Analysis Overview
SHA256
d877d424e6836255f8c4ad38414f94e74de49d270f0c6d6dd49b4f0e3a0aff0d
Threat Level: Known bad
The file 2024-10-19_42de2729a8457deb93859902fccecf16_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (84) files with added filename extension
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Analysis: static1
Detonation Overview
Reported
2024-10-19 22:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-19 22:44
Reported
2024-10-19 22:47
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
105s
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target | Count |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A | 64 |
UAC bypass
| Description | Indicator | Process | Target | Count |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A | 64 |
Renames multiple (84) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\ProgramData\BYoMIwEY\AgEAwMsc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\sCkgIgQc\waQQEQIo.exe | N/A |
| N/A | N/A | C:\ProgramData\BYoMIwEY\AgEAwMsc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waQQEQIo.exe = "C:\\Users\\Admin\\sCkgIgQc\\waQQEQIo.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AgEAwMsc.exe = "C:\\ProgramData\\BYoMIwEY\\AgEAwMsc.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AgEAwMsc.exe = "C:\\ProgramData\\BYoMIwEY\\AgEAwMsc.exe" | C:\ProgramData\BYoMIwEY\AgEAwMsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waQQEQIo.exe = "C:\\Users\\Admin\\sCkgIgQc\\waQQEQIo.exe" | C:\Users\Admin\sCkgIgQc\waQQEQIo.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target | Count |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 29 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 20 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A | 10 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A | 5 |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\BYoMIwEY\AgEAwMsc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"
C:\Users\Admin\sCkgIgQc\waQQEQIo.exe
"C:\Users\Admin\sCkgIgQc\waQQEQIo.exe"
C:\ProgramData\BYoMIwEY\AgEAwMsc.exe
"C:\ProgramData\BYoMIwEY\AgEAwMsc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMEYEcos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYIcsAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwgkEEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMgsoAMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuoIUoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCUEQMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqgoogEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QgkEgYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkwYkgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XScwsIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWwcQcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkIUQYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOQMkQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMUUUAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYgAUUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeYQAYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEscEIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQYgEMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKUkIkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqQAQwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWYwAUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KigEUwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIUQQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIUEUkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwkwQwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkQQMssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoMMUEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOUcMAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkAkIYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWQYQwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZswEcwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owgIkEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKYsMIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoscUUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOYYkMwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\logIIEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWEgUIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQQAwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEQIoUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGgQMQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOMcMkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEsoAYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUMkMAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsgIkMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEQscwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEkEsIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCQsgIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUcQAIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqAIkQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaQokYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuEYEAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeUMccYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEYEYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmAwcUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KawswQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAUAcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgIgQYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faQEAwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMUkssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeYwEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcAIQUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSgwwYww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGcIkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCwcsEUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv xqwxrUy0ykmwqD/z4I4eQw.0.2
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| GB | 172.217.169.46:80 | google.com | tcp |
| GB | 172.217.169.46:80 | google.com | tcp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/1176-0-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/5060-7-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\sCkgIgQc\waQQEQIo.exe
| MD5 | 2227b1dad1acc43bef49a1e43d16c9ed |
| SHA1 | f86fb927058c34cd513e03c361d68511c124e642 |
| SHA256 | a5fb85d8b5676553f310af309274339ae5e4aeeac06f623e2efd125f94a5d40b |
| SHA512 | 39e6ffaebe03ddf637e43e6daf1b8cf2f2931eb5f86e7d8835d8dbd3ef3707538ca724dfe2fd8c9022307db009fe3daf3c51ff1d399ac7570ef46ad0b6ab399a |
C:\ProgramData\BYoMIwEY\AgEAwMsc.exe
| MD5 | 6c32ba3674ae8d797ff24d1cd76cd9b5 |
| SHA1 | e8ad7b79a42c11f3a82c89950006fcfe075e3bd5 |
| SHA256 | 0bf672110e741ac05b4f2553f88e2656bc11abd21909a3eaba16c43021a82a04 |
| SHA512 | c0a663ff55b09adb6c7a38d9584d4c2f02f32686eb34ede430492d62facb3e0e38c135dd415fd98a4ceb9f4ea8266eb3687a4f6ba817b13006e086a5be87a35d |
memory/4972-15-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1176-19-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eMEYEcos.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
| MD5 | 8969288f4245120e7c3870287cce0ff3 |
| SHA1 | 1b4605b0e20ceccf91aa278d10e81fad64e24e27 |
| SHA256 | ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73 |
| SHA512 | 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a |
memory/2196-27-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2264-31-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2196-41-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3264-43-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3264-54-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/5016-65-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2476-76-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3620-87-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2888-88-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2888-99-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2392-110-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2420-111-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2420-122-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4048-133-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4000-144-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/948-155-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4532-156-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4532-167-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2296-178-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4700-189-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3888-190-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3888-201-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2116-202-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2116-213-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2968-224-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2280-225-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2280-236-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4484-247-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/376-248-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/376-256-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4048-264-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3904-265-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3904-273-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2616-281-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3172-282-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3172-290-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2948-298-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1160-306-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3452-314-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4100-315-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4100-323-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4948-324-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4948-332-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2948-340-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3048-345-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4168-349-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3048-357-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4656-365-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2036-373-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2908-381-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3400-389-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4324-397-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2920-398-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2920-406-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3168-414-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/368-422-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3116-427-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/5000-431-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3116-439-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1936-447-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/312-455-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/5000-463-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4156-471-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3404-479-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3152-481-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OwQa.exe
| MD5 | a86a0609dd77d3814790c0dfd3594847 |
| SHA1 | a4c5223f586824e1dc641729af1f95a07c0022e0 |
| SHA256 | 18557bcf960f66910a639923b666c6332302bdd41e30ad174e7126a035f4a67f |
| SHA512 | 9346c30564f6f9f885bf12ab1fb3b88b56e9f066fb147b952bec464aa65b7a6ef9de3ed75a7ca6b93faf3b5c581828d0d6c8867c781ef8b191a240740a35c350 |
memory/3152-503-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YUkU.exe
| MD5 | 7d6f05626fb9715ecc6e763dbd597d67 |
| SHA1 | cda0718bbb26f9e4db97f3e9d0eb912a93796bd7 |
| SHA256 | df7878ba9beac7e83498b56e6b734ff5892b2a47db227b35c8a48860e5bc8d8e |
| SHA512 | f1be7dcdb6aec7f8500361a298ebf8f64dd210521260f34e246bec17962297f1ffb2d1ba93657955f71145cb55dedf7d47e0951c45960c0577aa19f1a28c8288 |
C:\Users\Admin\AppData\Local\Temp\aYgm.exe
| MD5 | 2f15bd6246c6bff2fc282132d43288e6 |
| SHA1 | c599983cea472484ba4e91edf7eb769e4629f320 |
| SHA256 | aae20ccc9b9232a04d9d38f55f71a913fb237bdb5d499c3b73007be8678cd244 |
| SHA512 | dad389524047bb31a162b123be1cbb5466da515667406b546890d3317730054c9f8f88861c5e147c734c29b11b8050ea6f90287caa10ca671a2ccfd2816c8fd4 |
C:\Users\Admin\AppData\Local\Temp\QwUW.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\mQca.exe
| MD5 | 8818c2a7c3faec7e5c34e9d69c4f220c |
| SHA1 | fc8771917239ba74adfac8ab0f537e4c3e060f25 |
| SHA256 | 7b2999a39c06410992a1d7ecfe337ee932d54787289b2600db9369d6d3299e81 |
| SHA512 | 1ed33db3be168bffabac24dc0993c98906238bce5e3e6a14684970801f42ebcbd75cb371997b994040e70b5a221e3ed2eeb59b3fd9022b0a5077804655109bd6 |
C:\Users\Admin\AppData\Local\Temp\wUwS.exe
| MD5 | 3e75425bd68d05744aca49faeee60c7e |
| SHA1 | b20975871856256216b067374ea1cb6304661299 |
| SHA256 | d087fb1ef3b3655a7509e7dfef48a3fe48c722409bb63e92ae604f7594621739 |
| SHA512 | aa3f2b020d34146aa07ecc9f5c8e494d6fe688d0353bff04d5e03038c5c69e18db49b787313bd17c5580294ed8e90d44e2d5ad513b29a0f9c073fb3066a50e05 |
memory/4244-567-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/440-568-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CIME.exe
| MD5 | 8384107e0bf27db07489f31737a9914e |
| SHA1 | 1c36db98ea4269fb755526e72b66c846b9df7f5f |
| SHA256 | 361157c9b8b7b2db5cec3a46e19f7958a2996fecc1663ed1803a6cac53a3b603 |
| SHA512 | e8a776ac2039d56280133b25ffc1a1a78ae5d0a47aad404d480102ccbeec0d19419ac40ea01aec89009374b0cc3e930bffb8a28037ad29ef71ec3a7975ee659d |
C:\Users\Admin\AppData\Local\Temp\mUIG.exe
| MD5 | 408e3486e386a2c490fbc0b53e94a7d1 |
| SHA1 | 8a0d8dd8fbb3a44beae34e4d967c27b03db0579c |
| SHA256 | d4a5576d00a207c4fbb0ef702419759d00242d45f87e8d16aaefbdea068a8677 |
| SHA512 | 30a66174c69ed939f2793082ebcc0a8ab6e15225c91e6643ed51bcc910bb89c757497fd6d40acb9f5f9cfe48cf9272d55d8d71591420bef51a2333dd53339f0c |
C:\Users\Admin\AppData\Local\Temp\Swoy.exe
| MD5 | 07cb8f7cfbee71fb6960cc58899021a6 |
| SHA1 | 4bc65537a3351c3ca27962ef349a0024bfb3b8eb |
| SHA256 | e55a382b7da239a3c82d7f7c3fcd52c576acf5eff9e1b64c672f6dd25ccd01ea |
| SHA512 | a59f57e2c4ee476ab02335293bd29537e9bdc978308fe20ce2cd1ea26635b4430615e6f7fd7863a34b05f3dc0104a9fafdfeb1cdd34c24ffc1d3bf44cabdfa5c |
C:\Users\Admin\AppData\Local\Temp\iQAS.exe
| MD5 | 6e6cb830865d2b04a6d41f3b9e3d6486 |
| SHA1 | 1987229fad000a84909a951cec5dc6479c75493a |
| SHA256 | da10311cb9a48406cd9890060811dfe6a755d2c17b7b430449ca7e5e3a4affe0 |
| SHA512 | 8b9f672f4ef907f0140c9c390cff497492b14f1a5e499996b5399a1c228cba4fef51eb33020bc459ea8cccc5df5360170cbcc54a9bc72f6d118823636166b260 |
memory/4244-631-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iYsy.exe
| MD5 | e98ad13494843f687475b22f744a7005 |
| SHA1 | 10d0e82078e8d9f7d3d25e2323eaac68ea599fb8 |
| SHA256 | 521f654dfbb9469cab6995abf0226377a2981c2767a1494ed24e89d93d3a7179 |
| SHA512 | 9d433829be923e6dbd59fb51539bb55930ceb126663952c6e275d4fee7149bbf029710d098133f3e5f9d1253b197d263f8690731510a86425e06fa4b599cc980 |
C:\Users\Admin\AppData\Local\Temp\gckQ.exe
| MD5 | ee5f3a8a7cfe2c3d0ab0555b3b1625e3 |
| SHA1 | 107ad27cb0de0f40bd9cd1aa148ec07f91e8a20d |
| SHA256 | a6194953a703f4f915067722ade4e9c2ca1fe5934b70e69017add8a793eebda8 |
| SHA512 | cff060e8b747a263584127e6f0a7cae5ab2d10871cb61445425d581672554938f4de966dd32bcdb55c69f37a20a2dc3554f542d4cced49ff6189891fb67ebebe |
C:\Users\Admin\AppData\Local\Temp\EIgo.exe
| MD5 | b94522454fc4bcc66abb5283d6c8a9bc |
| SHA1 | 68f3cce8a92087e6b689a0f71379dfca1a724373 |
| SHA256 | 9a1a3689cc9bd148c2ea99ace37cb50418f623a0ceb93c4e1be3652cb93f9c3d |
| SHA512 | 8490e168228922ebaf1035c10aaddcb536dc20278b8698954670b393e4c26462635a85c7cb173e498ee75c7e7b3bc461b1f858b3f912eeb2264ced84006eda81 |
C:\Users\Admin\AppData\Local\Temp\cIUG.exe
| MD5 | 14c69dca47bca3dad0a668e541684313 |
| SHA1 | c61817cd6fb6884ecd87fda140038c820ffc2aef |
| SHA256 | 247f7239b869fcb383a3f4b54ef6e4c39aa4b36c8fbba7da8a4f82c3b1aee698 |
| SHA512 | e46133b920f0888e6d0dc34c0b3c9fe6ad24cff19ca798c67a750a87ec78775df186552fa02c409b3d2646ed14d9748a404e045a3dbd9e4ed5d0ee1fc881eb3d |
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
| MD5 | 24f511749d692d38178f2217f6ace9bc |
| SHA1 | 4e5cef3f63efeb2799a2714aa25f12cc1ed9ab0e |
| SHA256 | bb9d577c3ba236c9af16dfe02bb66982360709dcbc419c05c7f3384514344ee8 |
| SHA512 | 08f7034f2266d25d90c13537afa9d1e0e314a990c096f159fd724fb7827f0fc8a2a996c5e423589f53775aa833c769860f5bcf11ed220fd81eedfecedf4b5a62 |
C:\Users\Admin\AppData\Local\Temp\ccUk.exe
| MD5 | 7a1d432d57311e7464fdaa3361875978 |
| SHA1 | 48518b179ef09331a5e069758dbd014c11a797bb |
| SHA256 | 2b8434847ec38232ab78754a05b5b9036cbbbe39e45b175df0a81633e16d26df |
| SHA512 | 8d14eb30a7b619a85e33146c770bd54e495333cd389e6997dc36022c5a7c709eab2ff7c66c695b658eab3851b1eeaaefe470b70ccbf1c6474e9e7821b9a1f429 |
C:\Users\Admin\AppData\Local\Temp\AIAm.exe
| MD5 | 8e0cc9996b57beba4a4930d6135ebd72 |
| SHA1 | 6fa3839cc3245ae8d2d473dfb388e49a80ec8904 |
| SHA256 | 7340b142e511c408e7160af5b64d339f3bc59a072344151cd4c0ab4ba8f408f7 |
| SHA512 | 18094a06dfaa4af3eae3badf1a6422adc4e8f66e70261708510ed591a6ffac009e228a55044db249ad2fb2bff694376f6215e4b5522b217a230a6ce3f54c26be |
C:\Users\Admin\AppData\Local\Temp\uggi.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\Aski.exe
| MD5 | d61321851e233dd54d2f199f8ee3b9c8 |
| SHA1 | d9f3112d176a0f3cc7dbf2ea7ef27e77c8bdafd9 |
| SHA256 | d54dafd8d636a999b6bd20fb3ba62bacbf5628e6c681b1d4a0ee431ffdc24254 |
| SHA512 | 543d2b44a4b6e77254da60e2caa9ad44030720bb8ffd528c2c739e4954442cf00bf397a191723f1331d0dffc93f5e1de698a580ffbe2bebf2ac1bba80746412b |
memory/3584-751-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eQwO.exe
| MD5 | 6e1d25c7d76bc4a82b09df32c884daa4 |
| SHA1 | 618135248e9bcdfacbd11d54ea35a32d78aa0a89 |
| SHA256 | 290371be71608c0d01499ffcacfabf464cfe27241cd07017b4a99483c5b0c6c9 |
| SHA512 | 64cb0b7d252a5de49b31abb691ec58d856ee9f90274bde3d2eb23cd8af9e8669eca828d3fcb1def1960effdb6d6922ab4feb078aa18dabb42082572ade2877cc |
C:\Users\Admin\AppData\Local\Temp\oEYu.exe
| MD5 | a77e95aa4403ff3176e8c5a5456ec10d |
| SHA1 | 5695b55815716b7600b7e7e7ba2a90828ca1a88e |
| SHA256 | d5157c201d2dc9b1be51ae640d7ea22d1a869dfc3ebb1195d4b427bf4cab3216 |
| SHA512 | 8ef3dfb150e195db211f59f1d10c274d0c03a54e8a98b6e58d5091d754d37709b440a648464190de5de121d4221f03ed423787802b618caa655160a6f4a5a727 |
C:\Users\Admin\AppData\Local\Temp\kogE.exe
| MD5 | 248671e811aeb88a18395dd23c6f1c76 |
| SHA1 | 9b0c2d938db669634fb1553d054210111ae52fa1 |
| SHA256 | 99efab61b2695573871374858d0767d233cf4506560eb6f6ac60cbaefe9609b1 |
| SHA512 | c479210857cf51d955d588cf1906523278bf30ebe405c2b78ab39d695802202c4244cf2c9577f6692ca9313721027e85061d7a21add0be0bc73c1838ccb97bf0 |
C:\Users\Admin\AppData\Local\Temp\KswY.exe
| MD5 | 2e1544e3d9a264ec9742950c06f399d7 |
| SHA1 | 4a1ef4f0bf24f471ba93991d91df4c8fad8d3455 |
| SHA256 | 7a3a936720a50895ee14e7b00944d3a256858ebbe4a155f6617afe5146501097 |
| SHA512 | cfe873bb6055fde125fe54bb4ac50a1b8f5ee127fb45b418a0b9e1d95378eba59b2fc0490b694bb315a8d4df5e4dd13a006344f989966cbfc0e5f46a3a53fa90 |
memory/1332-815-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kwsg.exe
| MD5 | 7d86ed8958b0cb6e9fbdb6fc4591e88d |
| SHA1 | 59392135f967f311217ced537c0c99a186eded83 |
| SHA256 | ce1cd15cb961d195882898abfa19779196febeef3e62ee03ac5efbd3fbbb2a8d |
| SHA512 | 62ede90b991f962dcc3d5f091122593d1d9ee3cc140cab035870d6ee2ae3d2bd2940265bcdfe3421621e560b5f2fe2a0c0d21af492e0f6ed01fa97a617243fcf |
C:\Users\Admin\AppData\Local\Temp\EQIo.exe
| MD5 | 24e2e040fb50019ff53ee183bfde6de1 |
| SHA1 | 8fbc963d21c1e8f908299cafb3a7de06619b3f4c |
| SHA256 | c4d0fa1662bf489cabd9a2992a1ce60c3e09c2c7c162607878fd36defa7cdc9f |
| SHA512 | 4a846abd8c9fad6633ad4637ccb622c62f59dcb615beb0d07e6131209cdbe42fb44d647b42f1b1973b5f986b7ba417870d4a0b23560cf925a061ad047c3ffd2c |
memory/3664-836-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\usgk.exe
| MD5 | 0da8cad301ba9a11e1bc83c2c6550635 |
| SHA1 | f7e07b83bdcd943e9f8567de4d535b38a339d416 |
| SHA256 | a4cb3d67c229b5db7ccca9933fe65392294c1315aa75443d792f5ef5992c8aba |
| SHA512 | 51d6a3000deae3ab3032d1d4abca8c7a45546054d316d3db41d9703b17ff9d6691b3529fca882d984367f9b3b0f7fce4679b5b572848791ed52b610c6a3382bf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe
| MD5 | 8361f045c9148ec62f8d4e552d0be2bf |
| SHA1 | 5a661c214b6973497827fc002a78184e74cad6c0 |
| SHA256 | 431eda1bdb87c34a5baea81213d8ddb0e0bd06265860c8ed4f1ee7c86f144042 |
| SHA512 | c305b8574ffbd3bf73f9370013cd5eba597ba44affa94d7197f72ef13b5e049214b1d8ec7b4af4dd6ccc789e99d6fdb2864a6bdc405cbac2a36cd462ebc67377 |
memory/3664-880-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UYwg.exe
| MD5 | ef21c5e93d218df7d401a9c82f95ea82 |
| SHA1 | 65e2c245768cc968a50777536df1f2f64bfadab5 |
| SHA256 | bb699ad98b99f4c990e728f0ba907f3335dc51615837cdf26f1ed0dcace88dbe |
| SHA512 | b22baf97b7519246734ca550fbfbbc177a81e1a8bac971423a116aa594d51bb87880a99d327e8f4325b5541f5ae5e4d2cce55e5d4d52c67fb0add8fb99259e41 |
memory/1860-895-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IUoO.exe
| MD5 | 750570f5efa1d68b5db1ae1e6d6e3937 |
| SHA1 | c53f5f73a4db98176d40313b41ce2716896e05a1 |
| SHA256 | 22769259a386da7d5a764db2ca9e0c210748b24a62fbab91a549bf5f0a29e8d3 |
| SHA512 | 1fee307df633ac8ef4b5eca12b0628b172a2fb56016843e8ff9b5226217cde63c7a157c601af5f532340608d0075a28c5db9758e8eea7cac7687147597ef92be |
C:\Users\Admin\AppData\Local\Temp\OEwe.exe
| MD5 | 03a53d7541ccc12f4af195c4ff755da3 |
| SHA1 | 0f02481bb8c427674c6b912999b4d5e934e3ecfe |
| SHA256 | a6e6649e796502bba3880bc56e8711a48330287b98fa9969bd6105c3f5a26090 |
| SHA512 | 2fb6d9da4129547ba74ef488a29cab6a87c6445ac6a159e98c28750cab396c507aca0ad291d99c27d9fe40dbc1c09cf6633a926a98092e20b4f78335ce7047cc |
memory/1552-933-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MQog.exe
| MD5 | 67969fa819369e3d32e93b9572620755 |
| SHA1 | e1d16b1bb36b1f8e019daeec3ff2b7c9a62d6a5e |
| SHA256 | e577cdf49f9ef615e496c9f63eb2de6a474d4c6420b4535a23dfc2eedd2f64e3 |
| SHA512 | 11f6e369174047475615e68fb23a84b57f6f62ac90afb709190f052472ad153d127409e40e4283df0cc3f9d6cecee4ac430a2c446ca831a8a83ff6f2f4fac778 |
memory/1860-946-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WUYk.exe
| MD5 | daf49f4ddcf4f94d6a2dbcc3abc6b8fb |
| SHA1 | 3511d8ca05a1ff6b120a48bdbed19f54bd120463 |
| SHA256 | e128913225ca66b8d25471122edcb87153cdac4d9f9dce032553a1925ac76c6a |
| SHA512 | 99c9e86e805c02234bac67d6c0a61eb41b05d8c05b48f986fcfa6485926e5619d858fbb2997aede40a3eaaad34ecde79a995ae82922abcbe37ccfa1704d4b4fe |
C:\Users\Admin\AppData\Local\Temp\cYIC.exe
| MD5 | a1fce766fab642cab8f1a5bf91c54339 |
| SHA1 | 5ccaaf02c036df99ca4e2c9fba36b36ba97193cb |
| SHA256 | 7ba828f7434a71c0bed626054ff9ba5c0b2b2133ead06f4583f8fb0170549873 |
| SHA512 | 1fede765589d8aa52115e2829db30911530cdf292e93dc9b1f6a1c5229a9d54114834484f86fced2fbc6ccd0c29fac1b02cf5f02e192de6ecb13bd640b867dda |
C:\Users\Admin\AppData\Local\Temp\oksa.exe
| MD5 | aeb25844281bdf4fd4afa3e1c7f7bfef |
| SHA1 | e7de26d784a2f7370678e8c9b13a0155d7a8bfe7 |
| SHA256 | e98c31af4cd2dc12033bf7578f46a8d2ffd19023da47f8794712551f758d099c |
| SHA512 | 67c5e8c00be7d6f2803f1194c726c8e9c059ff3343298dc9bfb470c8efd75dfd22d63c054639b4f2e8563858f2c7a41b903b44cfd651ec2daf58d0c866667c82 |
memory/1552-996-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2456-997-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OoYI.exe
| MD5 | d6ffbe44ac8cff420a0623c8d7a581dd |
| SHA1 | 48442a7d9510175492d12a9a877d42baaa40e024 |
| SHA256 | e5f3587703e9d02699510747952574970a7a5fbc6474668f65b402b1358f3bde |
| SHA512 | 81663a6c6a06b2ad003bf9a896cb12b19eda1d57189929f1da2598cc3852f51b80c46cbbfe2eafede5468cdffefe3b69f815845c9a7183c1c42d7e7a60ee10ff |
C:\Users\Admin\AppData\Local\Temp\Occk.exe
| MD5 | 47d062a4b9096c047f103b7b306055e5 |
| SHA1 | f988f32e6e7a4335a8dd79ad06adb9882da8e669 |
| SHA256 | c98aa2d43839fc25cfcf6afc1d45e89df984d4ae6c3e25cc1e477fcdee2332ca |
| SHA512 | 834d4a19c92c4347f8e7cbec660485e0d30a8b9e40f9ab3902fc9ca88d3bee7e3a7a53c29c9f81725124bc0460509a8cc15843fd756cb322995710c649b3b0b9 |
C:\Users\Admin\AppData\Local\Temp\Mcoe.exe
| MD5 | 29a115d50d5e43aa29f6d8c12392e3d9 |
| SHA1 | 93a03e1e96e8654bfb1728eafab988dde280333d |
| SHA256 | 93e3308c1922b77d96314450aa588ad533ba81db0bb1dc9e4ec6216e5e46f0e1 |
| SHA512 | ba9cfab804bb113d6f4e7c12240fd1a28fd0cd9abb1699960aafcfb2b2088a68d555077ba3e576c66f1e84df102458f6e22b6b3f2d0987accecf7f7c5b447be2 |
memory/2456-1047-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\akoA.exe
| MD5 | 6aeb71e2a54f2ba4b9bd17c643a2270b |
| SHA1 | 8acd6048d63228a4cb8594468c378d243e651cef |
| SHA256 | e89c319e0ad36c420313fe3379f53cfacbbee615c65725969edb5551540e6a1e |
| SHA512 | b442414dc1e3a835dc9930ce0c99334613fc487a893268d89a45a585d894157caf932ec7346186b034502780e057fd061843b243ac2110cb2857352de659b79b |
C:\Users\Admin\AppData\Local\Temp\eoYi.exe
| MD5 | 9bc0c284db3f1a71643a868f502baf1b |
| SHA1 | ecfeb878d9901f133a1444056c7c035c87576bc7 |
| SHA256 | fac44d046e3e173104a7c172be0c6d1b51bdb4c5aedcedb18f31ad25866136e1 |
| SHA512 | 79e96c17ae81dd799798bb1fe367dec3bb68a43fb6a8a20e4938f1768aa815f90949d752bf4ec2bf41e6fdc23c2449999403b1ba5977b210690560e56a5c80cd |
C:\Users\Admin\AppData\Local\Temp\QgUY.exe
| MD5 | 8a09da336a18e1f7f198f263e3ca79fb |
| SHA1 | 5f36c2f82ff1c8c8618aa33c15ecce16529c33ad |
| SHA256 | 57168e1008394aee04c682c67fd45a4a469651d8ab5be3e2a76fa245a6f5069c |
| SHA512 | 44b4181272e6c2a3a31e8139209e642ffc9ceed35d0663f5166f113f3edd91672c5f4f2524873dc3d238c08cdcd861060c307bd54f70d8125855daec04219d31 |
C:\Users\Admin\AppData\Local\Temp\mEkW.exe
| MD5 | d948001843c10ece61d9b496f3541b04 |
| SHA1 | f7844f6938c1f1ec0cea09ccd97a5747705dc401 |
| SHA256 | 7ddcc4dea924a5c6824fa214df1ad3834b9ebd7e23e222674af18f2c64f4b18e |
| SHA512 | 058fa51752c429ae7b02393174c8cf0ea40cbd24022853455c30bd22b787940a34b302efd2b9487b55f8cd1678ca583af579f8b97b174cfb9e07a225fcc0ac2a |
memory/4668-1110-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kgMK.exe
| MD5 | 9c34e835a1b40d80e1adcd47252f47a8 |
| SHA1 | 67f2e6d2ed5e16afd2f0c9240e1e2d39b0a4a971 |
| SHA256 | 772f6e3dafbc6df280f2d196b4ec8b91e190e8b491e76b343e9626d1e6aa99f0 |
| SHA512 | dd4a1c27e7b2f64d38c90b79aa152bf7deec93a3552777ac42263523229962e62074a8e75dcca2a0e3786dd65e77080cb6c04523d3ede1e3d63ff517f76523e3 |
C:\Users\Admin\AppData\Local\Temp\KYcc.exe
| MD5 | ba4bcfb49c9258a55ec60472b7fd6984 |
| SHA1 | 1c36f62c881c6b998202ba69f152d49fc8e8b8f8 |
| SHA256 | 5ae74cae5c00088206f6177845a7630cd60cf82ef9eaef0e2e92bf1658bb05d3 |
| SHA512 | 6c005bf91d1e964bbc347678ed8156283db8846b3e0d7a975c08ed16f6621be65abf2d289e6cc2de7a2766d0af37d77a74cbdc95a6d9e7220ca4236f6699e3ad |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe
| MD5 | 216d7fa2aa3088c04974577c02a2a68a |
| SHA1 | b280d9476fd1c4d81dc7e4466ac0d002dc30d3df |
| SHA256 | 0cd1b4e4e6827f44ae56b6540f2fb3938fc46e63cf1e0f8246b76db4015157dd |
| SHA512 | 7d9953c9096cfe768a3139984bec7fe7809565f70ab8b3632cf427e98d81c13eced7a3f034c41af3746f8d9cb41f429351ec8c59b185994ce437f55cffdf4c0d |
C:\Users\Admin\AppData\Local\Temp\EwEM.exe
| MD5 | d04c11574feeb21cf9811fe53f6c348f |
| SHA1 | 12378e25f8856a6f29bf596c92edfbeef53ab2c9 |
| SHA256 | 476700979bdcce0d340d5ad4501d56982cea0e02fb060800f3699ad60fa7a445 |
| SHA512 | 858a830bc12f5e4d59cffba562901912a5fddfa09482af739f1a6f331d22c1c012fba9f5ecfb813ade0e8b31871efd5bf364a36f5e01ca0cd8f27354badbcb9b |
memory/3036-1173-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oUIE.exe
| MD5 | b9fa92500d7eb3c5017c3f41977a4517 |
| SHA1 | c0c7411b9ee1f5d39a753ff93767f3d9a9ca127d |
| SHA256 | 0ceb3084959652fcc1b538a4b49f2bf3a7d0b52e081aef46ee1ea75a8f125992 |
| SHA512 | e946b9c47ef38d24af9b899ceea295c23aeafefcd2fd78ba0e97ed723a521d221d959fc2fd50217a31ba64f8dda1e4d2a491969bf3e072374fca1f01538bbba4 |
C:\Users\Admin\AppData\Local\Temp\qYAg.exe
| MD5 | 9ed215c6d356e0209036b70db5238faf |
| SHA1 | b097395aad7c53379122f7eef0d84455daf3934b |
| SHA256 | 4c7699cf6231e6e0ec2bfde41e8aefefd459a401105ccb9b3b324bcce3874177 |
| SHA512 | e2f2a6a8aed4e1189afc496a98fed59f013b8681f6ba9287b63d96babb4a9bab31badf205d0a5d8c9082d44fdd86ba6f828e19cf693b4a476aa4e4d9148eba73 |
C:\Users\Admin\AppData\Local\Temp\QwAA.exe
| MD5 | b3facfb0bf92bf61645ef78fbb49a2eb |
| SHA1 | f3f26e5845e8fc6d17bc7cf8b886a8ab2c6dc926 |
| SHA256 | 9c772012675443c3c407d999e6f2de6d82b8efcef2d377a43dbe0afd59913552 |
| SHA512 | b10ec6b7c5d5d1ef48db64abcb3f6ee6d0aa3eca74dfb40f0ba9667cb3b92171fb7ff14ab128da9f98d8e12348df301f15991aa9400d1dd3a3a3dec5e17a8849 |
C:\Users\Admin\AppData\Local\Temp\uMIk.exe
| MD5 | e2155a6ac26950cefeb394ed83ff49d5 |
| SHA1 | bc4ec2fe8708b0668fe698b6406393fbcc82356c |
| SHA256 | 3d2feb703b95e67019ae3048a1c1328a8b973d0af288a917816041d676691ddb |
| SHA512 | bc88bb6804b2a00f78a83324b449f2ec7a2883c69d9d9c88579f28976b66de4ec71ed7d4315971315169114afd6241add892efb6bf9b9b3fac2b909b4c91ecc5 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe
| MD5 | 8f3d6a7e934ba9d5ced473091e778764 |
| SHA1 | a92ed9288ac4ede4652fc1a44069343a8b467f40 |
| SHA256 | 0981dcec9a51e440f213dca48c1bdb31bf4d8c6be58a4271dba30f4bd5e87440 |
| SHA512 | 4c8639827cf2f528720ad965633631d551dc3b1ccfaef13ae5b03e6b3951b4bb9f209039dadf29e107d426b75915aeb88bdb659e57260a9d9b9db84775a572db |
C:\Users\Admin\AppData\Local\Temp\iQcE.exe
| MD5 | 83669ea72ac016e50e650e310fc841cf |
| SHA1 | 5247182999e3b12113499ec98ae6c2e557d934b3 |
| SHA256 | 295f379206eec8af5988c495d0005d0a50fcf93336ff062bb608406b965e93ac |
| SHA512 | 0963ae3c7be0c8c2e4e5c88e2dc64134b1abe8e5f328befd32f944068179bfdb173bcb21e09c2436cf3cc5a04e702defcdf2583d061da090e6b44c600748018f |
memory/3476-1261-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1996-1265-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SQMg.exe
| MD5 | 25bfed6d23af6a6c6c873490b111444d |
| SHA1 | 14c0156024b1ea20ccac142db815c1da09f286e7 |
| SHA256 | e8e4fac377b02782e055f1f529cb673554d99925a8936cb21e78a8b23bb7caab |
| SHA512 | d132c49c0202d91e8f8f869a7b1dc381029e82e370afe2d98583036d78de83812376981b5abb3ba498c70393ab66e5d7993bdafc469a079e5f2715c193a304ab |
C:\Users\Admin\AppData\Local\Temp\MIce.exe
| MD5 | 8d233a18fe046cb3d16a7778fbbeb1fc |
| SHA1 | ea116db9886d32f1bdf7359a88dd38ef601e0f37 |
| SHA256 | 15d01e75a2c172a84bfc1203312552997a82c653bbb96df6007169cc9bb8b002 |
| SHA512 | 55db5b889bb53fd355ed53e91f6e82cac199b43bf96c6a4d6d6eb8b38189eb9bcc26d0e3c970a0a20a922fd9d2e152885315ed595fb7e6e10e4a3e599be6c9cf |
C:\Users\Admin\AppData\Local\Temp\ywEK.exe
| MD5 | 846b1e1df48b670227a65d6997a344ad |
| SHA1 | 76ea6dfcff99f2bc15686de8eabf64256c8b21e7 |
| SHA256 | 70e63d852611144a96fc283ab0fb7821061e0e10166a79bf7186d86b2150ad64 |
| SHA512 | d97a15cc94415ee3a6a0269cf1d052e1b3069a68672500af1e102849a2a5dfb41e8e2077f2331701de175ad4bb8a003fbe594cc839ff568263a2f2b4658b76f1 |
memory/3476-1325-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YYoK.exe
| MD5 | d8b5282fce78610c8a1f05080823ccff |
| SHA1 | 45fd7117b1d716b2f3b9c5e6d5b6098f316caddb |
| SHA256 | 036f41032ae7cf606163c21694ed1b7300943227d16e3b50f62662c9651116da |
| SHA512 | fb339bd86d98df9d2bf05f56a643e9902d0d8ce9e28083490e6847a253f347f9c082157dd65569bae61e107ec973da48a567b88bedd498882fa114af735a9aaa |
C:\Users\Admin\AppData\Local\Temp\sgMg.exe
| MD5 | 9406ffafe8396285d0885f897cb391e5 |
| SHA1 | debae73231a34a50c7a408c24fe06d0068f4eaa7 |
| SHA256 | 4a02fa0bd7d804f418ad79bc4ea270e9770c120e0befa7c145074221862d1b97 |
| SHA512 | 57b843c41007a1fd38514fc923f13bee1e849ad25419aaaafff441ed7027bd7ed415e938976ebb59ba65ef3d54ab250513ff2737ddd898387e17841cbc3ae380 |
C:\Users\Admin\AppData\Local\Temp\yMQi.exe
| MD5 | fa13ec5f2f1b06f955962b4300ba5711 |
| SHA1 | 6593f137e5a56145ce782d3c3d2fa1ebd7642a04 |
| SHA256 | a5a5c8419130f3fd80c2b4e4f622c00523af34b12b64453ef70b2b601163214f |
| SHA512 | d14428becc9c55745019fe0e81e67ea1285f94796607c72fa867fea419fd8446d5e0a543c5984e22eabe5b093121e7f0dfa1c84347f469b5b86bf42f68bdca9b |
C:\Users\Admin\AppData\Local\Temp\iwEM.exe
| MD5 | 023093c3a03540bee268fd25b6f62b13 |
| SHA1 | b0bcf5707434303b5c41664cf0eaefb4d8ea4e86 |
| SHA256 | 3b7ee6f29b72e0bff35c88941d711608d91433f8c524d47187702e171e9c383a |
| SHA512 | 09355565fce86d6333e673281db8618a79eafae6b0ede1c1ccb49dca38258ef20c3f4f2a07d694e991df44bf7e2bf000f30856b08b51df497ec79de1ce103cd7 |
C:\Users\Admin\AppData\Local\Temp\eIkE.exe
| MD5 | d1bfb835fdb84064c4e6a1c67f154768 |
| SHA1 | 2d304457439f8dff90d282618cb24fb5b7ea4057 |
| SHA256 | 9eceaed668e5738e3b786d96cb007775842e4c4d8382a9ab2cc9957830db49bd |
| SHA512 | 537ca25f522ea07c1678d4bd3d35b6ed4e57bbf649f107711d6aef52738c78168fc486b711aa39db78a93110ce06fa5aa014c80036820feb6e3ada6e186c5137 |
memory/4156-1392-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/4144-1393-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ooIS.exe
| MD5 | 627d2c74782ec57249f659ec12febf62 |
| SHA1 | 9b07af56ce6508f738e5b1942bf4786fa0d83c74 |
| SHA256 | 4a49c9e786e897f4d3ae5e998eec6f2bfb4f15533fbf24a7c7cfdfde4c6e6660 |
| SHA512 | a9c254ba491e6b35033a2f1c3a73c57257cbf5a7db42ef5273416d468358c8e8204c57f63d63065f2f2229a3f6e29c1ef20fd1a50a9ce2ed1aeded31626730ce |
C:\Users\Admin\AppData\Local\Temp\eMMI.exe
| MD5 | c3efc4c885dc45c65a40f597c54c5223 |
| SHA1 | af96d9cd83c6ffa49976f1aca0a75db85e9ad8ce |
| SHA256 | 3d30f24ca949e499f6eeef47edf8015c32c012f7d1a6c7eca3b76dc9c82d4dd0 |
| SHA512 | eb443568d6f65a8602486124ea7fb582f9b691af65b05c2436f650daa639b2c0b5a85f26885ee68a543e68a284ed2963a571d61a7b06d94d70d6671731611966 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
| MD5 | 0c18c489e362f5fb3647430dae6f27d4 |
| SHA1 | 9149c4e2498a64768c9532013ff06fb10cca111e |
| SHA256 | 8449f6e2daf8d3c11e5d785dbec032bb16f7d25da0e40db3e0e4a21a4ed14d7a |
| SHA512 | b18e059d13b302fc01a6511fbaced21874249d97687b915861c8736034cb3dc671abb5efc6f2ff41e74d3e0e4041981d26387b2383e3cbd649780e795d141cd8 |
C:\Users\Admin\AppData\Local\Temp\uUwI.exe
| MD5 | 1354b1086d464e27fd63a51831f93994 |
| SHA1 | 0e1135fca56aad8f4345c2d057dfa22f8f36cd8b |
| SHA256 | 14ac3209d5c8dba475aa37b6fdeb51d560236eb0078f7bea71acd242fcf79f89 |
| SHA512 | df9a7157f2725b82da276f4421191ba6cd8dbb05558f98edc900e8daff0c1273f165bed356d8e2cf51fdc4aa53d61dc4c1735e50da8aaa3f0c98c13da0d3a3c8 |
C:\Users\Admin\AppData\Local\Temp\awwo.exe
| MD5 | 1c48cb2d2aefe65953a97aab9a832fd9 |
| SHA1 | 76f5304ca0d200f1faa744c29a53da93a0afcba8 |
| SHA256 | 9b1c6f6a95d6e97ddb19e0c014f0df2f3adfc8aac9b4489c2f92832fe74c9cf1 |
| SHA512 | ee4692e4e41e9d4d912a8315be957c6ce81ad6e94c1669c183d9d59daa8c7b72b92b7422ce94a019ab430fcf96afcf9f45b890148570f33d9af15254bb3f4cb6 |
memory/4144-1471-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AMYA.exe
| MD5 | 12e024f21f47c999c558ee35c2253085 |
| SHA1 | 06d5affb1ca41b336489eaf20e0eb743aa8e575b |
| SHA256 | bd2afb8dce74f0efa049bb8052429452b0977898725d691061dab0581a3fa05e |
| SHA512 | 0ace88e89c3d2da115e64ff56e11fb17ddaf4684a1e1b2e0ba9cc0fb77aa95e7c96ff171febd9cefad51c3505ee277edee5ad943affe28da56c033159fa583cf |
C:\Users\Admin\AppData\Local\Temp\Yswk.exe
| MD5 | 7f6ce05c3ca0afcb9ee291cafac61103 |
| SHA1 | aa5e421f286aa5837aa775015c366ddd16237816 |
| SHA256 | e65c844e01635ae1f3b1cebb670a4d5071f6ee937b44826a69b74a2d07d4d1ae |
| SHA512 | 9f676ea04b2a6244c4c54131c4fa33b43349b814d565bc2e92f9a4cc3595a68db61a349bfa723e654b9822f78d4cf22d314020532feb928c8d5222c2f83b2388 |
C:\Users\Admin\AppData\Local\Temp\IQoI.exe
| MD5 | ed09b1dec4be44049325a724aea6fca0 |
| SHA1 | c18d75e199e7fdf755004077f81332bf16029c88 |
| SHA256 | 4b0be36fac9f66323a66080b23496ab16fbc80c5b558d7b61d2365a494e72708 |
| SHA512 | 271e03e975cf8778e025b86b07f1d71f751302e47be709b1835ac890b8cc3d47be35641f8e0e0b75098b0c4c8b048bc098ea3cefc29ba679fe61e7ae5f17a8c6 |
C:\Users\Admin\AppData\Local\Temp\YQQK.exe
| MD5 | 857435086faceb66a5665b6534988301 |
| SHA1 | 13d803d3f54ecf6fce6662299f639b472603b236 |
| SHA256 | 5f2a503f42c2914836857131652c146b63fb3e5f911b9cf025119941942a4dd0 |
| SHA512 | 33e85e20938820b592c9f47fc8e33c9125db73f121931b1232572e66d17a91346aecfb963461a802d9080889af5bc64d6b299a62fa266216fb9c959e78ae79ef |
C:\Users\Admin\AppData\Local\Temp\mwUK.exe
| MD5 | 977647e67b85c4e7054b4f45d3802123 |
| SHA1 | d3c638fe91479fd67be63a5b2a526e88903721f1 |
| SHA256 | 64b51616bb5c1b9f599176289adf77df2057d992aa29eedf5cbd982079d8e0a2 |
| SHA512 | 18e46b0472920349627b2805be0b0ff30bd520d525beac63fab3ce9f90ad751665cc6ce6c3be3b76c38b630fdf3c433f0847d6db4106a3ef53a676a89036ddd2 |
memory/5068-1549-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OEwI.exe
| MD5 | 6a9e9863016d615fe90fe9657253cf31 |
| SHA1 | 1ea94e9f648e4134ab7b3de42adb620dbef819dc |
| SHA256 | 7bc18fbc8ce593377ef4d87ab8946b599e598400a99fba43612ec9b44e8887e0 |
| SHA512 | 6a05b74765408911536885be37c42b9815814ce17d196f89660a8e602c38be5e12b59e0cbb8329829eec2145dede1a820e41574b8900d55966686f9e0680251c |
C:\Users\Admin\AppData\Local\Temp\MAwI.exe
| MD5 | e5638872402d89a0dda941e8da002e72 |
| SHA1 | 3539f1495cf5c16e47f8f05c2d7e6a6a3d57c9c6 |
| SHA256 | 0e32f0ae6d85ece7b6d9f1f835925aae9b35d697d3929aca84146e6875a75d32 |
| SHA512 | 537505891ee12367481b9e0a9067ff1d206099fdf5bb955b6c7e503f09b22e41c520b7b4d2d187d7db9baca9ee6d2aae90f3d84335c2fa00ed94abfa80aca8f7 |
C:\Users\Admin\AppData\Local\Temp\ewEk.exe
| MD5 | 369e413aa927233597313a745f601042 |
| SHA1 | ed948bde356c8b13aa6c4c865fd304f564400608 |
| SHA256 | d4b1609dd2bc44e8b46617a77d294110e30954fc468935036e647a699f1a7942 |
| SHA512 | 0da732917f7a5aff025fffb279d422ffb542bcbc51dfce25a6afc643fc5f26d2f8a00e74dba524d448ba63b9193ba405fbf74b14994742f09dba896640a1e8e8 |
C:\Users\Admin\AppData\Local\Temp\ukoY.exe
| MD5 | 6b72e0462c15261cf79bf2b99074deaf |
| SHA1 | a084c5653972b67a9214339244dfe19f2f1626ce |
| SHA256 | cdc3292c06c4cbe13fcb4271cb463e656e873681f98a8ad7b8ecbeca3a0e24cb |
| SHA512 | 566060d517e4a01bbe2539ede1d8a4873edfbf53b98d31d959161279f419a66b4bb3b45bf91880cb46def6641a928b85298191ade4b3f80003120097eebab33a |
C:\Users\Admin\AppData\Local\Temp\owUq.exe
| MD5 | 111e86353ff2ccfa1152c28bb2e26fae |
| SHA1 | 51887d867276b20ab8102c55b333bfef720e6edf |
| SHA256 | d7bea2ca5b475c4c64dc9d7a79cfd82579754a42bd11a6b578327a21ecd306b8 |
| SHA512 | 1faf90957b8c0644606c0bd2c0023954e89da744c081e8c1455f7e14668c202e6c8ceeb34678efac7339ace857baa48bf24912a5416ce6c6113b3ef25726e80d |
memory/3304-1627-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IgAu.exe
| MD5 | cd1bfd51c63d41165ccc953ed259f174 |
| SHA1 | 9508570eeaad815d1153fa07aebbb8c8fbee0ebe |
| SHA256 | 04a3d67b2349590718606755e8a71af32a4b78f98e58a321bd37e52e9df40d65 |
| SHA512 | 056e08b0104e552231d8a73db9d300b2474f12bd4178ca755d2d045b4b7dc77a3e3ba67ea8af486bbac030b3cbc89215dab86d1e284871a239b43d7f587823cc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png.exe
| MD5 | fd3df01386b414d40985625b7f50542e |
| SHA1 | 0260d5cb2c3d6096b4f1493e89cbf9186267176e |
| SHA256 | 3420962f64c57a613aad4273e14e721d57f3816452092ff43c607f7ab0f97656 |
| SHA512 | b6c56beba6199c5ac9cc9eb332a918b32ec2087515a1eaeba5f2a167dd0403e1c6a626e17c0ab67f89b85096a520aa6b586fc8d100076046b0b39ff7463f8ec6 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | dd573cd9585b68a3bdab744c9d7c6363 |
| SHA1 | 95cf72c8b799f3303c965827503aca11fbd3d01d |
| SHA256 | 19739c77e1a5d19541ef34cf3ae52d200c45ed91d64c86319979d609ecf01af5 |
| SHA512 | 65be91c969c051bb830c6b288c6d2df97a6bea4132b8c85111c81ae96ad4d748fcf9a64fd4197144f68992f8179a5bf803e1ba18d70a1c0f1b85ee47436018fc |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
| MD5 | 32461543b0ea8799d8598ee64d288508 |
| SHA1 | 71c3f39158633df35341a1eabfd67eaac24e3ff4 |
| SHA256 | 473d9865487c7bc80f59494c3936e17cf38a8e61d4ff2e3f98697176166bc134 |
| SHA512 | cba896b6f212b1d46a08e90797e9a1d7c633b3fb6e0923f773436f6836a584c3bfe28337ae43aaff00e1f042f6136dca54e5352ea3941140d73fd7dbfacd325d |
memory/5004-1691-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3780-1692-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cYMk.exe
| MD5 | 32b126cdf9f15fbd7261ef5959de4d39 |
| SHA1 | f1e385aaa3d76900fb0d20cf893185b4b7a00640 |
| SHA256 | 919139eea615aba2377d4884cc8c86305e0a928408b5dee5f6658619b74f4647 |
| SHA512 | e0385418d58b80611876f7f099aadd2654234bbf1ff65310b50605e077a15adb834fda4c1b4f80814a139f7ebb2b72ffdb1684bcf261c3608be7a0db178c4a79 |
C:\Users\Admin\AppData\Local\Temp\OkQq.exe
| MD5 | ca82af1a764aef733b19e8a4888061d0 |
| SHA1 | e798d6df1af0c89c66d45747d14736919b4c8cf1 |
| SHA256 | 333f035c2bb4cb037bc472b35a6d7819eaab0a867d3b94a44d2d706ecac20278 |
| SHA512 | 13521c223bc194e9b42cab950dabbbeb96d77b462dc4780ac796917e8f6fdf310c85ff70dad9ec880ad7dacc6c5446539194ff5f7e37ea6cdc513caabd50a5f9 |
C:\Users\Admin\AppData\Local\Temp\SgUQ.exe
| MD5 | 51c9a57daf1fc940a0163607bb874831 |
| SHA1 | fc0307d41ee6b83b405d49525c10d90caead311f |
| SHA256 | bab36078bbda539c036123244e3186e9c6acdbaca77d3e23c6d62e9d5e412a42 |
| SHA512 | 98603c30f2063391f5c87b59385b4d784f01e6ff138ea2842608a9dab487df4cd3bda893d6f0b9a768c34a942d18eda6a36fb18c624d241a03fc9ec34c19acf6 |
memory/3780-1743-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msAm.exe
| MD5 | e0555086e3e9fe77d942a482887c6063 |
| SHA1 | 9032ea1bd1cd49fcfc95aa46be94e20938f73d33 |
| SHA256 | 26bee786e37b0b732f8fe616136d2013e686b170f25ebc91a921be1c1387c2b1 |
| SHA512 | 7f7edba0af2a2f970ed998b007d7e8e5bb9e40153c1b096b1bbd9781eab0f4b6441b9cff4541c7e546d9937fef79f698573d3148ec9bb06ab6b18ec24d171347 |
C:\Users\Admin\AppData\Local\Temp\sgMc.exe
| MD5 | 2667e866628a7699507c2923e9268e7c |
| SHA1 | fb534f7e22d0a5a8bcc14e0b28a3492fe01fc422 |
| SHA256 | 96d5b610275031918039046ca007fec5b8f567add6d6c275a4dd57af8e2fa399 |
| SHA512 | b9d508fb58d5fa5ec4762d8ac144ee27204ea297e02ba49118a3235589e1cd45d7e9b784b98fe9f2204c23aaff72596418bfe0de811ede4f18ca998ff4c0fc2d |
C:\Users\Admin\AppData\Local\Temp\ygMm.exe
| MD5 | cdf2ea1b8ca1dfe548e505c63d7f419f |
| SHA1 | 2edce34253918c0b877f8e7e0e4c4a2d818ebdb1 |
| SHA256 | 399ccab4cf100e0051193bef5ec8cc9eed6a66f04fd7d70be19f3b21ed119669 |
| SHA512 | 452a927e08812c5c1425480d4deffdbe758d2e8a3cb20469022fe006dc48c045a03f8df9a37a5929a8fe7d41903c616a263cb95099e28ae66dcd953b08d76217 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe
| MD5 | 149f41d8354f7ab4df14a1a24290c3e4 |
| SHA1 | a67a4185348120a58f11eae7ad11ff6d24b78249 |
| SHA256 | 5dd126824e3b4829ce162c1e4b610cd8f5bb9d1e7c7149cba7f3bb9c50b88ed7 |
| SHA512 | 9485e65cb613480e6f46b7e7c0a2f7d135bf5d7415ce5c2e32fc5b3717a2e18e746468477a358d028076384421d09fabcce3434027a86272ad5d2659cbda7dd6 |
C:\Users\Admin\AppData\Local\Temp\GkMc.exe
| MD5 | 05f2ed6f2f7c9ee42f6be22fbef9ebae |
| SHA1 | ca313ff02b3c2b5a3e9836ba62d9bf4cdc947132 |
| SHA256 | f0cdd12d4fa487d478fefcfa07635f4bea3ac31d77d227dfbe7d2743355fac0f |
| SHA512 | f2446957fd9b0f0e6b93d5b229ea99745f6967cc503ab8488a7224207c64670085866f1ef687b5f2723da7af5b2124cc27e8435405f1ba6d7c34e6cf57a190e6 |
C:\Users\Admin\AppData\Local\Temp\eIMy.exe
| MD5 | 42d00b1e1327906ee6a645be9f294544 |
| SHA1 | c3a9ee15d759ff3b77658e7401d2e3bf26f132ef |
| SHA256 | 051e1617178dd834115f46a40baba599bf01bc83e86f020fcd65a2d9f2b3d71f |
| SHA512 | b8e8f2c2a9010a3b7e6245d77e01e2ad524774ebd7c65fd18b30be9210d3355a5ab387395fa2873d81b0c5802b620281411e2135a4c14cbc075b0652b7ac68da |
C:\Users\Admin\AppData\Local\Temp\ykES.exe
| MD5 | 2d8e2f5e0fb88c92aaa66ac15661bb47 |
| SHA1 | 04beb581a8724090b67bc90229da1f9e31d6337c |
| SHA256 | 81005856a542a369c841b076b8dfeb4eb91b612d20af40d60be677dfc34bee93 |
| SHA512 | da61c66432330203adbb2a81e7cdc87483af22d41af8a64240caeda3ae818218f7ef93ff5529877896d4dbe7e14e20079fc7b7d1307b278f2cd6d8f05151ddf4 |
C:\Users\Admin\AppData\Local\Temp\IQAo.exe
| MD5 | 44a168fc9574e1f4a7316f79d89485f8 |
| SHA1 | 8583722dfe9f18da0e80c4902a8bc73df00add0b |
| SHA256 | 0de3ac48f00568632d83a46b079d6a6a6289bbf328c6c75df586d1fbdfa9bdd7 |
| SHA512 | 007bc53784dab784969f2e025ca87de0bfdb29e13bae5b88d2292011e747544c7990933576f1f21c18915375448761cdc0745c6a0af32f16101c9c4a5c1709c6 |
C:\Users\Admin\AppData\Local\Temp\OUEy.exe
| MD5 | df8d222bba3f0da7b886f149ae2d5fff |
| SHA1 | 76a5a5a39f0ca0ad73c4b355008f0122d8df372f |
| SHA256 | e659a8f7968015f4de5c7be735182711f624e55afa6dd1b265b42d9146b3204b |
| SHA512 | fcabbc6390ccfc092b3870912e4fc51e0f1dc89f6d44307001084ba4f81a2bdd20a2bfa8eaf58d85003ba2c904fb457acd9e6ba02a56e7d25f0e28608a9df57c |
C:\Users\Admin\AppData\Local\Temp\OkUa.exe
| MD5 | cfe407e023c6e4e1ca3e82d2331c74a1 |
| SHA1 | 722a116a3b6e45586e0520087a5d263664271c66 |
| SHA256 | fe2e27aa35236ff7dc5ada640933d5d57439480ec0c5cbe778cd5090854b7a21 |
| SHA512 | 3bea7e5b4be476fa65d9c438ed337c3f935083a3fbae068afdf0acd8f03a9b9cbd710dc5fae9ec529a18d01c59a1988f6748c6063670294c58c934e4538be6e6 |
C:\Users\Admin\AppData\Local\Temp\sAIo.exe
| MD5 | 53d9fa287a22ca172966c52af3329f63 |
| SHA1 | 5a26f721b8dab4770f5dbf89a36e5d3dbb9e8a2c |
| SHA256 | 2d65545d351bb2d8d7dc7e146b616e95f736df02d892f2a04d33c6f09d815828 |
| SHA512 | d647956ee127b1525302624f3916074c8152a5433f8790ab769fc00ec3adfdecedfe81e25fe9ff4d1722be811d5c49adc1cf838e46f5cfe4149426b1f8f5f334 |
C:\Users\Admin\AppData\Local\Temp\Mwka.exe
| MD5 | acce691c3678634d7bd4814e44f96f20 |
| SHA1 | a54009eec6c5243e1b8285d3f750f10720b0c9ad |
| SHA256 | 668bc03196a49f9ddf65c23cbae97c86eed03976a75a224186a39c63e0e1d4f8 |
| SHA512 | cda6099ae88f57ad188ac90e6dbd80187674c839d69d9744495d21d281a636aed8463e6cb9de057a042abecedba8cb6044e68847209c12308ab66359008b0240 |
C:\Users\Admin\AppData\Local\Temp\IcUs.exe
| MD5 | efd5d3550aaa0f62f03aa45963f84f9f |
| SHA1 | b2d89c5960ed8d0091523dd514892b7243b1f48f |
| SHA256 | e15711b1f1d98752b3c41ed2d5d666dbe68cacb55afc37ead6d6155482dc6544 |
| SHA512 | 5d8095dc075f6eb1765b29ef3dcec4d64de5da66efa1035f67ef4728ff6517c69e858a3c445cc8481185f8c1559fd898dc4f949dde615eb972dc91e574de7dc2 |
C:\Users\Admin\AppData\Local\Temp\Uooy.exe
| MD5 | 263099dbd821abaafd005b38282326da |
| SHA1 | ec5b8993969e61a02a5b8b732298981206371f93 |
| SHA256 | 797f022b36da4226b3000980c04ab175b01b61e680e590d4a45e54032e3f1a06 |
| SHA512 | 42d9c0738f23e0516ab324d95ae167cb9c715b12a01d18183dfb5616f5722f4a986844b4612525c14c0d0be5010667fd6bdd963a2d631b1b706f473f40fccbf6 |
C:\Users\Admin\AppData\Local\Temp\sQEu.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\WIkq.exe
| MD5 | 318e7ca87a90491f3852973ff9de6551 |
| SHA1 | 92af63b9bf891547c804618c209627bf5c09fb32 |
| SHA256 | f6881fbb7d60a8934ca4be44d25e9b1f4c88967001c4d65288073acc21975a84 |
| SHA512 | 2c24a4524b578eb8dad12312953698294309bf4421fe21cc0db0ae9bc70147c853ff3c73bb447eb4f342f66723ef2bce15676e9f705bd7bf4058366b84491bef |
C:\Users\Admin\AppData\Local\Temp\cswQ.exe
| MD5 | 3c4e885e618f2b41de93fc003101ae99 |
| SHA1 | 327f7ce3c559cb871406fb334264e7e149b11dac |
| SHA256 | b4c0fc9047650eaf679c9482892cb3c1e151497963fefd649e406755320e5c3f |
| SHA512 | c75e04b31a40a128a026b9179490b5d2e25fe7b3562d0e5d9415e7b0aa61d9dbd45ddf565d30a0e48f5191911af75455dc76ac7be5e0b5155d609a3c96353926 |
C:\Users\Admin\AppData\Local\Temp\sgYm.exe
| MD5 | 6d4d6ced89003389b4c9b88fc03c5d42 |
| SHA1 | 5f85119389b54a09da96b72576b1d8eaffd0acbd |
| SHA256 | 3674556a73396c7c05f7e6d39ba77ebf9964301f7b46f2bbb7e5e1a6598559a6 |
| SHA512 | 1b41c62da52f0475d4b3383572e3e7afbfd55110cda0b2dd91ff468122df0290605338624760e3c0c9f4ba650eb5e0d1d6f733d7ffa6db94c518b7c8d38ee324 |
C:\Users\Admin\AppData\Local\Temp\SwYi.exe
| MD5 | 5c9144e4ff1fd08b9cf388eaec42ccff |
| SHA1 | 6fa9ea95f3f85bf3be104704dc0f33d12d23b422 |
| SHA256 | 0bc75f841991dcc741683d4122b8ffda08a2ef0b84f41dcedd46538fe3fa1592 |
| SHA512 | ef821d774334f1aea92684dfa00c58e9432d3761d6b12a2bf618567a47f6b2790df38c9685d1a4b67a4d0bf0fa706eaed6ea629616cee6d6bf35ad1a70899bb5 |
C:\Users\Admin\AppData\Local\Temp\CIkc.exe
| MD5 | c76a8e1f8a4d0008668a8f0db50be25e |
| SHA1 | 803781e523e4e473c7234a8d99779c9aafb55719 |
| SHA256 | fe1292f901dfbe6afb56b881dced002f4db697b952aeccd29f0eefba22de8c7a |
| SHA512 | cd4fdb86c05904d0daebfb0ec19b83ddb1d6b2dbd97ea4c450bc1d29e5a954ddc5f27c89247ad290844d86eb293dd2792fe40bbef15f829cf2c3d69924cd3e3b |
C:\Users\Admin\AppData\Local\Temp\WQko.exe
| MD5 | 1696309d562c02e6c131b232c439952e |
| SHA1 | fdedcaf5a1d8179b37e4247e251d01697c261dcf |
| SHA256 | d2b13f59a1e96bcfab595fd4ee4489908d9b6fe170789200fd52e62ebf5b32c9 |
| SHA512 | 4891dc9fd6043b0ca5d448d8dba7fb14c169ca2700f131506f80bdf2db7dfa1d4770914dcb65be2892dc4dc64a33e1984a00c5f0721aa45312901fb6d572edfb |
C:\Users\Admin\AppData\Local\Temp\iMQi.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\CMEO.exe
| MD5 | c225a24e7c6da477face6cf0f79a276b |
| SHA1 | c0514c03202a0d037a320063f01bbf223a91c3c0 |
| SHA256 | f4e59105690ca37b6b038e9bbed4d5ed95f06e4afd3f919a51826c1116b83b2f |
| SHA512 | de51ce229e4d8e10fe346e7f0af120c2fc59a722be93254daf1b3867aaca9b7298c87d695c85689258a3073107ba78cf541bf84ee7086706c2ca1348ae234811 |
C:\Users\Admin\AppData\Local\Temp\MMco.exe
| MD5 | d164e1aff6bc5a008a85db1b92f7afb2 |
| SHA1 | b25c7dee0f70097324ec8c8e138a692cb7e7b374 |
| SHA256 | e294f07321b6eb372f16ff2de318c9c31845b5d35ecdefa518e8939bf41d59b1 |
| SHA512 | 149bdad5b9eaf6bc4c3fa77e90e035c75ad5a24f69febdacc53726ce3b76a959c03006a2593b885cd2ed78b15d89e614be6ea1eb6fd18814c6216e375337c11f |
C:\Users\Admin\AppData\Local\Temp\Ckcu.exe
| MD5 | 07f9a0d4029c2810925122e6850c70f8 |
| SHA1 | 179d6578722c70ff467ed072f807d2dba3dae185 |
| SHA256 | c99a75123b804aaec7aec00d3c84dd83bc7fa958ce0f8c0edee439149ac9527b |
| SHA512 | 1b4e60cde813e42264affa397869680f74a0cdc946ed19057ec004fb67f13554ed2c9c36faa7ce61b15e02b0c100bca6f8938d01be21636bcade817ad52138a3 |
C:\Users\Admin\AppData\Local\Temp\coAw.exe
| MD5 | fe679381f0b235d1712271a9148210ae |
| SHA1 | b063748abf6ea82f160549c305cb844a254c6c87 |
| SHA256 | 3db3ace5a274aad6a93421132c5ae5d9bc4e4854b9cf71fda23472e61db55cc2 |
| SHA512 | c0a3f39c225b853b3264c0c302cf264f93cdca47353606a8a344ce092a516ab87d1e3ce237af6f80b81b978d5910f2643d9040434b4e2480a6b76d71b9593d35 |
C:\Users\Admin\AppData\Local\Temp\GMgS.exe
| MD5 | e6cef2f657dc7cc34ce0f2a7bd5571e7 |
| SHA1 | 656f32bd5d43069faecf3ee397f2cabdb9a81932 |
| SHA256 | 2d07551e93c4610911a9ec96299e30e782f00643ecc70a24d4931bd639b4c350 |
| SHA512 | 212238cde80b956f7156ffabac50d5348493bee22479bf3b4098ff38644b2f2a2099acc1c02abbd02d28a9b8bd27d2fbbeac19acdd0938b1a61599be5297fb22 |
C:\Users\Admin\AppData\Local\Temp\IcoQ.exe
| MD5 | 64286894e59fedb34b59083e827a7c6a |
| SHA1 | 080b2df8a2d038f4011c1cb9fea3137e46c77a10 |
| SHA256 | 464e5d42124f1cc951749ac3de61f1d94e23654fc9de53f07d025715201c2c9d |
| SHA512 | ec2a7aa562b53dfc5e1fca458ddd81576f95a905f807dbcf7f56adb3ce26e82cd3146803e788e74107ac9e1f192188b57cfab5b3d439967b1add8bf829010c5e |
C:\Users\Admin\AppData\Local\Temp\ysoE.exe
| MD5 | b6ebdee21fb9ae6d999154cd60856d81 |
| SHA1 | 9c4c48498314676f60a2eac06145cd51caed1d1e |
| SHA256 | f98a6e9571f87e0195cf4db8d49811a27984bfb9ad3859c6f08cbd9ca43f41ed |
| SHA512 | 529836a97881bf9a6cf9a157a0aa08b47dcbf2922f0ce02920274ce19a4682aaeeb6313a4fa6f48ae29efcd81cd8f04604643547c88ee614f5ad43175dbae035 |
C:\Users\Admin\AppData\Local\Temp\EUsC.exe
| MD5 | e44fc4443714d8c98dda4bc59f7415f7 |
| SHA1 | b5c9e7137423dbe59515580a6a363ecc07d48860 |
| SHA256 | ce72c3cb55add6206c5817012da9c2b8b8ef1392eb46100035e161cb52642521 |
| SHA512 | 706e35e8222014e039848489e0ae8f1183c5d234d3c91976be55fab137f225fd2ab9ace71cf79455967d33c4d06139174d7a8453b9cd3d03528d19988d4e12e5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-19 22:44
Reported
2024-10-19 22:47
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\VogsoEsg\OkUcMwgg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation | C:\ProgramData\yCcwwMUk\rosEYgEg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\VogsoEsg\OkUcMwgg.exe | N/A |
| N/A | N/A | C:\ProgramData\yCcwwMUk\rosEYgEg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OkUcMwgg.exe = "C:\\Users\\Admin\\VogsoEsg\\OkUcMwgg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rosEYgEg.exe = "C:\\ProgramData\\yCcwwMUk\\rosEYgEg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rosEYgEg.exe = "C:\\ProgramData\\yCcwwMUk\\rosEYgEg.exe" | C:\ProgramData\yCcwwMUk\rosEYgEg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OkUcMwgg.exe = "C:\\Users\\Admin\\VogsoEsg\\OkUcMwgg.exe" | C:\Users\Admin\VogsoEsg\OkUcMwgg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\yCcwwMUk\rosEYgEg.exe | N/A |
| N/A | N/A | C:\Users\Admin\VogsoEsg\OkUcMwgg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe"
C:\Users\Admin\VogsoEsg\OkUcMwgg.exe
"C:\Users\Admin\VogsoEsg\OkUcMwgg.exe"
C:\ProgramData\yCcwwMUk\rosEYgEg.exe
"C:\ProgramData\yCcwwMUk\rosEYgEg.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bocUosUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LmIEQkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEUIQAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqkwcsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCMwUEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScgUAscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JoQowYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rGgwUoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VwwQsooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQkIwAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ACAccIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQwQkcQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CkEQoAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkEMUIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\reYgccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEYoQswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGEgYQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1276669138791286998-979422388-876549899355978172-1822352357-1127100639-1487302504"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2037747958-4144575171845098960459820952326897355-17666886611042313507-1171442823"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgQIcQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GQUoMcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6528396181496473665727454720216022391165456713759143520-966189933-1652463829"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeYoIQUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQoYsUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUEMwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HokEgUAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIQYcQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tKAwIEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "681336078-65019638920982151201964400777-17217551331924199421481780999730980037"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dOYAoQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1042997096-516617004163162028-20160761191901375771212057288-8860014321278254428"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgAwYwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "739632581531254283-797654873-2007830605-1178978717-1178516220972300797613388718"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cKQccgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeUoUUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1541765976-570379439-1339695259-2119368392733705666-994133011-1682956091-588490014"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1216194823167837033112022861535497101-571060911-1940317682-9381008091956973694"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\agAwkUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QqkUwswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQUUMksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKccEUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "606737339580104541-1685783532-3672092791368211710280996060-19078684391049564856"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsQcoUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "29017990-1023847137950859282-11755990851162749091707308367127990205983370353"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PukAsIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8955199043047717581821860521196334413-1025626980-882465454-2136429117-2016410465"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qGkcooQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQsosIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13114131661268720813-555736107-6618682771478062019-19409476071502726111-998491498"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSIAYsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1983244138-17358775642018182908-1568794851-63616139135726426816182041781311024515"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gOMgIsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PqccUwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2062967144-16849107671883805374-1385274508-840450009267701683279668518-2129724311"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMgoIswI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWwoowoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-187263425213645253151138062622749164495-1388196213479767165-38214256788131803"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMgEUowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WIMIokoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8099304311736569787-1905922725-1235171276951096935706510329-1641107383151036039"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GaYEMAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9573115011775184418459149331-3458323371223989501-964778975-1110442879598762905"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1535397125-833333543731506230-14990446331993824003-1523723054-81264760-1188107504"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1412933911955229264-1769817057-181710216714480320714949676-1334195503-2053261918"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eqIQAQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1619487503-74623452947234972-817862345-4944592331661618584-1794416524-2046061820"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FCgAEkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19902824681273445615702556776-64096474967486525643114210-19300626981619402844"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcUogsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1266467191-826835699120659232-1674933768-1276580962-1785693164-14257076251417822294"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWIwIkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1262328289-7630784341162974781-2125072566-538265264-715226857-347482537547161316"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\voUMYIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cecskAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2695727149291204221619377474-1917605647-122262942806709079-1259966595182562075"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2092315065-2130065843-573849790-1684289913-1447962795-182424985-12358029851445147065"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-509200737-2738782201072871397-1821652361-875069304-135721244920674010351629045101"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EuEYQIgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "61387281-2096027031-6990688671626198111-933427385100592557356658878-2005425352"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14290061891296424608-15122797301657480933918015620-1598107233-1450402847-1331434398"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18062455421141796824-1448826874668951409825538300354983947861533651993929253"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maccwgAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-132132130215404935961182758831915922276-294869475-18347553661348759584421261299"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKAokYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "207345819711727384931158258574163239064934727007616624012571369853027995654021"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "365087462-1367314340-1161204755-4520056552985289711623863139-421034504-1917600460"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "427013058-1460676152-1541276598-64847716-62940086614478505011997270930-234982203"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcsUgUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1817152280-1490206482876288898-689326898-1171837036-1404516003-13859402591997278340"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-825466984-47523446267165738-157004025121354679771041614567-1034037104-1818719242"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcMIIooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\poIgsQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-960842707-1561382727-1621653201-501757395229470280-647827218-366604084-1637494977"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIIwQQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1710386864-1319239381-1151654892377033348-1694358809-1714987296-704821021210873840"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1159446744749788011-14144112982095493479-1951565419-126402085914861422411285918200"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1494105666421071921083315962-819010737-1254652355174456427011168796821872615587"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\auowEsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13534597181060348617-3290449291501092322-8198834011288126668-43776816-2066521171"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgssowAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5874456538079263-19894365121708522927-214592684570369701-560730739-1426396390"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "187100493-126484442818148895916842940083291534562029039695-1956378876-1983633352"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19318112681536561053537774916-848667261-100598715817791207225312520071863260296"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "652596762-848094263-1844088863-515648418-830992270-3166244991236496997568956055"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYUIwYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177521597219732350071318346891-747631141-16607033962027746533-1401393157226709542"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1205688171-933602758309345762-11005497140471281022417545854111442588531384"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VqwcEAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "272339226-1338152575-1102194219-1498945359-8250342361585049320935394464-2095077317"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LiEoQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13956951736693513993753051141497458290-852886117-173821344-10334257982570719"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1216676625-3636180701717949227-2081069370-19358371755333739302119710412-2049668540"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcUUQQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1234284599-992194387185557687266105870670285032003043522-1460053495-1927947489"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUAAEsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "939406398-2074939340213790622812469869871390160041-6736360061317043079-1651242772"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "430060869-1606806033727389354-304433002-1647361948-6944797-1947567212-750343117"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2121477529-1610229841-181116917147419745911392728311150387339123559222841581931"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOQQskUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "445280870481225466806981541-1409266207-1790934729-7719104581301281638-1915779496"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43858177334131299515171622211298573789948369654-989837943852047052-1569180533"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.46:80 | google.com | tcp |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
Files
memory/2376-0-0x0000000000400000-0x00000000004A8000-memory.dmp
\Users\Admin\VogsoEsg\OkUcMwgg.exe
| MD5 | 33a741f62b7c5a29f7b2369034c69a74 |
| SHA1 | 1ed582cbcbb559f5f6fa2ef1d5b6ccdb3c8e6628 |
| SHA256 | 6da442604152f75a558d25220c7bcd64f98b36d801130854ec267ab9ddc694c3 |
| SHA512 | eb96ed624b79e5345e55c9db51ac2ee8f50fe6fa44804519fb363d77f996cecdbc7f88007ecd4c58afe78f5ab3c9b72d52730f95ba5f36c6c6282284e5c5c21a |
memory/2376-5-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2376-12-0x0000000000390000-0x00000000003AD000-memory.dmp
\ProgramData\yCcwwMUk\rosEYgEg.exe
| MD5 | 5678da8e75e0a14e63d5e6aaebf77938 |
| SHA1 | 1f6b175ea98b40c19fd92fde7d06bb59922b599a |
| SHA256 | c7b106e692cd16e4ea0bec9971a31c93e06545f0a8d7361e4a82cb6e38c28637 |
| SHA512 | 3878e4d9526f42c1bfc9d4d47f13fe8164eab0e3d3aa191606dfca78c7d331b19d751ee0a6c3047a67665a8f4f950541f673a65dcdf7741e2c5b9830348a32a0 |
memory/2164-30-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fsYckIYE.bat
| MD5 | 9e86e9893b91e8389be2519a92aa05c6 |
| SHA1 | 67228d3b76e2b9465870db4862d29942986a3924 |
| SHA256 | 0bbb2991175f90f11aec233cd24100f8915efae7048ebc30c016157f86c774e2 |
| SHA512 | 9dd27d70fddfc932e50a637e99efbbce243a670b7df31eb760a7b4ad6a44d15572eb205075e9d7a600d1d7f7f8f50196c279ed483c54cf184f8ba2833fd6bd23 |
memory/2376-16-0x0000000000390000-0x00000000003AD000-memory.dmp
memory/2440-31-0x00000000022B0000-0x0000000002358000-memory.dmp
memory/2848-33-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2440-32-0x00000000022B0000-0x0000000002358000-memory.dmp
memory/2376-42-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bocUosUY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-10-19_42de2729a8457deb93859902fccecf16_virlock
| MD5 | 8969288f4245120e7c3870287cce0ff3 |
| SHA1 | 1b4605b0e20ceccf91aa278d10e81fad64e24e27 |
| SHA256 | ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73 |
| SHA512 | 9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a |
C:\Users\Admin\AppData\Local\Temp\bwMgsUwQ.bat
| MD5 | b867834bba91c0a985331b76ba033559 |
| SHA1 | 2da936516b4e2cc4e6814220e52a64d82966721a |
| SHA256 | 8dcb42f9fedc4cae446ee4cd03d8b6580d01dc7202799cdfd0b6992cbebd9f26 |
| SHA512 | fe2dc2f3e481efa1744b83b23c6af392232c57d8d2fb26e0671324174cb9d3b85a2751f21436a291b7cd8f54cbf297efb0f4c6788b91d131152722b6567b7866 |
memory/2600-54-0x0000000000320000-0x00000000003C8000-memory.dmp
memory/2848-63-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\wukUgUYI.bat
| MD5 | 022b4dbee7e9112eaa957e59d93a4a47 |
| SHA1 | 81e9358c2119802e964bb08dac44621287dd89f7 |
| SHA256 | abd134d322d85ea696d55bd02deb87bdc28bc7d5e6371991adaf9920eeb3fb06 |
| SHA512 | a15e619238137ebd6a2005bfe6a6ce6e42b0c194ee26b3058153c0b049326a9961b9845b3e9e244fd323b6e7f256c92bf83f6e0f0b7e033c01fcb1452f3fd203 |
memory/1164-75-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/108-76-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/3056-85-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CmoUsMcY.bat
| MD5 | ca29d8c37d52182d24cba5d51c786aad |
| SHA1 | 040ff3dc213256b7178a6bf3c05882e2bdd41982 |
| SHA256 | f729cd8fb2a9f113b3418917750206d325e01f7ac32a96d650bcae6add21bdc8 |
| SHA512 | 7bc846cfe2aa97dd917fccfb9cb10ea2b75cce9fda69b9c81cc29f0d315de7588895369bbc78280f2f252d4328bef512c42935f8c79143469b434bb4cb54e446 |
memory/792-99-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/108-108-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2688-98-0x0000000000570000-0x0000000000618000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EUsQMwsM.bat
| MD5 | c591a85a6fbdd0c440a6acd74cf5842d |
| SHA1 | a8c5b513c6594f1dc79e727b62957cd1cf38be38 |
| SHA256 | a1b2e3475525352630aaaa30e51594a74dc9f5a4e8e52707310b07d25fa1cfa2 |
| SHA512 | 12ccf9aed92c6775181e7de848d950ab997ef4bee419dc9f70acf4f6f21bd1b7be296a768dd3b1519fc4bbaa2502c58e6375ba0ca36cb3d5f1300edbc1efe364 |
memory/2344-122-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1144-121-0x0000000002380000-0x0000000002428000-memory.dmp
memory/792-131-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\awEUcEoU.bat
| MD5 | 429a107e3b986a754f11eb96ca9ffabe |
| SHA1 | f87d924d761a923aee568f29ed8b1d7c8d7e85f7 |
| SHA256 | 8dfd14dd4568b60780792ba1dd5dd319c6d309bbb6086891f1904413b173c138 |
| SHA512 | 560984b441167aba7b00865bb062aaa8f10f17770e82a1b79a6d55e37a6d903954664d47c12ef696bf9121963b47485059bed538c8cb66ca13664f7c40ad391f |
memory/1880-144-0x00000000003E0000-0x0000000000488000-memory.dmp
memory/1588-145-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2344-154-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VOwIkcMw.bat
| MD5 | c3063dbaf09b8b65e3c31c8f2849192f |
| SHA1 | 8165fe70aacfc96832866fd0a30f35f084f033a3 |
| SHA256 | db2b34e24b82bb5ce93e941a5e2e7fe5b064167673e1f48c8a611e629757d1ba |
| SHA512 | bcbf0f688262cf7080621b60c14f75d15d6be5b4e738eb8482eaf713e48dbf0a115011b042da431d5f02c0d802ad50f2000d809a124a9feb38e53686d27a0e19 |
memory/2620-167-0x00000000022F0000-0x0000000002398000-memory.dmp
memory/2500-168-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1588-177-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lisMIIMw.bat
| MD5 | 8d4df712ee500329231f162cdc96ac70 |
| SHA1 | 05e6cfb43cd298571a3ea8c9a43d226e13261ff6 |
| SHA256 | 81becf332328b16951aa8bdfedd68549904add31121a79dfa28597eda6b84ed1 |
| SHA512 | 2f8277e7da0a6024a54ce561981d1dd2964d49c7ae6a765d74f1fd21dc82a22b75c469bec8e811e2427fc327a1136c6ce5ca4ecbeee7c7afd123add2c8ed124c |
memory/2412-190-0x0000000002310000-0x00000000023B8000-memory.dmp
memory/848-192-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2500-200-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LAEwQQcA.bat
| MD5 | 340e93a34e459c593bf0e377de9c2171 |
| SHA1 | 2cfec4608dc46caaee7fd00ab55a0085410b6067 |
| SHA256 | 68481951fc563a84e311ff7f92f98235f916f79cbabc7695a4cb2930c3677fc7 |
| SHA512 | 5b75a296e5dc94eb9aa6b8fa4580709d9966d6479796e08dd7d44a6bbf79d1e2edefc9ac22ccd2758413c3635db0fa81d26d56c6533cc960b05097e3bc8065cc |
memory/2792-215-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2932-214-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2932-213-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/848-224-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tyQQwYko.bat
| MD5 | 4913833295e4114dbbe0724d944a953f |
| SHA1 | dcd97c97deee51e3f90cd67d8cb0af6d24c06a94 |
| SHA256 | 695c25d5687ddc5b66cd4a4ea92578b4e13803857ade850f0e58263ba4d648bb |
| SHA512 | e7d8a800edb968c77f3c635fc7c29338be0e2039aa53c4bdaaf8e6c0eed079a14abf5eeba6250a1220302c36dffd720ba83aa0d9083d6301cb68db1c1572b05b |
memory/1304-237-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/1304-238-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/1328-239-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2792-248-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\buMAgkAs.bat
| MD5 | 6ba5f5c303b4e1f213b7fefd284675df |
| SHA1 | 4cda1c7ff706511665aed6b5134120dd263c430e |
| SHA256 | b192e466c398319ed88763b699c5a46f1b097ff6b6339a840b81a0610a92ce74 |
| SHA512 | 3fe3c028ba7c4175b515c15d862ed83a9e17886a048f9aaf4de075094d5eca4e2bd89187a35fef8d485ea74374767c29225af0753f42416dfdb8a94fbda5cd85 |
memory/2176-262-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2396-261-0x0000000000220000-0x00000000002C8000-memory.dmp
memory/1328-271-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYQcAEcU.bat
| MD5 | 6fe10fbe00305520692bb017f8f98e37 |
| SHA1 | 3bdfb52c22775386ba1a55b16f91617ac3c1c7f5 |
| SHA256 | 7909b196f2787d014f521145e4aefe3903a1d9a87dfe1f03cd69c8aa9e48706b |
| SHA512 | 9725f056271c96d7073aa8def79c7204e15d80debd63a619f30c70845781d6adc959eca9bdfed1ccc2d2c6d8fa980f09f60ef9635a9d37d4da4b50b97d56273c |
memory/1636-284-0x00000000002D0000-0x0000000000378000-memory.dmp
memory/2896-287-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1636-286-0x00000000002D0000-0x0000000000378000-memory.dmp
memory/2176-295-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wukcUEQA.bat
| MD5 | c83b2335e7c3e81a9e90317734d843f5 |
| SHA1 | 83a4ede2e971e22d90f3cef2e6913dbfdeb7e0c9 |
| SHA256 | e9334cc16d11f24d10aebd470af38a8501011cf2f42a37ad9e31b466934931a4 |
| SHA512 | 7b7093cebd0fc09d58ee17d1761ed48d133a41443ed6a3874874b1aa4a73860c30c25663c97280ef769bb7aff9d1df49ae5c2a216defaca0185e691d0f20bc5a |
memory/2608-317-0x0000000002380000-0x0000000002428000-memory.dmp
memory/2920-318-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2608-319-0x0000000002380000-0x0000000002428000-memory.dmp
memory/2896-316-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kcMoYMIU.bat
| MD5 | 728b89a5ce615137dcfa243865ef013d |
| SHA1 | 755b29da4dc25a29c1d57f78544e382f4681d552 |
| SHA256 | fc985f5c9648912bdd44714a1d95c770fa30f5ec9a5bd99a00b48d1d4b6e6056 |
| SHA512 | bea81216e3cbf8c8126c13d67ef837b3cdde802e19850937404f356c5a439dee7ef8d37d66df46fd2956f74f09445ed700c6bbf65e2695c12a44710a03271edf |
memory/2920-340-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2020-341-0x0000000000510000-0x00000000005B8000-memory.dmp
memory/2748-343-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2020-342-0x0000000000510000-0x00000000005B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuQoUsUw.bat
| MD5 | e8acc6fb325c93d899fb85ce3ad54af3 |
| SHA1 | 1aa6b2216b97e093b4acf16f0ebaef4eb90a5604 |
| SHA256 | ec827d37194c14bc2006640aa143b6868e15c3c4118855fefe631a3b97a03503 |
| SHA512 | cf0d0ef496bc4bd8ea95481ddaf3d962916c076a8ad03c3940e422a2eff56f8babca18ee5ee3ea3d6ba91b2440cee84c0313f395e97817c75bd883b7e5470803 |
memory/320-355-0x0000000000410000-0x00000000004B8000-memory.dmp
memory/320-356-0x0000000000410000-0x00000000004B8000-memory.dmp
memory/1436-357-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2748-367-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PEIAkwIQ.bat
| MD5 | d397abc69c5045a546c5efe44512e726 |
| SHA1 | 4d4d3e94d4ed05a8dcaa45319bc08bc0af422cdd |
| SHA256 | e0f1d8cb035e393db14b013c25737c76d367c8c238cede5d30b600cad7182a20 |
| SHA512 | b61a2138e2872750580d439515ecb0a523cceaf604269cb49912739e521950ec5492dc2373400f57f2a34abe758e682acecbc4c4aa8c4daf134c2f9a160acaca |
memory/1436-389-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/880-380-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RWsQUMIw.bat
| MD5 | 809a7b6458b716ed16f23ccc5c0fbf4a |
| SHA1 | b03e3b0e4c084ae120f9fc879504e79c55e1fcea |
| SHA256 | 25d069026b9bc04b00c52a28cb2f95d8cdfbe5ce0dc2649fd4579a676f6f09fa |
| SHA512 | d6c3bca3a472abcd2491674d5d23451736b0e0c39e5d8b18d38911ab7157c90ad69e5562a737f296e0306650d461a3aed5e7f80aead7bedc8f9e3097f58e7b59 |
memory/1144-403-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2728-402-0x00000000022B0000-0x0000000002358000-memory.dmp
memory/880-412-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ruwMAwMM.bat
| MD5 | 13aa90112e1f6f23871bd8fe38c0c456 |
| SHA1 | f91c02adb3a99ee3c4be835c6292418d5f42ccad |
| SHA256 | c87e999b21b74ba67ed6cf2bf33d0fccaab8980916105bc5d0316b1e56ed877a |
| SHA512 | 1f2a9ce09b4aced0417261e42c1bbc0d68a36b7ef0d4500fdb4ed479db0b860b54aeaeee14b056a8f0fb6ec245e464d38dc594c79ce150d4eda78212949fba63 |
memory/2732-428-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2648-425-0x0000000000270000-0x0000000000318000-memory.dmp
memory/2648-427-0x0000000000270000-0x0000000000318000-memory.dmp
memory/1144-436-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ukosoMMY.bat
| MD5 | 3fc4038bbee3d972cad06e6d225ff033 |
| SHA1 | cec2747a75bab51f5c5847bc2622303438e09e47 |
| SHA256 | 9ac966bf53d665f395521d567f8d663484327b66b501782938349b2423ab1933 |
| SHA512 | 40cae175dc6fa7ef57ba2daf567d7bddb70922efa489df5ec4abfdc6690aeda156e5562dfce985227f5942193471e63d1159a9f230b936704edc37924d4c5945 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
memory/1808-465-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2732-474-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kkgu.exe
| MD5 | 87b26a3f0b9e557b4115dbcf1426f46d |
| SHA1 | ec6e4933c3be4584a0e474a97a550212223ce28d |
| SHA256 | 4e77830c918b32ed1bd5d259cbb52a2b6d1f0e82cf7edc2d3eeb4e98239af3ca |
| SHA512 | 3480f4eea2ce4b80189f246dcdd8ab6bd3219fbce6add810ac82177d9b8ad17a594195541ffb432da8d81bf5ce0301b20d4508ff8c95c8e61e09250b433148a9 |
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\AuwkwkIQ.bat
| MD5 | 17d7c6b835892421e67c31005af86ef5 |
| SHA1 | 005b3c3c51da376bf09b8dc95168991823fc1608 |
| SHA256 | 477a682e9891ae8e379d28418598de38136681ac7b36f9017c4c15a63ce5a106 |
| SHA512 | 116b923014d937c68647f1d4727bbc4daa654a62450c118498f8787fc59cb8978be5bb85153614b300d9519288a398d8304c32c7a91718799883d82cb2feb009 |
memory/1620-486-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1808-495-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GUQI.exe
| MD5 | 89ce6d2f0df61406a60b96a5642b3fbe |
| SHA1 | 6a6e18435a73b392ad7e5158fefd9bd34ab47c0c |
| SHA256 | c558e7db9029e9b3c4247bb3bf21b0cf4b283ae6307db7afb6f074ca2aadc9e6 |
| SHA512 | 0485c69019be392e5fa1658b6825f9cab9f52e3ba7e9cdc6aec056d1d45984973d9cd108a58ba1b3f21bf2afd68c86d19edd39037e5604cc55f514e308c21396 |
C:\Users\Admin\AppData\Local\Temp\cmAkAIYM.bat
| MD5 | e7b8af4385b7f0da9bac8d46d607e63c |
| SHA1 | dea27189b252ca016ce1ef88ae97106be8055402 |
| SHA256 | 21fbf33f0f992b3130f9e1f5158692490a7e14b7efca0c5df5286f001557e8ca |
| SHA512 | feb013ef02c93a310fc42eff6d8fee63704222d73195b54781e042eda118dc5f33aba809cb990d36b47e732c00931b1830718e3c4f2b5caaad3459569fca5430 |
C:\Users\Admin\AppData\Local\Temp\oIYA.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\MwgI.exe
| MD5 | b488c00d7b45d3cd78c01e03a2659a2b |
| SHA1 | fee5949ff12048bec2325964944667c347785784 |
| SHA256 | 9aaccc6d8c1fa8650141b2861e36c7036a5845f16dc09b78cd25ebc73e9c9bf8 |
| SHA512 | 19e1a91cc4e79227cc86ecab9049d787803fdb4599628d345700706b7c61e0e68970575f642221eff02e87f520af491efd64f404f8249c5683a563db002404a3 |
memory/1436-543-0x0000000000490000-0x0000000000538000-memory.dmp
memory/2400-545-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/1436-544-0x0000000000490000-0x0000000000538000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wwIo.exe
| MD5 | 08411e12a72bff07d2b4efd6223dda9e |
| SHA1 | a257f4a434c55a70695580b96f39bbd5124ec1ea |
| SHA256 | 3dfca6bc4a7a4aa7673777212dd1a558fafa225d3a2cf874ebbd913225c33ba4 |
| SHA512 | ea1a47bb10a079dfb77c71d52b55c7079cccbe630ef17715d6a9bb33919229f363026b627e8172369e1d4c84a2f5e43616636f5e7c9c333f6698073c5da27f55 |
C:\Users\Admin\AppData\Local\Temp\YckY.exe
| MD5 | c6b8c74e3b323a8d7448b7528910f998 |
| SHA1 | 151f18e4a5215b47f66f27be4f1ea4e68ac049fc |
| SHA256 | 6ce5ce6aede173310fce0853cf27ab87f108eecad6b92659e2f89cf0d020b91a |
| SHA512 | 9f5acfb6f28b15606cfbce02b05edff8adfd5009274eaa0c3ad7716fe3c3d5d4d752191e96d2ccafe6dea4b8296fd67e5f6100f7205495b73dfd0efd48e08150 |
memory/1620-567-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SkUc.exe
| MD5 | 2d2218c93e07b13761af71c1cb0783ef |
| SHA1 | 5455224e34abbf90b198bed35fe6061365f02484 |
| SHA256 | 362e3623c01e19de51a0aa61b44a533e42424ad9272c3ab15b0317397596385a |
| SHA512 | 64182b2abb4adafce779d578116e338264e16527540eaac14bbb32e9954421089c163e3bca03a48b7a45aa123ecce0368449fd56dd1318261618c9309373677b |
C:\Users\Admin\AppData\Local\Temp\YCIMskcs.bat
| MD5 | bf15a938e093bba9cb7ea0ffb1133815 |
| SHA1 | 081785a0afc3558e6fbb6e6e67ea4842622e96b5 |
| SHA256 | fef4bead09b9941d1d88b0e72ac6bcb9d2072aa294a6d6796d47d8eb7f920cb5 |
| SHA512 | 62fe0c4c331bf4944bc6e7b41ac1001d8ee75e6d5dc1a4698e51d47ac4856adb9550235f09eebfc1ce48f515d25dac739b28976ed60b046f5fb414d3ad69e2eb |
C:\Users\Admin\AppData\Local\Temp\uEIc.exe
| MD5 | f52835925335a8309bcd91aab6911247 |
| SHA1 | c2505b494ff2ade057ece8f4dd37dee51a16d6d7 |
| SHA256 | 6e76a4f9335b2bedc430985712e36cc0b2e25e90300cef33fcbc1f4544116533 |
| SHA512 | 7b9a816e4d51730a82b20580378176e4e6f0a2b36b3bd00cde4a2fdeec5c359c92b191719ddda590cfb81b770adbad09c7656359fcbdb3d758c68309d90441ee |
memory/2176-616-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2304-617-0x0000000000400000-0x00000000004A8000-memory.dmp
memory/2400-639-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qkss.exe
| MD5 | a4cc6bbba10905bdb316643139422163 |
| SHA1 | d3b2b3aa5b04c61846ef14d8583a097c7f9c8a84 |
| SHA256 | 3370cb79742f1d831eb4accb14440044e7328f339809a047a60da411b8b4f5e1 |
| SHA512 | f855853331354c9b29126d5511a7c4107b95a71eebd13e55105517d547bc10dea16c69cef69a9935dcbeca47d9b8a8993c9df6f953db6efdad2bc939e5a1db00 |
C:\Users\Admin\AppData\Local\Temp\iwAg.exe
| MD5 | b6d05a00cb3f4e56c4ca43ddbdbb7a6d |
| SHA1 | 9cd53cdfca6421a0b018dcc5040a1aa96c964ff8 |
| SHA256 | 8dea1f49ffa5faf4b433f2382a44fe0292b833779d08302e4880126690c77761 |
| SHA512 | 678383d4ddaf5e27dc23848ad26fc79b2cc03635f1d40b7c10e07f178ec8da8fe86323cb53b322a35b51daee20196d75abea8fa7a1eaaaf6e30564cf86d8f2d9 |
C:\Users\Admin\AppData\Local\Temp\oQoC.exe
| MD5 | 838c0917b3fe06071bf514f241838d3a |
| SHA1 | 093c8cfa8a0853729fda28dd5f20e3e1dab4bb25 |
| SHA256 | 955f466b4b4fd79b194abc4b9d0fa09c9d97c4d59567504c57de56e6d2f2ac3d |
| SHA512 | 6ef84e0ad76e17a12231c5b181b4a864eb7156eeaa4b4694e0ffdea881daa872238cab8ec4d251aace0207c2ce9b215dddda7fe0a7a77e7dde5802144bc426e3 |
C:\Users\Admin\AppData\Local\Temp\WUQA.exe
| MD5 | 18e2e79dc2068729c736b9741ac72971 |
| SHA1 | 215f06ffcead601ccc01e41dd44dd484e16234ae |
| SHA256 | d1047881713dc770bfa6bcfad7a868f92f7a6d4259df8b0a821ebdf8b339c9a5 |
| SHA512 | 41482cccbdf741e8386a418ed509af894c32dcae78bbf91d12df8e95df8db36c41decc0847911f65c4e3009a611d99e1eff1d773cf6dcf6d74c8f00c80af9cae |
C:\Users\Admin\AppData\Local\Temp\UgcC.exe
| MD5 | ebfa67ba495d256ec9df9f9602b28b49 |
| SHA1 | 6ab0abaf137c24a435c5af6ac08b4a637cd7385c |
| SHA256 | dda057879a85b469970f5918d022a660c38972dfc685e2b56d2a24234f3a234b |
| SHA512 | 63dc2d082a973130961c133e1f5d6013c7ce4924832cb1f71b359723adddbf758a63bbc32c81bbdf41252de8e3a6022c30fae5aa5291b3f654b24200ccfc5a9c |
C:\Users\Admin\AppData\Local\Temp\eyowAosg.bat
| MD5 | e5d9d76f0f784b0d67c9454d908cf4c7 |
| SHA1 | 0ce876c8504eff0a89eed6fae94d3e3aa062856d |
| SHA256 | 7c81ccf83cc3291e4d1361a522d27ea16d6e75be89f2f0c2b77a175e65728188 |
| SHA512 | b2620f6348b5406edcd401d52cc0c7179f796c6c21165e5f93c0115b5e106e9d01bd4991caf3ecacb2056b25894dcbae5d856ae11471c39f24550e4a6eb9ac0e |
C:\Users\Admin\AppData\Local\Temp\YEYU.exe
| MD5 | 2b9f90d72db318964cd3112d93746cfa |
| SHA1 | 3f8e282ef34b116e27c749efe3aa407f0376e122 |
| SHA256 | 9fded62ade0af513636445226ef83a577e9904d66bdcc5cd5342c5e7e803af9a |
| SHA512 | ce175c08c4cce891bb13e6f8fee9a489ab4bf56a14d22cf6f25b3dd8efc90b0bebe5e8d3691c6e6c33e3b6e11eabb49a291ead0d916d67cbb93cd976373c9299 |
memory/1792-714-0x00000000003B0000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Iswk.exe
| MD5 | bc68ddb8dc7300d1327f38ba3558cdf9 |
| SHA1 | 61d1307f6663df418691728c5066a9315d9b2f19 |
| SHA256 | 3a5289f7cf73b782b5e063d493235f162dfdc8bb435f03f09c15963588c84824 |
| SHA512 | 9de4fb5d230224a533129dd08d040c4d8708e2ab536c75e41a183ce59804ef0d9a9616947e8b1fa58fd50e6490eecd6cbc5130e5956cc4898fec36812bdb6c65 |
memory/2304-737-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sQYA.exe
| MD5 | d017ecd4d83f64be1229fe647e372687 |
| SHA1 | 715b3630f67d35ab34b78695703cabac883a40a0 |
| SHA256 | 546a75083344ffabc1576451a578f1316b6b34d30c1cd53cb3b5aed3acaa4ef7 |
| SHA512 | d7607c70673994b186d635af392ab748c7a0111f1310e6d657c003c1e4825af53f8680c31ddc0ad294010668847d68fdb899d6657d7c955fdebaf539b8fa7251 |
memory/2800-729-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wYcM.exe
| MD5 | 4d60a2078b2a73adc1c488431a31e122 |
| SHA1 | 9c6172b44560ad5e35622605fe12a8b7e866a586 |
| SHA256 | 5fbeb9b10a3d2d25cad7ac33c22cfba4add355fee76a64ee65596a6e099b7f63 |
| SHA512 | e7b49950759e349d04ae3e9262cbd55b679e16f9e29fda589b66c26ba7a96002461b12d33c3c066921245865f56059b84c147eb0510ab5fb3d111d1285dd3b9d |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.exe
| MD5 | 8a12539d1e81ff3691cedc115ea80003 |
| SHA1 | bd53c6136334bbc5f467223e383f0318d6dda3f1 |
| SHA256 | 9ede210e7205d6457abc88740cd2e38297fe1e9f45403542e0b9d696aa03a2f7 |
| SHA512 | 3a0d38f6b403051a00a878949c04ff4ba45c8dc6cf01c2299bbae583676b400701e13eecf1dab6265760484d1650a3e0d87095b3a7d8463d69e8fef35f84063f |
C:\Users\Admin\AppData\Local\Temp\hEQYsgAM.bat
| MD5 | 0efff20550ea627ef33cda38daceaa4c |
| SHA1 | d97723ec68fec62360f1836fff4166e7f7ed764d |
| SHA256 | 94ed573d7003024af2c43e72b38b505427fb38bc442b9e60b50e938ae0085afc |
| SHA512 | d9705a4b8b905e8e9e8aee11d4b72c9b47d996a426db31e0334952220598a4d1c4afa2a218f5715bd0b923c5cf52c71ca6d93af49c9ed7b69b5409815371a63a |
C:\Users\Admin\AppData\Local\Temp\WAUG.exe
| MD5 | 6c3f57c1efb169d2f917a7eef9467405 |
| SHA1 | d0013003e59822475647af1ba03361d22d719959 |
| SHA256 | 567765ffc64577ead74d6e1911673411013ebdf46dac8cc36ac5cef78ed83f9e |
| SHA512 | 1259c71d5a04ba32ea37b29859116fd187638b27a5e5299b110817f7e3aca0b6d7fd8f437192201d0c6d3436e3f28a0c3a5498514982be81e3456015c2f3c170 |
C:\Users\Admin\AppData\Local\Temp\agQE.exe
| MD5 | f6eb75f81599e314e301cb30d1e4521c |
| SHA1 | 9b1392bb08236cf77c050d81140061e08b1be202 |
| SHA256 | c3f126ce20a80ef5c9ed5eab6851c5fff9fea1d410519af6ab84b87eec12790c |
| SHA512 | ef1ccf024aedddefb2d34bc1c518999e439ecd2c5219d522c19275decbac98f67570f83b6663c33bc722a4cebfee2ecb5b04ce8890053cfa05a67127ab358c28 |
C:\Users\Admin\AppData\Local\Temp\mYMe.exe
| MD5 | 5fe16b0e580b27cf348f2a828f1f05bd |
| SHA1 | 627420a53329840ca02e9f7c35386cb8d15a34f5 |
| SHA256 | 5ca3625de41ece78ca8cf40fbe1a02cfd90b3a966c1926bb6dde928a6405985c |
| SHA512 | ded4436f9283ef95ab7a744b06a54168489c0336d728af6ae93d5e285ad0a56565f3838c3543070f6aee72034ef2e1c1b2b55f2250dde2493819ab84ef3d18e2 |
C:\Users\Admin\AppData\Local\Temp\yAAO.exe
| MD5 | 7b22e944df1ec4f5dddef006fb516ab5 |
| SHA1 | 4ea614a0a4ed5435fecc3615085c76cdaa795349 |
| SHA256 | a0557d4a229cf9d054e5f8c38c0b762c9e9248ed80f3b120a759eb8421d1b2dc |
| SHA512 | 40efb6eba50dfe0cc30fafe3ead3223f9864a36e732e693add4a3ef8db0a1bb220aafa64c0d46acdd7f199cc5dbe0c2e7a529960b8875b0cfc4f64db9201a6db |
C:\Users\Admin\AppData\Local\Temp\OQsm.exe
| MD5 | 17dda546d40b6bf301ee9e268788b120 |
| SHA1 | f4e99b3fba23dba09876142f7b77014c08f7d0f8 |
| SHA256 | 83d9649a3208988501cdcfb9eb8755e763fb3e9fba8a7f5fbb4d19ceaff83340 |
| SHA512 | f5f86c3a3c4d84cd9d692aa14ddf5555113fee1b644734626416722aede05bbe5561898e94db1346e989b5b1e627db538a3eb4e4ca2fdd540e7dce167ba42986 |
C:\Users\Admin\AppData\Local\Temp\Uccs.exe
| MD5 | 114b58e03666fe207e92d1e9981c8ef3 |
| SHA1 | 90743eda1395f6134fa366614f344f93a32848b9 |
| SHA256 | 35d234b9591665239edbc3e0769e24c2f0d1a5511d0aecd4d06995ba974d4746 |
| SHA512 | fae04dc13a97975c397add1289e3ebe72543e6c9982edfe234780672334b345a14fedceba18c5266663fcaf417fe8c0249a2e0a58f71a7a38736fdb04406290a |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.exe
| MD5 | 440aafa3b11385096db58caaa3aca6ee |
| SHA1 | 4f05ad17b7df16fa911b3c293633d71a219e48b6 |
| SHA256 | 59d61cc83bcbfb352de6ec9f9ad47043f292bcd7b5d1c03cde001d8a86234bda |
| SHA512 | 3329dea78d226608cbf7301984c8763fbf85f0777a677e84058660197789f62e8b78c0a281ceaa22cdcd658d4cfd73994eb6bd402733f9bbf93f8284b0f045a5 |
C:\Users\Admin\AppData\Local\Temp\uEYsEgMg.bat
| MD5 | b2bf3cb5a59281b3e08719642f8941ad |
| SHA1 | 4bcb8d5240ef326c4168038acd0dafceb59b8565 |
| SHA256 | 198c6eb37251f31bdfc863a5995ad7bd97467b378e2b1f88d201408ca3a9be5e |
| SHA512 | c884ac4d44e96583a4e96164a25160b9ece292d74cf95d72b0f2ba1942498ed4b35c538d9f1159d059ccac34a13750c27cf7031f02dc7b6e2e459860908000c2 |
C:\Users\Admin\AppData\Local\Temp\eYcs.exe
| MD5 | a1dfc3d56867e5054dc76287693c1da6 |
| SHA1 | f8ad443a84c6ad413c28010b0793fba47b828e75 |
| SHA256 | 4402b22eb40798501e949982b550cee1b26d50869efa0f7576f2b8902924436b |
| SHA512 | f8ad4319d9b9b8310f9ad28d9046af4dfa759d26de7f54587122c74246bf4a1dce66980830fe170000929d6937ab695c3049323bf4b8bc44adf9b88b8d1e741d |
C:\Users\Admin\AppData\Local\Temp\UQAI.exe
| MD5 | 93eb507f692b065cc08db37303319cb7 |
| SHA1 | df88f2398fcbce6d6256afc828ad9e7c85d52532 |
| SHA256 | 5e517cdbee593aaf802a990fa963dadef425dfb1e3bfc48e431d57ff3582922e |
| SHA512 | 4d00cc75cb351dcbe30827321e3f49be1ac7c139d20365d24035524de9fead722c19ef6f981c228533b5804ca147098aff2db960bf9276680fca499b8dd4a4c5 |
C:\Users\Admin\AppData\Local\Temp\GAMe.exe
| MD5 | 49d0805c0a876283e1efc4cdc61e032b |
| SHA1 | 94ee8f51f4a8efc5e8daa4459a07e1ee0c401970 |
| SHA256 | d052ca460904c94ef0c7fa7feeb257e5179dad44ed28ca401657dda1fc573f4a |
| SHA512 | fc9d9e03749a822002f6f5314d9fa4da114c8e7bffe2057acdeec5ee662c2340858cef7a23dd49cefb5f3dff97ecc43fd2c096f56ab2f5d8f70b3aa82b307720 |
C:\Users\Admin\AppData\Local\Temp\YIkG.exe
| MD5 | 325e8daa28174d1927bf07b8ebd5c7b4 |
| SHA1 | 5f05f6c365f93faab85f5270e6f49acda67b19aa |
| SHA256 | e3760305fabbb044f840520806c88e80a20473498474d52c496823a6faf891bc |
| SHA512 | 201b9bb86adf855b9f2f796a0a972e7a672f9793caf2c4b672fb20f785e17e91affd7d81647c0d8a498bd3b1d86df948e6e029ff3697d35b31e0287785e32ada |
C:\Users\Admin\AppData\Local\Temp\sAsYsIwE.bat
| MD5 | c67b65cee9eecfd33ec891ae2666af3e |
| SHA1 | 835fa24dc98e7ca076469d0714c5139bc1e9ea2e |
| SHA256 | 6e27c629b95cd74b6a217a9a2a407d71554093a32cc0a4fb894964a7c8979691 |
| SHA512 | e4c267bce887df646667071d9318076f2b9c4e24e29b9ff62a2616cdf5cbc9eef3278b1fc2da40b90252340086624e9b18fd2c63a9c03ec288336ab3c06b0a99 |
C:\Users\Admin\AppData\Local\Temp\KAoG.exe
| MD5 | fa49f9210a4132f34b9565cc8033d0b9 |
| SHA1 | 210c3d9ff4b9478e4529fbc7e3740152cccb9ec9 |
| SHA256 | 9f9046e40abb4ce014466e09f5de06bdd1c107aa487064b6684c3f217157f319 |
| SHA512 | 1a1122dc76693ff1e2f4e4ce93bebdc365264d9422dd54dcc2c2edaa1450a5ac0646b7ff384db208e6ac062fd0911e2f5d76b62105a0a80bfaa6b432b1f9ba51 |
C:\Users\Admin\AppData\Local\Temp\WegsUAkc.bat
| MD5 | 7d9990847901bc835c4ec143265a46a7 |
| SHA1 | 1afcdf7085bc51f194fbff5e9c5b2f38dc6b1766 |
| SHA256 | f58dc154251dc0cc0acf7ed53fac7212a60a673d8614a23bbc15c46861212e83 |
| SHA512 | 02887a6f08b009da8fda519746352115b45465da0c4ed6a8e6b833b47e234cc6f8ca35d9df606034924f7797e166ccf5eae89270a181f0d14abde8034905f507 |
C:\Users\Admin\AppData\Local\Temp\QMcs.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\WcYC.exe
| MD5 | cf6bbebf75ebfa8dc72ae1f12a8d4280 |
| SHA1 | 3dc037c58a7baa18947bfe69951032c5a7c20303 |
| SHA256 | 678e53247622f81e63e021d0311a82b474df0db52c8a4dfdf1435799811da0b9 |
| SHA512 | 4aa6727581f38e7597c3767996325a9dc03d5421b2cac15bcf378c33422d8eb57f9d3070d294dad93551ce3fc9ae5e7eea8d517122f282246aad8db71e4b7705 |
C:\Users\Admin\AppData\Local\Temp\EkQM.exe
| MD5 | 43ed0716f4388368e9daca2ad557d500 |
| SHA1 | c98ee02e93d6329a9743d26b76f2cc43b9452bc9 |
| SHA256 | 6dcaa5aaa67cb546da44312eb6958d32a12d5766f6ff2de300e8fe06f7e2f9c6 |
| SHA512 | 10f3f91dfd8f4aacc921446a87a8af7aa9abd6e56e65e23289c4989ce3835603145972f406acb277270ecea84737e5cae85f27e40a2ce382df93f5ec5ba33db9 |
C:\Users\Admin\AppData\Local\Temp\ySEsEMYQ.bat
| MD5 | dcbded3ef5f1d057b50a446813f828e0 |
| SHA1 | 3c2d8dab6e19708d47c4d48e6b0d5a1127d7d15f |
| SHA256 | 116a83bfecb4858cf63e71124c7481350a9a7d7918f421a9602ed368a11510c2 |
| SHA512 | 04661eeaf121a4fa55eb6df8ca61dd02adca5b1baef6633c83351f5dcceecb9f08c7a7840d0786e0886ae1eb81d9cea073639582a836694724a699a30ca84bcc |
C:\Users\Admin\AppData\Local\Temp\AcIc.exe
| MD5 | 5ff5ba5d6e823de844935ce328b0f009 |
| SHA1 | 4c11814736748e76578aaf98941956b4d3202f70 |
| SHA256 | eb77fe226c1270ad41c09083b02aa2c50a4dd452dae82c74da9e05e1eff41cbe |
| SHA512 | 103bad3f4d7810cf62a269ce9f181c4c21367b5b227cbb1a46469de579e70e5adbd4677c396d7f8651afecb12626c191f17148843092f305b7f3fe1402f89fc4 |
C:\Users\Admin\AppData\Local\Temp\Mcom.exe
| MD5 | 1a2bcf67aa96fe7a69f008231b7e11b8 |
| SHA1 | 1c992ac2a068bf33de513444335fe537a0ce7ecc |
| SHA256 | 0e7f1cd9e91f90c6a4f53b647c826e4414943f6662d1452e8265c8ce98841411 |
| SHA512 | 4cdeffc65cf3bfe4a9251cb1530f306998e8c6e072279c4136361420494385a27d3e7df95c86f54639a171875eac324e009669426290db1ae125f87b670e12b8 |
C:\Users\Admin\AppData\Local\Temp\Egcc.exe
| MD5 | ea627756c45b1fa59afecfd2dff083b3 |
| SHA1 | 9c297f83ec25403dbde53ee7c419787919559960 |
| SHA256 | dfb8bf03961a024d3a654f974a0ccdbb299220df29f4e91e25ae666d76dc78d1 |
| SHA512 | 12fbed2fdb3ccc6f637ee2a85ade35f16abae96c6a9b2ebfdc1a6b83494a5cca9743f47a2615f0f1f867c97c34539652b1d32aa89fb75962a975a1388a5c6b5f |
C:\Users\Admin\AppData\Local\Temp\Skcs.exe
| MD5 | 8b0390c220e70c7332afd1806ccada44 |
| SHA1 | b68755aa574262b7b05a923afab0d567625b8dcf |
| SHA256 | c7a6a930c75aa0ae0e4286da0cdd137bce508fd79edea119bd65b390746e1b8f |
| SHA512 | 4ee9880713a1085e75906ed8ebc94c90c6d00f5021ae78fd361f85fe448f4638adfd598eb84c2a753cc8687cd50c9a6a3a182698e838c27d24dbb34fc7603866 |
C:\Users\Admin\AppData\Local\Temp\uQUY.exe
| MD5 | 66f5ae9d011568af7ea2e5d0b626678d |
| SHA1 | 15bc46bbe94b8e735fd0489f6c6c285679867123 |
| SHA256 | dcbc5c8f2c3f20f09e55015d633530e92769f99116b3710163ee60268c33710e |
| SHA512 | 7487b3efb177d2e250a15c5232ca13108d42ecf939dd442f4fa2e7dc63444993b72eaf702f440fd79c1229eb1c131cdf45eedc5cca9a237b037fa64e5cb362ae |
C:\Users\Admin\AppData\Local\Temp\uYEY.exe
| MD5 | 57f274af3b74b7d19b42be4d94edd075 |
| SHA1 | 80d91ec4d8ce3e3c3106808ee0a7706dd20ee846 |
| SHA256 | e2b8750718e144407fe9ea175c7ef4d01ffc562ce12fb23c0a36b9ecbe4ce0dc |
| SHA512 | 636bf6aeb2eec7829390bed4a0fda4ac75430b24b971cfbae0c91952263e1b0fc2d1e3ae26e1a2ef8fb1403a437b5aca5b0673bdedcb92a1d5d1a66644107fdb |
C:\Users\Admin\AppData\Local\Temp\PGcowUYo.bat
| MD5 | 28050c2882a81cc23f42038a31ab862c |
| SHA1 | 3c9a85f74815ed26c7d18aad531a2cbbd7db1777 |
| SHA256 | f7d4557ac0343307283815fd2025e34353ef1c4f6048776b3f35bd087946848b |
| SHA512 | 20f60437ad141dc3345d7b1ac369274525f37eb9a10a2319d092c2afd91e5e49c6cf7248fb538abf002d49053bb01cf0d15b6129ab7eb22f494b6c9e95f9198d |
C:\Users\Admin\AppData\Local\Temp\kQsc.exe
| MD5 | 24cdd4cb6f3d58711e39e6430055aedb |
| SHA1 | 8bce0ee1044383454c9cbf44253394c6033ebcf0 |
| SHA256 | 0c4364357ca99ce211f914e6290fbe00ccdc60f6491ab75ff5b83404d3785c33 |
| SHA512 | f82d623f3525de445cfe80d383e904f33a00681e70161dce591059250892d6e79d4b4c5895d4bd96304774639662d456847cb446805a87088e01dff3398db5b3 |
C:\Users\Admin\AppData\Local\Temp\yIog.exe
| MD5 | d6655d63b5574dc074ef0ae54b5e03ad |
| SHA1 | da3ef3b4101681aa32eb3d17244a55e517362798 |
| SHA256 | b22fc0d7ce3a28f9199a8feb1c3ac182fd5e6da44ae270edb9b4945fa8d1a0df |
| SHA512 | 94fca2f289644663bc6da5a3fe1cfe4351003c7055df01b302c0436d47e26d9dc4958c069c7d83a0f0a92991b481d9e98607d55290fd0d0e4d041b2d329745ca |
C:\Users\Admin\AppData\Local\Temp\PcMAAUgE.bat
| MD5 | f0cc1355f173053f7d00fd8c49d125e6 |
| SHA1 | 40c46287c4d80f41b7e3019a040a8227b3429947 |
| SHA256 | cb1d7e25e1c99a6214af0737ea9e0b5f5fd5406f34c100b641c281272cc7df8c |
| SHA512 | 6e7d66a3df02b25fe48771c0997a48a0b2592e1be89aa944894604e7974fb19e80e42c196704cfda8cdb22ecb9897b77fc020d7b42bcba2636fa7a642d1c7b60 |
C:\Users\Admin\AppData\Local\Temp\kAoa.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\uwsq.exe
| MD5 | c884a591be0a0acaa678e93fe602a32a |
| SHA1 | cfff29819cc14cf873e5c17c5fd9e6b1e8e77fc1 |
| SHA256 | b58ebddc60116fa3f1c9003d67a6d97a6de09d6ba43b14564580872c8f9d3ddd |
| SHA512 | b61bac1031b0289914699187d7a4e4711ef228914d8a8b54ba288da19dfd55b94d4e96ac833fa41fdf58995f2f88f3152e038c6610600c2be9950ede64c8dd5b |
C:\Users\Admin\AppData\Local\Temp\bYQIUwUM.bat
| MD5 | 4b63575c8e5d5a22d00d89974be8dca4 |
| SHA1 | c1d7c4c51be803977467ee3a0b2a6ffccc9fc52c |
| SHA256 | a8baa3949afafeb53705ae18c7f86664894c8906a519a6394d6b0ef5fe0c1444 |
| SHA512 | 0f863f07b06ab80ba80e7a5f9d60fdd7ce6ec23ba1ead319c16864e9dee9f6e0ba297b78aa35e6daa86f5704deb207fdf8a173f1eb659548f711befed8331f98 |
C:\Users\Admin\AppData\Local\Temp\SSEUYYYk.bat
| MD5 | a41e12fa1ce138c0264ffc3c0ebb4a21 |
| SHA1 | 70035955dc4b3c12417ae2e6cd32c11d2047f24c |
| SHA256 | 9ef82225fe730eccc5f52337864c2ffa117f06868e7fc023e25e636f77a59b01 |
| SHA512 | 0edd2cd0790a0c5117a0aa8d2d43040705154b3416214212cdf6c7187ece6617dad35412b56b701fc63aaefcc786d4f02e1eeb3f9c3e5b46ec89976f2cb67225 |
C:\Users\Admin\AppData\Local\Temp\sKQUkQcA.bat
| MD5 | b0ef7678a9f037ed08307b1b6ace7654 |
| SHA1 | ac7e5b275a74db32a83f08c79c2d04ac711ae6f4 |
| SHA256 | 064bc4912a148720bceabcc8ff475a95325ddd12267b8305bcefa95a756f6459 |
| SHA512 | fd656056c9e3b4f8a1ed9ce0b99e327e7da100071e7f4d251f8fe6205f0bba4a9badb1235a8808a3b4f7daf3a1d1856fdf41ef07eff4295e6763574ca4db9925 |
C:\Users\Admin\AppData\Local\Temp\EmAggEwM.bat
| MD5 | e51c65b2bc859ee8497a92bd3c03f6b9 |
| SHA1 | 520ab05b87178f8d4c202cdc861df76df53e456a |
| SHA256 | a298f6e5e4c7b5d41af74a253b985eaf9da13e575fb753afc0502a49e775c255 |
| SHA512 | 77c50f48ff3ec09d29412cae0089011008e71c254b8573da3be976244cc05ee1ca79ef8b38901080d479a4361887c8f07b4adbbd45177baf98c508ff9f19b972 |
C:\Users\Admin\AppData\Local\Temp\gMMYEYIs.bat
| MD5 | 11deb8520649e9678bf6b280a9bc5be4 |
| SHA1 | 8f9d13fa6d11810d82fa18daf74a553470e5fe54 |
| SHA256 | ab337714bdd0fc171b7be0440d309095e6e91a9a9e8d1cee452fa0b5cc670f8a |
| SHA512 | 4e861178653685ffb89eade551e01912d6599e24c0324beebaf745c60e6cfe04e122d75bbda6d971fc338f45778a7f3d1db00036acdd991d4ae88287b0ea0408 |
C:\Users\Admin\AppData\Local\Temp\zicQkAMU.bat
| MD5 | 1b76a8fc1635d69b8e1fc9ee249300a1 |
| SHA1 | 2f60b585728670c4837a9ed755f9d239bd3bdadb |
| SHA256 | 9789a65978c965ec6ecad55fcd74c98729555f77c0c2c1a06afc5eac80f08cc5 |
| SHA512 | 0d6a9710c7e14ea214c1e1f07cdffa838a9c7cfbd2f44943927e087670fa64cb1b724f98d71f2e83f09b721740ba47191a133b9d55fa5414f8aa6f99b7f5d921 |
C:\Users\Admin\AppData\Local\Temp\ZiAckQko.bat
| MD5 | 1911cb59e504c7e53d03fe8b9b529a08 |
| SHA1 | a431fc450b68dd2142996b1720a01084c74f5823 |
| SHA256 | 8d3f2320cc511ef55b8720aa0f969c46626aadc946f89d6c035e1bd4c2441d2b |
| SHA512 | 9c034d05a8189698d8e45448681e5d986d7db106199bfe6669212fdd2defe36b4c5c47e3624e3094c9eeb5260e7dd69d25646b3c775a18aa3380eec37f96c669 |
C:\Users\Admin\AppData\Local\Temp\BCkMokkU.bat
| MD5 | 91388cbd3dcde3024a6f57a8a4bc38e9 |
| SHA1 | 472ce4b87674f6c9f6bdaba54f7adf75874ea242 |
| SHA256 | ce0469b405d2ce3fcbef6d1f1b713c6431f84a7ced3a9898143441e2daeea4c6 |
| SHA512 | f7f9aadd7e300d2416af28228627fbf34f85bace1f3ead67b1bfaeac5146b6870e5473761080a82343f6868218a804e4663e0813efa8d1161b8ea676fcc096c6 |
C:\Users\Admin\AppData\Local\Temp\RAkIQwsk.bat
| MD5 | 34c5714bee15745895980e418d1f4460 |
| SHA1 | 7608c4a9a515c7c449f561803e6c7a6f3a5f2e0f |
| SHA256 | 6b77c0d234fbb31caaa7001dab702a32e5be15a9ec4edd75435e28addd5de6a9 |
| SHA512 | 35202c5d5a7b3cce0febcaa141249908e77a20a9992968c0c36e3b21db9cd0b1527d8654404d50659459f9bd2a756f835bbd9bce66096eff7c81b3c568a52e3f |
C:\Users\Admin\AppData\Local\Temp\MSEUwggU.bat
| MD5 | d7bf1570283ba8ecd81cf41cb3030a0b |
| SHA1 | 04cd9240ffb50aa011c90a0c015655390d0f821c |
| SHA256 | e242df649f92dce08e6f6b7ea216701b434e166a19b066b62fba66f4c09f3851 |
| SHA512 | 08b3d59fb43ecdde7d6266ecf76d816322572c3d7b9e42b2542b432be1caa32bf7860b1b7519c2c52de5aed7094633e37f2554e3353488c1382a2659dd3676e6 |
C:\Users\Admin\AppData\Local\Temp\SAIkcUkQ.bat
| MD5 | a3c8e9e4c40ed2fbcfee4bd0e0b1ac00 |
| SHA1 | 31338bf6d8a77d53f8ebe895976fcf848e6609b3 |
| SHA256 | 7c4587967f7312acbe6914f91cddfb881b025231a6cc14864df3fa1274eac101 |
| SHA512 | d04aa4f1ec4fe384d8fe13b09abd5a0b3a7960ec91050de1723c39a3d2334277618d4e48c1810b51515c92a437faf85be579a1e5cc957a619a1f8a192f1730ea |
C:\Users\Admin\AppData\Local\Temp\SGskwsYE.bat
| MD5 | 13e5025cb202836179508262cf5d1c3b |
| SHA1 | 0097bac912d384b399f49ca9f59336db609c296f |
| SHA256 | a23fbb7da133c7941ffc7fd99c22a7a48dd14af9e896e487c91d92b785bf1b08 |
| SHA512 | 2d08f9479a938ed85bb848ee4737fa89cf1c4cc7fbe0e288ced4dc56f5b8c9a23f251e795d2aac59f0410eacb4ab721be189b54ee0c5d396d61d8592bbc7c19f |
C:\Users\Admin\AppData\Local\Temp\TgIAowUs.bat
| MD5 | debabef4e128515aafccbb188cadf0d2 |
| SHA1 | 2b0237245dc13366c1014919b19a244743e250c3 |
| SHA256 | 49cac38b89e3de3121506d98053e95f29da0c3985fd7f9f7dca6fe4873db0921 |
| SHA512 | 0ef031a6f0ba4d588ffcc6b428d0a971d19967d658be1d7b92206d9d5284128dcf539e70eb96c178b177266d5a2efe5ba9e5fc7b1e63731de3f4d7fc5e8fefd4 |
C:\Users\Admin\AppData\Local\Temp\PwcIokYk.bat
| MD5 | cd240844fe31d02228682803c4f95cf7 |
| SHA1 | b36d015065635a22731e96cbbcc8d312bcada4ef |
| SHA256 | 63dc154e89f8a35c1ca512c5ce0d69553289557dc0bc2b0683f2e95156f49636 |
| SHA512 | 2fbb9a9c6c11bcfbbabcc3123acc672a88d7cb6d175aa3bec7cad233b85deaeadd26499a07265f6a2bd7846364be339b8b8d07f788d69ac20b8a85567cd575f2 |
C:\Users\Admin\AppData\Local\Temp\hSIogsgg.bat
| MD5 | ff5b4ac073fab8015c421de30cc84ba7 |
| SHA1 | 27c5f73840e4d64e2dee9d3622d9e442afe42096 |
| SHA256 | 623b89b01ac4697a044f21a6dd4d1934c3ad09986b7641756e59ea2f64b65da6 |
| SHA512 | 942c95a96e77d364ec5ed9ea08e29fec6c0e823afd1d6742f6d33ac39fe8f4a7056f6b5142cb9ef40f0f1894bd139f73818a3ba31f2be702c00163e6616f33c7 |
C:\Users\Admin\AppData\Local\Temp\LGogoQMY.bat
| MD5 | 07ddfbe81985934ae56cb923aeb4fe9c |
| SHA1 | cc74053e589eb5f13ad2ebb1dc655fdda794aad3 |
| SHA256 | cb26c97e0a94a36daa97fab507bc382c6f7a2673624d1a25dcba64ec8ed838a2 |
| SHA512 | bc6e6bd63d167c059fe192bbfeb2fc96f6873d740047c7a22e757d39b6591ef2cb0f173734a60ab695e5aa07a9922bcc72146446d810bd0382e72efe8142cddd |
C:\Users\Admin\AppData\Local\Temp\WIMkUQwI.bat
| MD5 | 0cf8d92b8399fd79b0598ea29d85454a |
| SHA1 | 5c6ed49cb9b0a2e63c64e555349c2ddded6912d6 |
| SHA256 | 0c0c3a72bed9824db48bf63e9ad9241360f70f05206586c4258f7b34948a0731 |
| SHA512 | 360bccfa5f0b62ef445facfd892fbf21fc8e1ef2952d57a6cfcc5c1ea7392b70259ed2d303f8388dded96c69dc98df34c795bb820befa4c7602a809a42ebcb7e |