46fbe47b |
| SHA1 | d148a2d94d7d2c050b379523f649f858b15e9670 |
| SHA256 | f99fdc1106fffadbff9f30d4e6c02edb4a8e4dd971be5f4a7964eeae4550c4a1 |
| SHA512 | 0bf5a4e3e62f11e355cc9cd60e245613116e317ccb4758a6287b93d1ec333b7032d3e019c09ba077006ab2f602d77593d2ad62fdc46068fd9e84aae2bea0d5c1 |
C:\Users\Admin\AppData\Local\Temp\BwYW.exe
| MD5 | fd747c02947e511181a48f943ef61f01 |
| SHA1 | 3dbb4075d4e2d3a170810189306adeb057dcd0f4 |
| SHA256 | 15d4923a14c457652cfcb5f9a2f5a53995b956d3eee3f2bf00f9e68bde2b7af2 |
| SHA512 | b0cf1ea2b8199bafb0d475aedfa6061d70ccc1f9ba82d4d3beae7b790128ab703323b176a1e557c21ca75cc61180cf018683df2a635a68aabc25e4a5810be9a9 |
C:\Users\Admin\AppData\Local\Temp\MAsk.exe
| MD5 | aebff2e0d4d843bae4a4cbc42b8ec8e0 |
| SHA1 | 97bcfd1d93489b48adbef0dac54c757c732aca5c |
| SHA256 | cff0d3d03210f483e472ddf7aef09efaa6b5e841c06204168aaefcc9af0b7fb5 |
| SHA512 | 42e92f9d1ed02d2c568ccf748a224be5bd5ba8cf3ff5ebba4eb540767fc6a5db8f42b639efdc27af5e64a85335c7866237e51ff4741cd2b8b6633906648d4634 |
memory/3000-978-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2308-977-0x0000000000170000-0x000000000019A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KkkM.exe
| MD5 | 8c610b1269d53486e8adca2d996a09ba |
| SHA1 | 3007233b0314656fdeecced8926550bfb532fb74 |
| SHA256 | e228260948b6de004f0e27d1db02372b6017e70f75ac57d1062e590a17d58629 |
| SHA512 | 9cc5448b063dceed069c5d24dab92ed4a2fe41cdf51b9f6eb635d6f42b7a107da827d9dc727b1f3089afea99835545db92399cc082f9cba7512eabd907bf8af9 |
memory/1604-991-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UEsC.exe
| MD5 | c38f516c9a89a5b9d63452832287ace6 |
| SHA1 | f82543253816e650ac2bec10477e264ab4454de4 |
| SHA256 | f4a23181c3694b57af8f6f6e40f69356b28263b5b33f685510f05151c4a20673 |
| SHA512 | 846ad957e8b0f4af5516aca59e6e892338dbd002ff7177a1c8bb944c426a0c8a7cc43281fba539d177d244c6b748fdbd565f2aeb0cceccf908f04f76161b0f37 |
C:\Users\Admin\AppData\Local\Temp\gsQq.exe
| MD5 | cd5bb3e485d43bafe1e9a9314ca5b7e3 |
| SHA1 | b5c6fd5ba4a7e8dd54df6134fbc53391a4a6e075 |
| SHA256 | 723585e1135e443cd96fabf1484864544e0822781f35bcd9affd5935fe684368 |
| SHA512 | 32a5e2185f81dc9f35f8ed3f22d74be9e66e18593dcd086bc389af943a992ee0e45c0f288c69d0aea59dcca27393c02c9cca9bf377afb01e431aa6c0cebc9114 |
C:\Users\Admin\AppData\Local\Temp\UYga.exe
| MD5 | aa5d48c0d50fe76b110839340edb12d6 |
| SHA1 | c639c9be14f3ee87709cefd76febbc0166dd343d |
| SHA256 | 2207141e46a7edd8a60fa8f57dd2b9d14e03bbefa136585cb2fb0a71215086ef |
| SHA512 | 0b33c9699065816489317720f91ca1d49ba64f3b7b7e51e46c0b19e44780a07034e15efaa87bd0896367d2c8da810d198c1782acc62e756c97902feeab84a329 |
C:\Users\Admin\AppData\Local\Temp\FooM.exe
| MD5 | cdb75c3158d8188982e85379510ededa |
| SHA1 | a86921985a5df00923c1ff1c4e017fbbd7c436d5 |
| SHA256 | 9dfa7ff1f9b29c381cc855aa145bc2935224cd1f46480c9dd60a1f0705c137ff |
| SHA512 | b4c6b067e3698830d784519ee1dbbe509bec72d997f6b9863c67e2b74c1cf295fd0eb3b39d09c933f2214e2820261021e441f07983e341f3afad453b374e919b |
C:\Users\Admin\AppData\Local\Temp\DsEoMgYw.bat
| MD5 | a6989178b4b34052d0fa7f70cc87247f |
| SHA1 | efdd8df4062fea91041b8193c6ef09fa69b69990 |
| SHA256 | 7f41d95e76aa7f9f2e0aa1e4b540415cd395b8b00d6d1194dc2e238a5fe1fa38 |
| SHA512 | 2d97fb44c04cf8b9c98f78908a359cd326642bfa2e58e276fe153b6f365b99cc914a090e8e2d1ea207b1168efcb32aec73df80ed3e5589e163c222b96d04637c |
C:\Users\Admin\AppData\Local\Temp\eEwI.exe
| MD5 | 5e377c0dd61fbea7ad3b8b18e5556b43 |
| SHA1 | 76ae5b795438134ce2d47c4835f7796ce56f8e93 |
| SHA256 | 445fa0c3b228753ce3d0988fd3fe8f5f4deafbd2a632ef07b71aabe0502d86e7 |
| SHA512 | a29b36df0e3dd3df61db87f378ab50468f92497aa9229a9672a8a571c8edacd814a8b4ee004ac11cb50543c9fd3630339fc9419f144a3b589c7da0aea2bc91d1 |
C:\Users\Admin\AppData\Local\Temp\Loky.exe
| MD5 | 52339a3e37ad0270aa535912c47b06da |
| SHA1 | 710719b571da973bc113cce0b06d76c22cf1044c |
| SHA256 | 2f06f82914fb3690ca098bf5a90f2b2089ab1520bd079e850b69a08d5726ff98 |
| SHA512 | 35d57b71f605bc1a0e707d63e2661120c0383720e5c3cdf16c31c2d724c09539fe8ea4a1e231b92c8db1c0a73d4d344cec4a6603745038763b9fb59617aad9b9 |
C:\Users\Admin\AppData\Local\Temp\NIoG.exe
| MD5 | dfcbc9b1eb3f4e51d4b9dc79bf29f5c9 |
| SHA1 | 679846a6e159a15b9f5f7bdff2559960876c6af8 |
| SHA256 | e92e3b30d91c9df5b22ea0f3216d936ac14c15599049ffcc8d39bced4ed84f8a |
| SHA512 | 47d488d8439d623e89aa956dbaf7e3220f2756499e6631cb626b6452f5863ce048f154311cb48b982eaca43db56eae906d2578f8784052d58c2641ac01da3c54 |
memory/3000-1113-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2400-1116-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kAAa.exe
| MD5 | 7794241cf60fb52bbb8750d224026a40 |
| SHA1 | 9e0f78bb8a90eee978b498ab8fd684b820ce1bda |
| SHA256 | 7a0d296d56f2efe10d2210101463b87a8dd1f8a33101b5e0963b9c3a64ca01dc |
| SHA512 | 2d881e4953dcd4fdac92c71d488057e110752cffc3b0a5999e33568fdd9e1e8dabccdc043f2e5e8bf42ab6a626b487870adbfcca469c7eb0652fe1459009e034 |
C:\Users\Admin\AppData\Local\Temp\sogU.exe
| MD5 | 2dd1462cc0f6e874b6703ae325788983 |
| SHA1 | 25f6c1e9d2484d8c5649ff76fd907b7f07529a70 |
| SHA256 | 8cbf4e9a82c8e6ca5d76ca41acef33db9ca3b8d0103cd148e7f4421629b82917 |
| SHA512 | 6f8c17fdd405dfe08f65b494036c4ec1f4d66b63c1bea0b926ee8e3d9414dae8199e0aa047000345988ef5dfd72891e8b0d326a2c05df131c9866fb41c6013dd |
memory/772-1115-0x0000000002280000-0x00000000022AA000-memory.dmp
memory/772-1114-0x0000000002280000-0x00000000022AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LwAw.exe
| MD5 | 76aced65db0b1e8146834802fa1c928f |
| SHA1 | 5c7d42647648472958587621f77f42a6022c49fe |
| SHA256 | 2d3cbfc435560f55ba0142a6e2f2b0ef2915ec4a7c250baf37caaa401c6727eb |
| SHA512 | abf5bc28dff39d0342392d9009de90d59cac04093da76a25751ad0357e386d41adcf71cc300da700bf5d64c110f7c7deb855a9dedb29860d4d39b06615251b9b |
C:\Users\Admin\AppData\Local\Temp\wwwo.exe
| MD5 | b6b117160fc7e4b7b8b5a68c2f4434ad |
| SHA1 | d778a4842089a9ed937a3c7cbba69135bd1f6fed |
| SHA256 | 8d0cd700a7280ebe08ed383564c745aeae71f7abf8c45be148e9e31179cf4c26 |
| SHA512 | 1893a240c217b11d10283fd8d1b1554ea10a5d5223e298c4114465c8878cf1fb6ca7a91a83fd6c39a481f66480a7c41d693e441fad219c739dc21a4b64c745e6 |
C:\Users\Admin\AppData\Local\Temp\dUgI.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\HIgI.exe
| MD5 | 893aae0a648989ec5782e996ed948a39 |
| SHA1 | a21c83a2ac75292b34e3b48c1cd66b2c1e803db6 |
| SHA256 | 200f3039f2cfa9d341be0fb54af14ef66f421e3efb02edece823f45a2ed73c81 |
| SHA512 | 987f43d1ff682c347e1f42ef9ea8e37f4118f97afbfadc43e9cf3d186ef7a1fcfaa6d6eec20b29fb11202968bbc1dd9f0d7e610c3b633ea173875c2cbbf58c3b |
C:\Users\Admin\AppData\Local\Temp\WIUMMEYw.bat
| MD5 | 459aafcc0bdd5cae34e974761f5d4cf2 |
| SHA1 | 695c16265906a69b094dc66328cb9a0a95b924d5 |
| SHA256 | 0adf9af416681d68ff638ac3b4c4a05e86acab60c365de65765929e54560c855 |
| SHA512 | 9c1ff7c3bac9d6c0225fabd73997587334227685da34798b5bb8f5697e4d25e4569f641d9b505b073e6441ef3c087a1b653f1d7d0a4fe8cba6a0ea8cf087d177 |
memory/2116-1193-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rIAe.exe
| MD5 | aadd9e433a88cbcb47be105b579ccc8a |
| SHA1 | 163b4a6f1ee1268e6ae156fd72aede47d56a2daf |
| SHA256 | 5ccd09c17c84f06bd7d565300f7eae009f4c24e05b689bd1a58889a29ffe8762 |
| SHA512 | ad3f57875d8102ddb480f9d26fce3c5bb4284caf2b1617cb34e9bad4f468bc2fff2b5e44558cb3a87d84d1de58d774abefe41a638dfa3c185f77836b6f40f572 |
memory/1960-1192-0x0000000000120000-0x000000000014A000-memory.dmp
memory/1960-1191-0x0000000000120000-0x000000000014A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ssog.exe
| MD5 | 264545ee5e8fbe4a56825e4f80f46781 |
| SHA1 | 6f964df11bc47c1ad7b68367c69b718657028361 |
| SHA256 | fbabd2774063403f7581910c6b35db6bb10a607249ef214cca2735409511d35f |
| SHA512 | 1c2ae2ed70b558ccaeadef2e2b1316dba931108d040119cd15422f4fe7e1e4c170fde4d9922d726da256b63d2ba2c5d3098d3de1fe9ff3dfcb8241d105c24cc4 |
memory/2400-1215-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sUkS.exe
| MD5 | 1a4bf1937b00ccfc5c7cd350388d4b9a |
| SHA1 | c436b974fb31cf30d70975496996cb9f72050c26 |
| SHA256 | 018edef025337e16dcc5324b5bfbfb4fac43472c934c2b185417edad36af710c |
| SHA512 | 12c2efb45bbcffc206903bc3a3b9df50b77857e38eb49176d43b3e8120b3a9ba56534d1c55d21bf5f1bea24e66a4676f9eb74a6147aac7695e6e2bd50ed08580 |
C:\Users\Admin\AppData\Local\Temp\KacAYwAI.bat
| MD5 | 429a2b4d178a80fb94d4ce5dfcd9a0fb |
| SHA1 | c7bf20dc75a465f93ee5d71503afe992d901e598 |
| SHA256 | 4dc9f2be8190ef319aa848450a950cdbb323e09ec38023d27b3a5d4ec4ea8ede |
| SHA512 | 62fb46c0f2ae48aa8e9454ab6ce70b52036d50837d8ecb6c2aed8bcfe1140027ef62b4d8511d1ab8e2a28d8399a9a58d288a1b09ba99ef4847e38a5527c06964 |
C:\Users\Admin\AppData\Local\Temp\PQUA.exe
| MD5 | 2f84852f37db1ec33d8c9afcd886726f |
| SHA1 | 237f5d53bd7cf895b8029d41616da34ecfe12998 |
| SHA256 | 5ca4c4ee688d8366913b2578309577b9f35520daf5058377056c6196321a2ceb |
| SHA512 | 2cbf92f6c6b21e02bb7613359737cc7bb7968ac9241557aaf89694b6f866242fb31ab177dc1ad993ed237b17782713f57972731ee699767b6a816ef724c74ba1 |
C:\Users\Admin\AppData\Local\Temp\HkMK.exe
| MD5 | f5feff36c543d62bb0c91b9dd74b6efd |
| SHA1 | 309c085598318cfe5bca413b323012ee49ad0c81 |
| SHA256 | 78713f198e92e9afcdf712eb1e98a1fe0676b8c02ddd1be88a52dc5d362b2b75 |
| SHA512 | 9d7921fe35e4ba6183af593da0fc40cc29d59f92a74ecfd5d476d7e0bf006798d4f686474cbb7ff5f97d3466e2ec8b11cf9ee11c7c298a5046ccb5f6c039a944 |
memory/2060-1287-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cQgE.exe
| MD5 | 82d8921b633468cc9ffae686b4f7afe7 |
| SHA1 | bcbc2d0bfb8e19de467db200d769d98103eed17a |
| SHA256 | 180757e34e128ee9abc3f169d419f772935982f50bac49e4a2bda9166d900b1a |
| SHA512 | 3d68c35dbc03f8f1a88e59841415050f59d664337925b1d7b793b86ac15ee4197801c4f99e18c578dd1c81fdc8394d88418cf9e88a4e502d0b077ad5a157ecbe |
memory/1780-1286-0x0000000000160000-0x000000000018A000-memory.dmp
memory/2116-1285-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SEMi.exe
| MD5 | ee7613172ae93dafbbbf93ce45de29cf |
| SHA1 | 6ac81e7596e61f24c1d689f2ed6fb397be15e32d |
| SHA256 | 95ffbd04943c0270cde39bd4f9b60f4459350a858f7026b0226aae959d47267d |
| SHA512 | badff1410e4536969fcfc02b08e3a0018328654b4bc0fe6a73686209ecdcfbff25bdf8797f0743c354380558e4e0255527e9eaedd7c7295d8f60fca2c6f1a7dc |
C:\Users\Admin\AppData\Local\Temp\OIkm.exe
| MD5 | 945da243ed8aab82ca191c5e78137dd9 |
| SHA1 | 066dd2078060677bdabef79b967194ca5ef2ec91 |
| SHA256 | ee02bcd3b170c7e775c38b9de920fdd69de851d4bff42f83e65b24c643cea54a |
| SHA512 | 22a07a66ce48e8faf83e2fdc502503717cdefa1ae9931e2e8912f419590b307d26999e187b4df2b61ba4e97f0c35c7c8b80fa15cec01986f7593c7d075a9a22e |
C:\Users\Admin\AppData\Local\Temp\rwMy.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
C:\Users\Admin\AppData\Local\Temp\OQQS.exe
| MD5 | 78cd9cc35d09e8e63712aaf2de4165ef |
| SHA1 | 6777164a9a166dd76c97f373cd4a9bb7e3f4ae86 |
| SHA256 | d2118e117bc4877e9886c862e1df26fbc60689bf7a9caf2c1be3bfd55bf750cf |
| SHA512 | a5707b1d66e1ee8269de9ac02584a0f2322b8ef0afb44be02d19f77acaa9d7ba7d7409628c2f04f21ef1c0c304930bfcbc0784b7fd2f77d2ffd97e238312e6a3 |
C:\Users\Admin\AppData\Local\Temp\HgUssYEw.bat
| MD5 | faf90a3a82b01fcf6d1ac2243466253e |
| SHA1 | ce9059c68daa197ae6939d3c7e1d118556c54ef5 |
| SHA256 | b89a38f797b619b8a905160ea5080d2b3b273b293dd63237e80ad47e127efaa4 |
| SHA512 | af98f36561c014047547797588288fa96d727e8ce384b2c747a8b56942b5ef52abc168db4d61a6450e1cb4ba444889e63025799655169b45cef1ff73d966d1e3 |
C:\Users\Admin\AppData\Local\Temp\tEMq.exe
| MD5 | 64b0140b3dbe8abf2de1a076f32e571d |
| SHA1 | 3eeded7f2b3567661191ea6bdd8e58b9306f087b |
| SHA256 | 578325163b2861943eae4403b466e99e0151cf78d6d4f2b9029215afbcaa2ae3 |
| SHA512 | 7411e463d826f648e64e558cd2b8498ad42fb01db3d6ac7f7277bf4371225ab02a907ea99ae80d246440f62bf2382439b705bc4a88d69c93f5c5ad5bd710b7ee |
C:\Users\Admin\AppData\Local\Temp\ZgQm.exe
| MD5 | c802c26409300949cb85c1ff0aa387e6 |
| SHA1 | 959981ea2d55ee9c0f94ba3d137598100eab0be9 |
| SHA256 | c8ae828fff000f5b8f95d632938d673f3b229e5accce754033307b32110f9e19 |
| SHA512 | 763ab67680661887ba2d492f7897a408be59c911bb4cff20070167f614af624e694930345bf35e7e7ec1ace9370cd0cd789c1a6d1c3ff5f9bc262601883926ad |
memory/2060-1383-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2020-1398-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1948-1397-0x0000000000270000-0x000000000029A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\NwwW.exe
| MD5 | f930ade0df1ea5543cfcbe44d709eff2 |
| SHA1 | a1b2c168d63c631aea482000eb010942bd327d09 |
| SHA256 | 870e87ef2289c204e83362e0b6f931ff7a31e5a6398ea1e40228f35910642a0c |
| SHA512 | a445116e1a4d98d52f95c98253c1eea0192d8660e53a74510793ebe905e5cc5a6efc2f02f758f65e582c4c23606f784a503cfd361ab16aeeae3e093e647c9efe |
C:\Users\Admin\AppData\Local\Temp\soAu.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\eYkq.exe
| MD5 | 9224f98af10a0816c6f8b7705515e01e |
| SHA1 | 7fdcc7aa0882c05f0c82ea5668d206e1e4dbf6f4 |
| SHA256 | b0d6d6a6f87a80d6fec6474b1a7e35d6bb5b60bcf56070c2b6172106fdb4d3df |
| SHA512 | cc19849aa9ef94716dcc992d8e109eb78a959afb93f2def5e1a16e50c6c64839f8cbcef6609880705c79010ad03d2647afafb28a2920243ea3e85e5821497020 |
C:\Users\Admin\AppData\Local\Temp\cEIa.exe
| MD5 | e78aa1acfe882b9864f449dd1efb907d |
| SHA1 | f7f93bdf2c7f0d59feba283d1f048e3b2ae2d268 |
| SHA256 | 670076294f2963170d8364747c16f5edf1e96f0dbd788f60ce203c78c1932bc6 |
| SHA512 | 9244634e00648b2886d757ce57f916b57984f8d76864c21690497dcca81dcab081efe559e74608dc1c12a2192fd6cdc10e112fdf60d7ff92dd7b2d1e765ff060 |
C:\Users\Admin\AppData\Local\Temp\oAME.exe
| MD5 | b1cdcfd0829517d4b1820e84e5ab9856 |
| SHA1 | 9ecbca2c7f2164916360b819d702bea2a1ac8c56 |
| SHA256 | f0c2057e2b0ca957faac4399255405b9a471b6d1e1ad5076916dd7e4b31c57ce |
| SHA512 | 0ef25321cfe754be9320d579707c907cb71dac6edc7be967007aca50509ee86cc2d2b92f007f87d9d20fe7beb59768cf8d551c4ac921b0c39113e2a0b6ece575 |
C:\Users\Admin\AppData\Local\Temp\DEQMsgEc.bat
| MD5 | 32542e920d03c06fec50fe5064036c17 |
| SHA1 | 7de8166091f1072e57fd84e8ade0c5a395f01b52 |
| SHA256 | 85c906b231ccb5faca2f3ada71f8e46900e8f118c97fbc1db84eed6808ad66ee |
| SHA512 | ce7f2ec8d1d8a970768d4038d6421cb69cc882348cc2293bed2d2dbad19884239669e807f6553555fea5455ef689142a85a729d55cb7a9476551142f6358c6db |
C:\Users\Admin\AppData\Local\Temp\WkQQ.exe
| MD5 | 94b96fd884b2eb6ca0b1ede5f3828857 |
| SHA1 | 7a0d4c8ce088fff0af8928741df2ec84b3207620 |
| SHA256 | 6a3938d171d9abdfc1742ab7afea1895a1f0837401817df6152b145ff454784c |
| SHA512 | 3073457a089d30ab10f67c5a4b786f5332839dd38d42156bf6d34436434e2905ac7d26c68583d3eb26bd8e0d7c6d87be197c8b263fe93dae8a9e1da69d9130b6 |
memory/1636-1465-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2964-1467-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1636-1464-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2020-1474-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wgAG.exe
| MD5 | 3fc003938a5235a7ebca2af19003f34f |
| SHA1 | 71c3c6632e74979cc7fe86f77b41b2c1a02df6c6 |
| SHA256 | 34eae06c0e056c8ea481d8f9ae9d84b2e06345b795cd6ab53ea8b3eef3a73e2d |
| SHA512 | 9fed42bac915749c3a5b0fd83ef43a63277280c65260055dae6c6d04586d8e670e9b39b4483fe7c73e635f6d4e3969719cfe02b1df1d238e22102b535e0f9517 |
C:\Users\Admin\AppData\Local\Temp\UwYa.exe
| MD5 | 492270ca99cb3591435880cefed80ab4 |
| SHA1 | 4dd7d00117e1eea4db83b9dc339f3724926e510f |
| SHA256 | 0599281fb889be5d3fe3dcc7f11255c99f2498582b45c1d974064c20af081857 |
| SHA512 | 76a280b2c3ac861200ccf3262bfbc328fc6bb19d650afc7c997021e6829585fa29f9e6831594135002a4316deb3cd87c35b3462a88c3497c0678c5d40c45abc2 |
C:\Users\Admin\AppData\Local\Temp\bEUa.exe
| MD5 | f022689022dfe3c9e8f2c2de7d2b31dc |
| SHA1 | a1412330bbae3d08bb9acbc42497e7bc489aa1db |
| SHA256 | c9d30d0399e08fd83dd64631d293ee7c51b9879ae658608ad5dff9100cb89f4a |
| SHA512 | b2936c999e1ccfaf944b1cd4aaf7d35fd510471c3f5621c922174b146fc40f54a034c8c7843d4c912db95f76ab643077816c6312dd7222665698213d587d1e84 |
C:\Users\Admin\AppData\Local\Temp\OAocYAQY.bat
| MD5 | 53706e458c8990b1c743ec834b1939c8 |
| SHA1 | 90b38adf2cfa74d5e8c8092bc3af077060e76773 |
| SHA256 | 1c3f05fd59c155c6875dc5aa81b15cd14704e8921a23cc011cfd09cfc6a1eb28 |
| SHA512 | 8f66c1505b3a8b0ea9d11de5c36cb0fbae268688481b3a41dfc4cfce0828d02941989e741edb104e4524c6810b7f9faaed2d917c80347dea1fbccd433bb8d47d |
memory/2448-1532-0x0000000000340000-0x000000000036A000-memory.dmp
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 7c5b758e13e92e52be581b5cb09580d1 |
| SHA1 | 4133c86b76b6fe103c783debf57053877fafb704 |
| SHA256 | 6ca05a63b8ceb3fc34cdc2e4d129c7cf1d532c87c16a11d124ef4823291451e2 |
| SHA512 | e957b2a035f302c5cb0cdb20aa40b3138ce96abb7f633c343e15a26699a0e20cb01787ec75bb309c21cb5d635f1ec2de8f47cea4a29b656f292924fe097aacf9 |
memory/2964-1548-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JkUq.exe
| MD5 | 8e9b27489b68d37e948a3b849deca894 |
| SHA1 | c2b058cec3a112d571e092f881c5b837e910f9fb |
| SHA256 | 5a9306ef62bf31a561755863f21fddfb34f9c0ce5d44d3aa23b4a2b48322ee1a |
| SHA512 | 41641c6328d0f3bc5ce82367029144e3fce1f7870b7028bf6ecaa49a4f851dedb86a8c6f0dac9f43aaa6ca20b13a308f1a9cfdc33f4c3532a7fdbf1521af1681 |
C:\Users\Admin\AppData\Local\Temp\HYsc.exe
| MD5 | ba3bca8d979d43f5ac7ab5a2874158a6 |
| SHA1 | 415aefaff782068b17df894f8d620239fd1ba2a9 |
| SHA256 | a6d4ed22da6e507c3ff743c68834655a1fadab76a4298b2f3ce42a0b7ac4a711 |
| SHA512 | 7ac14ca4f393696fbf8d282a5abf180bb9d17de2d308e07da41c794394c64aefb4c0b1f70c214edcd45f351942aa99214a77de9784ac22acfd992e32e6273051 |
C:\Users\Admin\AppData\Local\Temp\IkkUMYUc.bat
| MD5 | 8d30b0e6a87075208c3c4be6519086d3 |
| SHA1 | 96d0fe951ad1165da9849fc5b3005c7cc4957dbe |
| SHA256 | 878fcac4183bacfa1618d1e4d90914140a90b1956ac5f976a18d88e03cd93306 |
| SHA512 | 6554f76966e4ac84b21be45cf0881ea4c3c06200bdc920db1d26add2778d30e61340145b344783eba5a73b57daaab4b73c90120d9ab923d336d5d190ba65244c |
memory/2444-1601-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eMQK.exe
| MD5 | 6a7592568d0eb1be3bd28fd0db483f0d |
| SHA1 | e9b8e4f30029bc2eaaf97c7cb73729c07cc04ce3 |
| SHA256 | 20983f3d5a67d8bf6f486e308816414accc94f59807c18db23b32c9b9181f594 |
| SHA512 | cc7c4969b021026cbd8954afabb8f3969b52cb555be671f26ac813d499a88b0e63129b9538592e936cd811660290ca07845e6c179ba5d57c6f524926d0ccc233 |
memory/2336-1599-0x00000000002B0000-0x00000000002DA000-memory.dmp
memory/2336-1598-0x00000000002B0000-0x00000000002DA000-memory.dmp
memory/2508-1622-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kosY.exe
| MD5 | 1ffe2f725891dc865e8e06d0d61b5e9e |
| SHA1 | 21738dd85786367ae85e8ab08b09781d17c0f2e9 |
| SHA256 | 2230499bce4e7f37c77fafab3f8bd24169bea85ad10253be40f266608ae889ea |
| SHA512 | 5738d1574d1d4de83b507ddd7b4dc02bd9be2c39b77a11105de7d0a4239d48be1b7fd69bcbd9004c96ef1f976c78703bebdcd7f7fdd0950d7ae7a62a2aa958f6 |
C:\Users\Admin\AppData\Local\Temp\GwoG.exe
| MD5 | 896a63af3ba20f46cc9e770ad96276d8 |
| SHA1 | faf95a2bfd016831fd4e73ad42a61b6848ae93db |
| SHA256 | 2ee361ffa1f8d1e47da0fe5bdb5c43a4f26ea4a6c89700b7272a77dcdb993932 |
| SHA512 | c6fc8428c455def5476ecdd7991ee59562271b5b66009b2e4ff2cd1a336ef8a2225bbaceef215cd2508a95f5e4a9c5e7dc12f68e9e55bca61ce4ba9bcaa8f024 |
C:\Users\Admin\AppData\Local\Temp\wkUQ.exe
| MD5 | 5c9b8cb271c4c363e04b858c3413d823 |
| SHA1 | cea3f113d7a383e7de3e1eee7761c0194dd493bb |
| SHA256 | 6dd3216f300d0bd274e10cc4b8840a477efe8cc3bdd51fe9667418bf9697186a |
| SHA512 | de9d3c397bdfc66387b4bd265be99b767e4bad3a42a38768c33c35c9f44e0e5f37fdff1d403651585948e7f12252288a7cd74e0b014588e1e8c4ca3c4cb5ec06 |
C:\Users\Admin\AppData\Local\Temp\iGAMUQMI.bat
| MD5 | 58694ba59727b286458de82acf595f2b |
| SHA1 | ae3bb5dac66f9fb8bd178d8b8669845ffac70451 |
| SHA256 | 837e07c45bcf9237aa708a85853d214548b4753fdf984581a4710e3ae0490700 |
| SHA512 | 5bc662f36475122b25911fb152f1e086fb62762503b938234b6271b3b7d8e2c496f387e911b4b678dfe829856f2277bd5960e06cb1d8046a33a2494b0020b786 |
C:\Users\Admin\AppData\Local\Temp\posg.exe
| MD5 | 4bb82c4464f8e6862ba9065995f09fb1 |
| SHA1 | bb70c0f691e8762fba91e601be0e568ce8b96b6f |
| SHA256 | 1b53c97fc032281a7374f7c456c3987e76e07c64cd4206d57a3dc749dca064c9 |
| SHA512 | c0e1005724cf5d0f0d906eda02e2e0ad2861da76dfe16a7eea15d0845f9d2bb063e26b2d003b92a38bde6ba27dbfd7469f4e3e86d9e235c95a65f978b7d5b08f |
C:\Users\Admin\AppData\Local\Temp\AsAg.exe
| MD5 | 0db1457857463347a1005cb96cb1c174 |
| SHA1 | 062ad38a4305776a9a80fb4d9514f7ca355a61ce |
| SHA256 | abe9f2ed13c67951b615f5579540fffccaf7681a7f33a6c77247b269e859054f |
| SHA512 | 4c32e10d11faf95913ce00bfe644ae74f161b0bf1ac475e819d8cb5de9ccaba2ca16616495bc7b489bb36e8ed990a5cb4d14370b801d3addc1befac24e34b9fb |
C:\Users\Admin\AppData\Local\Temp\rEcc.exe
| MD5 | a944009a4dcd24a3a445e3c7c681c074 |
| SHA1 | 71311b7d187c556332638d5a38c2f4a5b75d0ea6 |
| SHA256 | 4da48db0140289a1d1852008a6560ac7372b6e74738ee9af28feca3457125a79 |
| SHA512 | a34d6780b797cb99e60c3212688794cd5a622a3523f8ff26b8a303d151a5899004be3fbc84a5197286febab4e8c0ce87ffabf22a92e49b96579d6ba77d847cdd |
C:\Users\Admin\AppData\Local\Temp\QKQosEwE.bat
| MD5 | fbd5529b7398599088754cc1dfdf4639 |
| SHA1 | a200082f8469cdf3f569f8d0f3ce7f761545388d |
| SHA256 | 9b5acec8ae6eba4c35a687c3680cb0c9c02a62a3355c999ac05ce41b1c9d7370 |
| SHA512 | a839180a924c45bc38ef9157c63ffffcd53bd890621dc659227a0eac582975f27fd17c3064348ab671d6bdc72c0cf61f3083e4dada4ffcae090ae7e94e09b67b |
C:\Users\Admin\AppData\Local\Temp\BkwW.exe
| MD5 | 9342ae4fceb6015483309ae491e71192 |
| SHA1 | 004c79cd3ecc3ef64be839a59a077eb7b02c485a |
| SHA256 | 9d314272aea883a2e33bd05c64c2cc5c0747c443acf5696757506a1c37338163 |
| SHA512 | a442edb2f466703db67b79740574f6147f94360168d95bf8c31ddf20c21dc53de49fef959d5db1b57711f0bcd028c7ebd39d5afd069cbc2433e8ac4ddc456fad |
C:\Users\Admin\AppData\Local\Temp\KYUM.exe
| MD5 | 772f6714db915116b9e9889af6de9d50 |
| SHA1 | 12842699c8f9dbf8ac561fe83636c3655d9a9ad6 |
| SHA256 | dab7f321d8393b5ad877cf927cc91b101cdecfcbedfefd31864b291cf7cdca40 |
| SHA512 | 022e8c380f55178d44bfa3d5e65c5ee8aacbad0e03af09ae311da6a08c765b00d034db92a882a0cb0150df46ca8a8395d91cf445cde87c1eeaac55d92dc4fcd5 |
C:\Users\Admin\AppData\Local\Temp\HQEa.exe
| MD5 | a0dea77825ef515829beef14b2d79f81 |
| SHA1 | b5076bf99b117275fdee294c643d7f6497454d89 |
| SHA256 | a541b057f68c15ff221edf5934e3484f413edc1402de7cd1574531e229739d90 |
| SHA512 | f9bbe57cfca840c92ff8f024be4e8e51c1e4cb1bc5586b963fc285c0d26ec4f907fbb3fa4bef7acf039247dd596498971f0413d58963914b1cb2263beb733f59 |
C:\Users\Admin\AppData\Local\Temp\wacMookI.bat
| MD5 | 7f188de5832cce36a477c596d42ac636 |
| SHA1 | 305f1ddc895dcd72b73d0c8739e33e8b4743b8fc |
| SHA256 | 80f1ccc6bb6f254d25a20aad75156f4aa47006ae2dc8853a043f6e3faa65430f |
| SHA512 | 19756a0fdbb77e9a594fb57cc954e1d79c7051d9c02c1faed3504f49ded5953dae5dddd774ff138e8324a9fea738ea26d75418ef4efe7ca308efdfbd49ceb001 |
C:\Users\Admin\AppData\Local\Temp\tIUk.exe
| MD5 | 2c760924c6a20b0b1d00e586dc62b729 |
| SHA1 | 0ea102dc2983ea3b3b8574a6667c7fab0acad843 |
| SHA256 | d2b3631a4f6396c8c72a933921337be7621bdbd933cc439f84d0573cd7eab28e |
| SHA512 | fd1f619f88060044735c31720681de87eff3fc4724d8130dd8e1e0a582cc90f32058c719b87b5007a8b433a2d9dab0ce9ddc579a436436ac716851abc06b0678 |
C:\Users\Admin\AppData\Local\Temp\MwoK.exe
| MD5 | a1dea05602ebe246a5d1291c0cb15c53 |
| SHA1 | ba5430c5e070f58403159c2d1ed3bfbe6d1a9ae4 |
| SHA256 | 55325f8e377a85c6fc13c1f8c22ed516d9179aaac143ab0b0d769f303d56b81a |
| SHA512 | 49a71865db42489b46f642fc4422dd8a7af5ffe24576a7e8dcd703ea8f7364696161697cc972fe215c9eada35788cde0f2da7ee02f331b561c4f7864f241a4d3 |
C:\Users\Admin\AppData\Local\Temp\NWkQMAwc.bat
| MD5 | 4434f36a4507ecb30ad36829f52cffef |
| SHA1 | 5e3d787f6ab7d2c5dcf6715f939883cb6fe6336a |
| SHA256 | b809c04e7a4849a6025730bb95f3bc05c4aa8dd603b88cc7da4e0c8be3f288a1 |
| SHA512 | ba55f7f4297837920f84e81b495dccee5c6d401dbc9cb7c40549a5a892d85036018ddecbf4e536e551abb2257c52265548715e394244ccd3a4830e045625edce |
C:\Users\Admin\AppData\Local\Temp\LQcA.exe
| MD5 | 7fa0ef24263517b1489648af3a36e65e |
| SHA1 | 71c981831c63b5a851ce0bca191b4b864c45f957 |
| SHA256 | efae8a0d36b64c807ed631987e357a30907143580ec0349096a1583a8f2a30fb |
| SHA512 | a198e82b3b9af3abfcfcc03ec27488bb067ff44ea4d58da83efa6427e1f1ccd94bbabdc08a2a20b1b475a1ffc69ce4eebc24d72f1f0ee5fa5f26605f130ef86a |
C:\Users\Admin\AppData\Local\Temp\jEcO.exe
| MD5 | a7d0a7efe038e5b6ec3b77f6f7c8790d |
| SHA1 | 507d5709b009856f2879c761f843001ab2fe877a |
| SHA256 | aaa3ec7eca52400c1748c3fcf78c4128a4207a14a7669dd1f159c9a1029107be |
| SHA512 | d186d4373919c6c84ba1e1dc1951afc744407d0f63e9c3d4e7a77b698d1918a7e80dd6cea5de409995eb7d49e36852e1847b91619eb8801a22a0f80a11fb61c3 |
C:\Users\Admin\AppData\Local\Temp\jEMu.exe
| MD5 | ce69428f364eeff84d4b61806419a015 |
| SHA1 | cc2e07e5d0b3148a65fd6767d746b3b066e46943 |
| SHA256 | 1b9dc4056a6a5352a7b6498c4da9960514af0a64c53c1a0c9a3b5ea630721dcc |
| SHA512 | 6dfb520513875ecb6d0e55cf9a36508fd791d47ea1c9e30f0e6cfe1f1c04e34a2921bb5ed6b1fed952cd38683c788f211597aa7ebc89890a499842f56013abdd |
C:\Users\Admin\AppData\Local\Temp\nEwgMksU.bat
| MD5 | 138aa86b767b4739f059fe160f7dae9e |
| SHA1 | 02e2ad6061470828816ba834b450f0509c541f41 |
| SHA256 | 3508b6c0d15ca9c7d32e3664efd1e9ffffd95be1e67f792bbfba47c30224e578 |
| SHA512 | 4d664f5b9181161b73e0cae9b874a6dc1c83ce076cb78e8b4e60a509688e1b5b516b41389cb6c7015aa64674acfe3690ed4687bdbc9bc4e1a331125e2bc1aacd |
C:\Users\Admin\AppData\Local\Temp\YckI.exe
| MD5 | e09a0f48f9ddead641d5f4fd39b6136b |
| SHA1 | edd2232bb0c97250fb235afddc213a38713f2940 |
| SHA256 | bfe2a0cfabc23d2e6975b77d37205338bb5d98892961ba29ac6e27c3ce378378 |
| SHA512 | e1bd23bc7e081d991bd4de46e28f260249a573a78af332352ae198e75d24b05db8058747d7c49d282aaa1c4614a4b25870b14ce80d8472a006e1b57b5f2f90a5 |
C:\Users\Admin\AppData\Local\Temp\QYUo.exe
| MD5 | 8e9c60c2ce5522fafe1f5c637866a484 |
| SHA1 | b21dab49210e433a5e530c15340b758ffab0e128 |
| SHA256 | 5ed241240250d2d8c69c52d3f9bd69d5f1ec4a29c5dab309b7f1a15c4b75246b |
| SHA512 | c88a244d00cd430736e7202748a7c4718e2445fdfdfe8b0255ba1a12bbab84c1fcf67a97f4207054d54acbbf732910ec4d783bc28b769592e511f2e5b049900f |
C:\Users\Admin\AppData\Local\Temp\nEou.exe
| MD5 | 1306ffc92aca112ca19a36445c1cc128 |
| SHA1 | ccb54e724a4065db23722d419ba20e34917c2f00 |
| SHA256 | 8995b874a5adc5704fd8498ff9b243a7e14101263fd7a20ecd758fbf597d94db |
| SHA512 | 41d15e5f5c9f9f9accb6ca8669a13ac94505ddf5c0979c07aeff9db8d9c039cc7ae8707f91dcc5da1584aa048e075def7387649fc11c0c419e6f515897819c6c |
C:\Users\Admin\AppData\Local\Temp\isQwkMIA.bat
| MD5 | 7653e0dbe9d3a3c89954a33959578908 |
| SHA1 | 1d4c0cb36fff147779f774bbac3cb3f3ba15da15 |
| SHA256 | 358169596d84375e5bead2658aa5bc377dee10a0b5ede2f9e04137a4d70f7ddd |
| SHA512 | 02f7d39a9249a8f646ac50c35ea3fe88861b73be93e2ba4762092d1b8e68fdab8f6f08fb6f42dc92da8d8082e00d4a87acc9cd156399eb5b51b0575d93b97b7d |
C:\Users\Admin\AppData\Local\Temp\aoEw.exe
| MD5 | 6f3178eba53e3a722363c278a3ba7bc0 |
| SHA1 | 60fe6faa965bb8c9da58a7d4de27ef0163a2de42 |
| SHA256 | 8d819653acc1465be91647b90e5f22c5b6dd624c8537705739bd41624bfb2780 |
| SHA512 | e4b34023a8ceba0206371eac2eb924b9b7d301ad57e87f17da7a0dff14c09c4371bdb85c00d04a189a639625eec7daad11dde956dcd91abd3a29104990b42257 |
C:\Users\Admin\AppData\Local\Temp\mEwA.exe
| MD5 | 47f1626d56279d81abe016a81e3b4fa0 |
| SHA1 | 03bd07299ac7f8a79f03d3361f32256fe1f448cc |
| SHA256 | 30eb2f9e441aaa7a46910bd157e5bae9d83f2546075c86a14f97ce266da4c6c4 |
| SHA512 | b3878d297cf74489e6ba0a214351a9db6e4e6be02369b6034c312416666bbff75eced1909a7d4c7707d4f36d813b0e1c30e8fc3a88853c356629d2b021afcf0d |
C:\Users\Admin\AppData\Local\Temp\iogK.exe
| MD5 | 876d1fb104dbfa1cec94a2a831293d59 |
| SHA1 | bbaa7cad1f6cc2d9a141147585f830bd7c98d061 |
| SHA256 | 00311ba7316133600c66e3ee8239b9794bb292c78273a1e468ea26f1f7f67dc7 |
| SHA512 | a426a9a1a69d917f9901e958d3905fb5cfb50f347ebd4875c5fa9165e64e3181033daf17d703b477aae582bc5d2e2bcb90f836071b530a831fb3181754d7419d |
C:\Users\Admin\AppData\Local\Temp\QqUIMQgI.bat
| MD5 | 9a3f2e5b20790c0e462e9f10c0af2321 |
| SHA1 | 703e90c12ae65661d15caddabf445dec23adfd34 |
| SHA256 | 22ce64792902dc11c3f4f0fbf322c3590d80c2b39c16b7f7e0c88d6de798e6f6 |
| SHA512 | a6cdaf861a059ec09f59cef0564265bb77f1f3e7b19321736fdad76d0ca4be5bd2dabc576cafa122f43f667a539dfa4c54be7257ab37200269b233efe27d7ae8 |
C:\Users\Admin\AppData\Local\Temp\WgUA.exe
| MD5 | af9ede30bd8142c6c0c9cf3e83a31319 |
| SHA1 | e034f1c6167c065e845b6da895a9e8229b15e1ba |
| SHA256 | b508e25d3f942075ac0d9234a05a130d8240fc0eac3d3ccd7080bd4f3c0e8c94 |
| SHA512 | 2ad2b9441e31fdc6ee6b57b24571bb776b9db0c6635f61a3157c17f72c796241de07b7c011642dc3a1e7b75d1076ed6ac13e39d7bc4ff0e8bc10d3ff8cfa26ca |
C:\Users\Admin\AppData\Local\Temp\HsAq.exe
| MD5 | fbbecf4f4b9a727629a0f989910e271f |
| SHA1 | 784cfd65e921e26ce1c345439c0fea3f1bacaf46 |
| SHA256 | f5c19412b4591d50c478db800538ec20b14bb32f1d738929bc88cc17193bf348 |
| SHA512 | 555a27f4450ca71b0abf298df7dd4d0a99b2494fe31eb251666947fbd6e8cbb35c2647ea0e9d24627d07654773873ffadd16c7783c0396d4ababa3740812cb58 |
C:\Users\Admin\AppData\Local\Temp\mMUG.exe
| MD5 | 6110b163842016057c10ff89d981bbe8 |
| SHA1 | 9f32f30720e9ef975b659804fad59d52dd1fb161 |
| SHA256 | c74967ee122c5e267ae2836f488d46a0febbde17a7fdc37e8d8a9d0b471a34f4 |
| SHA512 | 83e36a170dad681d273075065b0ad0a5b950731b64f241875e6820f637108ef40c44ffcf9b180eb1d77daf216f62812faeb4d9a2bb4323b286e8986c9f8b917b |
C:\Users\Admin\AppData\Local\Temp\eSwUUksM.bat
| MD5 | 826db50e50340dfcaf2e47a19db3448c |
| SHA1 | 2f6e232e26c054633e9314e311592093d3e74090 |
| SHA256 | 06f57d8033c880c62484ad6429fd83eaae88fca9efe511b1bfe82676a8ed8962 |
| SHA512 | 5c1b63b3a0cb40020bd6c97f4f71224b85dd27ca943b48d69fcd90773ab65056f44500be3ed26824a50d2c16a9cbd55fc45975e9148a51f6ee6818bceeaf423c |
C:\Users\Admin\AppData\Local\Temp\kkom.exe
| MD5 | 708d036ebbf545ddc199f2d6850ed18a |
| SHA1 | 274e01cf6ee828140dbaecfa8116f35a6ca1e9e3 |
| SHA256 | 3792ea4359797d332b7a8c0bb0771f16d3566137f2b9ea1a4c294ae59178b15f |
| SHA512 | 03e14d1426c05a646155983b776eb56928517b64a5a24bcc897da0d1b68ff7f218b926497bc3fc5027bfb47b2ad2ff9c7fb75a3f60ab37cc59050701e59c89a9 |
C:\Users\Admin\AppData\Local\Temp\ZMIC.exe
| MD5 | a70f811cb1671c928efe08bda8210bf3 |
| SHA1 | 16adff2bab374b29a6b684c969ed9220a5a9220c |
| SHA256 | 4a1aed66f6a2114e234e4a199cf7714dfce6be5621dc1dddbc994e6da3bc390e |
| SHA512 | 05dd8cf022ca5f3dca40d490aa270ebfe9a581d7517074bb136657f1146c0bfe35e6ca6efd847e0ec0d7687ffc89e1660682648c96eea3cb9ef6f8d70475c13c |
C:\Users\Admin\AppData\Local\Temp\dUIc.exe
| MD5 | d6b49d9c3fb4c969de0035a73ae84ab7 |
| SHA1 | 4f0fb54f7882f5d496c70e10b3d2ccc7a0a1d7b8 |
| SHA256 | d64d581b0df2a76e327b09bf62df368321aa18878157834f5898eb24ad72daba |
| SHA512 | f9cf64f425cbf20b52da9c50adb318d36b0bb6ad5058f66c071822f90a88e1468ab9077a5fe6215c5db75ba7c5333c0cc67b02d727dcfc8bba6550a65d80ad6c |
C:\Users\Admin\AppData\Local\Temp\uOwMYsMk.bat
| MD5 | e2be59bd2af9c2505c3ae49920265377 |
| SHA1 | 2c996cd233723c60746b9d2fdd585e52e951d3fd |
| SHA256 | 78df05aece1da8b9bf2483320c997a72f95bb1b8949449c5dc4b490f42982f02 |
| SHA512 | e3063078288fbb5c54484cf0719b7eafe672b055b4f4ca90ff6a881e0f1e088c77bb5f794d953f6f2504788b988da27d519c2be651c4da52a29076a395d67abb |
C:\Users\Admin\AppData\Local\Temp\noUI.exe
| MD5 | eaebde258a5df7208187e4684477c45f |
| SHA1 | bb533ad6d8650a2c8d74335d5eb98227b89d7fbc |
| SHA256 | 37511dae71b308934b75cc9ef17590d009473841cd2ae0b3575fa30f74e40515 |
| SHA512 | 843c590f1827418c11e6bbf0dac4ead37befba8bdd981a45b716fd7ebc732d08bafe7ba02affebffd7d156d74a6bed23ffc7260e241a5e610c09873100bbe5ff |
C:\Users\Admin\AppData\Local\Temp\BkUI.exe
| MD5 | 26c39179c0b66e08bdb10926623e714a |
| SHA1 | 791baaec4d847eecd8416795990931bdec3752b4 |
| SHA256 | f47408a4a9a946e22b1731eb2e7e4dbe8064d2f6580988e8e9064aacf7ceb186 |
| SHA512 | 74cb03360a48e21f56ad42289eeeb6988b8cc726d078d395bac59d410a4ed86b2a98d626c829810f5350c077cd345d1000e4a1e57c1df722eb6986ed3bba5d1f |
C:\Users\Admin\AppData\Local\Temp\lEsA.exe
| MD5 | 6a9399a1e3a47d61daa54427a676afe4 |
| SHA1 | 63f40e93a23dbba12ecab68f98955ddd2b017915 |
| SHA256 | 83c257ed5007cbf6fd7af7db0e8b1422ef2db882e9cbea6ade9e1933199f6332 |
| SHA512 | a9d506b2e06a29a915d8287b684a0db2a654b847f6b80b9a43db6a789fefbafc844ab5cff5cf69858a9b60a8eaafb795a3edf886654b1eec48b276a7d765e885 |
C:\Users\Admin\AppData\Local\Temp\pAYE.exe
| MD5 | 2889e1a16c0231681a34a927b1429fef |
| SHA1 | b8fe17dce02b6c5db88ff6b60b554fbb71db83a7 |
| SHA256 | 7282c02e43f08859c329b41c344a58cdf34a1ac9c0817ef7f769920aa53f11a4 |
| SHA512 | 631d9e5e8e454a27a0c16c42652446372e5997cacae587f793e2a37134e16a0fd5be5830e5198f4a29507416eb24712bd88f6454665adfb2b0b9bd7e61098c43 |
C:\Users\Admin\AppData\Local\Temp\QygEkAYs.bat
| MD5 | 8a80f4fc9fef5e4e1011adfd64f2b100 |
| SHA1 | 489969c01511a3442acff127b0223f05752a3d80 |
| SHA256 | 5c1c80dfac9d54a992371fe6ee9445a5380fa09b4fc7213768428c5a7201d417 |
| SHA512 | c8ac945534c7304fbd4b9540e4cd1829ea8ce94d5001ef09b97afce48311144f3ef914dfc9be6629fdf6b71de8757f629c240c6df555965cc428f2820357b4fb |
C:\Users\Admin\AppData\Local\Temp\ykUA.exe
| MD5 | d1bc3df2a34542d1286f680874fdd0d7 |
| SHA1 | 6e8aba61815133a0296c3e86d710499a6e0e1ac1 |
| SHA256 | b15285c427757103d46f79f918f9953f644e0d96520c2d014c0cd1e536f4d376 |
| SHA512 | fbfb5a5f5c9f6a7fb116b2596a2db55e14431389d46e8c5183ec7a745f46da8a70f12db0e8fc8a56511e9ccc8bdbed8fad38177040b761c0dc79789baef5cac4 |
C:\Users\Admin\AppData\Local\Temp\kAwQ.exe
| MD5 | 2e2b3bbcb2ce20372f0f14f9a5a16b31 |
| SHA1 | 3954f3b62f81c4951ddc0c2ac04b8a046af4efa8 |
| SHA256 | ad3ab8caa6aa8ac1fcbbdba628104e365088ad468396062876af890bd2ae7432 |
| SHA512 | 49e8dea4a34f372177b0c5b038f1d35bfeaadd0fb4c94ab2cf51ccf91fab3b6379660d22d4efd8ee3f920bf3976b76788e93012557bac0156d7c780e567ed91a |
C:\Users\Admin\AppData\Local\Temp\AEos.exe
| MD5 | 0f6f0f0d2d986d38f1712df49d4ca507 |
| SHA1 | 8a6c3917c93de131f3acd8455c0e614a22284714 |
| SHA256 | 3e2ff083a99cba17733279e948f5c522df280434015e4ce1ae11db35a306b26e |
| SHA512 | 5297bfe720f8ca2b641730947855dbea097a716eb682f89269129b20adcd19c005b044e682a7a3414505e015b1787d8f705dba0e51a888ed4783d641a4de39b6 |
C:\Users\Admin\AppData\Local\Temp\nCMQsccc.bat
| MD5 | 02d767e73bb3735d3fed83d8c6d4c563 |
| SHA1 | bd1cafc42111abe9d46f0556aa5583c0541fc0b7 |
| SHA256 | 14b6bc3774fa6b08812388c08024f8b6b8b4cc438e5b2d8947d70a3894c93bce |
| SHA512 | ec6499a84e22edc699f3e55ac06aa919d492cafcbf93580a1e60c866c2dd9134e4f32eb429815ae4c6642060e287c94d61996be016946471d2b9adab26227666 |
C:\Users\Admin\AppData\Local\Temp\VOcAQEMc.bat
| MD5 | c07462663c46ee72d05c86c5cfabd3a1 |
| SHA1 | b5e84a0d82380874e043d23ce8b5adda66106050 |
| SHA256 | f581b8cf745edc9db38663152e839a1039c0bd4714c56382428a30d8d1f8b2ac |
| SHA512 | 2f33f6ee7940c88624caf91dfb0a140b11f649dfb6ef9725751510fe65082ba8cba0f903e3afbd5bc111d3bd91e0e63e40260b4da0a76ade292fdfab0e7aff87 |
C:\Users\Admin\AppData\Local\Temp\nUsA.exe
| MD5 | 15d944f2c1bf658a474deea00ba4e1ba |
| SHA1 | 32fb755acec99aa2bb9c9779fbf879dad330e30e |
| SHA256 | f1e9b176d6547c26236a7daea2ea03bf5c4c80101397348de46e808a21ba5f81 |
| SHA512 | b468dc49de705d1b1912bb93a920b94c9cdcb2c4682036a103d064ce82f740e407c2e591708babe55f042ec166d8eb66e973ab179419f7483d97469cd9140477 |
C:\Users\Admin\AppData\Local\Temp\QIAk.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\dYEu.exe
| MD5 | 274374c039882d80a404bfd7e0256716 |
| SHA1 | 42532c54ee436e20a1a07d194750eb5798cf5822 |
| SHA256 | 6865ad50bab53199ac6892c9e4781e23960e1e1d74a86239f2c1ffebd1d5e2c9 |
| SHA512 | 7d0992f12a7d660ec435e38fe35e29b62a0cdbd344c18b6375d9f31d2abc674483a1be589b3aeea196fb9f3de6ee0dba9b9f96600192ef8b31e3180aec8cf5e7 |
C:\Users\Admin\AppData\Local\Temp\IqAMoMIk.bat
| MD5 | 3e7a76f1559fd028e9d90e6fe00c56ce |
| SHA1 | af3cc87f73bb5c3cb3d1d6e3726112c282c96828 |
| SHA256 | 8316d685cb003bebc14b887a63163eddea7336a12b54f30bbc0334921a532aef |
| SHA512 | 30cd323c88d29f5b3c34dcfd2264a41f2ef670ff2a8ff8fb95c76549e77181d73bb9c5e680037932bb3113de42e3e13cae44d9d67c9693f534964f26ecfe113b |
C:\Users\Admin\AppData\Local\Temp\isUm.exe
| MD5 | b34f0003cb5114bc0bf7f70389ee7b63 |
| SHA1 | 75a035f4e0cc1a7f3ff7f63424912237614b6b2b |
| SHA256 | 3192f892869749119b2c30c08a79faba4010189919a3996d4f8d6b531aeb00f4 |
| SHA512 | 66db0e4d7a1b81207bfc9f58440e45be3a3f526c52fb7e45807c18073a9c3175e488f66eb3aa830599e062fc5d428fffabaddc5fb17f777af2bcde6dbd9e52b5 |
C:\Users\Admin\AppData\Local\Temp\MksA.exe
| MD5 | 373b533076d72fde88ac2cc3431f4f94 |
| SHA1 | 299b403edd831411eeb8040c21295d67e6987ac3 |
| SHA256 | 750e97362b3f5503c2eceb595524ec948afb55866623e65f1efc8e6f4c84e046 |
| SHA512 | a168091ba1b512d7848ce08ca37d0baa64103695f5caa1b46274373260dbbde47ce2bf09de36ee4e03b766c0c2a960fa4a0016fb74eb7e436fdc5977883a2eec |
C:\Users\Admin\AppData\Local\Temp\cAMU.exe
| MD5 | 7fc22846a0cdfa161c344ac1839a56c2 |
| SHA1 | d5a0906865a77eea359616d83e3bf10bcbcaa998 |
| SHA256 | a753f4c603b1458151368cb5d50d8d7ed778a47f8709600150be87e1407eb755 |
| SHA512 | 2ee3d529af5e8afc479523379627b3e16d8d9c8755f17c23aa90480445385d024c154a6e3d5c41d14c4f7fd33303ec727609b1f64054b864fd941f042207c6db |
C:\Users\Admin\AppData\Local\Temp\mMAsAgAY.bat
| MD5 | b7b57c732d5437ac16996399d590f733 |
| SHA1 | 2c46b8f9da8641e70a539199e8aa3bcb591e9263 |
| SHA256 | c4dd8573edf76cdedaf4fdc8a89a533b5ec7caa2dbd8afb9701c23c182bfd93e |
| SHA512 | 919b030e670a7322fc1b79f86f493c9661ac78b21627f1f87c1bca7d1bdf9f0c46d944ba54b0e1049e722e7b950bfeeb83ad589ff091ec2e190b422432e5a566 |
C:\Users\Admin\AppData\Local\Temp\wsQO.exe
| MD5 | c6bfde25b78656d45be935b6261f2732 |
| SHA1 | 17daadeb03fc7f2ef532de0c58f9784994eb5890 |
| SHA256 | cde3399bf7d7427928c6125dec51397f3c0ae5b1ac842b79be257a438378be46 |
| SHA512 | 41b86d8a1d6b4dc1df2dfaa164ea5eebe1602a640ac5d36cc2a9dff09a444729fbcae54d2b501eaec5c48046497bd49437fe490a5dcc29131ba90d03add0c1ac |
C:\Users\Admin\AppData\Local\Temp\mcEU.exe
| MD5 | 65dbd5b6d6ff2ef4d5fc88b100805408 |
| SHA1 | 03902016dc5b63c2ecc36f0d674bb45d6c1d6ef6 |
| SHA256 | 0e47475993da2010305eec6a6f03fc34c9146ab184630727132dc3f8b352a57b |
| SHA512 | edf4404ba691b8ebeee1def6fa95aeb0c825995b979192c19653d102488adb4276429ccc89bc50713c59620604c1ba4de2fa776b18adebb56328fa28e4398f62 |
C:\Users\Admin\AppData\Local\Temp\CQcc.exe
| MD5 | 0d793c51c2da60910f4bbdbb36697beb |
| SHA1 | ffe602e3df185e3996c72a6d0ff8e591ea82139a |
| SHA256 | a594704371452356b05e3197edb397101cfcd3b4277eca738e7c03f1460aaf5d |
| SHA512 | c78291a94d5ea978ad129080bdb837c39d9fe67a10a861021f47f826e0a4d2c87020a9e9aa43f5eb1f6d808b3afe3a6003384e62e1211a50c7c452f81e134f7c |
C:\Users\Admin\AppData\Local\Temp\AQMs.exe
| MD5 | 99695d3696fced82dd2c90e09cc9a2db |
| SHA1 | b54fbe67d0ec0a01e3ed3779cca676e9d93a0120 |
| SHA256 | 5016c748790fcf43ab8fd3b76fdfd4d54180747da97cb84f473c506a5120d367 |
| SHA512 | dc3471dc7da6484b762aae2c5b96d9e1d7051205443cd83323e5fbfe0ece904d17d8d0df03a0cc500982246b311a5ca38a6fddef3f978bf1f4e77660a4f98462 |
C:\Users\Admin\AppData\Local\Temp\CEoS.exe
| MD5 | 534d2513ccce746f8ed74a783f749360 |
| SHA1 | 98b57b351c2173f3fee7d079f1369c75aa11b856 |
| SHA256 | 847062d53efaa43b1d96d238a62655cb2611343a5a3738f118a5887a649a90be |
| SHA512 | e2ad803bb7e37ca45b28efa3e91e06409485c8383fdc8b69e0e1dce502182d63a1781d049600c07b815cf253697af715d222206bec4bf0905603b54fa1132d41 |
C:\Users\Admin\AppData\Local\Temp\hIkU.exe
| MD5 | 5c941526c2eb7d3bea4d1b857980008f |
| SHA1 | 1d1bcf957eb992cec77dbaed26aa06a30d76adc5 |
| SHA256 | d67018845793f61be27de9e48b3e75dec467d82d6bbbc5bda05e012ed9615baf |
| SHA512 | 839986b28cd56738b55679048a25ed0e4c01e1703a17fccb111155523cf99313be9d78aeeea4de272dfe19b71adad665aead9b0bd87ad065ad48000aec507e2d |
C:\Users\Admin\AppData\Local\Temp\tmEQMgos.bat
| MD5 | ed858be67fa419ca12b033313c373ce1 |
| SHA1 | eff4e140ec49b6aad8f423eb8117e0564133ba18 |
| SHA256 | 08bb194621c3d86840cf450cb67e0fdc111ab661cf9cc1d90259c8f39474e155 |
| SHA512 | a78803d34b8c0ad9114061c52b1cc25bfaac91553afa7dfb5d63a9d3fcabe64e49d324d80625da77dd695730300c61321774b6775d58e3ac47cc98368a383513 |
C:\Users\Admin\AppData\Local\Temp\jOcQYUso.bat
| MD5 | 7655d4fe0632617bd860c1358df94d92 |
| SHA1 | acb1ebd87bba5e263f36247057bed08cbad45dc6 |
| SHA256 | 6a2b4dc3df7a1277235e5028b09b56fbc414f4cf06f53a4817d668781a7ef175 |
| SHA512 | 227f0a79087e609ed86e8abf4ff96927eceab25314e6cc41bd7f4e5c340c577f5e61c9f202bcb512efcb083244fd3b8de792187bd14217f20c9b437dcec19759 |
C:\Users\Admin\AppData\Local\Temp\CQMgkgkk.bat
| MD5 | 6d4c165d7115fa64d623b613bdf08690 |
| SHA1 | ea774e20bbc32a451da5c06ead9d48aa6ace568f |
| SHA256 | 15092c6074c3502cdaf773f2c7f88fbf709a39521601a3bac946a7fe0452fbfb |
| SHA512 | 739022a81f877838422405bb4b498837349558445d1829f337b432c4c936e3571173b8b4fc79a46d81368ecd4fc0d900aa1b79431bbdd7c5bc55f1215f046ed7 |
C:\Users\Admin\AppData\Local\Temp\uCQUIkws.bat
| MD5 | 6265e9d06fcf420c8634ba1538e06ca0 |
| SHA1 | cc8af5002d167311a323e2d3b6713029dff3af92 |
| SHA256 | 3772c0abcc7fcc4bf53b29cdece1323f442dd33be72c4b091a582c6bea84efd2 |
| SHA512 | 0cb8069d25503253b3b1a5e6c7eae76a4c70db4cf0c0487d24b42451b401c4d7ad3d940ad69e6b6430d2b566a9fa3d96698a0f058c281521b7ad63134f872b77 |
C:\Users\Admin\AppData\Local\Temp\akgoAkAo.bat
| MD5 | e5ba3bd8a580f1a276621866f23bf58f |
| SHA1 | c85c917847246440bb78fbf316f45473013dc4d4 |
| SHA256 | 3a1400a7ad28d02aa03914d704dd878d15e5af760130b0fb20ded8a37bc77975 |
| SHA512 | 7c49de856d8caf57fd8d341d24072dd4e341666af87608efe05a7261e1e4af2f83999970a9278be4d94180ef870764bb4ef304adf1e51008ce074687490e363b |
C:\Users\Admin\AppData\Local\Temp\QQowQgIE.bat
| MD5 | e4cedaf7077f623038659e08ea122e91 |
| SHA1 | e2f1d6e71bc99026801de8ce4c49c4e8fafc3b24 |
| SHA256 | 929f15e29dff37e59be10aada0697df6f6eb0223d5c449e1c955f09f1ca4a8b8 |
| SHA512 | 9956349fa85894c19d4ee805de399af12730eebb952a77f9a36e04a7367e65010896b257e87491229830f7fe57b3a7313bea0a2b94c0cafd32cdd9f6db5caee2 |
C:\Users\Admin\AppData\Local\Temp\BuYwUQIo.bat
| MD5 | de21f703fe230fec78486358628379fd |
| SHA1 | 510f7ff9dd426740a64e22fc35ab4fde10d3d48f |
| SHA256 | 4ab7d3eb8736c5d6a106a0ebf76ef68375a836a8b3983a686ee30c7f2f72349a |
| SHA512 | 55bd128420d70461fa5f2f880cde7da55fe8b3624e65849edb36754ee3e0146f552a20a062a77458a9abc43cf7dad4db340e7de1d3ff9f312e24bb6389056dab |
C:\Users\Admin\AppData\Local\Temp\PmkMkscQ.bat
| MD5 | 0044e3382de048e47c55399778571df3 |
| SHA1 | bfe4fc0b7f15f42a500a0c3aa5268b60b5e79630 |
| SHA256 | a72701e5fe3afa869c8a9517e5a7b2575f14825a70d288bb025983f74ec8c5d0 |
| SHA512 | a65dd8bc328684e31e8a952a7c1ec1286f72b1cd7d3ccbb761dd355116341c3b10ff2d1e5746acdf51cc1b3111c464eccf6b623d3aa88089262036cb9e0c25d6 |
C:\Users\Admin\AppData\Local\Temp\QeQgwAEc.bat
| MD5 | d0e45b2e20e81a54f7cdfe1c2995f96e |
| SHA1 | 3c24acae7f523a1859fb0ebcd814f2b8501efd80 |
| SHA256 | c9f26749a1e34d4d55f5d78ba9016998b19261b1d7016996d48c0205b9719429 |
| SHA512 | 36c3887f5be73dc0d24537770e2353cef0c419935a057d44db7a35076edaf7ed9a9fb4f6bfd280428bfa08fc369e6367016eba086a507abb86f91d651625dafd |
C:\Users\Admin\AppData\Local\Temp\vicggkMI.bat
| MD5 | 7c38b344de45959c288997c572aceed6 |
| SHA1 | a7f9339479d22ab3b75bfca2dad27cd564a3899d |
| SHA256 | f3df1852fd7f9e6ab3eead85609964ebc7aa0960bf45570ff353954e48081277 |
| SHA512 | fb904620349eff4de6e55985776adfc3bb521b8a7f6bcef20b142bebdcbae9e519711dcd0de9a80142697bac332b652959458993693a25e45a7c54a20626a09a |
C:\Users\Admin\AppData\Local\Temp\HKAssIQE.bat
| MD5 | 483f16b0e632e4495556177917c7b7dd |
| SHA1 | def00342246c2e2ab99fca91b00b9dc0a0c762fc |
| SHA256 | 4752798bd22317edc21894691e51af226a94b9afe20990e8bba11be8fa18ed77 |
| SHA512 | 3e7ff51802487456288990c6338b961205618e6400d4695259354fd828b0e17a84e0daec94405c2f55658901f8086985cec82c167089227a3d2e7ec87a06b67a |
C:\Users\Admin\AppData\Local\Temp\WqIQMMgw.bat
| MD5 | 0fe97000683c6a1046d353b8ac288e45 |
| SHA1 | a49eb33e5de4e03cf02e7d42d6fc0244d93494f1 |
| SHA256 | 83c24a6886f1016c00bd3f241f6b733fab99f4566174dfe79af591faffd54475 |
| SHA512 | 21bd2b6a33f60d4b35f0629ee4ac363f283dbb351e5c10cd26a3441424f000bb4c23845059879fe7c6046884285c382bb2175cfff570691a193a38d3c26585f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:01
Reported
2024-10-18 02:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (86) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
| N/A | N/A | C:\ProgramData\hYEYkkkU\EEwIcwcA.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bakYMEUU.exe = "C:\\Users\\Admin\\CCYEoIoo\\bakYMEUU.exe" | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EEwIcwcA.exe = "C:\\ProgramData\\hYEYkkkU\\EEwIcwcA.exe" | C:\ProgramData\hYEYkkkU\EEwIcwcA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuUUsMMU.exe = "C:\\Users\\Admin\\FIkcAwsM\\GuUUsMMU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aoEsQswU.exe = "C:\\ProgramData\\BqowMcYg\\aoEsQswU.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\BqowMcYg\aoEsQswU.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\BqowMcYg\aoEsQswU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\CCYEoIoo\bakYMEUU.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe"
C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
"C:\Users\Admin\CCYEoIoo\bakYMEUU.exe"
C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
"C:\ProgramData\hYEYkkkU\EEwIcwcA.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYEIUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOoEgcwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWEkIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaMUQMII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYIIAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEoskUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQoUYAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSQEQwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOUMkUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOIMkEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c34f4226b77e91cb46f990f28417cc51 BeW3/KVSSUC2vbP2A/sSHQ.0.1.0.0.0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCAQEIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecYgowUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cooIIYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeIAsUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oooEkQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwUgIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwwQssAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nscUgIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe
"C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe"
C:\ProgramData\BqowMcYg\aoEsQswU.exe
"C:\ProgramData\BqowMcYg\aoEsQswU.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1068 -ip 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4744 -ip 4744
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYkMEkEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 224
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOcUgMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMwIMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIUAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcoQAQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYMksgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIQwIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoAYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWIcAsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMcYMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsQQIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwAYAckA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiYUEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bggYAgQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcUwQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoogogMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueIYQowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQYIwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYcUEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIckscsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiwQscwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMoMAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOQcIsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aycQYUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYkkoMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkEkAkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zmwkgkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkAMQYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwcgMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYwYgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewwIQkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYogkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIUAoUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TisAcEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUkQkUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raMosUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuIwgYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaUAYoIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AScAwsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOoMQwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMUUUUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWIgcIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCYMIgMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqYEYoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecoswEMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyMEcwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VocYsggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkUIMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMQcMYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMgEYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKcQYooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiwAwkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoUsQcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSUsAIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWEcsMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FecEUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIUMAYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCQkowQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkwIQAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skgwIcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqgIQcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAAoAQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vysYAQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAwMcYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgYccAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUQwIEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOcEYcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEIwAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYIsIAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOowgEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buswwkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwkIMEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYEcYMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMMkwIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkEYkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwcccQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuwoUEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rokcAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcAMkAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiQcgcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYwwAIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.78:80 | google.com | tcp |
| GB | 172.217.169.78:80 | google.com | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2884-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\CCYEoIoo\bakYMEUU.exe
| MD5 | 4aaa628ddb2438ee63baa60966fff2f0 |
| SHA1 | 423a5d5ac66f1b39f9576c85d5dbe50cd3615885 |
| SHA256 | 8a708e2c7aef0a9950779b87a505c147387f4a1675a985022274ba370d9c1070 |
| SHA512 | bdf6a93b526538b4fcb2e43368e3cba011d1b69da5c8d6878088243cae6a82786ff69e3892c637488d88b425e3215056a8eeff09bc19cf44eeede009c3e3a1ae |
memory/1940-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\hYEYkkkU\EEwIcwcA.exe
| MD5 | fcfde0c7e86a28d30cae365a0c782d23 |
| SHA1 | bfafcc880a07a964027e39257c383a7cb8e6227a |
| SHA256 | bd66434ed09e33445fb338c97cc4e5bdd07bf353e1a2745075c2673efad7e9c8 |
| SHA512 | 1347163619b8412c7c17c20fde13b5790a383e7725ba403b26eab9d6211a2b543c6fc1fe6fe622ef8e616b4d51722119b53856be3f850fd616c65d37989b918c |
memory/4948-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2884-19-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zMYEIUgU.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-18_c5753e1861dd547017dc501d1949740b_virlock
| MD5 | 01756f45662d7cff811ff986e2fd4e66 |
| SHA1 | fd67e79512c5386dda615835a40dfe5f286437bc |
| SHA256 | 1732b081443d1e292dd1a4477ecd8be81fa350cf3b3ce6dd222567b7585a8895 |
| SHA512 | c78311075d33ff2a253dcb86911355ed76ab349fc2f83bc6ab042dcea56d5d092af8abb2598372cd988210549376d023f6c34e92cb8816f4736d91dad606c2e1 |
memory/868-31-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3588-30-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3588-42-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4652-53-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1756-64-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4284-75-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1720-86-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4256-97-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4644-98-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4644-109-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2320-120-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2992-131-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3668-142-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1104-153-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3940-164-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1868-175-0x0000000000400000-0x000000000042A000-memory.dmp
memory/32-186-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1460-197-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3756-208-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4744-212-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1068-213-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2916-214-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1588-224-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1068-225-0x0000000000400000-0x000000000041C000-memory.dmp
memory/4744-226-0x0000000000400000-0x000000000041D000-memory.dmp
memory/744-237-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4876-247-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4892-255-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4916-260-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1588-264-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4916-272-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3972-280-0x0000000000400000-0x000000000042A000-memory.dmp
memory/780-288-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4844-296-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4952-304-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1368-312-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4892-320-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4528-328-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4440-336-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1764-344-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2576-352-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4136-360-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4884-368-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2056-376-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1328-384-0x0000000000400000-0x000000000042A000-memory.dmp
memory/744-392-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4092-400-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4916-408-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2924-416-0x0000000000400000-0x000000000042A000-memory.dmp
memory/8-424-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3588-425-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3588-433-0x0000000000400000-0x000000000042A000-memory.dmp
memory/368-441-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4276-443-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4276-450-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3960-456-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3664-459-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3960-467-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2708-475-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1556-483-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3476-485-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3016-490-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kksc.exe
| MD5 | a3c0a6bec05a6742f9943349483da87d |
| SHA1 | 19e7dfac79e3b0d8db7603db1a37a9cf0abad8e4 |
| SHA256 | 0ca17b804c5987be09879291415cfcec4df429c05647ed9d4fc1e82826a393b6 |
| SHA512 | e763cc78b60ef199ccdf7c582d113dd439ebeb547b510cad46c8869a96ec0ecd7cdcda60b975daa9b627b3d7fc66a874048cf2a14ef131037572579c8f9e3a58 |
memory/3476-508-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3016-521-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gwsa.exe
| MD5 | 17e002f001eedbd1f8d970422d0271a5 |
| SHA1 | ac0a5b6d16993be5854284eccf0b9e104193312a |
| SHA256 | d63b226c9e6c338fe885bc11c656da0b272e91da7614d6c583215123fdad0f8b |
| SHA512 | aa99388e9044813ccc84c60349b86272787ad19d805c2bc08f8bb62ab37db4d3010db18957efa5c74326de5206580ca7ded8e04c0683a4187b702c1898f26328 |
C:\Users\Admin\AppData\Local\Temp\aEow.exe
| MD5 | eb79cfebd61464cc69a4d124ad8c3dfa |
| SHA1 | 677383340d46abaff2442b444e771b2c673ecc7e |
| SHA256 | d574865fcb1c944df9e9e180f5ee460bde9b80335f0f948f32e93167fb2cdfdd |
| SHA512 | 3260af3fd5c0d60db5e48730ac992cebed2fbf77e7fc3a2f9acf03e741d3cb74cd54c40ec18d3f44bc3b98e86639730f87d2a46a6af7ded4f6ef88cdd2c905a9 |
C:\Users\Admin\AppData\Local\Temp\mwcI.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\WIUO.exe
| MD5 | be37189179c6239033b76a50a6bed3b7 |
| SHA1 | 91f711d379856b3acdb8b3b0067a05313c26e608 |
| SHA256 | 449d095b8e813109e14dad6b584b2cdc694e24f4b1b93dd9eaec62cf7c598abe |
| SHA512 | c2d6d0f67d8fcf1e0b208570e88084c4927add51dd2aaaea552d0ee64c01fb5a8ee10529837e54a31e2400108438c5e189b453d90db52ec1fce05ce3b9daed72 |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
| MD5 | 33bfd5779c538c1097c5abb9c810a0a8 |
| SHA1 | 2e5d2f5184f98451baa5bf6c24f34360e85dff37 |
| SHA256 | 698f173b98893ac426ba1e089390e00ac3b5457773e0031d0d26932bc9af84ab |
| SHA512 | 8435452208d00bd60527a3c4bb042ce6d4c924661946f376c0d08da74888035c622176db7371b18337da8eeb1dfec8d54899177715dc1ae0187eae4c96c44acb |
C:\Users\Admin\AppData\Local\Temp\gAQE.exe
| MD5 | d4a3ea28413ff48517f306b54f966415 |
| SHA1 | 0ae9e7944e9b7b11a94f8331aca5213c968250a9 |
| SHA256 | a9027e8032513a0cd18b50a4c2b4d20f71478dcee34a9165db2dc7de6de36299 |
| SHA512 | d01e639ff343b5255f2a143e0c8870e757e02c150a45cd3d6ef2b27fadd93f37b7e7a8d3b132463264efc53644fb6dcac1f9eda01e2648843a93087c12167a17 |
C:\Users\Admin\AppData\Local\Temp\kAwC.exe
| MD5 | 7ea72467193cba34e2ceb58b0729c9dd |
| SHA1 | 5c71c2e31332c1b71894281b531aff2949b2bbd0 |
| SHA256 | acdb76470ef8fcc9d060b8de88513e4fbd109afeb29b0f0d469520cc8da11f4e |
| SHA512 | 941ed7e114389e21215b9562cbb5b2d1cfe87d7e9b5437c8ae153fadbb2e69bb7a754826100063f60a37d544f292d6e06c6dcd68b30b957f2d4a3b79e129473c |
memory/3144-599-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mIkc.exe
| MD5 | 675ed7d56764aa3ff4ae81d28a0e1811 |
| SHA1 | 2a1ba0568c7bd6428b0e899f37d6db98c5544f70 |
| SHA256 | 0b350dd5c437a1b175cb36578ec0c921e0b4a74982b79d25d1a35a0697ae03f2 |
| SHA512 | 16234dcb31f74317c223de9bf6d19a963247de633e655cd590b5433fe32ca7830a19d1da19a6994303d02f09797fed5f00ba939d4228c71d24ccce3e143b12d6 |
C:\Users\Admin\AppData\Local\Temp\yAUS.exe
| MD5 | f93a6b5816277864cc69c95dd9e9d32b |
| SHA1 | 2656be153989878a5dfa16fcba884ae4022f625f |
| SHA256 | 041fc1dc4a22d64a2416adc7754f4011dc09373fd5c2fa278f424fc68fb2138c |
| SHA512 | 270fb0aa88b499030c9eb4a8eb6399362273bf86f4d366101d9964062815c6661625c2b268e72e0c62470044d1a0b9ac827831438a4cff44811232d8320935ee |
C:\Users\Admin\AppData\Local\Temp\mcoW.exe
| MD5 | a8a94d61a24c2c17a3ed3693d8384ca3 |
| SHA1 | 37bf13d87bf6cd94add7affb1458e9feda17f473 |
| SHA256 | 29d95e423bc4b6071287aeaf24eda5658cf77e5ddd899dbc1607bda6a5c7c144 |
| SHA512 | 4a3efcb31b245d6678cb64c2160f3fd9faa7190a7bc80bec321df33db9262924c4c1a43f7f3d93c63fd5805b69bd0b5b5405280ab464b0f497877bedbd6eb44a |
C:\Users\Admin\AppData\Local\Temp\sIQw.exe
| MD5 | 1a08f00d662746e3c14d653cc294d323 |
| SHA1 | 4df2cc0fb897cba31925c19bd62469c55da5ca0a |
| SHA256 | b6e20df3bea6de5c146e2457637d371f4b6a57d3108c65f442b1403fc8830243 |
| SHA512 | 1d52d3f86b05033f38cf7115fad6a5ac8798223467db2bbf098737e61e23d6e8941f2b1d335835960309fea7f68b99448b87927bbe03af425b3f48c46e4858da |
memory/1712-672-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wIcY.exe
| MD5 | 451bd514e016209dbadec94d961a5db2 |
| SHA1 | b7dc88967f11c5d63440f400afe9d550fb9ed4ec |
| SHA256 | 945c012232f53ad85acdac55336bfc4a165113ad8596aaed4267aeec5a7b8698 |
| SHA512 | 68baf0a773001e82085a60b6c56bea931e2376aec1478047c94f640d25e4435d3c1cda3bec5eb8ce89e97eb0bcc7cbbbf341519127b190aa3bcf8ee62c6cb633 |
C:\Users\Admin\AppData\Local\Temp\gsUm.exe
| MD5 | 10051abba6fff77feb163748e2b24c9c |
| SHA1 | f870443e296663a9ef5596f8e634074fc3dbab25 |
| SHA256 | ba8cfebf3b5118a0703dea684d91f69c5303a7cd8870905e7f3f2ff0dc762e5c |
| SHA512 | 42050dfb36e03e3dbcd4ee7dc52d37824adc8cfeac6f7533479113e37e5585f858215d6e2ac199c4e9f92d9fe932f60bde7aecbe6eefc4c48422dd7345e89c62 |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | 81d886efcd3a3bdc123e21a62df7269e |
| SHA1 | ba2d94f2149a05e188bad7c770ddefe9af9fb793 |
| SHA256 | cc83c821f8e7d76baf763592b2d97bbf8b9735bc980e86b81268e298175863fb |
| SHA512 | 03a5a13716ec2bc7a46773c11c8b27b6f98d6ccf341ba9a9b4be6f10dc956f8ea1f6f4565022494bd59e5a40d11121cd67d34fc491f07cb14973019205ec620b |
C:\Users\Admin\AppData\Local\Temp\cgMK.exe
| MD5 | 42d524b09395e6e310cfe1affc483ba1 |
| SHA1 | 06d2d22a51cc92d415d462d615c7a262f482c99b |
| SHA256 | 736fb085137e85eb1fcda83048713822ff7492b75771026d00e0d3f84624b530 |
| SHA512 | 939db92c930d884a0a342c66ee1a339375cb8aea64df77ca6fe32cefd3d85751604c081cd2a0aa9a6b25fd93e5e8f44286595928bea8543fa7c93d5a118fe0f8 |
C:\Users\Admin\AppData\Local\Temp\KEsi.exe
| MD5 | 03db3b9d7d658873a7092c96278dca13 |
| SHA1 | 1a7147c8863663233a6aea1e2900c597ab2778c8 |
| SHA256 | 032c2a785be2622adac526bce6f05a35bb9f471d07eeb3e7d9f1f386c5794510 |
| SHA512 | 2415c31bde086634c68b4d59b13879335c864215af38a46af2362d2ac663f0a7db1be44df0972313161dcb7e71e81d7a5894ed4dd0cd55ebc1c246518b5433ed |
C:\Users\Admin\AppData\Local\Temp\cEYm.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\OAgO.exe
| MD5 | ac5d9ddd8649fecfab072b0ee492eb88 |
| SHA1 | 872d4d43bfbd971c87f4c9b03649db029ec2c78a |
| SHA256 | 1b9ca658a46233d6a30dc1bafd96274725cbff84af2f058d81f17e2612c6bb11 |
| SHA512 | afe68c19aeab778b949960e9aa6075ae052c09708c2e0ff146c846b19f05297621ff28aaf2c63040c19d2eb2cdbf6338a3e3b0c0b75ee488bf9040a2ab04a79d |
memory/3024-764-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\egAK.exe
| MD5 | 3714315920771ae1dc915583d347a8b1 |
| SHA1 | de7f79cc3b1dc81acc03aa8c1d760cdd33626453 |
| SHA256 | 3ce717d043a5703861f903bdb798e75e83035fbb8ed8c4cc461e51bf2a1d565c |
| SHA512 | 86e51ab3125671c2c6db1e7b160126ba0be62678cf0754ab4ccefb971a45f9021dbc06b55fd886740c683886d43e7d8b181ab178c3c9a9f8972c5bb12acd59b9 |
memory/5056-770-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Mkwo.exe
| MD5 | e8afc065e097c6f16e9411149d62e225 |
| SHA1 | 69f83d89d13c888da858d697b0f5bcf214d1229b |
| SHA256 | fd25020e196fcd0c7a9ef4adc1206031ecc3678fd0936e29df08bcb30973e2ec |
| SHA512 | cc70f61772398312f2d016f991c991be6102bf554798cc199f51c6c18c5bbd822be896daae42b444d80249a9bc3145ad6d06025afc9f6118087a17cdaa902367 |
C:\Users\Admin\AppData\Local\Temp\EAIC.exe
| MD5 | 9bc1f99a99e33b155586adf609c89744 |
| SHA1 | b6f42904f716edb3356b993da23ff32b33b3f091 |
| SHA256 | 4865186ed71183cbfc77ccc9267603c524f9a5f22512bd9171862e9f1b1c2611 |
| SHA512 | 90d98568908752551c6c16f95499a896a5dd2d8feec75c5b51ee7d60819673294682470b09ca2c44d36120ae585c73fcaf5b3f840305ac715459493cb60829b4 |
C:\Users\Admin\AppData\Local\Temp\UwQI.exe
| MD5 | 8277c39e9ffd74f86e46734640ab56b2 |
| SHA1 | ac562937a4cbfb7de4ad1d3875d953cd42fafe1e |
| SHA256 | d0f5a49b6232f5afd6e12e6345bd8442b9c9b5ff1707435d629616ca4730c140 |
| SHA512 | 9e77a56b27161f884a7a0d19a24342c312a4235a21bc4cb722f1e0e5795906175aeed6132e859604a8d0d85bec26cc492ee978ee8a43f8e53254da6f32f2bdfb |
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe
| MD5 | 67f67c3799b8d5386d274b4df0a44766 |
| SHA1 | 9fd17e139cd1fcbf1044d5752a2b57eb86d9448a |
| SHA256 | 0a70f349de6e4768972e09cdfc5988987b727ebb257bf8219737147d5042a7d1 |
| SHA512 | c33ddd8014ddc9c63b3d37724e24b06bda4a577c7a5d0e697d86e45ebe645bae00c69b17a673f09d0a9244e0a048e55f1977036fa810f95709dbc1853f1d7040 |
C:\Users\Admin\AppData\Local\Temp\wcAE.exe
| MD5 | 55b74a6aa48352276720110b120e962e |
| SHA1 | 7202161087aa3b0cc3ab460f0a45930547e59a15 |
| SHA256 | 4a97066dde71fce482989b47e86f825a1f0dde79ff0603728917fbb1e2563eae |
| SHA512 | 5571e1a8697f002bcf5aa35572f0eb2716c88e5baaa793fcd7f41ec9791d39857a33056f6c1ea8d392bb7c56746fa3e171cfd397164a997bd274641238f51ebf |
memory/5056-857-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oQUy.exe
| MD5 | 24dfa51586dc2c1629bfb17fcd7494d4 |
| SHA1 | 6639c0df7cd493c56ebda2596b6292f6aa79c02c |
| SHA256 | 94a71fe22811c91f8f7d364cd3d00b5983a9bc66372ead8a1891930cb5f0bc4b |
| SHA512 | 89bcc767ee91bc09baff941838a23ade1b6014407553f7ea125aa2556dd556e9fab5c72a4f1db2c7236e94e3ba64a8b27f1901ae12e56c6e8a3bdda7412ebbc4 |
C:\Users\Admin\AppData\Local\Temp\socc.exe
| MD5 | 7caf10e1984bd93d6843d6d9588bd427 |
| SHA1 | 5253a002200214a0474d7d54771047830c75a2cc |
| SHA256 | 98aeb02d5bda30780d9f96f622f3dc88412237148b82507ec0fd011a512af36e |
| SHA512 | c861124fd8de6f8dad3fe1c04cc924bb5e8c2b2d6fbad41bdf38df5b9573c61a3e54a2ee94d3ba73cfdadab9f3693b77d71cf426f217ceaae00bf51bc025dc85 |
C:\Users\Admin\AppData\Local\Temp\QYYY.exe
| MD5 | c664c09fe9a36bda8fc7aa50f9c4c17f |
| SHA1 | 2425d3e199db911826fb757a0ceae40ed105ddc4 |
| SHA256 | b0a071f977ecfa5382441427528e3bce3ddf292da3942956e7eed77db113e474 |
| SHA512 | ebbf20d9817995f341e7de6b3a752a3b889cd4b1eba290912ff954756c7aa28fa178472362cf836a4496d95ba6aa1c305bf9bc9181871cde4c9dfda0ca845145 |
C:\Users\Admin\AppData\Local\Temp\OAoc.exe
| MD5 | e6b7a00465b909473f97c7ec0e88d145 |
| SHA1 | be92cd6b2f905c90c0f1ab0a785169e1d048f50a |
| SHA256 | 13f0bc95d7470e51d4f366e50a13fcfd56fd84c1bfe17989f5c3d6590eeff69b |
| SHA512 | 81d1447bbaae5337c0e129b29e4c1b6caefe8b6fa2888ce1433cfd75632bfc619ec6140c32a83207bad62428d1817ee24aee5a9631420ef233fba83442d80800 |
memory/5064-921-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iMkg.exe
| MD5 | cf55ac3dcd38772d2a4214188273678e |
| SHA1 | 084c348ad520da04e2210dea0c0461c585b569f4 |
| SHA256 | bfbedce3bf2d9c3d6dd81825fbacc6c1fdc7c147c7f8d1e5497804d75d5d5795 |
| SHA512 | c74f47ecad513e1ee0767ae221916c278f10f8b4717d4d8bc7ffe6a529cafc273f36d5066e83d64616a4b476f662e70da21581109dddc765cad2064111bcc877 |
C:\Users\Admin\AppData\Local\Temp\CcAK.exe
| MD5 | 3e4a140450cbeb6641f2ddd3a025fb28 |
| SHA1 | 43c53def5226a9e2d632128d900098a8cd02aa64 |
| SHA256 | 0bfb31e75f7b12b6740a20b154562658086e92cba4eaaca8348ea47dea2790ba |
| SHA512 | 9c2be9b1b53040ecbafaf7416603decadfa6b0f7373c0df04dbcdcb61f2f4736a9cf81d1a5ca5c65dad623870e93006d0a4367ab1eb1715f3844270ee2c61454 |
C:\Users\Admin\AppData\Local\Temp\SwAy.exe
| MD5 | cb4d331b57c115c2e4c9747c326d9692 |
| SHA1 | c7eafb5644a42315936bdfdbeb3853cd81368add |
| SHA256 | 34fab833cd3e2f3fd2b487d1a640a4120a368fd1faf129c96fabe197af35fe34 |
| SHA512 | ec03b48ca976ec5c060120787d794c74660df1681a2e1e4843cb123b572bff74b994e1c5cd89b64a6d9c506d367e285f5d9a7e9e2699f69072e52fe84a53fc24 |
C:\Users\Admin\AppData\Local\Temp\OMoq.exe
| MD5 | 3ef1d4d6fc2376bd8324fa9d88106316 |
| SHA1 | 51db16f9e348cc2fbb434ed67c87f6e7dcd807cc |
| SHA256 | 725954be6e0de6a84bb04e994c31be96d665691ffdfa0a82738d13a0ebdbb0bc |
| SHA512 | 42911040978d15a7fd8a227b2661e00d211b3b4f6528a9f075bacd4c47f373f3156fcffeb6633e3d4b1a936ae5cb81ab36baf997891002ba2eb8993179409eea |
memory/2356-985-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ugka.exe
| MD5 | 92a57f5900f7eaef4f1836a9aad1c16a |
| SHA1 | 2c28314b4c5f8b239cece2311c00b7b495902e4f |
| SHA256 | a65404861f64ee5c091bd2b4e464b4de1f842aa50997f2571bc813e31dfed513 |
| SHA512 | b43cc6871dd257875a7d40ed8d724123ae83a53173952a736bfa9e124ce766ca9971d4127499ed413f1ad336e2f415313d15544cafe220219d3a837a3626f7e4 |
C:\Users\Admin\AppData\Local\Temp\mswG.exe
| MD5 | 1bc5ea38e086fef8e873e7974d1724db |
| SHA1 | 2959ede22b87e483e8de408ab891d6255d4bb25c |
| SHA256 | becabab50c86db037f9621d941718eaede122126e4cd11ff8310e77d4a3d84f6 |
| SHA512 | 6f954e239ecd912ff063ec7c071782922fb96b73aa5b7feee37807d2b15f1124af5b880fac7f61284e89927c64e1b51dbeff036b0ba4b13ec364ca0bb6f9f481 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
| MD5 | a7ef2b736bd83c4878378e53ba51d3ab |
| SHA1 | 3ff4c96b27b80e0352297be432ff5bb2872977f0 |
| SHA256 | 6f33ee12d7f98dcb198e04c0fc576590c7dcd6b2aab5007afffed5aa0004452d |
| SHA512 | b0c885a1f1f330af32b0ac074ecc45a339308fef76e9801926d92bff0e2acf08147c8517d84b21c3f57fe9b178c4ee571d8c055b2b48b131976554959b092e32 |
C:\Users\Admin\AppData\Local\Temp\wAoo.exe
| MD5 | 81a3abd6e34cc9fe47b198b88b87479c |
| SHA1 | f0533e5bf99de19812ba23216c13c0fc4508efcb |
| SHA256 | 852dc22da3c64730c70baab369a8d50ed142e99b30debc18c27d6f1fc1fc5ee8 |
| SHA512 | d4bd83631eda37939e84680dcfb9eca446e35a6eab49c4c6a2555bfbd62af40108f49e31c1b40ebdc8615c8178c8f81dfdbee16b47801ffba83b727f9837be16 |
memory/4768-1049-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\isMI.exe
| MD5 | 78094e4f9c70e3fde982a1681189bcc7 |
| SHA1 | 406d69496de5f544cbcbbd552b69bff317252a07 |
| SHA256 | c18836053e74743eb304ed2803b390d5a529e7fa0ed43c19806b578e02e359c8 |
| SHA512 | 24546b8676ecec8f9fc0c82ddec621516146840cf3c748da516c5f2a9a2c52dd7616dfca089e9baec2539b4f6ac9bfffd6cb30d0072bf97e5d004fc57de924cd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
| MD5 | a5d30857b02e296d49e7858aff219ae2 |
| SHA1 | f4c67a9fbfb753fdd92e46b29d6e84fe72d18c10 |
| SHA256 | ba55ef47d9f0e6e2121f11ac84f2010bb76f19ec3e63fe9f311603ddbc944df5 |
| SHA512 | a4ce12d59e46f6b8e7beb8682372e4ad1f6766e9161134558c38f255d10c578794cdda938c754ff2778b4934afe747ea5686173bdf91fc568202b3180d97f6aa |
C:\Users\Admin\AppData\Local\Temp\gIEq.exe
| MD5 | 02413ccd6e608a097f110aca73a0d368 |
| SHA1 | 7e05a1e37cf149fd1560a5b8a55ed4c6df445fb2 |
| SHA256 | 6766d89848c08126d606b78f0ab6953bf6e50747a6cd76319518872fda122246 |
| SHA512 | 4def3b25aa2f6cca4906fb0a72c8b25c97511ee45086920e38363d498731c60dd7a88b8ad9670619e921be2e8dd29269910a03170032f72f8ea0c460c0e02652 |
C:\Users\Admin\AppData\Local\Temp\cAUq.exe
| MD5 | bbe08ce4cfbc3200b29178ceb478f5c8 |
| SHA1 | 04bd7053aa53985816f5ded8b26e0466defb0fe1 |
| SHA256 | 6b073d190a2036a2befe7dd6d038b7a328b048650384d68290761bea1b30155d |
| SHA512 | 6fef01317e7963214c375e112d9d5a04edf49043e7bbb8c7578c9203853ecc96e3b3e9fc3cdaa637e4f1765982a4a17ee0e726f0fa085bccfd1048f1bd2879dd |
C:\Users\Admin\AppData\Local\Temp\aAYM.exe
| MD5 | 53102eed2509aec1633f562197daa382 |
| SHA1 | f8e0100cd886c902b902c204276b677997e6eb45 |
| SHA256 | 576c2cee23f1ab01b03cad4bab42764ccdaadaf37e215e26e99558a9db40772a |
| SHA512 | 8630c2a5fe60ba17abeb83fa0254dffcef0884c951c1d4a7284ef28681d6af02b9125568e49433246cfd252c6c2ae6c744b2192f3997f32ede2f031391053317 |
memory/3188-1125-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mgIu.exe
| MD5 | a8c2b80e927ef7b825993320bdccd770 |
| SHA1 | 5c4637c66388d2657339fd684abdea77f1a1505b |
| SHA256 | 43877baf658766b336cbf88e8c079b98cf828dd9484de6d69d840e9957d58f1c |
| SHA512 | a32d3270d95238a8f5d60f0c16a8e484ce6644253e37a33d04e623a9c3d01d118b2f4dc84b601b52895a56f797daa5cb9a41045653ac6cfa43aa69e63d1c3e55 |
C:\Users\Admin\AppData\Local\Temp\Ykcg.exe
| MD5 | 4c0ab1f06939241c80682795f193bb22 |
| SHA1 | a2392aad6fb1b64816ecdd739a9b7c55174071a2 |
| SHA256 | c63913089d87a59e740a5c5e7a19eb2f1e5ee83efada96a5a80c40497d223315 |
| SHA512 | a34bb50c2e7560a614075fa6870fe5003a78bf3580a75782a5508d780dde3ae83e8d9185e5a646358c97383e710c5a2200e941658c954f625aaddc2fd364de62 |
memory/888-1175-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Qgky.exe
| MD5 | d9d1e44bddda5ab319ab3184c694f505 |
| SHA1 | a9b499856906a9591dd8948d2f903cc45f3533fa |
| SHA256 | 6901b0ac1479e4a42894c11534aca045d95f4785445bf3e29389995a6026edd7 |
| SHA512 | e95f5d5c2fc39eca21d2844d9ce37492a3b8bb7b81d4ab781649575466dbd667b2557199e87d71da098663762f7d781c2dfed6e95f3958f7d2a35e13b02a6592 |
C:\Users\Admin\AppData\Local\Temp\moYi.exe
| MD5 | 3dd1a51f9cb3a40b9bebc10d3ba0699f |
| SHA1 | a4f2f71f4e0cf228bc8bc79d9054810bdec6b9bb |
| SHA256 | 4f7e77b733051ea82bf789458ecd0003c74fa7aaa7cbe2c0c854d4dd19afbaed |
| SHA512 | 52a19788b991940c18687bf1e94ccc9430d4cb7648f33fefb0f4cdd3abd7d3a39f8ee7819417e5e14a11d65e5580fb5c046cbfab9a48a3d20ab0385a604cd475 |
C:\Users\Admin\AppData\Local\Temp\Ckwq.exe
| MD5 | c2a491235c2c8189e23cef7f4be2e9f8 |
| SHA1 | 340200b873e9d9cde06a84df1c8012ee21e60789 |
| SHA256 | 7205011bf0d7d18f2870dc8285b0c17b5e757b10794cf23d60c39382843b74a8 |
| SHA512 | 7fe00fa2fc8c8b15b8fbda275a7e287437b6eac1ca137ef5d02afd55afddda061d166338e1d6d1b597d6792c62eb3caa767d8efbc59557810accbd3a8cd7be21 |
C:\Users\Admin\AppData\Local\Temp\owEG.exe
| MD5 | cd9fc923aaabf9867457d13bb730d0d7 |
| SHA1 | d21c00fffddaac5ca8e776b869b13019d7474a2c |
| SHA256 | 775be9c0b3bc11492f69590ef92e8a5eecd86f249df33102c9bdc2df5ec71594 |
| SHA512 | e562a4ac8f9405105c13f5d7c38f2155314c7659603965302550eb7258b6d538105000e3e8bdcd493c3e2103dc51f451467f1072941e4b046df75d5bca623b36 |
memory/4988-1224-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2756-1225-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SogK.exe
| MD5 | da1a31fe616d8118fa51730c5c412700 |
| SHA1 | f74f54c8da196eccd25f1710e8f9c6cc53916573 |
| SHA256 | ee362dc8e331d336bcdaf34ec8278016f9fa92a9642798b01121715abb61dcc4 |
| SHA512 | 186eea26b95e3e5a3d8b0bba944279b02f97815cfc7c4e76aa11fc0b360faa3f05d44f9a7b3484500a912a849505d00a95ab6cad7b8c3b66442539ccec93e712 |
C:\Users\Admin\AppData\Local\Temp\sUoa.exe
| MD5 | 363a4bd323836bee9c460899112246f9 |
| SHA1 | 1a68edc47bb94595e1e7106151d87f5e71c41eb2 |
| SHA256 | 6147024258610f756dc8afea302578a87bdb9dc972d03240304b4b6d256378a4 |
| SHA512 | 3af91dbcef7692c6d62f771d4d979a348cf22f446c28c62ac011bc56307cc22680be46b51bf0719ffb20ae72559723960d49b9734a91185fff61fa15f8c9e1a1 |
C:\Users\Admin\AppData\Local\Temp\yQsW.exe
| MD5 | 21992c6d8ed721a518a438e70f876dfe |
| SHA1 | 7a3556b66ced4518fe56c1d9f8282be425848e21 |
| SHA256 | 9759b9a0ae2e44c617f45f1730771bd09681af66fbaa8f3051175475ce694b70 |
| SHA512 | 2af62c593aa82eb7709338655cf380d7d5d867a7e55f384c618cda05138b3af1bb129ef4fad8b2a2e5a7927c4f6ce1f32c183976eff9f26cc043a5dae48fb557 |
C:\Users\Admin\AppData\Local\Temp\CIsk.exe
| MD5 | 486f5cd4c1b12d6a1e46e748f4bebb9f |
| SHA1 | 4d0f0afb3b7998e44ee86775aa59a66275b42518 |
| SHA256 | 815c14f33dc6880efbbb80a43b41f42b756c8ce17b30d275d6cb89b9fbd11cd7 |
| SHA512 | a40e746d8932280e2e50f88cc8155cadc8a4cae758bcd75ebd5079cb682278f40bfb329e7ecf20675a399df62ba2214f9dc22f00cd1b5e53dc94021a4cab3bb2 |
memory/644-1277-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4988-1290-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MkoE.exe
| MD5 | 745eeca3476e228266da6bad89c06303 |
| SHA1 | 90399b2b3f65bd2086a3685f3eb03c4fe55af481 |
| SHA256 | ae32caced67a95128aefe83c8a3417bd4e6a8277fe466397157b20ce2bb67ce5 |
| SHA512 | 67ca4980517d46ccfd3a02d53e8bd344b02e0b3fd562ceabffc4a42fe39f8147d5d2fa1baee77f60b9e531a37b2a0357769d6c8e9984a36d8b7555e2046daefa |
C:\Users\Admin\AppData\Local\Temp\wwES.exe
| MD5 | abb3176d4b1825f49df85035b865268e |
| SHA1 | c465d34c165df2769605d221afb52ad7cf6ba593 |
| SHA256 | 2709d930427343f385bc65a9da0db559052a51dbbadac14aaca4e3616076ab21 |
| SHA512 | ba609ffebd66466c73235564a2c4352ececcd6f632b5f210a2bf7fcab3918ec2339c3d1ea73d3fcedbd2442137e1e72a83ca2107e306b7ea567a0a9970bdce6e |
C:\Users\Admin\AppData\Local\Temp\YsQK.exe
| MD5 | 1d5002f006b33d3534dbe76454928766 |
| SHA1 | 26de9277373ea042b3abd5f25ff316275929234b |
| SHA256 | 4929bd1ecae656bc7d2d83f6af7cd670f4b04b93bb2f6fdac6751c42034f4304 |
| SHA512 | 5b5bc6a83f220c8ac6464512c0c2afd94b37353dad6fe5e7a87c9eeb9a7f180b4b6304d5d83cdaed563638306ec1fdfeab6007c73728f0e733d173e9b227f02b |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe
| MD5 | 587e9422633937eb343bee73a60b997e |
| SHA1 | cb93b1960cfe942b742f5116e81c4520622139bf |
| SHA256 | d4bd5ecf611a070344ea3cb1cdd33578be252573ad87d64eb13a7a786c0aaf5b |
| SHA512 | 088a6b13c992a58df2348c8afc456e91f8755bfe6d0b7f3bdf251f48f831a11207393f0894cdccd01a0760e67b5e4b5ae5b1c8ae14f53d661b71d17462cce8bf |
C:\Users\Admin\AppData\Local\Temp\AoMg.exe
| MD5 | ec12daf2967c95d404b898fc76bc921c |
| SHA1 | bb170dd91e7fa3416c8b6bed6f9f14bc7eca1748 |
| SHA256 | 67fcc35d85f169d7056a7a23ea1e1728a1d5b9f3b11091b1cf213d91dc3d6f67 |
| SHA512 | ea5163682aac3a1ce59741d79d0b7b32b3f917a11e7d09b2164404c6cfd97ffd32f60557b7389648d47bd93eb46bde8ffb099c10718b266437fe5cfbf07280f7 |
memory/644-1382-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oMww.exe
| MD5 | 86c97e97ad42496d914c44bcd179a419 |
| SHA1 | 7392ee364b76e7dc7828a1d0ac49146df46582a7 |
| SHA256 | f3f7e12fc986ad79baf61aeda25a5f4f0ad0b3f372d47ae9e47a2d5c28ede3cd |
| SHA512 | fd708620db7bb30b795500576b97fa251629215adb910e27dea1ad5068522b0221c8f062ab32dbfc65434757e304beb0471ae4c5b84a9a1258dfbe0b408bd084 |
C:\Users\Admin\AppData\Local\Temp\mcQu.exe
| MD5 | 9db4d00aeb103a3453f24afa4d728125 |
| SHA1 | de2af8350a5eaf3d986f299fc57dcf09ec5fe6a9 |
| SHA256 | fa2e551703108e381afd16d3e719de98a474eb6d27ce4fe5adb0dd4e6c166c0d |
| SHA512 | 4d5cdf6829021d01cd632dc6e18902389045d00ce317d3ab91ceb8b79624016c2e5ab371e32987ea84f0662b368716d26ee593304f1a12f4f23e12bf01fe2911 |
C:\Users\Admin\AppData\Local\Temp\cwom.exe
| MD5 | 8579811f29b8282a167526ef36192591 |
| SHA1 | 326c7b7243979872514b7b3815fb87305174b0f8 |
| SHA256 | 97cf8dd76acf7db57026661f591ee3fb4cfa3924040708d5345d18edebcdc9dc |
| SHA512 | 29ab6cd3c50b32122f3dba7af52f0714f1f118b66cfd175dfe0590b8f30d3a1a02fa0fff1fdfc78dabdd0f3837e2537d7ca3ce7e2c9f6915c0c1ed6dd74b0cda |
C:\Users\Admin\AppData\Local\Temp\sccQ.exe
| MD5 | 8ba40f5a2c3b1de3c527565fbadf7e2c |
| SHA1 | 35476ec7f98f6c12ec1bc827ffa946a55cef22a7 |
| SHA256 | ddd848ecf009d6a3bc46d8554b4a5f103a68d12ff89b7d88d3e19756d66daaa8 |
| SHA512 | 63a25ed2f154acff39ea865e1e5c307d2dec70d2948ca37a7c764f42a7507fea3d4f2868029d5f93551b98c98aa4ae2ad594a468983f32fefd6986e32d901ea1 |
C:\Users\Admin\AppData\Local\Temp\QoQQ.exe
| MD5 | 29bdf205834fbf79811a69d75a0dc420 |
| SHA1 | e48d90e87efdd205abd5aef47d6d6a56a474b67d |
| SHA256 | 67ce297126412d05471f1ff0203648d0459bca0ee1da0b84a3c71e4fa41d1bd1 |
| SHA512 | 848c288421dc46651b7ae8a024685134010206016637071f3e62f5159db7d76e79b3834fe889c06ae2b1954cfc7cd458bc5eb07320d99962e7853d3bf684f249 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
| MD5 | bc42ea6d9914e0826b11a452142942f9 |
| SHA1 | ffd3f76ff995f6a51de1961e5fc464ebcb746f2a |
| SHA256 | 904ec5bf21018c52d8622a7c07e0d8537a4693c9184cfb9deec63666dd7ba652 |
| SHA512 | 721d39f5f8809571e514c22f3c70111148931b2b3258bcb9507fa74a4893478a32a8698a4ec67f005e392e5f77ea070e388b0097d731bb609e79eaa0fb3852da |
memory/1568-1459-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oEEi.exe
| MD5 | 4d80740ffc97404e3e0587b42e0d0436 |
| SHA1 | 420d563d7b2193cba5374ca686fec381fc626988 |
| SHA256 | 76b662c4110cfa63ed3b8fe789046f0d2a587291692db4f3691074b109ecda5e |
| SHA512 | 384a8b65ac3b9df818105774f6429f9ff56a8fbaa378b84bbece84a84dc7834adeef187a899a001c8014ac30fcc7b2c4fb12fafe2e214d0d113a35e2b45e1462 |
C:\Users\Admin\AppData\Local\Temp\mQMs.exe
| MD5 | e53d34752a3835640e0d027a9bb12b1f |
| SHA1 | f5419ade1f940fdddf1da691e7b51de3a5a8c39b |
| SHA256 | 025817a80ad64842fc13ad5df52174a75d8ba4b2941c1658ea9602cf4e3c157f |
| SHA512 | 6a638152f70a1f4d0c2356bb725b5cfc4207d886ef9e4ed77b42cfaa75a4a03a28dabd949b7dd2aebb865b7ff697819f0e507953e1f10ec926dc64bcbecad5d8 |
C:\Users\Admin\AppData\Local\Temp\iYgC.exe
| MD5 | 834871371126eeb0750dd4256a671122 |
| SHA1 | 447ff2caf04748276d363240632d79d2f7dd7939 |
| SHA256 | c916cdb4986623f6c3639762002ec084f1fe81a00ea082e7d35707ad17f72610 |
| SHA512 | 1a3779673e7273be53fc0d6e50c39bb2fd6d53a6e94736169ebe5575d8c1699f8fde77fefa46e29f806fcd01857c2eaa8462411150705f29ad5a22bb81bae548 |
C:\Users\Admin\AppData\Local\Temp\CocC.exe
| MD5 | 5bf61a07e7747bca9e6ecb4d9a91c4f4 |
| SHA1 | 33fd551a0476d8541e090015ccff57e583c74ec8 |
| SHA256 | a158775055413a931b4a14a1c8759d091c0f59789e954a60145d91cf95803f3d |
| SHA512 | 155187a65e404574355a6777d5835da43212d77fd384f9bc1f75fe5053d4477069d5a0d9315762997cb5196d73b2d4353c414c26912d4ebb84c5b7feca50dcd3 |
memory/2520-1523-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qIsE.exe
| MD5 | 1b41c4180b7f370f84bbf9748137c76c |
| SHA1 | 0b40ceeab7b6e33a460de4a18225af5762ff4b41 |
| SHA256 | d167c201179429e00c235416526a4c6bc061ceb64835967a1d8ced1da1fa3871 |
| SHA512 | 87bcdf73027d1dbf7bcdf6ddcb191453edf47ee311b749b7bf5e02a4a6cefdb36d633957d6e0ec482fea3cbf98652105a36d2c3a0f5b4e346a971dc0c37bcaa8 |
C:\Users\Admin\AppData\Local\Temp\cgEs.exe
| MD5 | 365e7dd0ea3569d264882c92268b03ec |
| SHA1 | 5792fd33b69847e851f01b0dcd3e0efec3f96b18 |
| SHA256 | c64ace960179923013f2ec782c59ecf9a0c197113c3f8dc7729f5bcba245126f |
| SHA512 | b6b46e9b8c18a257259f339aabac1a76af0ebdf13c08493f174271ca3e3fe6d907acce8c172bac8b2aeb3d911c5769c1803034ed47bf6ab53ad2424cef79e5e5 |
C:\Users\Admin\AppData\Local\Temp\UYEM.exe
| MD5 | 028fcd38adab4eae2fa958d5dddc188c |
| SHA1 | ada20bea52e84edc3ec4b800e85dbdbde236ef64 |
| SHA256 | 6ae030b481cbf2d1f4631e6b441365530c78d65d91f7a30bc5a85bec904f7ef5 |
| SHA512 | 3891b157ce153c8cd876429436c7b613e2e4044ee2b5e87b2f94292509c8cac500e631117c321c25bf127ebd489a92bad8505cb7262a2652d4496d083e4a4995 |
C:\Users\Admin\AppData\Local\Temp\gkgc.exe
| MD5 | eb80285a27f8d0827856b6018a81d6b6 |
| SHA1 | 9682093146ad3680f569566467389bd5b1b00c97 |
| SHA256 | 919dba24c076cd7e9f32f9ac82f7ba061f4495225419fee2baa5825969bf801d |
| SHA512 | 31e2b8f9be91b1e4e5a13fc7102e7ed4f51166459c13a537782fae1ac9a212ba305ed3ce447f66a2bd78bcb8f9c737d8c5dab03462c21d93a044e13a8a1d0a6d |
C:\Users\Admin\AppData\Local\Temp\wosw.exe
| MD5 | 94b7f96f5ee846b73afdee6203727886 |
| SHA1 | 009b3f684e86680f52f31f8dc032ebb7169df068 |
| SHA256 | 529269e62f7dc209d7e118b9d5e60a2eee69a9f9781a11dfb3f54eb2770df5cd |
| SHA512 | f4ed3cd4fabb3654542148a2fd74df85a7bdc6515c952d2685dec3b067f9c167db6cafd88b56758303540bf38cb0c7738debadf43df55b1ff93bc55c5b59df3c |
memory/5028-1601-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gwIG.exe
| MD5 | 090ea9dfe984e286070dd3a76a7d029e |
| SHA1 | c151b999a8885ca90a3015e2393e3d87004a202d |
| SHA256 | edaeaf588e875934036d33c122d5ea728c726f1647a10432e0841ba181d78f33 |
| SHA512 | 2422180182aa18ece09573d43dc2058da49c3a1cb2bcd6b6313daa3a9f09146dbddb458a9086bdbc1709b7ec6ae4e600502f77181e7d100b3fd2444286ff5d07 |
C:\Users\Admin\AppData\Local\Temp\wEkg.exe
| MD5 | 80980ecd836a30d99f3f1594d47fc3e5 |
| SHA1 | 8f401836066c9a9cb9569bf0532b04d6b634244f |
| SHA256 | 8ccd53db3ad89eec727e61c9cbcb6b8cd9389ab7e8e9a52a860a315487699f47 |
| SHA512 | 7885a4e8f162e26625f2bd553b34f1c311148f68862b94612debbbaff88ceab937e5efcddf38cb580e5ff4d582f47d7a6c48b3ed447afff7c6d57fe5a540f282 |
C:\Users\Admin\AppData\Local\Temp\EAwW.exe
| MD5 | f01b6f6a811c57fd8ab2bbed5228e373 |
| SHA1 | f32328f3dbe15bc8964de60ffbae5a57cc753893 |
| SHA256 | 4a684e056753f39eff7066cbd8548ac512ef9836433d98b2fb0e5d6b0ac7eb25 |
| SHA512 | 97aed9104a669dca0eb6c65e2c1e6758edccc01467cf8c066219ae478f90523aab4ef9c842c7987d30f95c97f2cba2a597cb9e18188c532a0e843fd8d659b52f |
C:\Users\Admin\AppData\Local\Temp\gIIk.exe
| MD5 | 0211ae46973d577f2728c9b6c97bb450 |
| SHA1 | f3c904b16f7eeae54490d1b2f2efaf6c013405a0 |
| SHA256 | 7159f3f8ee6fa56309406aaefcbc56e2f7e6c11e8a66b825f3de3f3fc57e3bdc |
| SHA512 | 1a0fba899f27f8b5888dc1e4ca0ecc79630e75f4aa7e763288add6a3beeab044fb697130d59175e89efa32e03ef32068b6ff86327f9ba152cc6ee18fa2d762a6 |
memory/3956-1665-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aQos.exe
| MD5 | 416e6334885dfee05f8202d0ad629283 |
| SHA1 | 654c983ea0b832952d39ce514147ddd13cc5b0ae |
| SHA256 | 10726c75b3dc028d77903bf90da7dcca4fae69456700da313d587d31d40fe357 |
| SHA512 | 8b94ae2a45687a93b69ff614740b61441d4844f25b2f6a60c6a8519ca893faf0e4d5d6b62488cf54ec4ebc6aac12678673e0bf0b8ae3e41195983aa5b096a2be |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | abce14c04e1c3113e042b19f799ff267 |
| SHA1 | 89bbeb2504efcb09f1872152833dd30426f9ff52 |
| SHA256 | f57fd5afa6b7c009fbc396b2d7c3fbd22695c0e68aa09ebb85ab340962cbc39d |
| SHA512 | 9075ca467f6fb93bb7376c0ed2dc99610fc4bddd6e470395cad1652b950700a6a7348ba5e1f6eeb821448bacd57c416b7f1c2524df636404a6694da85e171bf6 |
memory/4164-1701-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwsG.exe
| MD5 | 8d5444ac7215932657999280ce29dff1 |
| SHA1 | 388441f832d9fb48ac2e75e614a9b5dba64feca9 |
| SHA256 | 3aed4e3f4cac85ea1c132e6e08167c936ce02998752ca07b9644adb80f264683 |
| SHA512 | d600b9b771cbd603f7b616d8eaa24ff344c04917e21c180f41478d4acf08bf1e416d73251f0871a77ac897376db22ebc54c58568cf4b5d3f8f9ec9ac99256c80 |
C:\Users\Admin\AppData\Local\Temp\cgIK.exe
| MD5 | f191f3682689c85378447c96c14af122 |
| SHA1 | fc03339faaecd777391182159edcd3bc66f9b077 |
| SHA256 | 3ff89d4f8fea15077d324851d0dcd5647280ae7a81a6437406fa6637fae9a2d2 |
| SHA512 | 26efac31fd513f520360d661c7a55a9c14a95e2a6a3da0f9af4d11a29c3ba3cd161d6757649a7da17dbc2b87b9d378925a5140e9b5c490faa4a55b40763cf7be |
C:\Users\Admin\AppData\Local\Temp\IwsC.exe
| MD5 | 1dca32412223c64968733f1fa6c20683 |
| SHA1 | 95c3887bda21a883fc6add935ee3343c887e67e0 |
| SHA256 | 7221666ad95975fc3867aab7040fdb9c89b973ae7795fb586573f76bfa680ed0 |
| SHA512 | 51ab45e300bc3840cce52fcc3579a7dda5d9201dc9a8571509c3bf5707c5168cb0a122c9b77770ca80365ef99b564751a333b8c346c746ef747c89f3b54522b4 |
memory/1236-1756-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qYEA.exe
| MD5 | 9eeb76d71b5954143f17478274d4a5eb |
| SHA1 | 5daa97f24c82734bf56ba40f583977393f3406b5 |
| SHA256 | 0a7a995d980168f90305b65134141d18ae9ca80da6dd954554d2fe6e944b6402 |
| SHA512 | c0c8edded22b9f334205271d11b672ca3a951ec88a87c61a07797020936cf65383a419623c08209b7e14afa41522d0142556fdeeb355edfdd3ec2554cbf302b6 |
C:\Users\Admin\AppData\Local\Temp\EQQA.exe
| MD5 | d190ffecb84d5200b842d9aeb1f56b92 |
| SHA1 | cba329cbfecea5ac50b3853880a04fd7db636bfa |
| SHA256 | 964c57b56a552337ceb97f393f70f76efd5130d70022925665629a6111eef09d |
| SHA512 | 0b42c222395693b608a1987095cd6a431f62f9b9e9900d452b627afe62ecb17ec10cafece2994e789b74e82b49cfb8e9b64760ab8bdea47d8c2313b7117f1a35 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
| MD5 | 1d7349fd0f3f0fe1d43bf9c14dccc6ce |
| SHA1 | 86eb484a93be30451b4aa84ccedb4ea36ee457a0 |
| SHA256 | 1456bd9384780e7a6147446662294b55b889713d3d54bb0965653a6660790c6e |
| SHA512 | 5a1998132b22053e14ce4973720fe32169819ee6fd6d551c2130befda532aaa73293c284c4282093e3b0aea9ff9ed4259073975b05175f48004e9107af1bb1bc |
C:\Users\Admin\AppData\Local\Temp\OIks.exe
| MD5 | 4094a58f94832525ccc3ea269d63023e |
| SHA1 | 3bcfd53831f91819131708028dddb88fe729cb10 |
| SHA256 | 5e0498e2cc81618fb8f857dbc90e636da94d1a2c97304ab6be14bd0cc57a6b71 |
| SHA512 | 8864d75c325365ff2fe7600e294a93e7216993057d48b14126ba998c13b3561b2df8d6fd9005af3a38116386a183a58a780407ecd3522d8679ae70d694497e53 |
C:\Users\Admin\AppData\Local\Temp\iEoS.exe
| MD5 | 5ad6719f8f82f79cb1f1a9877a472fc1 |
| SHA1 | 3c679bf029b1c11769f9be7dda5bd7b50dfa111d |
| SHA256 | e33f6a93d688c48952789b9f3665f11231084fa4edf1425607b5df5004826c4b |
| SHA512 | 1e2f82caad70a78cb38a3354d1a4771cf24735de1db2900437668472c88f56d865a57121d836e4e7af1fa159ef9c95baacb6040f4fbe0923e357cfb186dc3535 |
memory/1408-1829-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CcMC.exe
| MD5 | 002042a8d107091f04efb0c27209c61a |
| SHA1 | b48c7e2836c9af89c7e7e81ae4cab648ac68bed8 |
| SHA256 | e8b1eebf2f5c021a1193a3c3a9e8f9776962232db854b9c0dde2d5155c5e3f96 |
| SHA512 | 72a24b91a8e893e94be1c20b9de028a0f7ea45a5fd089203c1c1bf7eabfc3737eae53cd7993f2635e47a6ae4e67ea19c6a24f5054c9e119f709b4a740a60ac8a |
C:\Users\Admin\AppData\Roaming\EditHide.mpg.exe
| MD5 | e2d24d652fc72b6da374083c8bcb07b9 |
| SHA1 | 40cc2a52d1d803992789b7d51b015a8649a15cfd |
| SHA256 | cf9ad883789e34da46308d095a2422278844cab6414ec0fab2cb70bce26a5388 |
| SHA512 | 76916a7eb4ab44801791e24a3ac893c44996377e74d31d9a21eb74157c175e4d91c928587ea1487f1bb17498dbe7da30a559df55d5b30136caeaf2b24b946342 |
memory/3376-1866-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1376-1862-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qwsc.exe
| MD5 | 3a13a81f3361aed84446566575cea242 |
| SHA1 | 842a4054d6e4cee3d097872a8c7e77cb92d8547c |
| SHA256 | e98d086d2ec18aa241337ba89290a236c912dac37776b9df3d823da0487d2357 |
| SHA512 | c1d26d6c9a5742338c43df32f035f341d7134a06f91828212da4ecdb7e092626d525886dccebaab5310892d5e3ae63f15dd3b6e7aaf9f8751be613397a42aceb |
C:\Users\Admin\AppData\Local\Temp\wcUi.exe
| MD5 | 67583457b826d8bf7908d73e6de8b0fa |
| SHA1 | 412c32fe0130171a1f9d8af959faa1fe4821456c |
| SHA256 | e48655f4e1948a44720c9ef27b4ba277fef2176fc61fee28b58ddfb39c37f4e9 |
| SHA512 | 3af3435e4d694b10bbf65b8214c5f2cf6f964850d693aeaa9c34aa79382d44fb680946e4846c25aa8c12ba0908f836277c2ef966a839db87f67c9a76d4afcb0b |
C:\Users\Admin\AppData\Local\Temp\mUUI.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
memory/1376-1902-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1860-1918-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EUcY.exe
| MD5 | 2c6908efa8f41e0b5186afbc584597a1 |
| SHA1 | 5dd4c62c847c5ac0c1732d254fe092c92407b37b |
| SHA256 | e36ea249a0fa1a918c0f738aaab7997478f720c71d596c39e7f68a6929f537bd |
| SHA512 | 3c4b2ae2924f593efb513518f34fe7d5fefe80ccb7273d34f8453bb25a6b4bd317bdd0cf488cb5f71cda5e080eaf4a1a1a4793fb710cadbb7802b0cd1616e436 |
C:\Users\Admin\AppData\Local\Temp\CcUu.exe
| MD5 | f6ae53507dc6141603e651deb24dd4ff |
| SHA1 | b538798257c79650fc28f70bc17bde437b5bceb6 |
| SHA256 | 0c5d484b4e36907655c565bef6bd122a590169967cac5b7de06a0f7ca3ab8495 |
| SHA512 | 5b5cb513b1a415ca21f4ffc1f7867d2142b4052ced0796b1087ddde8bf39426e2bf3ab2eec555bf95fc1e78be1fa3bb617aea7aea3ef53dbd2ea46d846f840ac |
C:\Users\Admin\AppData\Local\Temp\cIYY.exe
| MD5 | 013a5383af407dcacb356b279d76ebe8 |
| SHA1 | cee735aa82f066c605ae6b6e70173f05f03bd29c |
| SHA256 | cd0ed61ab8e9f34bac33442577124378f1057ef5a31edc8c74fb3cb0be40324f |
| SHA512 | bde4613db245ea60d4c000eee43c5a149382475e9404dc56a22157847f1b2e360ac116d59814be3c833b203dbadd4edee288948f4c6c40c5dd76181681426db1 |
C:\Users\Admin\AppData\Local\Temp\yUMq.exe
| MD5 | a67be8326d71d77e0b80a3ee4289e22b |
| SHA1 | d0e6f45f49f96527b836eb17a030ff3d2aa74502 |
| SHA256 | 11a5e53664f09c98c8b20fcd830a6084fb86137904f558c294f6ce27b7599883 |
| SHA512 | 2f4bec455a1045faa2e28ad0eff64114ba8345da8e184b82960582458a48e918baf5a42cc0901dfa679debc25173fba59f27e44a7286a191ec3d83aeea1700b3 |
memory/1860-1968-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4652-1967-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ycsO.exe
| MD5 | 11d85b8389660f72d3ac965b713fab3d |
| SHA1 | d4af3461b7895258472af03f2ff8c059cc48eefd |
| SHA256 | 2d19bbfc9f56fa73f72ded496dc13d1ff45bf94cbc21377637618ee7e9530a56 |
| SHA512 | a9262a090439574a924d105ca42f0893b33d3a93f596c1ff2d8645ab50f281312982eb6459226b62801c8c4b672759fc66df0a35410cb4e29953a2ebaf939144 |
C:\Users\Admin\AppData\Local\Temp\ckYy.exe
| MD5 | 3771f1a7a73034ebafe2b369c26c0034 |
| SHA1 | 414edb92b939440aba4ca4d4a662ec01ace1f3d5 |
| SHA256 | 54ae1ce20ae707046bd77c7735937667c7d35f2d49fc4065d2d872359546a654 |
| SHA512 | f3f1d1a91fdd6377af0532fe8d3b63b89747b5ca278bab331f310a52101601287f69bd354090dae895d84a75b0df0aadbccaf2af90f504bcff6b8df6001385ec |
C:\Users\Admin\AppData\Local\Temp\YMks.exe
| MD5 | 35efc104130e785770dfe885cb24dedd |
| SHA1 | 7357c17be2c9f52066e202cedc0c4b97a37d86d0 |
| SHA256 | 606b574cebe5f031958acea5e63fc1c41136b17567591bc23deef6a4d0f129aa |
| SHA512 | 9b10076567107116df381224bf5c78800f523a984877f1831b9d462d00daa25e30c083fea6c1c2a959d270638b16ebbca3ac8ab955966903e83ee0298ab019dd |
C:\Users\Admin\AppData\Local\Temp\woUQ.exe
| MD5 | 14ac46ace16eddb53f665892b273120b |
| SHA1 | 890b51308ac22a63354bc62d80cadd8dfae7caeb |
| SHA256 | 0eb3953cafd3df5c9f113c824d15e1ff787596f4bf46d842fb0067ef1dbf47a8 |
| SHA512 | e72e6aeea31015b0cd5f70a22f52e71b90aba37824c8419cea87d95744f448dce7760609f7eea97955ef69f8ab27eb933e008a11b5aa39cee793e05d4b7dd981 |
C:\Users\Admin\AppData\Local\Temp\ycAq.exe
| MD5 | 0d42b09f70c7acfc6709faf3724f197e |
| SHA1 | ddb4e077f1d7e590a1852908e19874d36b0ebdfb |
| SHA256 | a6085565fe0a2d3c8c4f569d03ebe658b7d458644a23f34d885fb8009fff791b |
| SHA512 | 3629e29c1952615c9772f6f88a65960e8eb4debb5057011a6ecfda7dac28ffeacca44ca92cc95b0a4456b89bb46c73b903988fee917f965eab53f6faa1608197 |
C:\Users\Admin\AppData\Local\Temp\WMIc.exe
| MD5 | 9ef1c6bf317235cad6e55f2ed4acd5f7 |
| SHA1 | 68de1a17118dd568920f5018428cd917ccad0af3 |
| SHA256 | bd6aeff29176c7ef8058ba94ffb507b362500790cbfaba48446829e39ebcf447 |
| SHA512 | 4ea5e859db0aec101b07025e2de711597978ebada44f37b0dec74bbd37c8ea21fa586986aeca719386798f6791d77ac7175dff4e104f0a041acfa3905d500cc6 |
C:\Users\Admin\AppData\Local\Temp\aYkU.exe
| MD5 | 4e8d9e6964c05e24774aefca3a3176f0 |
| SHA1 | 94829561a1d6141d0b40bc3f23c4de4a67ba7a9a |
| SHA256 | 207f24be707f32846f0b59e874c3e63b223671c37c170f2d496bb590140f0f1d |
| SHA512 | 58b9d3a177d90a91e4d031c42572912def8581eb1dfa1dc336dce2c764af72ef08fb55f5ce909da761932490e2c423362e9128ce55c6cc899e10ecbaab5df806 |
C:\Users\Admin\AppData\Local\Temp\IgUM.exe
| MD5 | bad64d6026c4b678e391cf34912a324c |
| SHA1 | 573a957d055098676eb8e090ca85f745e82f3679 |
| SHA256 | 738eae3d54fde64d75d6f83e8dc0ae6fd4eb6a2ddc8fd593928b3255af470848 |
| SHA512 | 7fcb9c9a37d6bd85799a95348d35373376219d96ee313ebabdd74526ca5d3368b96070ae61c34a60869aa878e207938d4ca41913150c7281d02115f3b76c9d1c |
C:\Users\Admin\AppData\Local\Temp\sgkI.exe
| MD5 | 79bbb44bef830a264425b4579d4bedd6 |
| SHA1 | 19cd31bcccf6de4ec9d2cc373159684d75ef8cfb |
| SHA256 | d0281b696a24c220d26dfbde2473c198396475454522381f36cac7938c5410b8 |
| SHA512 | 924831e62d842e90cdf0490b246ca1504afe4d1fe6ad059302bddb6e7fd7fd9997dac748409df93a37427c7cec976fb011a8d31639d0b95428653899e2bc4422 |
C:\Users\Admin\AppData\Local\Temp\KsUS.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\KkIQ.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\qAAa.exe
| MD5 | 75659bfc7b0bd74ac6dd0781d87c7db3 |
| SHA1 | 563d70450ea174745b999e92f0483a50be08db29 |
| SHA256 | 44bb10f6693ddea83469bb9c411ec4ce96290e731311acc4336c965bc8688290 |
| SHA512 | 0b08f7f0db498ff38f05a69dcb82c9c6a98ee10a7f7e9dc53c16ebaaeb541bdf8fde35d4c30e7200ed75dc18241f7e43fdc404d44be47073fb0669c3da9dbdb7 |
C:\Users\Admin\AppData\Local\Temp\QIEy.exe
| MD5 | d3c389afccdc226ccf378770f19b1b8f |
| SHA1 | 1382c4b2ce9de8501eeea76a9191c232bf4c6d7d |
| SHA256 | 01092c718c6435f5607c3dc85c7132b7f5ae1385301f3359d489df35fc9d38cc |
| SHA512 | b2d6387bd8d877af7762727bd2f3c18379c9243177e70e19c45efc986d4144fd27f6916b569d0ed76cbb5820af3bcc386bc5821a8ed5bf9ce25b2f9bb5897545 |
C:\Users\Admin\AppData\Local\Temp\CEMM.exe
| MD5 | fa7bf160f0f68aa17db8b6b0221ae0e5 |
| SHA1 | c45906f387782baf8f25acef83cbe058b7c2d676 |
| SHA256 | e864be2de585a7c2bf23496d7bc4d96552e1dd8edb24682696010e1d1ba28aa4 |
| SHA512 | 520e3c04340d8b8f7d044d105e179eb03b420f490b49fcbc3544a28f3d36992ea86c49c5308fc5a928399c2d0e6fea54a11b7befbcbc95486cc3d1a70f0e0813 |
C:\Users\Admin\Pictures\UseSave.png.exe
| MD5 | b432533be40781a88aac00607233078f |
| SHA1 | e4ea3aff641857a91534a24fb040936b91af10f8 |
| SHA256 | aceab3b09c3b0704cc0d491c2acdb6b2a2c5970717c45b965ded9397828c62b2 |
| SHA512 | 1dc1389df98ad0940ee269627360c3aa91e2bfe3707ad767f561cdf4ed436135ea2d0f923be4935c532a2043b66acf7c8ebae5604c2a5f6767d134cd40192e8b |
C:\Users\Admin\AppData\Local\Temp\MUcu.exe
| MD5 | c64d1f1d29452f37f2a22a694c9f87ec |
| SHA1 | 8cc73a9ba9c4d7bffc1e63c73dffb414035003f6 |
| SHA256 | bfd2d49afa1204e4b9276dda4099f62243303f1e65f1f624a00b478f985ee2af |
| SHA512 | b896b4b75e6997cacbe0274e32313afe3aafc7b14f6e243ec62225d4a4e6da8f5dccc7821415c9d009080a186b241281c7cac15478bc4aabbe6c54dc0989fa6b |
C:\Users\Admin\AppData\Local\Temp\EocG.exe
| MD5 | 28c5f1c136b63c5a294661efc4900538 |
| SHA1 | aa68d305b36450f565dcbab59b5979ab5960763b |
| SHA256 | daba5227370c6e099112cee59e0221f23a39436564feb43348c6894a3c162ce6 |
| SHA512 | d4ce0c4c27a37d713165e56a7240419d0920bc90f8534ed90325e37f1959d7821743e696f00225f0ff6b214143565f90d136aa30d531cef22b2c97126eacf725 |
C:\Users\Admin\AppData\Local\Temp\wsUi.exe
| MD5 | 7fb2937f8cd3ba3d44126618bd7c1680 |
| SHA1 | 6920a1d12b834209a01bc75104b29864b80e122a |
| SHA256 | 4cc4994f1d78842bfbed8e23ffbe83bb0d4ced21f5620ddf925adc165d2325e7 |
| SHA512 | cf86fb70c4c962c9b059187dbbecb3d027fb9369d7524b562b8f0fd61b5699dad2b9fccd72249ca002dab0c96ff277f449d30989a2e66f5c747337168360c49d |
C:\Users\Admin\AppData\Local\Temp\OAge.exe
| MD5 | 6f2cf5bd0b758d8cd7e072d1229f1854 |
| SHA1 | 964c721198fc23a3f9b25e84d19035498ca7250a |
| SHA256 | 097abc9d6fa095b281628fe602dadbfe6a764f03d1b42a6bd7e5445499cf5bbb |
| SHA512 | 6ed05b906d490c4f2e168f629d22549d695f05b963061974118e3e905691f8f5a7abca410b49d1e5eae3d0404f1d390a09043b4e938f1accf3b7c2aba3cade0c |
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
| MD5 | 28a324f8965b2cfea87dc52718465c03 |
| SHA1 | 8237326d5c9861dbf361a87fad7c5e5f306cdb6e |
| SHA256 | 26432fd3412c5a26fdfed4ed5d963f587b2d5dbba112f8cac6f01f01164ddb81 |
| SHA512 | f7d33a00298b90b638758c34ba3c92c1f84d0268e11bff68065336dae6da8f486e2456c64382dd8213875fa9b71f467681657dc0657599f3d82bd0525ee0bb4f |
C:\Users\Admin\AppData\Local\Temp\KEAu.exe
| MD5 | cebfab08c0f3e113e63f79e92b2f1880 |
| SHA1 | db592a7b651a8cba6749602b24974090523f6a4e |
| SHA256 | aa1f59d2f5452278ae51b7e499705e2e42e465a7624686559bc982c8220761a0 |
| SHA512 | 0bb09f827c166c8b2a765e5352e6c6befb6f11f528f0c38a5c6856ade6b07d8f20c409098e83592d6d5fd3b00c725ecf1ca7edbca5da9c9b18fb9ff3a4c3bc22 |