Analysis Overview
SHA256
2cceb8b4ab66644270d945ffaef553e843bdc76dfdf0ad5ba563ec8c2c40c079
Threat Level: Known bad
The file 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies visibility of file extensions in Explorer
Renames multiple (83) files with added filename extension
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-20 22:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 22:21
Reported
2024-10-20 22:24
Platform
win7-20240729-en
Max time kernel
150s
Max time network
66s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe | N/A |
| N/A | N/A | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" | C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\fasMQQEg\tcAQAcsg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"
C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
"C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe"
C:\ProgramData\fasMQQEg\tcAQAcsg.exe
"C:\ProgramData\fasMQQEg\tcAQAcsg.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oYgMsYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIAgUQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AcwYskkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\doQoIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGQYAEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWYsQgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOQgsUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jyIsAsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eewkUYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eWcoAYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYYMwAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQUYYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FcooQwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMsYkwww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMwkUMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dQMwcggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgIQAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGQskUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OckIEwwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hkYUwogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RGggYMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQwIgswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcogYQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KkwUQQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cuUcogAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoIYsEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wEEQQUMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PKEMAoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsQYUUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCocUEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYkAogQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUQEsMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3672757108709938321733643975-729135812-1807599579522960982-167600093046727621"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcYUwskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOsoEYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DkYQMogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2120708054-4631554841916130249-278720965-987611638-1933960960-7019249631117740292"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bOswkogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1052575784-1881794233-762170853866665482-1421496857-38955661-1158530800-991396827"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jywIcsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSQUEcYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1035027188-8671965171436015375-6497302141161943821997361751173128503-434398744"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCUIMkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1888402554181644392380435595213343592414532997851217796335-20746938251935388731"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\awYYQAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeMUMwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1325962914574983617-2139348062-1614343110-65945666517897021138983101201239256144"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emUYAMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-908154344-991688382-2443326931408133248-408057502-15922956291107566185-54581000"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeoUUUAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1898319623-660438506-211309053-1063230975-1948571672-1493570633-12244514081885514548"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TyMYcEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17286538571547885498-1908407419-1679121430-2009891099334692846701771501-1141808895"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hIcQoAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "193458132-176641217-1942975891114948479979785552-198973919-790085027-1856212239"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HooMcckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogIQMcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ScgAkMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GqskkwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EcwwkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "857006303-163182957716890012131343827182-1674318803635260031-45692305-510405959"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAgEIAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-70111358114844260320321778581302050557-118942985-106997015-1812028281-46477041"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pmAEsEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5171910361959399470-12084659411997540787-1988545430-2144452531-18980410002003510188"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSgMQIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "158040592111230006211056514959210910506311460079414797492871672901551661071972"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1052532305-7323066431765509440-1901970285-1739955222-246483331656552555173148433"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6620290431806452587-1810934955-2022765233245810853-1379471251-5354312191863514450"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkQccwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccEAksgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iGcwEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CasssMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7274398851002646510-4346683436448005-1039844086-857853784-617368903-1283076606"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iqAkEEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9521917561306870056926398841-8155791401044065608235069368-515526985-1784865688"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DsggcMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NYEUIQko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15699343993849304431727911575-109585363976664152216760585041513853671-1197196295"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-489989225-1961569124-185719471-1596726211306874677391867055-416010944-1634834897"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dgsUkQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKwUcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19718770451045918795-18590175-1194633659745968593367856138-1533735517836153276"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Network
| Country | Destination | Domain | Proto |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp |
Files
memory/2300-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\aEgkkcgg\VogEAEwQ.exe
| MD5 | ce1c5229f8035385325e1a2f5b41a79d |
| SHA1 | a0f4c57569bccf192e767bc7dfb5976a1881ea96 |
| SHA256 | 5d463cf113c964813bda3a84c6bfbc0a30f88c680ac42761dc0a47cd067c189d |
| SHA512 | 50e727bb5d9c4a474aa81558521a04368343ddcffc96ab6190bbc6c31c8f334929f48bb0d581825123c2f1fbca3efe766cc310988a5b17b4fe42b07989a55b12 |
memory/300-14-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2300-30-0x00000000003A0000-0x00000000003BD000-memory.dmp
C:\ProgramData\fasMQQEg\tcAQAcsg.exe
| MD5 | 7f2c7b54358e4c3ecaccc1ebd969c3f2 |
| SHA1 | 98fb8192719ab670f859b0797f580c1a381eec13 |
| SHA256 | 54c2859b5588cdc51942e50b394895bdc12f4f58f971caf5e2ae752c681d82c5 |
| SHA512 | 3041b6b2b55d70b778b3abd4ee206488b06ab663b13a900b2bd52a12e5333e22986c2c518b150c8122aeac40b1aa93ced1cf856bacfc4a2c6c075df2acb7b02e |
memory/2392-31-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kqgogUwc.bat
| MD5 | ff48ff22110bf80f05117038f5aae3fb |
| SHA1 | dd1bda63b60a1fc38eeb3af87b11efd93265b8a2 |
| SHA256 | 918a7ca94f4de5cfa49939fd9df81712a44be4f6ae2eef57359d77ccc2280eb6 |
| SHA512 | af44617e547eecb32552205cc090b4c1f247f3871c18b3b247da10682792d001db5f221d8737e7f75cfccb91cd35f4876b2887603b108c2aeec2ab6f757dda76 |
memory/2300-12-0x00000000003A0000-0x00000000003BD000-memory.dmp
memory/2300-11-0x00000000003A0000-0x00000000003BD000-memory.dmp
memory/2944-33-0x0000000000120000-0x000000000015E000-memory.dmp
memory/2944-32-0x0000000000120000-0x000000000015E000-memory.dmp
memory/2808-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2300-43-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oYgMsYEc.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
C:\Users\Admin\AppData\Local\Temp\EesAIQMg.bat
| MD5 | 036929037b2ddc6a38449e89cf3f933f |
| SHA1 | 4f0e0619efaea8d6481e056d1589d181b883146f |
| SHA256 | ae7b9a8570c739aac2cf7e4dd12ed5cf57402380f549718e550efe25f0779c0e |
| SHA512 | 17057039b0f37f237fcb514df3ff79e3a77285d743cdd30fc2aaca469dd2d9d7dee6a23c28d7dcabc75e5c0eb8a55de03b51e0c2569d5fbab4b122af74ed23cd |
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
| MD5 | 9adaf3a844ce0ce36bfed07fa2d7ef66 |
| SHA1 | 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0 |
| SHA256 | d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698 |
| SHA512 | e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5 |
memory/940-67-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1056-66-0x0000000000180000-0x00000000001BE000-memory.dmp
memory/1056-65-0x0000000000180000-0x00000000001BE000-memory.dmp
memory/2808-64-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mSsMEwIY.bat
| MD5 | fc63c6c7f0de320f285baa2d385dfb3e |
| SHA1 | 1413bd4e6cfea76731ae569172e9a6e47cbb98ac |
| SHA256 | 712dbbaa8a59baa6133d9fe82f03fbdc7848d6903270d34cbe20a0c5db662605 |
| SHA512 | e9fafd366984fa4cdb3c740d16cdc1e0264bdbb5890eb9695bc56edc68eadde40bf7c0cbf342688af59b1dd992d5c9692a040a014166fecd9f3654cb92be6a36 |
memory/2844-80-0x0000000000120000-0x000000000015E000-memory.dmp
memory/1932-82-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2844-81-0x0000000000120000-0x000000000015E000-memory.dmp
memory/940-91-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QssgYsQk.bat
| MD5 | 265500f8c1329f4be760721ee1b3ab06 |
| SHA1 | f95cfce3315d2dab9ba552bd854f1083b03ae4b2 |
| SHA256 | 9a1c352258fec0e8fc2151faeb3bec8047d7bfe01ea564ddf33fff7c4b7caf40 |
| SHA512 | 16e31310cae33e1fcc41b5aa336e9dbeada1558a3fce81c9063d854a18d9c600e08881d51f8b195d6c5a97cfe4343971b4e87bf9c673983bb23fe635c63fdbb0 |
memory/2132-106-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2136-105-0x0000000000130000-0x000000000016E000-memory.dmp
memory/2136-104-0x0000000000130000-0x000000000016E000-memory.dmp
memory/1932-115-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XQUEoEww.bat
| MD5 | 7700fddc9185b437ddab8b30387ecd9c |
| SHA1 | e6ee08e3fb5911893c3738ebade22c207fc35b48 |
| SHA256 | 2f79962aef4746349e4c6038bc036a35ba96cb8d759436b60cc66f3d9c3f9424 |
| SHA512 | 4b01b604409f3e7e9beeabd2ce21bc6a8ba6af525806a30ab217a4328fec97875b4ce1c5bfd8f4e9f4d76287b30ce4939e1136ea1fd1afbdda40746d248029bb |
memory/2132-137-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1492-138-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1604-129-0x00000000001A0000-0x00000000001DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RuAscwYQ.bat
| MD5 | c321726fceaa03c17f0f6d9e6436ef5c |
| SHA1 | f1e33d866e2527adf43e14367e5fb6f5d5e89535 |
| SHA256 | ddab67a2a47afc53cb690ef878590b2ed9b2b59acec8107e2e77da1de951373c |
| SHA512 | 4b2eecf815eeba61baa7b4a2a94279e54b65a1d75ef12dc8247150a68c34306c1933f332d3efc1bbe9ce2aa0d2039e6e087ad6dde0755b8c5512bda7e135daa7 |
memory/2316-151-0x0000000002220000-0x000000000225E000-memory.dmp
memory/1492-160-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JgEcYEIk.bat
| MD5 | 964d8c414d73ce316669a863f31b135a |
| SHA1 | 804ea13c9293f8539a6df9efa35d037bda6e562e |
| SHA256 | 630b11335f014b0c2a12da65831728396bdf16418cb1424d0fcca7f7ebfdbd5e |
| SHA512 | bc3508f8e2eae0c87824a082c085e93bed8c5c3181537fe1ad7afc2222b96f11df383423946901e9abf8eec20059ac6301f308882e87ee19fbed4f93a78f40ee |
memory/2784-173-0x00000000001D0000-0x000000000020E000-memory.dmp
memory/1616-182-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XUIwwMQQ.bat
| MD5 | 61911e5f5c3a81b03dabe2ae9aa251b5 |
| SHA1 | dd01ddacf797da7b3dc555581b1ceee6ca18930e |
| SHA256 | 1886a7a5fb492a576e8233fa4727e57ac69600e8456ecb5ab379c86ad5d6289a |
| SHA512 | 143e5b01c0a625e29f22fd55665de3aad498d3e1d37d5efdd8ce193f977f7e21d46df437dffa1bf74d2c0f5cae89ab059bf90cdf1fe3f6d31cfb6ba230f9ae2b |
memory/2824-204-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2632-205-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2416-202-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iYAAEQsU.bat
| MD5 | 91883ae00f1ad0156d70fddb11c14975 |
| SHA1 | 6d800f6b302b97a9ab071277277020d03743cb2f |
| SHA256 | 59d9d07f69e8fd6d43e7608bba4e7318d385897eb0392575e2f83ff2eb8d923d |
| SHA512 | e0dc19c380be0a794e2c832d2bb87feeef5ac9e835a99d232add746df296af2fbbf964e9c2da2ea0326d07871de6c453641f753d46ae0b1e2164e7f78b8b6caf |
memory/2632-226-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kaskAMwE.bat
| MD5 | d933ae205664a67aba057467d19bb3aa |
| SHA1 | 2168579a7068cfb93b1e83dae2616711b92ad805 |
| SHA256 | 6065a970eb033df0211dd29f1de3091562411a291fb0ec878acc30b8d213cfb1 |
| SHA512 | 05de735dfebc1f7827a54769509c35ceda73360d1a5661f16b135298cbb29b7e018daa7057a8ed5809d2ee15bb2b6a887f6b9c01aa53e1a46dfd03edd1fab8e7 |
memory/1840-247-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EeIIosMo.bat
| MD5 | b1333d2d2f90e9be80d961c578dbf018 |
| SHA1 | b79806ec20ea8ccf3906bb7a07f55e22406ee836 |
| SHA256 | 48c0c3607cb366c7293d70767a67bc00d0f06a8469c2ecbdcbc561b922f27586 |
| SHA512 | 701a3570af0be2e25c3dd418d3b536f6be2323cdb839652c1adca70d200ea35bf59b94743396947d9cf27bd1a257d8d9de124a544c8fc20d1ada21b92b337cbc |
memory/1556-261-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1556-260-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2336-270-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WyQIokYI.bat
| MD5 | 4fe71fc7c7dc0f9d6454eafae21555af |
| SHA1 | 309b91c228b724ee991b9e651b60cf0b97359199 |
| SHA256 | cdb67867a37e3c18f900d17e54ee48fb09aefaa950f251f4e679d8d301fbf521 |
| SHA512 | fc48605aed7a13fd4f062342064ec8a1d148886649a9803afe025c3a744169f50fe7c7e03182e373935c7e751aa2e8d79f34b99bd7c92fd8eaf4e66908adeda9 |
memory/2912-284-0x00000000001F0000-0x000000000022E000-memory.dmp
memory/2912-283-0x00000000001F0000-0x000000000022E000-memory.dmp
memory/2580-293-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JYQMQwMM.bat
| MD5 | b4222d0c17ced0581582d0aeccb0a6e3 |
| SHA1 | 63584374abc737fe9cb6ed673090a76418bbe815 |
| SHA256 | b71bf052cd16ceeead2cb0c3e72f73dc3a3bccfdda1536f47fa6b4f1c36952f9 |
| SHA512 | 00af50e4c190eeac0819a2fd869f9f8bf807fb69592e22be0dfe95a3270b1c6c4db663a0888bc85bf8190052584fa94a49bee0563b928d6005d54fe2d45699bb |
memory/1608-306-0x00000000001D0000-0x000000000020E000-memory.dmp
memory/1604-315-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dEQkkgMM.bat
| MD5 | 7a4d7eb0f350449bae35ed73fedd412b |
| SHA1 | b83fb68f76f4f7d2b326eb590e67565bc65c17b9 |
| SHA256 | 027bf47384e1354e39a83b7e84b4315804ecd210b8aff9c6dbb7b08aafc40e3d |
| SHA512 | 93cad63d37686fea118ed4a3477ad91aea7bf8a1c9769ec44784371f9bb8965f6371d0bc95c7cc6749dece13bea22ebf22cb783390732582a04ab1cd40de04a0 |
memory/2340-329-0x0000000000440000-0x000000000047E000-memory.dmp
memory/2340-328-0x0000000000440000-0x000000000047E000-memory.dmp
memory/280-331-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2656-339-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nQgkYEMY.bat
| MD5 | 21dc9517810a15356f68cf837e8f054e |
| SHA1 | 6fd883eef6ea71e1fa7880ea894fad031e1cf7b5 |
| SHA256 | 4e0a1ef348c87062dfbed5f42ee99e7ca1b5481e72d5ac6ae3808d24b9666157 |
| SHA512 | bbe19ead1a27881737eec7bf09dd298e6759371b1877f72f35e7607700b161f3fdf667e7dd406ced7c367750e2125157ecacc38a7e0510bb05a5bc582ec6e82f |
memory/280-360-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LiUowgAc.bat
| MD5 | 66fcfda2f0536426414abc9dd1b25334 |
| SHA1 | ba17b621a6390955661a687f787ce167b615d829 |
| SHA256 | d074fa04df96b73939c22c849a6fe21f5e251ed00296e2c93479b8d6c6740a7f |
| SHA512 | 311a991f1e6535f89eab696c8331c88d04924b2c84d8f48d5f30d2004633f168f4652a6ebb2764347653eb1b6e6241e506774573b08e5ec927c828a4dd540992 |
memory/2364-373-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/808-382-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gwYgMsoU.bat
| MD5 | 490e70a48ed34807716bdf4da2aee492 |
| SHA1 | 6fa058b3bdfa2a8f6b89af77b2e12584edafea18 |
| SHA256 | 6393619ffc0f6f4b03d3cf5baaa580d8c42cf384b9e0e8a015f237f266bc8d9d |
| SHA512 | 1125e7812fdbaac9d742723eae4e4217666968fd44ec1420491f4b5c83d96b4beaf42bff7f9c780968ab17716d2000ca2274151edeb662b1b99606edaaaee997 |
memory/2432-396-0x0000000000180000-0x00000000001BE000-memory.dmp
memory/3008-397-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2116-405-0x0000000000400000-0x000000000043E000-memory.dmp
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
| MD5 | 9d10f99a6712e28f8acd5641e3a7ea6b |
| SHA1 | 835e982347db919a681ba12f3891f62152e50f0d |
| SHA256 | 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc |
| SHA512 | 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5 |
C:\Users\Admin\AppData\Local\Temp\ISccYsMc.bat
| MD5 | 696110c0742bf4e7fae8c0200063a62c |
| SHA1 | f17d8e2c8e245e0be43a806b12ef0df8f58a3e85 |
| SHA256 | 86154b1828f7ece469c5e46971c8b98ca63c241eb838bb5603e67cf2dce81e0c |
| SHA512 | 661e61e532792ad8618c226bcc5c87d0e2ef8aacda858a43821d6a638f508c02d45e0c6813e4828591acbcdfd6e89932776bdbda2eaae48b9d7f849b9d3fc1b5 |
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
| MD5 | 4d92f518527353c0db88a70fddcfd390 |
| SHA1 | c4baffc19e7d1f0e0ebf73bab86a491c1d152f98 |
| SHA256 | 97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c |
| SHA512 | 05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452 |
C:\Users\Admin\AppData\Local\Temp\oYIO.exe
| MD5 | 96be72a88ea4582475aa91960a21934e |
| SHA1 | 340696ece9a25c8cd26688118748bf148ad2891a |
| SHA256 | 78afe23d0554d15912ba852fd3fc05dbaf9a0d746adbd2328a21010ac16ae7f9 |
| SHA512 | 13d52c555ec5cb471f3e234065ec1f5b972b867d5be1b2220000e69b0656c4d826f6a01bfcc3f6c838e5c7d1482e45f516b683346f69d2ddda0e5039195182e4 |
memory/3008-430-0x0000000000400000-0x000000000043E000-memory.dmp
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
| MD5 | c87e561258f2f8650cef999bf643a731 |
| SHA1 | 2c64b901284908e8ed59cf9c912f17d45b05e0af |
| SHA256 | a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b |
| SHA512 | dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c |
memory/2172-446-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EgUi.exe
| MD5 | 5ca74e9ba310e49d53fb80586d01f7cd |
| SHA1 | 86b70fa9880a7517555c3e4eff7c01212b0979e9 |
| SHA256 | 1745a57300d6b761880fc8f83c98e4784cf378867b95ba7038653377039bb6b6 |
| SHA512 | 649404a0b39ab7bd1573ea7d46dd9f6700dd3d313a8861314ca7dbfd6675e63c37562bd8edc02ec7fc398d69dac932eccb00a47f5ade69566308074b5312cffb |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
| MD5 | 4b1993cfedc06f6f7a0b43602dd02a4a |
| SHA1 | 4013accbaf3f05c71530539669ce416744a70ad9 |
| SHA256 | b8f6cd1c29c74cf64c44d1e555de538b5653c7c511e33fffcc12d60e2e9488e0 |
| SHA512 | 1148b48980e010e739b9603a40eeef4c31a2a909363c0243316153c3ec1f3166a348832a53c2725337781fcde82747205274585b9b741fa0f839cb9fa10b2f75 |
C:\Users\Admin\AppData\Local\Temp\uesokEkc.bat
| MD5 | bdad788b4ff7e5a4818b256ecbbffb87 |
| SHA1 | a2fb51acfe7086d447d985f323394a4a99d606b7 |
| SHA256 | 1bd113a8eedc4c3e0b2d1a954cffbd72ac21e6c6446da900453260340ce3547b |
| SHA512 | 0cba565399aa186453dd005b3dad1bc47584d8bbcfdd589fb65a816cea48a0a9260a57d38121dc19d89c2c0b0c6d25367a8c26ebb8d634160fd28be845d73cc0 |
C:\Users\Admin\AppData\Local\Temp\MUYm.ico
| MD5 | 47a169535b738bd50344df196735e258 |
| SHA1 | 23b4c8041b83f0374554191d543fdce6890f4723 |
| SHA256 | ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf |
| SHA512 | ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7 |
C:\Users\Admin\AppData\Local\Temp\WcoA.exe
| MD5 | 49f6ea87ea69eaf2908280f4bff922e5 |
| SHA1 | 5e01e2821b4732d6067afa309fb6d81c0e047102 |
| SHA256 | 47d4dc8941aa651777f84ac175e502a57dab88473885beeaf0a92a56f781c4f9 |
| SHA512 | 8c72b2c24e854d9f1494fda1b5cdb5c902f2c70e40d7e45faf52da21f9d435a0f072c04c690a423b67c4f0f0eb734c7c3af4e3b71e550a4e0887b3e8f9c66b01 |
memory/1252-497-0x0000000000210000-0x000000000024E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WMsG.exe
| MD5 | ea85da4f0d843a1277b61d63174f5750 |
| SHA1 | 17c060d3a57b835b05d6dd4a73a5aa981f2b3175 |
| SHA256 | 43b4d5894377169181ba0127d4f8dd4c0ee750263baf9f636fe47dbd3b0daf89 |
| SHA512 | c304690835ef8b862df5b54994c3e3cfabbd2e2ae240331ab48f12a677f41b39711eddc566312164d4ce882a6caf59a6da527f2226ca49653523913568b12d36 |
memory/2172-519-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IYQi.exe
| MD5 | 787706473736473bc14e7bb4925dc79b |
| SHA1 | 35fe4f9954eca48185c0af0ec3f44379e8584f48 |
| SHA256 | c4b0d3c2be7f70dfe8dc7d4d11b7587fb160556769f3eb165ff8cfb23d5c4e19 |
| SHA512 | 0cfd2430d6ee18abbc8e9c8519d325e64fb38d5cb2570180d35e67b34604e664f94ec4c02ce5095de70b8b1840976f7c4ad9c57fb603d0ef6ee6972f06deb7cc |
C:\Users\Admin\AppData\Local\Temp\wsIA.exe
| MD5 | 0963aa1bd2b0539c8a8f138b38331d4c |
| SHA1 | b225e043d10fb35338c46010d26152e86ce66251 |
| SHA256 | a8c1d52eca0c35f917357abe357eb88417cac3d8ba4d5b8cb8c1e7e7532b10dc |
| SHA512 | c380f6c698bef9babfb893a712206dba7f704f23b4833547e11b7863ddfccd7c78768cb9e14f7d4c48677876310898e292e3d2ed691867fc15f67f53b31a5c58 |
C:\Users\Admin\AppData\Local\Temp\gYgu.exe
| MD5 | e54459b15d2e2360c646ddfbb0b86d97 |
| SHA1 | d1c7d69e34412d43e7863353164a5fa010c28758 |
| SHA256 | bc261c1f476664d512205f2a3b3c9c85c9d0b69aacd627b2193a819c832dacea |
| SHA512 | 438baa4ead3f92be970391bc30468e56d351390f481cd769f3700bf070d9a388fa2947306548b0db52a9a5c4a4bc372c49103a8e0ed51d7a22a3d908e508ddbe |
C:\Users\Admin\AppData\Local\Temp\MIEA.exe
| MD5 | d762af797c7d00a24be96691b48c631b |
| SHA1 | 1c09074023728859df8c1f37ca4f458cfe697692 |
| SHA256 | 27062fb605a10a5c689ea03924ac85e0d55c08371370ce6aa3c6377a36ec91d3 |
| SHA512 | e982745e2fd257684cee620403e19b4b578a2eaa199ac25553bc7d13ad3b1e80921a363ba2809023d80f4d2830390c629edd0590ee37a4698b6e20bd94cb2536 |
C:\Users\Admin\AppData\Local\Temp\IMUsQIQM.bat
| MD5 | 42645b5bc7e64688e41767f9f4dad9bb |
| SHA1 | 8e2f71fdee15c5e2e141a98c0abb06d1d377ebe0 |
| SHA256 | 1d76b0ac39dc280f8d01be7483de816f5f278eda308163caa7bf44d587560436 |
| SHA512 | 077bb959e285c98250a84283baeeb792d6a98d6d231b845e2b039b10be6e6986e64cec6d87a9df2a66935381f3dadf181912a9ac6c58a83ca102f30aad802450 |
C:\Users\Admin\AppData\Local\Temp\EUce.exe
| MD5 | ccdb97198473a2d0fb5ba563d3576ab4 |
| SHA1 | 0101a2e924f420843e41d3192859d7678a3a75e2 |
| SHA256 | d9f4b43bc7ab4846f5b9c1e8e7c9ba7d66e300bdf20167a9497bc7f72a2d9aac |
| SHA512 | f231eeabd6e9f3824e2edd68e7b37b021a74e8a03cdb7dae87fd49e96257dbac4510279125be763d2239647bea0cae059433615c2dd29b786964b28ce02e14e1 |
memory/2164-594-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1080-595-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IgIU.exe
| MD5 | ce922033f046e9b5c130169a83acd164 |
| SHA1 | 0d2d42b7fb044ec361d3919bab4560a3c57b5c78 |
| SHA256 | 5bacb48237712cf780ccd2e673ddbd5515b72431ad07074f1c342cc3b6749d3a |
| SHA512 | b91d885ae478fb7f8bb8e265ed1c82182ba516a1df281ac186a9c6be39204d324d0c5b61a216fec9b854a543d7a0e982d4cc3dc7684d5be7d823a97486be2e9a |
memory/1780-617-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MYgy.exe
| MD5 | 5bd5944fb7ee06292a0ee803ce160e22 |
| SHA1 | dabb3dc290b66c31b74c6afb7b880acc9bc22fc4 |
| SHA256 | 8d603b885a32ae0c640fd3b360af6a02a7ae1886c04246f93c410b0ea0e443ef |
| SHA512 | 6dfb576f67a5f7fcdbd9e3155ef0810742a9efbb5b419586e33fa6af620afaafa564b5365b16357219d080265b4efa365afe2c546a2a183bfe224f523f942471 |
C:\Users\Admin\AppData\Local\Temp\KcgW.exe
| MD5 | a99eb39f893fa1634d6abd22a44f3767 |
| SHA1 | aeed6a93dc7b7cd1d8bfad2d9b40ed43051db09c |
| SHA256 | 0d4dcda4086dd5e83b429cc489095fae222bbac45789947e0e4c159c3456bccf |
| SHA512 | fd16ecc8fc6b4625e0c5e912dca129beab94242e617b4ed01351e386e97c199f33779c4478ab8336918ea4452f063b6a42f62c3a7ff10f77c3f0943667547665 |
C:\Users\Admin\AppData\Local\Temp\WQMK.exe
| MD5 | 121173ef62956b910678c6b09f4b78c0 |
| SHA1 | ee80c34c0d0ad6d73a64348c7731c11c17957426 |
| SHA256 | 055b088206b93b2f8060eaf389b1b6dcf72e5c4d9cd1dff7f570fc833d427010 |
| SHA512 | 5bf9dab5d34b2a88ed94c2dbf48b69f372b3c114a1b62f5fa4890d236d4f410f64cfac96c62a32d8cc19ca95b22943e720c1e09012c551d81ff9fb901f2461b2 |
C:\Users\Admin\AppData\Local\Temp\Yski.exe
| MD5 | 634fe6a37769a274d64b862ac47fa68f |
| SHA1 | e2824b5ebf4da1cbb1863b7c4d7dc4f953f7eb65 |
| SHA256 | a3835f878fbb6b9a89252489b89bd7d5e9690c0df8f3e5df34018e40dd03086e |
| SHA512 | 41bac051493ffb345bb287b82b3f46c1800ad8a0f1c017821e7d1e00c4710fe50027a5c6b72a05af70cfb0a0d2397466a0b75abb1e7ea46eb0aefbf8a2a71d15 |
C:\Users\Admin\AppData\Local\Temp\buMIswUk.bat
| MD5 | 2d92f0f828361a46957aa4efa7d4246c |
| SHA1 | f1a07fc689e59d7aee2abea265aa5e338615e922 |
| SHA256 | 4bf06b210a89eb4c5f86713b7c0dc36011cc77cf54f2a2cb3dbc170455b47031 |
| SHA512 | f7b4030f0659ccbee6ef8c25da7d641cea92913ca14a9c4379b58096e9f2a96781edd593592678d7fd1eb09f38be76c9e909419d37d6901e28235997f678686d |
C:\Users\Admin\AppData\Local\Temp\SIgW.exe
| MD5 | 19b5ac530642ad71a6c3243bbf336214 |
| SHA1 | 9ee095af9254a6fb9a57e4f67db2961f8494c4b7 |
| SHA256 | 4e013f5cc34bfe9b0773fc6cacefffba5281929355bdc3baa5dd9f5ecaa36720 |
| SHA512 | 0c8fa4d04ec8a47e64020068f486aa1a1e3c475ccda6de1578117be0fa5097af3442627ab6fc552606a35092dcdf941c6f56d37ccd88ed27f629925016fb3e20 |
memory/2956-692-0x0000000000170000-0x00000000001AE000-memory.dmp
memory/2360-706-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AoQq.exe
| MD5 | 951d6fcee379d9921c5192cf8c6f93f0 |
| SHA1 | 1a6c1c937c69bbf0f36edc019064cd36c018b1bf |
| SHA256 | 32b40bc8f9f3beac2c1ac6bd0ee877bd8c83ba10020fff9e643d510ebc00f91a |
| SHA512 | 5e5424568b57d011d249b0cbccaa30a737a3e804e2ac1e37e9fd52ed518040d6e117831e11cde12f6eac845041ae161e3e27b024356f7d38b7e37c858b1d932b |
memory/1080-728-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sEwQ.exe
| MD5 | 9a920f3a0bb5e31509f72b60eb87f955 |
| SHA1 | d346e4c20954bad6b6b3f17eb03031d5767e365a |
| SHA256 | fb82327ef465726df30d6900e953912dba23cce0e3bc4777a167cb5ecdd24969 |
| SHA512 | 8a0db8d6e56e306a32e15e6de324460a6904f743924ae12cebf8985cc32402ed34f637c431d87a8781e3b7c9004bcf914898e4b1f857db0ae613d61cc0d3a7be |
C:\Users\Admin\AppData\Local\Temp\SgIm.exe
| MD5 | 50f05d2e58fe72a27f335b2410a908a3 |
| SHA1 | 4e99382a7dec59cc2004de9b40a72cfbfc2a353c |
| SHA256 | 2ecc2db4c1de2bf19071fa5b335f8db89b7e3a02df8082f736ca333088bad164 |
| SHA512 | a93e6cf5274fed7763b2986a72cc5ef90c3937eec7cac11e3199bcb69d9e2a004a1be8d1955e3484abd4d5f54a6ae0e8dea81a9ce68f340a0e03a7c21c46309b |
C:\Users\Admin\AppData\Local\Temp\gEgo.exe
| MD5 | d6d2b36af108c8d444ff16742d7a6073 |
| SHA1 | de37f6b9da115b432ffd8dfe08b4c70a621bacee |
| SHA256 | dc56a71d0569886f83d2131f483e418c4950ed1e0f3112256d63b67b0fe43dea |
| SHA512 | e281449fffe7bfdb99326c01bbe2a9a9c66d40920a2f6ea035c3464cac28cb0dcfb1897dd92a7c0c59a98766ca55a1aa06886310d11b78e7ebebaed4019c1cf5 |
C:\Users\Admin\AppData\Local\Temp\IQou.exe
| MD5 | e8e0efbb989c4943892f24cb1d5f8535 |
| SHA1 | 8316f5d32dc5675607b760ca8596140137735c32 |
| SHA256 | 6a51350d6159b6acb3818029be0a1037324330a88639c4c145c4298336d51dbd |
| SHA512 | 23c133a460b9c1c4a7e34121cb70165b880aa8a757ae42831d4363da86c59c53444ba41efd1af78b2cddc674b99c2653f32052219aa8b8bccc9344e964ae74c5 |
C:\Users\Admin\AppData\Local\Temp\UQkI.exe
| MD5 | de5c491b7f5f9c57ffe3d23136e71b02 |
| SHA1 | 2a872b41627ae08106d181f6b1f81acd100a5d59 |
| SHA256 | 1a1933f6ead1fbcac91d771bd1a454927488df9a6a1729dd48100f72ec74aa02 |
| SHA512 | 367c0f6e287454d69830c556b6000d977eba1fb4b4beab9b26eb6daf5e238be1be53b2d958935e0582a3e820fca1a5b07957da2f828dec9c0dfce56883fa95a3 |
C:\Users\Admin\AppData\Local\Temp\goAW.exe
| MD5 | ecc784fd943f40d4d82923a6aa539f7a |
| SHA1 | 9de67c245bc965fc0c86a275fd1815ee15f96bd7 |
| SHA256 | d8b04685d1bc6068d976c18747dfdfecd6993f524aa320fb410f8da47e49c69e |
| SHA512 | 6efb7769ea4e902e4bfedf80cd5c2a55141f1868249be64933e0375d0c0550d205ffff5471d21f76a8888b195e709be380764816981f6d0f9f586c47e21c922b |
C:\Users\Admin\AppData\Local\Temp\xookgwkE.bat
| MD5 | 9ad08bb27bc4bf14286c00b399bc3c09 |
| SHA1 | e4d2f8b93ca367f6f135597a3ce5f00cb723f76b |
| SHA256 | 3430bab57c6d995cb462a6c58532acdc72572341f4fbe78e3b95e9b4b1076e32 |
| SHA512 | 2e7a9d67f5180b22a63add4313de4d9db59d0f648e8ab7acfcdaaf85cfa51f57eaf2ed2279bd043e7fbdd0b694f61174fa6ffd3496458e7f0a336c892463da71 |
C:\Users\Admin\AppData\Local\Temp\YwgY.exe
| MD5 | da98e00a4fd8d3c0002764b9c70a62cd |
| SHA1 | 9b9caee5dd3bc3864757eff1c7c86433e583146d |
| SHA256 | 825f3588cac974da4384432af86183df053580ddeb36c77e1c116debc1e571fb |
| SHA512 | 7390f2d667ca5f9963aa1845d7df3e2b98457735b525f1086447d4d7ceade79ad8420bd2b7069bd27daf29b04463a6218a292fd26ac9c648ff9348aa2000dcc4 |
memory/3064-828-0x0000000000160000-0x000000000019E000-memory.dmp
memory/2068-829-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2360-838-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IsYE.exe
| MD5 | 6dd48235ee030543c23aa73b9a06b88a |
| SHA1 | e6ced853ad930be0674f4faf734015abc1f2278c |
| SHA256 | caac1ecb2a9d2946d03093f3797d6c9ebe9a23e20c64610623a9e94ce50c6eac |
| SHA512 | 39f3d7c0a0cb97a4139a6a00e354017e928dfd7a8e382f041c9c4aac2db76ab4091c26634457fe54218848e1f7b57ac8fed4437c663e169de05a7b8603b33c9b |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe
| MD5 | b430108058e7716d079dc471fd6c4533 |
| SHA1 | e0040aafff07e8b3d301e2ea30b2ad628fdc1225 |
| SHA256 | 961da70472c6ae19d6647c8d3dd146e368a690d328808bba6d3ded48fe7ff9d7 |
| SHA512 | 80a1070ab655cefd891d3a9915777001cfec10a50241d4c48e5aab6549e6d744c033a8382a681172f1c644b504124c04f1d0ef25e42b97649f522c7d9596b4d3 |
C:\Users\Admin\AppData\Local\Temp\Agow.exe
| MD5 | 33e87adbc94f6a6a654b4551ea2a32e9 |
| SHA1 | 1d8affd5b6b22318a68934509559a327cc80c434 |
| SHA256 | ea66863cb7e060e0fdcbc0bb64a0a11e4d66629f0f2e913c90147484e25f4f79 |
| SHA512 | ab4343920a67e6dbdb54005279bef67323d75499b442e3fcfd00737cf782d8b598413353c77bb9494c698179d217116f141303190b7fd1cce484c9afc05994b7 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.exe
| MD5 | 2f7a32d04e2c141f23319f2cebf2a141 |
| SHA1 | 8f5f368d54eead5f9cd3f67c127ef71fb5f0fe7f |
| SHA256 | e4cfeaf339127faec242d8a2bb8e101c64eece1e9aecf70ed63de2f67cce5c2f |
| SHA512 | 2683dca0f2407570885dd9549db91d38975282f3cbcdf99540e764b444c581924e1de41aeac1ea8cc958543ebdd557a8908b8e17a901ac0f946a20109beefb62 |
C:\Users\Admin\AppData\Local\Temp\eIki.exe
| MD5 | 74660d0496e8cce9651e79d8135d56c2 |
| SHA1 | c56caac0af56dca7d6db622834ed0d4b323b5904 |
| SHA256 | 567398a5cc441c6c4be556691cc39c6336cfb6e90ccd9af859c812ab07f3073c |
| SHA512 | 78e4f061d7afb41a586743f1bf17bc335af2d8cc0174ae1dc2171376f6d0fec35bae9ddb92e83f4144789060b3e3825abce3d138b5cb98b95eaff96df254de68 |
C:\Users\Admin\AppData\Local\Temp\pUwEYgws.bat
| MD5 | fb2352289035c0e87832d5fdcde19e10 |
| SHA1 | 74e925611c068f0f5436fab0341611500b35d2e8 |
| SHA256 | 5529808b886b27c365bb956d29a2e04b03ff5b09123790cf0459d914bb0d7eec |
| SHA512 | 12aaac0c04332f0e76f7a237f99bfbd8e14e185268badde29a27452d832db0e6948b69db3b54837fa6fb8e7b53e18a86243e3cdc13d72f8c440a76764abbf1ec |
C:\Users\Admin\AppData\Local\Temp\iQQK.exe
| MD5 | edc12240b9b5e5e9f94833eda1f26ce1 |
| SHA1 | b60539ca45f425b994711d9c613259d73956b5d4 |
| SHA256 | 87118ebadcb5028621b39d9f39552e946b38351d01dd27c53844bb4badcc9ab9 |
| SHA512 | daee1598126b76455f1218cee56f1de022df1b693caae55a66821a9995f01f91808a66729fa79a23742a9e1b8c8944f12a0ced0f0812085841c701263b3035a5 |
memory/2700-939-0x0000000000430000-0x000000000046E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wQAY.exe
| MD5 | 48835823ee3a4ba30ba27deebee8784e |
| SHA1 | b5d32d8891259192c4d38d2cb61ca9dd1339e1df |
| SHA256 | 6c31ff7df97b4646a8e0930228f2aba70a9311ca66cab6bb7fda507d946c6209 |
| SHA512 | eb8b5e811dd260ea6b1b723fc794c5f3581b8c85747cd3723957e42367bf54c1fabfd5bba2cd9a6e962ab88a810cf0faed4c34f8de4bb0cc4bf6742d3a68b5ba |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe
| MD5 | 3f939cd25d006f3d22794768bcebedad |
| SHA1 | e02ff344ce424d5a9788b5344389d441a20c94aa |
| SHA256 | ee979cb963a7da020c886d430960697e72ea339e1af3bf5d1287f449c3fccaeb |
| SHA512 | 0c4d005a03bd4ff27e76b4531b7ec213f27f38183f5c2c7844b92be37e7c41e5c8f5e902f87926484f8c12d71450178b0ad645ba1bc9597b4183231690514fdc |
memory/2068-961-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uMko.exe
| MD5 | 0417ce5a1920124a966c538a34d9b162 |
| SHA1 | 374fa89d48621afebd69af8b12708871800666ca |
| SHA256 | 5251abb2463db429ca1366a03f41dd9b9d049a8416ad84709ef3319574f4ff99 |
| SHA512 | d497fa09061100c5c49bfc4fb54cff8eb1d387160b3c3b4e7f399746b1361b945b2bccceaf96cf0847f458a94bf4cddeb5b00bc17d59f945ebe05e470d60c3d0 |
C:\Users\Admin\AppData\Local\Temp\EQcM.exe
| MD5 | 528ae28dc50a4780566470dcffb59863 |
| SHA1 | 8e34dbf2da12f1e27563cefbb04219a46a62c23c |
| SHA256 | 25f793a8b8d6364430f902012dcba0e242150a458bac4853b2f0353968188cfb |
| SHA512 | 54d2f2b97463eca9d9ed59528d095393c1b45baaa32800e9a604af6f5af3120c3c01f56931ea48f6fb5f94bf3cabec46bedc3a93b5ec067873c4b00fec670b45 |
C:\Users\Admin\AppData\Local\Temp\coQQ.exe
| MD5 | 7e64f2a2528cbe32ddbcf2affe00da7f |
| SHA1 | dde59c9e2202fc31bc401efb82bf2aa3b179e5f5 |
| SHA256 | b7903b907f5441e54e85604887e00e720fa641ffeddeb5a779d9cb17f2702dc3 |
| SHA512 | 441598719808c8a13440edb602572a5165e27681e10df955ccf70317d9c703febc792fdf5155ec91b312e26f6d747f52e2c06caedb41adb8a179579a205990bf |
C:\Users\Admin\AppData\Local\Temp\SwIEAQYI.bat
| MD5 | 6c4c005fc3a435a7c137d9ee5a6ad3ef |
| SHA1 | e78ad2f86750b88582dacce936bb6434346c4834 |
| SHA256 | 910752803c25c74dd0c39dd62edfbe5f73616a9b9e66c7551556262d959f0368 |
| SHA512 | 608b7936aa3c54fe9a456eee1a1edd9c4c898b32bed0aca8753355002805403e3e47d7c1cc0606cd29cc164742428ff6cbe0e528f4e8101206c9fc2ed677d4fe |
C:\Users\Admin\AppData\Local\Temp\OgkY.exe
| MD5 | d700ef7117596dbd0b22ff76ada50166 |
| SHA1 | bf517435b4aacb3fea952fd670fb3e259693efa0 |
| SHA256 | f066a9a6a2fb9f13a52df4a5480924855920cdac09897bac2b4bde29fc2281fd |
| SHA512 | d65a796b2e45c6cbc7e1c079d7e47884e78970701d0a1454b854d6f7146e731e56ecf86798aabf50812af2603bb44c446d0dfcf25cc9c2bfbbe2a7adab0fa765 |
C:\Users\Admin\AppData\Local\Temp\QAAw.exe
| MD5 | 1b3338bdc86a81a3a34e5753cc5ab87d |
| SHA1 | 6d860f98e04a6ecb846ed20ca653be25e0840e5c |
| SHA256 | 4db97ed56d5f9292ff0adfab50bafcb09a2be4f81d811150e7a62172625c1e0b |
| SHA512 | 30abdaa1a29e39ac20d2b134afd003bdb7abde8296484fb356fde624acda56a843cf7658a70e6df0d08028a064de764dd78fb440d863d44b9f0501b03a3e39d7 |
memory/2976-1036-0x0000000000360000-0x000000000039E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mQEi.exe
| MD5 | 8fb77cb9f8bb3831cc80456bd934796a |
| SHA1 | 7aaf5599eda42cdc3d37724fbbda82df3d7e9ef3 |
| SHA256 | d949c3445b71e5c64d986e257db7431326a07eaf9bad20b51f9e40e60b802c3f |
| SHA512 | 831c68f2f5973aa2b013114390834d8b382f192c6d74b1e28bec9cf0b19f2ad8be9358b79bc5da79a5db144be58b3f45ade9800501d0a5d3675247aa0c951ddd |
memory/2092-1046-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EAkc.exe
| MD5 | f025fc99544acb50171362947cae841b |
| SHA1 | 4945996828d2fe0b4aabcad428543fd6066c720d |
| SHA256 | 683871909c9ac6d392048b74c63bd477926faf2d213a7129119e82905cb1d56f |
| SHA512 | 41bc3bc85542bbc03c35ccd04898c70a7183eb6e767787ebf7b86057f8dd6c3d21f87b62129088c5db75a6caa38b63e797fd7b80659700e1e092efb542dbba91 |
C:\Users\Admin\AppData\Local\Temp\gIsI.exe
| MD5 | e8b946940f7238f1fefe3cb158bfeefc |
| SHA1 | e873e53a20f93ef55c9e50b67e21836d8aa01c1c |
| SHA256 | dba83fda631be4f7507507f7ccd8f64734a038bfbf9ef9f962b9739e6d2a65d4 |
| SHA512 | 5a78e01e05bc8f8c61ec4333314e6d01c0a97e11df8160f5e6ed4c5f2d30256a951151bb0695760bca5e016d542d569d0141ba07a0f3c531e7fc993f87e8d1b0 |
C:\Users\Admin\AppData\Local\Temp\CQcI.exe
| MD5 | f8cdba3f2430365f62848f16f6ae3eb6 |
| SHA1 | 9f4fbb1aa8302c1481d7fce004991da66502c716 |
| SHA256 | 60b6e744552b9fa1940bf1b1bf2b3fb6107b3122416d183e62eb84f0cf4a7340 |
| SHA512 | abf779103ca909b6125c61e9509b9dbffcb2312a8c91df353b401237f8127e2ef7e6a3b210cc59ad52499546ea0605ac80960134f7f7eacb1efd8a2bfc7f8bcb |
C:\Users\Admin\AppData\Local\Temp\ecYy.exe
| MD5 | 5fdda068f292ce6d188207c25b0cc512 |
| SHA1 | bd81efbb7977d356f07b1bab770ea871b4a1255e |
| SHA256 | 13644239434a7f264a39e3587612b2357df6e241686bd26454327ff920a6b720 |
| SHA512 | d008d7bb182d90a930752b3587e4ff06b6977f5771b9a3fa53004471757aa62f47429b5045d726a654051c8fc6815b03f688c2e060dc790f90eb6580a28dc752 |
C:\Users\Admin\AppData\Local\Temp\cQQAQQsk.bat
| MD5 | f47e0ab01a031e31c2729e9054b88b6a |
| SHA1 | e7bacee61ef556c672018afe964c3be3f7273196 |
| SHA256 | 2e0a4a98e7382276d67acd3b0ab115fe9427c1fa49d599306bad2fea11bf906c |
| SHA512 | 2b2915bc30817fdacd53c5e9aa8d4afdb11fe3deb4bbe7790cec0a2e3e743b8f951525df68b3cb6f7a24068d1ee7d2d2f5d8ffa7a9ca11256b32e4e05eb70fd2 |
C:\Users\Admin\AppData\Local\Temp\koAY.exe
| MD5 | c58ab1fdf8c5f1b1a83f1bbb6428a2c7 |
| SHA1 | 02074494ca7f5d19eabed0bb984ca3881fe8f06c |
| SHA256 | 80e55d58f1629a7684c9e41da340a6fde8001826754f53dbbeaef3b78581f0c4 |
| SHA512 | 13946e6a4814a62a04df4654ee49139aebfa54f0dbb8be48a2b0a735b235d2ea68f55273d5d3b817149a23df5a60ff6da551c7235a307425b9e0dcb10d72006b |
C:\Users\Admin\AppData\Local\Temp\SAMm.exe
| MD5 | 62e8d08a17c9f451c781a954e935a493 |
| SHA1 | 02c71b49f3e4e4e4264b5c5ddd31dea842ac8a5a |
| SHA256 | 175fc99e228542360cdfe72bc3450d75b33669abdb2204c9698262bbd0018f24 |
| SHA512 | bab816a4899ac9f1718d8906887bacd05291bdd293deaf6b76ee641375ff1788fd929eb418907bcf2e25b24d4d44a93fbd01108b6340e9e6b4d72fff562816e5 |
memory/2924-1158-0x0000000000160000-0x000000000019E000-memory.dmp
memory/2160-1167-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uUMY.exe
| MD5 | 8e8a631b06750ddc1d76f9d03ec01b7f |
| SHA1 | 014e5f6e586c86642ed71ce65e1727239795ee49 |
| SHA256 | b1a1d7b32e8ce206ec337f15fcf758095e935c68c6bb41f54c39b7f754fcf581 |
| SHA512 | dcb07df1a785fcaddabe8688e661f71fa8e1507e1a686324a29f2d001e009d06bbfa41e9712b4c420b1e94eb1414ba6356301f62203ed4f19423da42e46edd23 |
C:\Users\Admin\AppData\Local\Temp\OkoG.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
memory/1960-1168-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\owcY.exe
| MD5 | e5bb2e1bc04d59483fad9cb104e413b1 |
| SHA1 | fa8a2ebcd00b5409b5eac47aa20c25e77da7ff27 |
| SHA256 | ad0b555b864bc34bb98d38d884f5f51029ec59619c5ac3d58fe9221db87d3b75 |
| SHA512 | 88704e0a06531066bb931ef13087ea8de1053bfc4809a5d5099c82ee3b05e9c7a8b08f2acdfde9384efaa5cb0353d9cf7446d354dabb3816eb84c1f4972a94cf |
C:\Users\Admin\AppData\Local\Temp\cYMa.exe
| MD5 | abe87d14104752c2071f1fc3b3acc183 |
| SHA1 | 9e1c1042d2f8256a801ad1a97f80a83eefe7f777 |
| SHA256 | 394ddd50f747739d6ddd790bf30bf5fd1e44dbf4359db9d7561805c324162c04 |
| SHA512 | 3dfbb00dedd3e131e415803fdc23642fa8d2c4a7c4409ecf12edb6f4a2857cc3f8cbdd92ee62819ba47b39d8b5535c9ec2425f6674b8212f08a9f195a06a5dbd |
C:\Users\Admin\AppData\Local\Temp\WwgS.exe
| MD5 | 7430482bd7472c603c80be63ae1d6d85 |
| SHA1 | 13bbcb7f72f8c9ce9bcb1b68bffbf9af3574f090 |
| SHA256 | 3bf1f37098962bfd32dc1c50b26a1962718a29c5359a03e088c1306654e5ef7d |
| SHA512 | d27a8d19ef4ac1eda2d75e4564c9c76c30c9f6d630c357d30195e3f258fc3fe275e7480aef470e2dfb8a3cfb3bfd1c6ccca56370ee2642b9cf4a1339375cf1ae |
C:\Users\Admin\AppData\Local\Temp\gWMQIgMA.bat
| MD5 | c706c9a0b8ee719c3ef0d21cf75137cf |
| SHA1 | db42fc803797ad7d936970a4bed248890b52a271 |
| SHA256 | 7edb4b489d232359bdf90c62be59ffe88fde53c5097775f6f050fff7de79a66c |
| SHA512 | c100a5ba0619a0db36d168773eae8484d7e1f7b417eef6bf6baa68d6007fda946b2c506a776022a196168a446fd9def5ea066a4112603d9a76304754ebf33d85 |
memory/1608-1230-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2152-1231-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1960-1240-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iEoM.exe
| MD5 | b3f4243b76ec129c049fb9c93da2dffd |
| SHA1 | 7229395e3489f7636612c2fabd4e0dd04b6eb3be |
| SHA256 | 37eb438ce23c6ae206da54a3df4b38793b4b8a72c1f44c217c19daf68d0c6e2d |
| SHA512 | a5decae04833b7751422a8d1a422f3899e1608782c2cea463368863d24020cf8100bdf55f529b5570291afaadf3d236758798cf1873e7b665cebc969aeac4950 |
C:\Users\Admin\AppData\Local\Temp\KoQQ.exe
| MD5 | c39742bcb9debcb47d862376ff6873fd |
| SHA1 | f17b40be844443a24a4581fca74ee7ef070c6d27 |
| SHA256 | 1ea4786723955ea4602631f1986b3a50f2c740391edbd400e02bdcc6dedbfeff |
| SHA512 | c8750ec47771a4255d5dc6602b6083f204dd799253ae41efebe343ffd378be99323c0577b12296aae7cee01d2b7dbe2155a29bd5a36730d38bb6d4829ea9bc9d |
C:\Users\Admin\AppData\Local\Temp\isgo.exe
| MD5 | 4fe01d140279ec2017a8eaa20383264e |
| SHA1 | 331edbcaea6b74dd9b384ca2c692b9602d8ec712 |
| SHA256 | 3d2ed861ba715109c2d7cb6cd4577d6d904084c5a8e30b71127da0afa32a8cf8 |
| SHA512 | dadefe17a8a2000af9d653d6532fb6af8a4b3a65fac5cfaee6f97140682770bfb39b5738a0e385f4f35f9fc77ad08a51cfb3e05e17af2f8610f4290ad0b454f2 |
C:\Users\Admin\AppData\Local\Temp\meAMQsMI.bat
| MD5 | 9d77d0e1b70533892a139532bd6687a5 |
| SHA1 | af13e9cf848d2d21fe1f0845829b93119ca4b1af |
| SHA256 | 7bd0bfd5691538979f6ae67ed519800195109a7766b7e3d62bb226d67fb6fdfd |
| SHA512 | 4258d90df5c706d6b84d5b29f194a4e48c0b01ccb1ed7e4a5e2d55bad13b22603165486febf6f8d1a986f893f7832cae7ebb7ef305adf79bead7ab4d42d88adb |
C:\Users\Admin\AppData\Local\Temp\ockw.exe
| MD5 | d5216033a4db3561a4d5d3a414b9327c |
| SHA1 | 1f89657dcaf380fd84a622ba1d5ac0a037477ed4 |
| SHA256 | eff81279c74e241a17f1d15084ba736c0ec1111d03e5221a8b63cb29cf16b00b |
| SHA512 | c0c9d4c24e2be6f91cc88990d83174ae675a63f6f8ef00c39918950919976349ce8a39779aa29f3d164817d2cba0045990311b650a63b248e562eadc8888a157 |
C:\Users\Admin\AppData\Local\Temp\IYMA.exe
| MD5 | 7a30ec541ba642996bb324011e47f235 |
| SHA1 | da88a83a0e6825508c94bacaf26194bfe07cfe4a |
| SHA256 | 2bd3371ee67debb238882212ce437bf45679e07e6cb6cf65542f8bfaa17dbe05 |
| SHA512 | c82d38ba3507ecbd6c0c8afd82db817e3ae3080c50179e39f0a900369c0ec41b9baa3d634ea0febc3695a1bddd779eec0bc8d18641cd163eb8aaaa941298d59a |
memory/2152-1336-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1836-1337-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1712-1339-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkgq.exe
| MD5 | 9e32a6cb98aa93037140a0d9f992c581 |
| SHA1 | fc27b30cac306f817449add350198656f22735ae |
| SHA256 | f858f577a417451d59bbe1ddbe4858bcf37fea72f7e08bcb67b312ec12e7667e |
| SHA512 | 557f9c6cb9c0af82d31b85cc8db527af2ae9b77f3eefeab6d6aa407e244e58a65fcbfd9c8e3f3038547d94cad59cb6941738f3cd05390551b5ab2b231fec1943 |
memory/1836-1338-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MUQy.exe
| MD5 | e7f089e94dffe30a4ea40ffb6f36757e |
| SHA1 | 22b9599b787f8bd221f35cb32e2bf1cfd8991070 |
| SHA256 | 9cd85d2cec7810a4ec79f9bdb22a56b566ba1d9eaa1cfa1dbe00a5cc1d5e164a |
| SHA512 | 988ed0b51202334fc29d670feec5c12af84db2ffb08583a4776f723afad3a8b269efbf04a85b6f7bf1fb4e1a1d3f18ab08743ad1bae1f572652427e3641de2d5 |
C:\Users\Admin\AppData\Local\Temp\EUwm.exe
| MD5 | 29c40c4650b1411294dc9dfb91aed9f2 |
| SHA1 | 538cd8033c693938b81be2b77db27542329fdd19 |
| SHA256 | 3f7031cca39cd493bd41f6ca0a39ed0a1cf54c91f7fd07abbd45b57a17fa657c |
| SHA512 | d29fca4ebacfcc328560e1926ad79f5700e1664dff8cab3f93e655db12400aa07eff75fcc0b7ba1e95f64c903da829aa511170a9b0d8ce3b61d29a9e2b950665 |
C:\Users\Admin\AppData\Local\Temp\ggIS.ico
| MD5 | 0e6408f4ba9fb33f0506d55e083428c7 |
| SHA1 | 48f17bb29dcd3b6855bf37e946ffad862ee39053 |
| SHA256 | fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67 |
| SHA512 | e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914 |
C:\Users\Admin\Documents\SwitchUnblock.ppt.exe
| MD5 | 57e9671995a65d004eb8864abe5974c8 |
| SHA1 | c86765e8b1079f86cb5b9eb20a6588b23dc6bf3a |
| SHA256 | 9bf36b7b488631440198436af749a5fcc19595d50ca7658c11a75d7401efbefc |
| SHA512 | da4b47e63eeda1d622f19b698c3b3925f3b2f7bd797124eb7604c6bb4b79e6cbf132143d7da314c934f31c702d2ea3e98f97871733b29ea25ccf5e15b94ce353 |
C:\Users\Admin\AppData\Local\Temp\xEMMIEgg.bat
| MD5 | e774041dbf86062f5809d77805841f6c |
| SHA1 | 7a620222fc9cd7f6de04797f1ec9c3f62e76c7ef |
| SHA256 | fd8974ac1adfdef89aff17ba84284c04af8bbb65a0b44b90a5f0100f26a7e99f |
| SHA512 | 6dc15b2fb3adc2cdeebd483a7cde2e9e37283e9e690ee61904cf8f4d7dd9d968f71f32697d77019878ec6930fa03c5a47a0238c6a29da310aed1e609c2f87962 |
C:\Users\Admin\AppData\Local\Temp\Mgsy.exe
| MD5 | cf71c863a5b187dac1b68642b41869eb |
| SHA1 | 493ec3e80fe7d9ad89ca0b42783b78669ffc827c |
| SHA256 | 82e6206938bc2ad37c5b574b888aa32c4f4323dd97a10d506b561aa1ccda0c7d |
| SHA512 | 67a0a9914fb30b223138b6ba01a570dca18a1042e3532c1074631f34d169719c847fb253f8c08dd6d4243f425e8013cb52f7e3493842733221609dfe97bec0df |
C:\Users\Admin\AppData\Local\Temp\YIkm.exe
| MD5 | 8804bb4e0fb023422225f5cd83145109 |
| SHA1 | fa75cef3a9d14f380f3ee9511ca2506758d0c7d6 |
| SHA256 | d568c51084a08eac7cd7f2b48ebe56e771f92d34b36ce8dec7fd529c0724d6c5 |
| SHA512 | 285a55486b73e44f0c501737a47f0ace7a5d8717e96900c847599c109dd9666986dfa4574c8db796d355880dfeb626e416636c5c4e4003a9d58fb0d7f324ec0d |
C:\Users\Admin\AppData\Local\Temp\gosQ.ico
| MD5 | e1ef4ce9101a2d621605c1804fa500f0 |
| SHA1 | 0cef22e54d5a2a576dd684c456ede63193dcb1dc |
| SHA256 | 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0 |
| SHA512 | f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32 |
memory/1712-1434-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Gcow.exe
| MD5 | f4a841356b69ae13e17a66ff5907b3fd |
| SHA1 | 9a1e4184381a7024d8adcf57c73bb97a34fa66ef |
| SHA256 | ec1c56a81109225755efed8fdbfbd4b39394727e837e9bb9257c92adf05dea37 |
| SHA512 | 9c1163578391ad51a414e43fc9776fcd1523cd74b3f7df543f88d7951906243daeb476797b806dde4e1bbe1045695cebc5a31dedd8d15aecab4271c4590302b6 |
memory/1604-1436-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1604-1435-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gkwa.exe
| MD5 | cb3c7e90e122be0927a3fc1fc0f0f0a8 |
| SHA1 | 3ab87977796ede50242d954904c0fdad9ff89ef6 |
| SHA256 | 04fbba2a8ee2d2f4d4d0b62f7147949231a941923d922d5307f0335801de506b |
| SHA512 | 1578e5d5e9904920b61db3c23ce3b11cbea3ce142a6abc57e890520be7e619ee3e191855d669a8fe8ecf45f1e7e5a06cc1123f54a84946a044a970b6d3b19a52 |
C:\Users\Admin\AppData\Local\Temp\ggMC.exe
| MD5 | 60287c1920ad46899ec44c2a533ec198 |
| SHA1 | 4a14bd9f964d126858e594ec3c2f5430d765f091 |
| SHA256 | 64db2c8cc0e70bc0fc646a67df7c0a8b99449253e32d4e50a2e9b126eb249da6 |
| SHA512 | ab78e2ed313ea4ccec5dae6a9417ed6c55f9483caa288f07bdf4d68f08760135e234f32e1db0ffa176f16562f3adc366312752834f577a09c19d51f6b6acd134 |
C:\Users\Admin\AppData\Local\Temp\MUYc.exe
| MD5 | 81a02a5b6a76e71fa74b4146866169cb |
| SHA1 | 7d04ab32a09f80e106e974db82f0640a126fb478 |
| SHA256 | 166394571e89eb33cde735a91ab0839bf9a6e2521dde7ad45e5160ce3dfac39e |
| SHA512 | 0c4fe36918cb328e1a7c53e3191036d5f25b8984a5af00c390c454e61f930bf437ca1c4a354a602584f4614e5e4360a8aa4211cb05d92d32d1779f72fd4fb406 |
C:\Users\Admin\AppData\Local\Temp\mQAy.exe
| MD5 | 3f5771d6d13c712c600831cbb7580537 |
| SHA1 | dbe0a94323edb08620acbbc0b412eb40d5a70a6c |
| SHA256 | 677b018d0802ed97a08ae90e2d08e1c8a7fd11d783f8d65efa3665554755989c |
| SHA512 | 050a30beb775b7742235dc3a04af9cf802ab5928fdb3fa473e375f8ea6bc41fc8d3cf645b32790f03dfb0a41e19d794c975aa0530e70e580f969ac8f2da4ee38 |
C:\Users\Admin\AppData\Local\Temp\AMIO.exe
| MD5 | b6406bca6a393f3c665b37b1c7d26508 |
| SHA1 | a8842ff0f5e0b3d3b8e3c8a12cb1fd44117aa144 |
| SHA256 | d0474eca45c5dc45a4cbe048fb069d08e62d219395d372ac098061f9209afa37 |
| SHA512 | c18e4a047806541846f71c0c4ba66dbc1d1ba07dc86613eee3892bb93df998ca172b47f8f0961a85eed2d97d091460bcf18aeba9bcd6c77f7229629fa8b36317 |
C:\Users\Admin\AppData\Local\Temp\FcgAoQAk.bat
| MD5 | 08fbc246331544033b1650d73878c1e2 |
| SHA1 | e115b6869d558e3f68e2c9b874ebec944314841f |
| SHA256 | dd080ee7be3a1a51d07f65fb04f8c96df9026c6584cb3d41b0f64de722963c66 |
| SHA512 | ff293cb44f9e3cbb6e80bc8c4467d8f4d4b43d40517d0fc7161ab46aea70ea4c97c0fe10f8c49b0ebb1018f814fc9d362580e2247679d687ae917ddd5e32525d |
C:\Users\Admin\AppData\Local\Temp\gMYu.exe
| MD5 | daea10bcea732ddf1f0b38c73361e34b |
| SHA1 | 2b1c74902ad6f807dc48fbb8ef77462d7c12a383 |
| SHA256 | 4484219386c50dca05738221d8627bb128f547e7bb70b4cf0c6a0e38513e30f8 |
| SHA512 | 1d141bd10f3d0de5bd924d0dddd541fce3d505916e521d7305bdba92491ab9124266cba897ad248cccf16cf8313b4ebcc15199a2f199ac35419701ae34338fde |
C:\Users\Admin\AppData\Local\Temp\WkkC.exe
| MD5 | ea7bbc4dfc82d3d529ba6c57f461c863 |
| SHA1 | 147e6cb93df74b937f6be6ec5fb40ad2f7952333 |
| SHA256 | ea4ab1f8885b9dd969f240ae642b8f0db55f41fe1b7fcd3fb3faf460d8e639e0 |
| SHA512 | 289f2dfcea1637c41c0190d37f3214f5e02fe6de418ea5b2a530fc156749e336b16a251c6ed7089e314663ccba37b0b0b12babc5ede92e8ebaf8c9a331fe288d |
C:\Users\Admin\AppData\Local\Temp\EIMc.ico
| MD5 | 964614b7c6bd8dec1ecb413acf6395f2 |
| SHA1 | 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f |
| SHA256 | af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405 |
| SHA512 | b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1 |
memory/2392-1576-0x0000000000400000-0x000000000041D000-memory.dmp
memory/2492-1575-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2112-1574-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2112-1573-0x0000000000400000-0x000000000043E000-memory.dmp
memory/300-1572-0x0000000000400000-0x000000000041D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MUcU.exe
| MD5 | 1482a01c669faf7332b4f58f98d79226 |
| SHA1 | c02b5a5294a724aa7d07b73a86bc54e1f35fb9e8 |
| SHA256 | 0b6e5c8281a2cf2bfc33ec894d58c9c0edd2ba6c5d6c8f578e2826bbbb6a8360 |
| SHA512 | 767c344894b699846c42c9a0726ecb6f95a6c871e8006372db511d4dd721345ee534adccdea3abc678d604eeb57d1b2daab391abdee181a2767e4b66bd71c7bf |
memory/2932-1558-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SMUA.ico
| MD5 | f461866875e8a7fc5c0e5bcdb48c67f6 |
| SHA1 | c6831938e249f1edaa968321f00141e6d791ca56 |
| SHA256 | 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7 |
| SHA512 | d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f |
C:\Users\Admin\AppData\Local\Temp\SsQU.exe
| MD5 | 04473e3ebb8a7a1445edfef68d667cf6 |
| SHA1 | aa711b637a6e7db7a90456f4be0638e1a1cc34e6 |
| SHA256 | c183f9883cace88cc1487982e57e2f08a7ec36bdb7feea2a6c76ba3d71ff8bc4 |
| SHA512 | 11e646d912e444b4cbd5d04d48bdf7da116ea812ff2cb9f0bcdea3cc179ac361d5c3ce311e79d8414b93242d8897d345f258de6515e055d6b8c729f60f0b132f |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
| MD5 | 2c0549bb304ac8c4214e74b0de914cee |
| SHA1 | 09e8c3bd5dda376b8034ad0a1152f77245116a97 |
| SHA256 | e723ea8539f0fae8fa1e0215ace165decd2f612aec4591b8b5b7a7036b5876b6 |
| SHA512 | 2a17ca3a5fae0a246a8e67e734b04b210b838b23ef0123ee2bd233d3255fb80a514004ea2b9e58619293f4b81c4b3dde7814f972a614b6b2cc8ff42dd09f1de4 |
C:\Users\Admin\AppData\Local\Temp\rqokEAMU.bat
| MD5 | e4661a5e800a3982fbcd094ed795c3b7 |
| SHA1 | dd8128b4a3e30f91df24df81059490478d53b52f |
| SHA256 | 7928bba8b917685c01b09417c5787882166ef5d8ae9ff19b2e2a62e2de0f44e1 |
| SHA512 | 1800c25c2d7f84dc860a805f705e8a60c51183ad3e572527932a1d421d3c6febf62f2dd60eb71aceb36c1b372553303335efddbc6be7eed2c7d93fa8f0817528 |
memory/916-1615-0x0000000000260000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aoQu.exe
| MD5 | 205f0f832ef1ec225672ba408312a11a |
| SHA1 | 4aeb2a0701395d9d64651d33506f6e58a0a9182f |
| SHA256 | ab8c810c08288727701303e75ec68553a09bd970ef8dae5f706673ac4091cd5d |
| SHA512 | a7e7ee3079bcd078e6b2b843c02ff1f50474bd745b67f4531dd153b4f8b8da09ca1a649e2acf281f122b6564fb19c6871adae283a16359f834ffe73e7663e67c |
memory/2492-1637-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aosM.exe
| MD5 | 3669023149f290e6bcbe2cdcfca4338d |
| SHA1 | dfc918c83d34c974941afc18b38b557d67f0e75d |
| SHA256 | 25b726c584fb6a36820de4fcaa1bf9d1ec9e20a599de9f5c8e41ebd9f4e8e2e2 |
| SHA512 | 78d6605f9db0312d5deaea4e71114dfbfae63cb281a81253f72dfbbf729e10c2cdd0ff5b2c6a6e109948eba7392174d1699be6bcb47f5d4ad51110b56d3665f8 |
C:\Users\Admin\AppData\Local\Temp\AcgY.exe
| MD5 | 4cb220d8b95aa1b1cacf3ae3c7fa37ab |
| SHA1 | 1116ea6c0f06f7ccf7031d6db228b0fbea9ef91c |
| SHA256 | 377f49adaa2b384440cd0a9598fae93b5ecffc18a1e4039b96be4706950f6d3a |
| SHA512 | ec9feb865655d043ab2703495a8045dd15444500d679ffe76daa952ceca2921ce602df6f6a8e14243b7542a978eb0779077da38065e13200283362ceda43bf38 |
C:\Users\Admin\AppData\Local\Temp\GwcUUUkg.bat
| MD5 | ef67c957dd22e0be3b462717e6286105 |
| SHA1 | 8a2c7a0b98e90811dba3d8caecb9e43534d9900f |
| SHA256 | 8e6444e8c8efb1963934e884c07952455902c1321f9997f872f3d3ee19c5748c |
| SHA512 | ac4592c1375ed680624643700e9b3db29b37c6286ba0739933755f530afb2cd20fca67a31f129439d9b83774e87cb2fc48e28c6348f941f2b6ab0a8d9357360b |
memory/1356-1682-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/2364-1684-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1356-1683-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/1580-1693-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ksYg.exe
| MD5 | e3b8b886d185cc2059a342557daa5af9 |
| SHA1 | 2bd7853f3b7ec7a5e7430a66a4759c78a0adcc90 |
| SHA256 | 02da39f889b0076d78681be6ab2173cce1aaf7d59cc2b757947fcc64d2ac6a2a |
| SHA512 | f7444b188087316c4fac56fd86630fde5342e2a30431f29d6d0afef4e9340eb2526326f11982a875630462b4e077a21819295a5b561ed3d61d26c4e3e1fa2ddb |
C:\Users\Admin\AppData\Local\Temp\msAI.exe
| MD5 | 29c9a3f2cf1a0ac7b094109bd9c0b3bc |
| SHA1 | 0af524300b2d1e92a42f8f087ebbd7e2ec3bcbac |
| SHA256 | ec3259beada6095ab894cde42dbcca99bd39efbed8059b23bd3b7c94d00c7174 |
| SHA512 | dfb514e7a29fa374fba9ec0a38b243131509c08cef01e21386702e4c77bb010e44127d7aa0c4392e18a2183b04f9de6f2ecff89ecc8b1f4736b455e14a650047 |
C:\Users\Admin\AppData\Local\Temp\ggQs.exe
| MD5 | fd4c9440e86ba058f00bbca23367ac66 |
| SHA1 | 9eb6167e8ba98eb0cf051d8393b0cc40a817a99b |
| SHA256 | 575360b059b55cf6b6693a9f5e2438f786a00f75f71fb5a7e82916103ff89c4e |
| SHA512 | b057885828b574f3fc39270dc7871e05ea251106e70368e534495c8f99588bbfc7977153d23dc795cd828339a4a0495eb553ff1765644ff671bc62143eec7422 |
C:\Users\Admin\AppData\Local\Temp\gwEEwoMk.bat
| MD5 | f70d187d15c26bd4453d256bc52b781e |
| SHA1 | c93f439d4aacbcb725907a094dcd79959d3faece |
| SHA256 | d23fd6277b775f31495d9c5daecbbc0eccad8cd6d40dc099c24b7aa14a21bc3b |
| SHA512 | d4ddddc4d37db94677a52338de1031281630167c35cb8e4ff7954de310665bc9d985b3b75b063e08baf10e3ca332648d219efa5eb4ff957793b22b1dadf9aa07 |
memory/2356-1752-0x0000000002250000-0x000000000228E000-memory.dmp
memory/2356-1751-0x0000000002250000-0x000000000228E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CQUO.exe
| MD5 | 4929faadcac18ad159d50679b3eb2775 |
| SHA1 | 3b778c52369ec72cd9ea241e562fe0f53ea1354f |
| SHA256 | ef0b96909b9fbae585debda53dd91bb5113988b45410c716e944d2b22a89763a |
| SHA512 | dafcd1e138a4e7f0aea297cbe8fa849e84eb58754a0ee40c34ecdff37f3e07925b92aa35640039c963e53111d140d06b68c28385bc4e82ddab0718238346aa07 |
C:\Users\Admin\AppData\Local\Temp\Kgce.exe
| MD5 | 3a270362f6fc9b49b8410286cfed4287 |
| SHA1 | 2c7a98f47be942734db23cfabe80216e0d940d9e |
| SHA256 | 89fbd4b1fda14472f5768accad6125979181be552599dde56b4b5704cea47a58 |
| SHA512 | 4038c1cedb24bf1ab7c51bfe5e0e9f2742d1900611b9eb11898e17853cf90e7f9e2f4a88a8b645799937e9d747af431b01290bc01c125ab1a5985e17e7c29a61 |
C:\Users\Admin\AppData\Local\Temp\yuUEQkso.bat
| MD5 | e8471f5fd6377b60eb6c07b754f1c925 |
| SHA1 | 2494cdda1d1e6b3c43e8add0a34cc2d127e0b5cb |
| SHA256 | 94d4f11b95b78dee408840dab12f3d2c60b912d5a741fd003bae4dbd462f8738 |
| SHA512 | 51e6d64b4830ec8a9125aec7b8f6ffc6c30197794a692e57c0d01e06160ca3fee530810d0d09dd7b054398340cc06365ec3fa3a7c8a8b4cfbeffaeb982fc5f9d |
C:\Users\Admin\AppData\Local\Temp\SMku.exe
| MD5 | 5dbc773cc826e2e715e52315fe02dfd6 |
| SHA1 | 2c298af1b14742ef48885608b76c189722c222ad |
| SHA256 | 72afe028c802dba49a2065c80d34e7555b6cb63ee341698f3517a365a638a333 |
| SHA512 | c57b42c9fb269660d36cf7395862c60c0aae982252085ab232db10128fb0a871dba5ac134774e3a5fafb0ffb403fa0e63c762675f675f7ddaf654c723407bc23 |
C:\Users\Admin\AppData\Local\Temp\CggK.exe
| MD5 | 92dc58979c135a1f59dec41ed8fa9a46 |
| SHA1 | 2352c63a3fbdbd1c3225e037bcb6713798ea956b |
| SHA256 | e562fc892fc70ec096f05541c1849a5b69db089a3b7529a3c3cfc75fb5cee8f9 |
| SHA512 | 7047f4f8d17d212b5c0447dbdb54641a7ace5bb790dd8c213b863c47bd36c053c63d2bcb949b382c60a0320e467c2a402d89d547290a0c164fa4169e9705faa0 |
C:\Users\Admin\AppData\Local\Temp\GscM.exe
| MD5 | d88c2b77989b37cd8f9443f4d7a1ffd5 |
| SHA1 | e112b4a3b895e58eb615e56231149a8ef9ca05ae |
| SHA256 | de949a6e97b966f437b2af43c3d8152cf8f1bf27924eaf19055eacc142eea793 |
| SHA512 | 2ee4d03c8e885b45ff76d0c8cabf28650a73b48520a46757f3bc90ea60e23d95e8660655eb0c5fc3ccfefef2f133f938d179c8a7e89c10eb08140baa5cf7ec04 |
C:\Users\Admin\AppData\Local\Temp\IkEscEgg.bat
| MD5 | 3793ae7ab8e0cc15dc159c2cb9dbdc94 |
| SHA1 | 7eeb56c11b2e3f3f4e2951341e3e129725b5aec0 |
| SHA256 | ecc383d9741e22b849b2e42ec601362312c8e67ce279a5fe7bcba84532ec1dfc |
| SHA512 | bf641a128d2f0db06dd8d261b1001f38fc473d2fa2b69df97676d52cf101fc77f8b18e9b6740f487d24a967e70d5717508a489e11592f6badf169e68aa53380f |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe
| MD5 | 6268e4809b9b9a01fdd307d33874f0e0 |
| SHA1 | a3a960e65b2392195beb8e604bd7081336ed6f5f |
| SHA256 | d1b3ee3766566f3986260be18e235e0cfeba5bdfc7d0c6d52d5b31bbea48d767 |
| SHA512 | ac7ec585a362f25ce58c4c5fb056c17be5ee359ac19b71130e99d9331b038dcc8298b483dfef14290321a6bbfcfc45cc0f4233ca8070cbacca14811134e06b70 |
C:\Users\Admin\AppData\Local\Temp\ocUY.exe
| MD5 | 98eef1aaa46ba339de0e19e428d8eda9 |
| SHA1 | ca8dbd3646b2443232b18aacc84bbe4e3b71c9b8 |
| SHA256 | d3f4ab312b292d4dc6e00a25c3aadd0d36353c0df23e071d2043a2d716c82bcb |
| SHA512 | c2d9edc38909bd78a129bad41fa794b9383a656f9ae3b6b0a2ee3ad51196a3157d8224b30efad07a95ba73313e4731ab80b56c62babe2c776751182acf82521d |
C:\Users\Admin\AppData\Local\Temp\oQUg.exe
| MD5 | ea44c1a07acf91984e33e612a83956bd |
| SHA1 | 977d59813d65eb56ffce760eab2d135c3b54eddc |
| SHA256 | cc0ce644b0d4f40693da576af9d8411f4a4d132621f32a3410cbbf7de2e4ed55 |
| SHA512 | a13d0ea0352814968c80c51ea00e8c983bb087d2ebf8847abc4daf0751c92b1ff501bb25fd90d7780837d88ec9115c07718398a56f7c6104e54c6d0b9798bdd4 |
C:\Users\Admin\AppData\Local\Temp\luAQggQY.bat
| MD5 | e8345006bdf4029cfdfac62c22c661cc |
| SHA1 | c541e194478c1ed2fd412538bce3696919de1a43 |
| SHA256 | 01c8fa7f741f63a5311f80dad9486879ad51e22518dce0ac05c3ed54f21e44cb |
| SHA512 | 203becc80c5c3c57ff2ae3596279364cf46d560c592d399aa1f9812ad53406d8093e274b0cde6a27db9a0b5731dcb71f3fb24ab7771f9f5a418af7c1ff4e0827 |
C:\Users\Admin\AppData\Local\Temp\AEQu.exe
| MD5 | 0a736999948e16021eeb0af53475fae4 |
| SHA1 | ba68bb8640d0f671274ce4807eae43e36d8d47c0 |
| SHA256 | c46884f804dc6eb3d111a3f9258454e7483934069da78842384efbd9a723ab64 |
| SHA512 | 04929c4f80624272513f43f9debaf21223a7cb5eab6b2c846870b8b110d41239e6639c5aa09e449483f5a961b13c58e0f5538289fb35bc4501b76b0fc0ad1866 |
C:\Users\Admin\AppData\Local\Temp\GIEG.exe
| MD5 | b77f192fb2205f02857dda71103c2f72 |
| SHA1 | 249712a1b7edbcc8c1f4430284bb598f8d16f265 |
| SHA256 | 6b20e8594c1d467680b26e3b3e99d23902aabd97e857585b2727eeb6f85035a0 |
| SHA512 | 92ad65eaf0d6d445748f232b1be1ace5e42c5f16c0ef7b2c1324c7eab922885b1ceaf93387bfdd99f19c9f92a35ba1beea13a2a986f66daddc67ccdb68f44a7b |
C:\Users\Admin\AppData\Local\Temp\uMwq.exe
| MD5 | 14bb62aff73b20ef9c93b45e717efbb3 |
| SHA1 | 15cfa284af1ae61dd0c3f0add07c2ec44632d81f |
| SHA256 | 911154594b6a1b7f798a3edf5246737f42bff22f73bd7e40b814384abf9c51d5 |
| SHA512 | 23ed51a362a21289d98b94c8121d9b81254e70e1d549e3ab31666c1e7bd0a37ae3c9ed5d270384740119d4febbe480ba6bfa37fb2ca9843df9f823e8eaf2b5be |
C:\Users\Admin\AppData\Local\Temp\CIIo.exe
| MD5 | 06ab5894cc7720c52a839c008658ec1f |
| SHA1 | 22095b95aafbd4dea4f17c38805fd6c22bfd78cb |
| SHA256 | 757b55ce3ccd940390c6e87af61b05f1722284f00fae837ffa0756ec5431e8c6 |
| SHA512 | 94904d33308a86bdb86f61cac6545e6167f81ed7e8e14bb29851522a56fbd178ac5fff8f59278735ba461b971cdeed73dcfa84cc5bd29e1d03e705cd1d980549 |
C:\Users\Admin\AppData\Local\Temp\VmgUgQsk.bat
| MD5 | aecab4d0dfba2c77fbba802a64acc550 |
| SHA1 | db5bbf084140dc4670d10d8ed69e7d239c802e2c |
| SHA256 | 0797aa1792ed43cdc8677cf3bcf7c1c6ad4cf7d0e998c21080da64418aaaa10e |
| SHA512 | ce306c56d7001e62835c846f46a17d843acb136cfe2f3a4f712b0bc9cef6049defaadc40a94e80943de4b89c6452d662c2afce52a7a426b35fc96b3d15d2c765 |
C:\Users\Admin\AppData\Local\Temp\cIwc.exe
| MD5 | 618765840bc2e82242954593e4e5695a |
| SHA1 | 5126e871490358d16d43ec9ff55564a00425fb19 |
| SHA256 | 587dd830e570679574d686e59e3243c3e5f2d023f9fd2da8674de9e4ddd7021f |
| SHA512 | bf07990acc0ef454941c360f99668173f47e4861ae922a73d577d499e9c8051f9c3ace192666273c737f21a69803d47451883b211dd57c83521293bda9620fb9 |
memory/2280-2052-0x0000000076D40000-0x0000000076E3A000-memory.dmp
memory/2280-2051-0x0000000076E40000-0x0000000076F5F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GEMg.exe
| MD5 | 9c3437bc3e4acaedb61ec19802f8ec9f |
| SHA1 | e75d0479e82e1622d9c2811d7494ed3c4d0b4f2e |
| SHA256 | dacc77fc0d8d555d2aebb72a92e66e712c608947606db31f4811a3eeafe09f51 |
| SHA512 | 4b59eb36e84fdfdfceac9eca2362fdc9e1febbe3c6e01d2ebca4ee348484a30d8834f954dfafe63110461c1a37ad431b2524df4e3536a9a6cfc5f557a5077700 |
C:\Users\Admin\AppData\Local\Temp\YcQK.exe
| MD5 | 6623c8771f4669289961468f78414996 |
| SHA1 | b15391d05fc4312e3923b35d25fb54feafb3c254 |
| SHA256 | 6e6eabc3ae243177e71dd1871cf3b4b2c7377a5649be39315dc548d52049b2cc |
| SHA512 | 8c7e626cd779d7a8e32658ac707d68d08e6f5df788a3c155b4ed01721ba8b8b4344fb5cc05d14929fbf5bcd448a5c71eec15e2efe1f8fc3d83d4bd3d72f1c76f |
C:\Users\Admin\AppData\Local\Temp\GQUw.exe
| MD5 | 31f52d8989d4b1b8e257be9efde6a743 |
| SHA1 | 7af42575ffdfae79371fdf9e6603721a65067b03 |
| SHA256 | 3e40d7ec31c11910dc0d5a2a1889211674c6b97b7d53ad7166581a0fb848a9a8 |
| SHA512 | b81b2b5dde004bda818aedff90dbbe7233577aff5d705bcf2c571aa24574c715282cfff023e8e9968f004697fc7c417adec37569a5ce6ab369407312831d5ce5 |
C:\Users\Admin\AppData\Local\Temp\zUYkYEEQ.bat
| MD5 | 1a1c0f517a6ce67beabcceccdd2ccc96 |
| SHA1 | 72cb0af6dc6c2a37454cf8c16ce92d2d5cf60c19 |
| SHA256 | 3d935c1812a448efbc4a9afce92e725bcc29a75f46c76518ea739e679187cdd0 |
| SHA512 | 0e29ae9224bb2168d5418ad0622a78719485a5e4b73ceb71815f50505951689b3879aefefdf1631fccbc3119d2d7a7e2b32287ba430679caa63b7f0ae490922a |
C:\Users\Admin\AppData\Local\Temp\IsoW.exe
| MD5 | b0bed29b746bc2ebde7fe9eef89d2aea |
| SHA1 | 0fdde87b64a39b6a626559dceabffb366e641ee9 |
| SHA256 | e468d28d06a02c37b2ae517d9865c15a4f972a8ee5a24a9084434568e756c8f1 |
| SHA512 | 49da2ee91615a4ed9d97bc7b3a7521c73085a398c8d595a3d7493e414f6bba5625307780008edb963be4ebb1fe2c46996abc88a002b79941cda7cfa22d65cc1e |
C:\Users\Admin\AppData\Local\Temp\EUEK.exe
| MD5 | 0334a19e88c4daf3264d903df852b669 |
| SHA1 | 24a03b659d5bd3db737eee76f34f37e162013179 |
| SHA256 | 6d55daa895222cb08b6006f56957e5bb01dc8c13d270c823c1fc2728925b2cef |
| SHA512 | 42d4e8fb4b4bc465dc3b5759ef9a3363af737321c0ad7211bce2eb2501bc4dca65cd0b9512a66caf23831c072deeea250ffe7090699ddfafee191038e65e8258 |
C:\Users\Admin\AppData\Local\Temp\LqEkYkAE.bat
| MD5 | c8e5444bbc07ebea5a518906e67824e9 |
| SHA1 | 85c8db6bfacb35c287dbdacb32c5a8fa30feaa44 |
| SHA256 | 19473d3a63fb2c4621f3aac26abb9a15553241cd1754fa4c39305a85b47db1ab |
| SHA512 | a345a060b14514fede825ea24a649cf2103909765a13de56c251bf186c8cd9fc2e0f6b9946698829e5e07162c0be9fa1365db3af4d89c055f3ead8d3c3554afa |
C:\Users\Admin\AppData\Local\Temp\mQQq.exe
| MD5 | 500529c0b691bb85540f5759bff3b77e |
| SHA1 | 0b6f3fef44c1a59fdd60e81b98d03a270cc2dccc |
| SHA256 | 584e2a51c7b09c8f42cca0948c7eee025a8f29ca343aacbc67f55c47dcebbffa |
| SHA512 | 22a3812500ed0017e7dbf17ed41b86ed1fee876e91616b64ac18b20e86463a3ef7674fc2ed98a921374e17dabbd5bae8792835726aa4c01289cd41eb5c86ed35 |
C:\Users\Admin\AppData\Local\Temp\WMUC.exe
| MD5 | 3feccf942250eb43f4a0c95a42f0fbbc |
| SHA1 | 60fed69bc66d8c877db9e522b39e4cf8d4a26ddc |
| SHA256 | c680b07f7bda9ca56a18cc09c76e6c1d01fb50d0b05c597bca71f29ed4e10966 |
| SHA512 | 53e160f6827f8b5268c906973e8a7bc055a1940b8a7d81c800218c94a05003d99e153f61c1d27e17435a03cff1ed0c164fc8243d30aace671b90ac6186955047 |
C:\Users\Admin\AppData\Local\Temp\UAcG.exe
| MD5 | a604ef1032b418ec86c5075b1489df1d |
| SHA1 | b000b6879849f539d94f3459f3afd2ae1527b863 |
| SHA256 | 8dd87b655bc7f01423ca0a6f07ed92bd2ecaf94f76885a3d4af00f9ef1557a04 |
| SHA512 | b7c336f1c7055eac509c2d314ae26e5add6fccf7477cd454be46a9ae87ad04c009f66e6de94c8818d0bb6053cc11f1e800d5a52dae85eb9213064e7ffa3e8ffc |
C:\Users\Admin\AppData\Local\Temp\uSsUUEks.bat
| MD5 | b701f4c02a991debe7955344e72b17bd |
| SHA1 | 5f56320ae7c233aad3395ddd8c00fc679137f4b8 |
| SHA256 | 4c56e642e699c829f22e2014271e36f70de044fb49618a219f55dbb4af488c4a |
| SHA512 | 7221d042e346fc4bbe883ff153e727ddf577fff46ef3ca7d2c2b1a255136830d1fdc6eb1ef15e57d850447ef391586ae47add4f640cc6b92499c6b5c993d29c7 |
C:\Users\Admin\AppData\Local\Temp\KcYk.exe
| MD5 | d8efcc715304fb011d862429c9d97b08 |
| SHA1 | 4aee97676a90d525b8635377c80a8a458d680549 |
| SHA256 | 26228524ea2623468980e50c7e8473b33ef930914bd2dc35efddfbe65f83c7ad |
| SHA512 | acc0300fb6160f8f66cfd2304dc1943e4f59e5cd1615939cc5bd29c93a599e4763768516daac3203b84e252cf58167a2c3b6dd9f8268090efaa7923f4f4668c2 |
C:\Users\Admin\AppData\Local\Temp\WocY.exe
| MD5 | b06fc88f19d66a7395c609d1d12f8f80 |
| SHA1 | 2dba41fc7bb49c26e05c9c482d39017b81840766 |
| SHA256 | 0b825c517c889cb0dde6e9cfba6ea5aab87524855bf4ec597b78690d943c4e52 |
| SHA512 | 7e41bd5e69455d55fe5a1062d733215d490d498ee02dc03b19f3242de8b62616cf426e2eb508ad23a08b4b532da81003951c3f73ab8cc7778083b65684c569b4 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe
| MD5 | 0448f4e28479056f155a20f4bae42dc2 |
| SHA1 | fb37281707b27f1c98f2cd72d602b52986858e0b |
| SHA256 | 82fdb4546e1ab4c7938f9dd15bbd852da100b8a59a8d85e5e44cf46f7fcf6629 |
| SHA512 | 08083da0a52b5b9eb841948a65bf008208833bd2b04adb720932aa6d5d9832d2adccbb1f377549344b658fec0b3dd64039194659a34ddb17295d9823b9229acf |
C:\Users\Admin\AppData\Local\Temp\ESwkscoI.bat
| MD5 | d80f845f27f46e032d924e9dccc7dfdf |
| SHA1 | fac46a97ddeebe725ef471389a73cc4d43c30b99 |
| SHA256 | 637520ccb7cf8d13d77efad888e35fd30be6635f51f24bf371c25dd82af8eda6 |
| SHA512 | b1e32452a4d34f75d044050c1e113445dc2a6139d6e6ed12551a3ecf1b87e01a2db783cdf58f872df419f8d9a3aa5b584a60a511a9d62a6a30dec24c84192e77 |
C:\Users\Admin\AppData\Local\Temp\awoU.exe
| MD5 | 8f40d4b30f4a8f446169886a77926e80 |
| SHA1 | 62f4c0f81f571a28395acc94ea39586145491437 |
| SHA256 | a2c595c0d824cde8b04bccc94f03e8c2b0b3ff768b1204af936312b350e20799 |
| SHA512 | 385dc264d116c8589a3288bfc42797d832b17d6d77f847acd0680c240f1eee97c3d78b8bcb830264274ccb0a5be5dbd44b0833410a5819eb54f184557bd35d4b |
C:\Users\Admin\AppData\Local\Temp\QAkY.exe
| MD5 | 8e95362a68e49c9cef6f7396d8c55b76 |
| SHA1 | a7b78c81d68cf51c5665128514fefb7d132bbd8c |
| SHA256 | 070728689bdc87c8abb5054073999f1f84f59581609840b79fdedfa468b7fb65 |
| SHA512 | 9c0a9764daa86d3c794255cbce7faf81d601ff30199efba58c10de7db2c554e8a1e0fa47039618bc924b43aed7bd0d6e761e1f366a0539c72ec79c887936487b |
C:\Users\Admin\AppData\Local\Temp\cEse.exe
| MD5 | 3d473592c1ba9b8a5140b9612018a73c |
| SHA1 | a475c0abc976c6b74ca80903efc0838cd20adbe9 |
| SHA256 | 071485a071f0f985afbef29ba12e0411e3adf882ee81bc01565e46304ca7356d |
| SHA512 | 29e3c53f997407792b13b0c7f575ed7604370d3424cbe34085b89f472c72bbdd19593d3bac68263e1442a93b7f37333351a83a85809c2d0ee2e4a70213d1dfa3 |
C:\Users\Admin\AppData\Local\Temp\uyMooooM.bat
| MD5 | 332665c2870ed5224951470500ee0a10 |
| SHA1 | 8adcced3772e3675a6296c42d59bf29d40ef334e |
| SHA256 | 9eeda4a204312eb25f15e2af259a6bdfa3d94b4e275f3abb1eb407394acdaafb |
| SHA512 | d68c1a1c38464ea79a5dff7dd9890226dbe0e8612046734933dafef5e80a05a3f12803ea630bf9f78df2bf7928510990dc476d3a3a4e032729b31cbb4a3675ed |
C:\Users\Admin\AppData\Local\Temp\WwIs.exe
| MD5 | fed0ac9c89753f5ed9410a1ee5a95d2b |
| SHA1 | 5b0c7479fa93ae72dbb712a43b874741ae437dc7 |
| SHA256 | a2df6e32931e543984b32e89cb4d985a9410da892a43b928681d2c3c48506e1e |
| SHA512 | 829e0b9b44b3e822cfe55c1de9de62faefc401d02ebbd606c98dd50c7d63609a26a9d25c72f6e950ba1bf61b9a9f101fbb02ec29e5d55d1f486dcd8bf308d105 |
C:\Users\Admin\AppData\Local\Temp\cAQm.exe
| MD5 | 7360d38502fb9ed8f53dd47553aee05e |
| SHA1 | 6575fdab42632b3e8c72fdff47fd79075fb81f58 |
| SHA256 | c8531794d38cd9acef9663dac48b768246d590d94388a548933858bd33d7c922 |
| SHA512 | 2b3a4d349d100a5f1b7ded56aa37ce2afb91342d3b591c3e73eb62e469bbb05fc00f7db16ea6cbe689ab4761dc1863a156fd4737c2260b0dfce1140e3e4c60ae |
C:\Users\Admin\AppData\Local\Temp\SEke.exe
| MD5 | ce60e051ce803c71331a5693c7648d67 |
| SHA1 | 1c29a2d23808faee231bff70dc091c3d9dc89089 |
| SHA256 | cb95690ec427468728374cd3287f1b287dfed094b3158d0b14f810e44aa89a48 |
| SHA512 | 695ac6f16f723f5c1f351356913f52f448ca07574632e7e8376163cfb9be4df39d98fc5fd76e7c7b2fa8cbf5c7b7caf24578920fe650ddcfe1c7f051724aa0ea |
C:\Users\Admin\AppData\Local\Temp\CUQO.exe
| MD5 | c32ac53a3d004589ce5efc3d5cd5c0b7 |
| SHA1 | 6057618c32cb964fc0e8fe21a3533bd444310820 |
| SHA256 | 0eca376b44a2846f335f8fc83d2916dddd51e85b7a42822c68abb1cd83a03cb6 |
| SHA512 | 154ebaf853bceef4d2aac77b6c3b4017f1ed93c53c26b985a0a1138d0ea6b56147a4c5aa4933eea7756a203a3a3980047f78920309075b58fbf25e7848b39a38 |
C:\Users\Admin\AppData\Local\Temp\aYAsgkcU.bat
| MD5 | 06e1cbcba4da99d0801ae20f9cc6aebd |
| SHA1 | 3922f7cf8c23d8dd87a3d0a9ed3bf41da32c0a48 |
| SHA256 | 1a72bebc643686c14d54795c408dab331f6e83a0e2159cb871aca160aa0ff472 |
| SHA512 | 58753563f33065694cbf8cf8fb86532bdcfe8fa0aea43dc248e847fbe8b4ae1aa332c4a54de34f6c6fd25ee8068eff7abef08f9cf9c9408727af43c24697e4ef |
C:\Users\Admin\AppData\Local\Temp\uQAo.exe
| MD5 | fdb231ae238e0b26a2cc0c15341f474e |
| SHA1 | 33331e6460fd763d410bac98be75e0443b97aaf8 |
| SHA256 | 1a53741d281e83e1dad1e4e70984c3ae4b014c1890461c5a8b534fdb04c5c678 |
| SHA512 | e8735ce6b06f41b64a64f8bdd652edd46d735b181fa83d6e57fb6868fce79d70f586b8adeba4cc0c571b29ae616434df91b31f7a0642b4d478c93f5db58679dd |
C:\Users\Admin\AppData\Local\Temp\yckQ.exe
| MD5 | f3cb5da41fcd44796e7648cd9692ae22 |
| SHA1 | 1138b7234b21e36c243f4d8149a5aecd120079b3 |
| SHA256 | d3b2d1c4c3be2b1024dbfc359825839c5ac1fc0fcfce14e5ee7dbead98fd3ffe |
| SHA512 | 2b8bb51e0433b091a16ac3b3b2b7cd49c61bd0eff04ac996335c5e61584223539efbf2adf65ca11ae559af982944159c0fab2257c1baf56e514f72a5e60602b1 |
C:\Users\Admin\AppData\Local\Temp\kkUc.exe
| MD5 | 9c053ad46b0e65e686aa64baf01a2110 |
| SHA1 | e808d7110e9bc29f489cd3a98dcd2479c80edc69 |
| SHA256 | 75a2f35bbd10fb6c19d511bb46109c7f151eaa6b636a415a3b02eb453232e069 |
| SHA512 | ae6d0e842eaf83f89d072b1d7f3ca9306fa9575d8907f83d99c6c951cd5915b29741f9927eb39cea363a334ed614b1be4acdb03c7fc9513f24dfaeec6e4da930 |
C:\Users\Admin\AppData\Local\Temp\XwYgwEwY.bat
| MD5 | 2e48b891488bc34f2f01b5983e13b2f2 |
| SHA1 | 327abe2720c3cd3c6f9160c4ef1f5f485fdfa50b |
| SHA256 | 69c275a5e2935b5d73c5ec9eb64236708a979da21bfaa2b253163334e4aa13be |
| SHA512 | 5f2a8649c916a50dde072abe8abc100b46eb472d083ae84754bf3d04b514a5b9d2270fbe2ded52c16dd64f867968612ae85cf8d014dd1c3835722f7836d2e208 |
C:\Users\Admin\AppData\Local\Temp\BOwAMIUA.bat
| MD5 | 8f8a1556c83826b63236f73147aad89e |
| SHA1 | 6db108f80a9a32cb546c5bd5bb3d59db4dee00e8 |
| SHA256 | c0dac684d6c3beb0a46aa5ee4680754535f22ccd347e56bc4497ef9994d268b0 |
| SHA512 | 16ce29390e4a8ad507348c2bca68b621bdbf7d61f178625cbdecd48199948b7936c72c683c8d2b01d07248f1d0b65400c5920a05bcdaf5cfee43e645b7047dcc |
C:\Users\Admin\AppData\Local\Temp\aMoY.ico
| MD5 | 6edd371bd7a23ec01c6a00d53f8723d1 |
| SHA1 | 7b649ce267a19686d2d07a6c3ee2ca852a549ee6 |
| SHA256 | 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7 |
| SHA512 | 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8 |
C:\Users\Admin\AppData\Local\Temp\iEMY.exe
| MD5 | 62c849ef96489a61d470b7eee433447a |
| SHA1 | 3735b77646803555fbd4c9d1977fba763259b824 |
| SHA256 | ed0dc33deee3b1e5a1cf225eed68495f1aba481da0edc23a78daa32fbdc6f7d4 |
| SHA512 | 273e79273cedd520a95c33fbc54f20636feb043628280bd433850d13439917ad515d36bf1ce099df659797606c6fd76a57d29106a44b589758e51bfa6b2caa4b |
C:\Users\Admin\AppData\Local\Temp\CMYG.exe
| MD5 | c97576c38e8ade3a5d401d4564ebb690 |
| SHA1 | 28cbdf9ebaf807141a33e1be268b5e70dd951217 |
| SHA256 | f44a82798a5eb3c524d0e0030db343932b75f5ec4adb98df487ba392e8a4bbfc |
| SHA512 | c87e7e4431de3563e4b79a241a5db325531e289f33ab77c286d5d6c712ad1e61a3453c526b9c196a1a8578fe83a363b37fe28541c31ef00276c72ea99e74b46d |
C:\Users\Admin\AppData\Local\Temp\SMoY.exe
| MD5 | c0683a28ba29b76118baecd403ee5ae4 |
| SHA1 | f7ba110264064c904f48e32c57be5af193fb5be0 |
| SHA256 | b616462a702708675f692ac254d08ad8c125f4d7d23e99dafb74e1e5414ed643 |
| SHA512 | ad5a9d4ea6211ad249e8d590a7d64de544c426920f31259975fd126023a307febce1d7ef2819b686028364890ed6daf32c7d00999f54e774ae7372aae28e3c15 |
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.exe
| MD5 | 29cbc961c4fe40c43998b6cb066bcfc9 |
| SHA1 | 935db7705a5bfe8deebb4a32aa0b1c461d25c8a3 |
| SHA256 | 35086c01980b79c88911f1d8911b20742d34c2e1cc649b4e039121d1057cba49 |
| SHA512 | ba462aa3d5839e45b56a2efb12d79eb8bef298bef4bd085390d1a07a3ee3af7b4dc6dd157c4c824544515e35e458a03f85c8eded4f87a112050a10a2aa7ac906 |
C:\Users\Admin\AppData\Local\Temp\HgAMUYUU.bat
| MD5 | dad96468d27c7b0521255072fced72a0 |
| SHA1 | 5bc96ba2ab5d457d25bcfd116f681f6d9b61410e |
| SHA256 | 9e2419d29244069e13fa584f8f96f069d23a3618c88349308fd864a08cbd65c1 |
| SHA512 | aaf5d516f02ca334822dfa75abd8a6ca62866c1cbad735f2a34f6af0797865163057ef325ec92746abdcb54c6ad44d57aad6fafbe628d8f2790a2f518c84ef5e |
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.exe
| MD5 | b52cdf793c3333882cce7e40b1703591 |
| SHA1 | df77adc5390622fba7ab13a909d8ccd1d17ea88f |
| SHA256 | 7fd77cfe8009d3570fb4651367b70062e86d817c92a93e6c1ba9be41618adc4a |
| SHA512 | 7421833863275caadae49db0aae5d2e90dfc0f371d267ef01a051275cef8eb53a20ac0fda3c71c7e0620489c4d18c9cffde67dabc7b96f284e62fd6f9c163ca1 |
C:\Users\Admin\AppData\Local\Temp\swMoMMYo.bat
| MD5 | 668d5ace2c502b94137080053b9d9cfb |
| SHA1 | ba44c6d0ef116b50442f7374fb477999ba685c8c |
| SHA256 | 8779adacfa3a03f3a3be10d44b619426f1d2722748d1dd8ccf56ed7632f0c5fb |
| SHA512 | 8ff3eb549be295cec9b725695d0dd53ecd41399d3c23110f280cb91d88612ef1e8966936a62eb8c9669b65ffe95d9ae72587b165bb608ad682e12aea1fa1c6a6 |
C:\Users\Admin\AppData\Local\Temp\gcQS.exe
| MD5 | 825e0a077c712c1946aa539d6cc86cb3 |
| SHA1 | e29db1d08bc5cd5bee7c5e751f8f87ef9498528c |
| SHA256 | d59601d2697775a9502f00283384dea9bcc20f405a7ebef0d1f038a15f879bfd |
| SHA512 | ffacfe8f80a2a14edbb620d196dbfab480efd3c78e14fce617da62279fd1e387215fc44558066021fcd8fe6a5b1729000f61bc1a2bcc6c2b620436f391b1293f |
C:\Users\Admin\AppData\Local\Temp\mwse.exe
| MD5 | 5c32f8013ab598397bacf696c8856674 |
| SHA1 | a96e5438aa38b75472325e21270a26dba02c024d |
| SHA256 | d02b512b34e74b0c1b4a7ac1b0fef00cf7f037a06e699399d309f9ddd88fe9ba |
| SHA512 | 28d73414a0af684d30c934bf739c34b1bf82c50ce76ac6d689cf289b4ac774114c86bc714ab52038beec4d64eb1a8ff646676a39980851bafa6498d1950770f3 |
C:\Users\Admin\AppData\Local\Temp\WcsQEcYQ.bat
| MD5 | 7f7d43a4ae85fe1026fc4fae57223c4e |
| SHA1 | 6656d1b61f014b61e7c772aaf81d28e932e957c6 |
| SHA256 | b1e4fd4d17ab41b5947edf33fe523c6865ee7395af28e565d19c0698c3cea801 |
| SHA512 | 8c800df1703219a33f419ae95bdc44655622b6f28d7fde23d3e154104c6906f09c3605187c24173176d3cfa12026a8fa5ace66fb973f2879be4aa7858761987d |
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.exe
| MD5 | 7d7c2b1cf2aed1cec15675017127e9e7 |
| SHA1 | 1c00d25eaf9f5b01e899ab8c3a9e3739aa027247 |
| SHA256 | 36bf001ee5c73d4c011446d622563d047cbb45ac8eea61f7f850847863a38f5b |
| SHA512 | 615b3f600acef9bddd58c11ca52e902cbdedcb705002c220b4045b0ea850b5c79d47373bbac92eac87dc9e573a7668b673ac05c83e075648f575de936266ba7e |
C:\Users\Admin\AppData\Local\Temp\aMow.exe
| MD5 | 0537c69cb2c2663993a29840537d01d5 |
| SHA1 | 73c9303160dcdc328f2c3c5866831d95bc116d5a |
| SHA256 | 88b0775a33c06fbcac7291a750523c7c3febafb795e45d8257ab399ed8e7cbe3 |
| SHA512 | b1948669b2fb5950973120a3788497b99968dc3282abbd42bb4582bcfc71f345a2a3b0ed74332941b9529e591deb85fdbb3b52aea8e10dcf86a282bfce96df30 |
C:\Users\Admin\AppData\Local\Temp\NsYEwAIs.bat
| MD5 | a648dababbc69ce6bf5f2d570793797c |
| SHA1 | 933331325ae7c056b741ed021e28981a27992f42 |
| SHA256 | 2d3ff149c0e6c1026d44276e4da1aed863c233fb2da98ad54083747e2c09e9ef |
| SHA512 | 2d382609fbf2e7c55bf9ee1f9b98d2bed60ce314ac593343ade10ab82b04ab515866960e61e04800382d4b1871ba8faeb66b2f5edf9f0dac9100beb9d2790f85 |
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe
| MD5 | 68f89cf1bea6419000747e761883d2cc |
| SHA1 | edb009d889837862a72b8d2c5cb7f9e6d806f5d6 |
| SHA256 | bd3ed44309def7d2c5c6198de0cac230d0f0f020ef97a264d3485180c5769325 |
| SHA512 | deb7d748c8b5e4b660cc69f71690554d49c358cf0938709870c3441ab1cf8ee2b9a93bc970358c6399b6ebddc07e9420200f91c272a5b22b6c40745fa5a89dd1 |
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.exe
| MD5 | 484ada3c364cd26e3a6e2579a2f845a7 |
| SHA1 | 9a4cb618582434dca040ea92c646b2ae25aefaa0 |
| SHA256 | d0d4ec08684d9b76ab864605fb177d0b6f39e2e8044d108ceb961fe6f02db7ff |
| SHA512 | 1f1837ea7854bdeaf0576077fce451b983cea7688fd8b2a3922c46382f00bdb662fda7f8ab0bf06d94a6c94982d37b3cacc17895d7ee5f730b4047423f498843 |
C:\Users\Admin\AppData\Local\Temp\YWIgQwsY.bat
| MD5 | 021dde8d42dc4c04e7cc7acd18cf9992 |
| SHA1 | 33ee12cb46552ce405af1dfcb543548f57087d76 |
| SHA256 | 89397eed4ecefd2d3ab181ad6ac6bd2ab90b173b40a51c51809ca9d0d771f774 |
| SHA512 | 2a74f7c45c9a39c9a933b5d859eb35f893176e6e329e48c28a9ef69abae863efabfb15203e5aa84f8e66373d03bba18c49f3caf2150bf6f441fd21df4805eed1 |
C:\Users\Admin\AppData\Local\Temp\MAgQYMUc.bat
| MD5 | af07dbe95670dbe0113ded730b236a04 |
| SHA1 | 770b8fc7e33e528d25bdf4fc743d2f079f4c8810 |
| SHA256 | 120c3428c66c1edc7133d1c41b09ea9efade11134a6ff3c4ab021d21074f6dd7 |
| SHA512 | 4e1fc6c2fb9130f352ca61b7dcc66e36323e7276847946519c1922bccfb7df331c6fcecac26f91773409a97cb751d59a9380ad8068765dbb8af6283af41022ee |
memory/2280-2831-0x0000000076E40000-0x0000000076F5F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LyUQkUgM.bat
| MD5 | caa3953e90dbee1fa1fa0702ac3f3770 |
| SHA1 | 2d7294128365f9be3281e83239e813b58606a8a5 |
| SHA256 | c8a46d5a28ddae48bc755e9b68c0908aba40b9a626e16a36896f94bad30fbfee |
| SHA512 | 8cc9306d8f94740fde1829df48b8a646625845ad0f795d361b76869f355bfe80d64996c45db9aad38bf3d50337f3de43fcf06c25c8a0a021e72b81f08396ca4d |
C:\Users\Admin\AppData\Local\Temp\BUcIsoIU.bat
| MD5 | 3dd880f6ef2a273f7fe4113cfc960b22 |
| SHA1 | c3173f1d2e3844437c2a58873dfecac7a22096df |
| SHA256 | 0515e4ca745355409e9790ba26f04f49bcb2a797386437146fb57a2bc64a2928 |
| SHA512 | d2dbaabd718a17bcfe22d93fc803221bb3f782d049ffbfa728d608fbddf3757873ec90c4736459b161ce9223866586b17f7c5b4876a45c4f6e9f406c0320ee86 |
C:\Users\Admin\AppData\Local\Temp\paQAokYw.bat
| MD5 | 9f785ff6c3bc41da9038ff3ae64c2cb0 |
| SHA1 | 0e66635833c8e5cac377528213a7e205e9b1586d |
| SHA256 | 57b14e703f329d9d5c25df241ee843f25f4d599df66b2598119a6360ae40ee56 |
| SHA512 | 5b13b2ec9cc4bebbf206a5e476f6e694c31d09971df4cada9c4dddaf7f68f676365134d61dffd7ef1d45b870f2a2956b0d62a049927a08d3f49927910d344e63 |
C:\Users\Admin\AppData\Local\Temp\lgscMAkQ.bat
| MD5 | c728d3ff50525c3fbe3b92181e66c79d |
| SHA1 | 23f6f46b3a5838ca48e47781620ecf875ef17a11 |
| SHA256 | 82b790e37e37154d4e565227d9916e2e755ac8ac36f8b4cefce01f87b33f4c6b |
| SHA512 | d51f8c03aa1cc3b7dd7a5598bb3b06f94c8d9e2ea1b1badf36f4da5e1afdbdb7599a1200abf9a2b3955709b221d4e314e26d5d2bc653b27a40d667cf089c2a07 |
C:\Users\Admin\AppData\Local\Temp\EQMwMcUw.bat
| MD5 | 222c7e022f988792aa8353d6cb68c432 |
| SHA1 | bcfb5a31238a4050c4e419dc3374b53610c1b14a |
| SHA256 | 409662229e7335e4542ed87f3a33aee9f47562bc8b7b738c9799e5ea9e193447 |
| SHA512 | 9b2006da99265b07b018128fc3bf1e199b08fc04be6b7fc7cd007a4dfe6c26939746ca91befc28c999780dc501b3fb02d5f2e48403d9915f8221f2e4de1883de |
C:\Users\Admin\AppData\Local\Temp\aeEAIAAk.bat
| MD5 | 203281e88cd0d02c2b666ceaf362fd32 |
| SHA1 | c9ca00d39a12db1b3c36a08b8490c94506bdd3af |
| SHA256 | 559a1f0c8096fd42e8a07adabd7ededfa7e7009d4b00fbbb5db5cf58bce0f4d9 |
| SHA512 | 596e87520372c7160f331382fa8806a6d71e04670d58ab1dfba2418a63d71e81b68c05029f4b4f4e4b97310bd9ba14942f206eab7818095a2d895261c6a37113 |
C:\Users\Admin\AppData\Local\Temp\WKgssgoo.bat
| MD5 | 1e88e62b6aff8619c8d9c7564ff105db |
| SHA1 | 30643cd3b2b1660e421c9a0cc17dfc31f0497a1b |
| SHA256 | eaf8f45a0437e11a1cb77f20450a11820753924194acbd151a21f8155b581814 |
| SHA512 | 35128b029248e8621661a2620cc01c48b58f8f0ef544518f45b38e9de980fe43662e7eb494a77a7862d172e40e6bf31b4c40d3f1ce1906d04722f662610208b7 |
C:\Users\Admin\AppData\Local\Temp\iCkYosgk.bat
| MD5 | 53d7fbf2b79308f023dc3bdeb89ec755 |
| SHA1 | d1832cdc86eacdc3782efc9f57f93d0907cf908d |
| SHA256 | ed23d9e3d08104139ae2570aaccbdc1902ff8e3a1d293f256fb48c87993f1cbe |
| SHA512 | c8f0ab7a6360eaa3b30d452605dd3c264e075791be37a676b7bc3f345abcd396aeef825f71edc2442df8480150f7e5959ae95778eb31945a6bff42fc0b933630 |
C:\Users\Admin\AppData\Local\Temp\DAggscMI.bat
| MD5 | 4b7132f830337726c14880a8e999bd85 |
| SHA1 | 4d6fbeedeecefb1a6ac64e54dd94486d1c590464 |
| SHA256 | 506fd74803a301c137b2ea221994ee3346949eb0195e968968dcb7f78a327588 |
| SHA512 | a5ddd51b0388500d481e726ca2f42b28fe996aa62c60d609bf7e93641381415f9132e79f434477ec7023a530416a0d3bf3e7dd78b6ed6e5016e79989eaa70045 |
C:\Users\Admin\AppData\Local\Temp\hQMcwgAI.bat
| MD5 | 0fd570981226fd4117036cce4657dae6 |
| SHA1 | a5fd530fdc0f0092fbc1595dfafa685de2cabd17 |
| SHA256 | d8fa8c28ecb9b69586c603e513fe6465612f3f81a56f41eb49aa9ecd59d90b24 |
| SHA512 | ac3a5a544cd0418d0567086e358992833344a450acde4347beeef68265097c26491399bafc8acdbdc41d6b77f2d2f817951af3cc3dbf61a4262e65b77227da5c |
C:\Users\Admin\AppData\Local\Temp\dgsUAwUI.bat
| MD5 | e527056cff27596118c8bcfe6dc2f2b0 |
| SHA1 | 3e6259b5b0767eda04a924e5a83f6dcddd6f9dfa |
| SHA256 | 99e488765171c4eea683b536711606b87954e0cee9efbf2ca6c206e8fde382b5 |
| SHA512 | a38ab99b03a61b228d8d212330e51a22e0d2bf90530deda05b26557c26f4f3940f3d52ff9403e5d23e5fe07f0b74d85c1519dbb02d94c0372975e567f4afbafe |
C:\Users\Admin\AppData\Local\Temp\pYUsQgwU.bat
| MD5 | 740b4296633c350fc6af00967667f663 |
| SHA1 | a668e15f11ed30fbdab9b5515268d12ff3704672 |
| SHA256 | 2676d4249f2f04b0a26bba79780867ce3546877402efd88d1cf44f954b62b1b0 |
| SHA512 | 1547643a65c1703fbd09a7b338e4e3e0fb3b5811fb9995ad7e05f8872fa773e1a4b0fdb4e75f599e7ea8292d02228b420a65265b751969f70104d13f695ae8cd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 22:21
Reported
2024-10-20 22:24
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
99s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Renames multiple (83) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
| N/A | N/A | C:\ProgramData\CCgYYgAk\baoIMQAs.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" | C:\ProgramData\CCgYYgAk\baoIMQAs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\YGoswEoY\eQAkQcoo.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\qIgcssEE\Veokogws.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\CCgYYgAk\baoIMQAs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ngEYQMQY\XggosUsQ.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"
C:\Users\Admin\ngEYQMQY\XggosUsQ.exe
"C:\Users\Admin\ngEYQMQY\XggosUsQ.exe"
C:\ProgramData\CCgYYgAk\baoIMQAs.exe
"C:\ProgramData\CCgYYgAk\baoIMQAs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiMAokck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMEAQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwwkcQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaAkAMcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raMQUAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAocAckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOskYoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUEcYIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgkgEwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roQEYgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RosQYEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcowoowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAIEAQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owkMsoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWUYkAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqEQwMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEscQUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMMsYYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsQgMoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMwkAMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oeIQcAso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEMoEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAcgIcgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maUcIcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGIIEYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmYUAYgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xqwcggwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyYMAwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWYgsMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\YGoswEoY\eQAkQcoo.exe
"C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"
C:\ProgramData\qIgcssEE\Veokogws.exe
"C:\ProgramData\qIgcssEE\Veokogws.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3292 -ip 3292
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IewwoMco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5100 -ip 5100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 228
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYsIwggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCwsckYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiYEsQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEcMIEUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tegwQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKkAwooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsIcUQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcEoMgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgYwQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqUUkcok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEUgkoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqYcgcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asUAYgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esUQAMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyEQYEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukIUoYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOMIQgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaYYUkYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOsockEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwEgEUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMEoUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOoMIokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioMYcswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okQIUIYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkEEQYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQsMowMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hycAUEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaoYYEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUEkggYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQowMwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsIcwYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEogcUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmIoooII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuEgEsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teAEgAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UawIsgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkQAwgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiwkIwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmYUckYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCEQMYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiQIQwgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOwwkEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEMcgMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukYUwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIAMsIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKQIwkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiwQQgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huIQkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCAYUAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiMsMwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWYoEMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQwEAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMEUIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMsIwooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgcowAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCwMAwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIgkksMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMAswEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yuooAIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmQokgAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgUAogcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYogAgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMcUgkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwAgoEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGgksccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCQcYIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AysYocsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWgoIkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsokIkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgsgMIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv xSWlaYUSmUmu8x67XfEttQ.0.2
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| BO | 200.87.164.69:9999 | tcp | |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 172.217.169.14:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | tcp | |
| GB | 172.217.169.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| BO | 200.119.204.12:9999 | tcp | |
| BO | 200.119.204.12:9999 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| BO | 190.186.45.170:9999 | tcp | |
| BO | 190.186.45.170:9999 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/3512-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\ngEYQMQY\XggosUsQ.exe
| MD5 | 7e8ad3abf50f951435f53d67193fd84b |
| SHA1 | f101531970a1f94fafe54912b77a6b9227740d8b |
| SHA256 | cbb0b0e61c6209266e011a485f0a09b99549f0ee66191adf553fec55abc1848d |
| SHA512 | 1263e017b2773041b5fe31f02d08401f6e1c3398cd257f588d0277b335712111ae4490e8b872fbb6a5a70a4689add5ce4b68cbaa6c1942dce05d7e8cdb6e8666 |
memory/3816-5-0x0000000000400000-0x000000000041D000-memory.dmp
C:\ProgramData\CCgYYgAk\baoIMQAs.exe
| MD5 | 904a723e58d740f86e9e2dd2b37cf531 |
| SHA1 | 2255d1fbee26e53d55da261ecab559dba77b65d5 |
| SHA256 | e8925066a2d5036636ddb0bfd52a82683fa5ca0c56b8978a2990ea29c528a72f |
| SHA512 | e82d00081b4248d3596f76531cf72b881813aa8493a0fa20c9dcaf46a82cdc477874acb7dc9ec93005870ee7098eacd735caa0182c93d9849e7d30a46333d4d2 |
memory/3284-14-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3512-19-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kiMAokck.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock
| MD5 | 9adaf3a844ce0ce36bfed07fa2d7ef66 |
| SHA1 | 3a804355d5062a6d2ed9653d66e9e4aebaf90bc0 |
| SHA256 | d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698 |
| SHA512 | e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5 |
C:\Users\Admin\AppData\Local\Temp\file.vbs
| MD5 | 4afb5c4527091738faf9cd4addf9d34e |
| SHA1 | 170ba9d866894c1b109b62649b1893eb90350459 |
| SHA256 | 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc |
| SHA512 | 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5 |
memory/3184-30-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1508-41-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1060-42-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1060-53-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4116-64-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3680-75-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1088-76-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1088-87-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2292-88-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2292-99-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4752-110-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4584-121-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3748-132-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4612-143-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1464-154-0x0000000000400000-0x000000000043E000-memory.dmp
memory/744-165-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4620-176-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4888-177-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4888-188-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3616-199-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2476-209-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3016-221-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4052-224-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4052-233-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3400-234-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3400-246-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2756-245-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2756-254-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2704-262-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4040-263-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4040-271-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1008-272-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1008-280-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3212-288-0x0000000000400000-0x000000000043E000-memory.dmp
memory/460-296-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3680-304-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4052-312-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4724-314-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5100-315-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3292-316-0x0000000000400000-0x000000000041D000-memory.dmp
memory/4724-317-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3924-325-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3292-327-0x0000000000400000-0x000000000041D000-memory.dmp
memory/5100-328-0x0000000000400000-0x000000000041D000-memory.dmp
memory/688-335-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2096-343-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3320-351-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1464-352-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1464-360-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1600-366-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3908-369-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1600-377-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3308-385-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4292-393-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5028-394-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4012-410-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5028-402-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3960-418-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1756-426-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4900-427-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4900-435-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-443-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4568-451-0x0000000000400000-0x000000000043E000-memory.dmp
memory/744-460-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1476-459-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1476-468-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1096-476-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3888-484-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4808-492-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5016-500-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SAok.exe
| MD5 | 51019e0772ce85a639f1e92f610c109f |
| SHA1 | 21319744097a577a850e6153abacdc4fb17533a5 |
| SHA256 | 2277192f29413e5b100de4df1fa2afa3a0429865c30ccb365c705dbc1d8348fe |
| SHA512 | 5bd6fcddbb527420e32928ae74dd45310cdcf42f30d744749ea6f543acbe395df8bde37f6e405208888a138d5fdb64d82f21ee09ad807a9316f754d1cb51528a |
memory/1564-523-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4008-531-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GUYo.exe
| MD5 | ffc0339d4ae8348c82eef9a6e7dfdd3b |
| SHA1 | c7ae8d26894887e3caa8b1e311df6facdc244122 |
| SHA256 | fdbfce15694803d7458cf9a7f1135caf3f295da1d60f066d8647522d0235a4c6 |
| SHA512 | 6888d01c14ec8ea57cd0e4c1b6f9b166a0441aef439ffa8bab12cd3b32bbea3eb79314f5fc4bd6a9d5315fa23792f048c3e1794ff16757f9869d72f68e725156 |
C:\Users\Admin\AppData\Local\Temp\KIUe.exe
| MD5 | 3d65562cd6ac96928a5752dedf417bdb |
| SHA1 | 06f572abc66f193d880d9c8e4d8ede2df9d9bddf |
| SHA256 | f8541d4ce27f91a228b8e8af7b2cad4438bb59c8075c21b218819cdf33b94322 |
| SHA512 | 17ec3f5d8cb71299de678f22929c0f552d8ace66baf8fa0303cd03cc6320a507c0038f8aea74dc15e6c612dc3c6b87283fc8019bcf5a6922e8320a3a7c85a513 |
C:\Users\Admin\AppData\Local\Temp\mUMC.ico
| MD5 | ee421bd295eb1a0d8c54f8586ccb18fa |
| SHA1 | bc06850f3112289fce374241f7e9aff0a70ecb2f |
| SHA256 | 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563 |
| SHA512 | dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897 |
C:\Users\Admin\AppData\Local\Temp\sMcO.exe
| MD5 | 4e6276009a82ef537147022c5dfd17d5 |
| SHA1 | 1afc98eed8f3f9ebba9994191cf98c41109eff21 |
| SHA256 | 1e0058ac3d48e3d6e3aa8bd19f9edaa10d05fae0ce84d98f9ef572e36a9cb465 |
| SHA512 | fc0ba634ec76eecc2e42f01bcbf6a635281e1a74476f1c113501442faa4d4f79aab1c97648f58d35a201c16469a854cb94c85da39434c75ae953125c44d9daf1 |
C:\Users\Admin\AppData\Local\Temp\QoMU.exe
| MD5 | 6aa4be97b418bb9bbc3786f282e2aa3f |
| SHA1 | 68e170798f1da1820c07c43aad489ab98465907c |
| SHA256 | ab89d82162f1fbdd8ec46732f01907046c750d6f3e7c18362e5dbb773fb62bc6 |
| SHA512 | f1d7651ba89cd4614371bf681c7e098ae07e5ce9fcd33c2f0324e51bc11b6bf13e25b7b43b9e8945bdd26979bdb6edaeea63d8a2f4ddd0e2688f72eb6189f5ca |
memory/3176-595-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UIgG.exe
| MD5 | 9d7d4bfa31d6b51ecf05815c91ffc516 |
| SHA1 | 149857767bdd0cc1f0862a1bbe8541af56d4a1ef |
| SHA256 | 399c7389f3660538776987748588ee7fd93566971480ea6577a9003c5b1b55e1 |
| SHA512 | 92a9cfaf7b1f81095b74cfff5f39bce6ea016813cfd9bbea71d71caad100dcd95c60c687279265b24430f5adffa6cd975f6825dd241f03862d64f3284d075d37 |
C:\Users\Admin\AppData\Local\Temp\mMca.exe
| MD5 | fc911ddb0b837bb3a15ec9bd2ca74ee6 |
| SHA1 | 5bc897ba8e2fcd6f7d2efd640c404d8683e41b89 |
| SHA256 | 2e6c3496af0fa0b28964667a383b2b262b293432d2f3c8758f13a73a1a5a009f |
| SHA512 | a38d294d727f36a816262d95fe15fd3f72a84d2ad8690a8b9c33981e27bd6b12bd16fa8d31f6ba4f3585710ebe0a2c099d8c3d06cff27cda0eafc556d8919c24 |
C:\Users\Admin\AppData\Local\Temp\acsC.exe
| MD5 | 6a546b3e56071ff90853567fb18ee174 |
| SHA1 | 10964cea0cdf9b65cdf2ee2fd1429b40e6d6a343 |
| SHA256 | b46d5f32401a05ea71ba4c18813fadd57ae88772b59f46b478d8fae3454c83af |
| SHA512 | ccafedd36929606744d398ddf55f3f925a11dac367f9e924a2fc03ea9be91c084672a51486fa2de73354d8182752021fab833b89da749216438de872022e241f |
C:\Users\Admin\AppData\Local\Temp\yYEQ.exe
| MD5 | 9f57f969bd8fd4dd86b6af56827be487 |
| SHA1 | b11c32fc2713e345b71b759525e1749f993aa1b4 |
| SHA256 | 4c72b94cf980839b24e6e79620a2cd9d1b31d75f42376a4e073cfb87a6fc21d8 |
| SHA512 | a63345766071dbde40fcfef936e083bb40514718ad460ca8f1c117ed03e3558a61b2e0aaa25a689c3c24bc5d7a1f8a75bd2e343a7c4ca78c2b21497aa9e402e2 |
memory/3004-650-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kIsM.exe
| MD5 | 9d3d702ab96ceca1630d1ed40fb11720 |
| SHA1 | ff7367fe71570a20a69cec0b75436da1e4860d86 |
| SHA256 | 75ceca7035a4f9148ea7f80c64d9a50d5fb8398959d6bc344c22e90344ecff1c |
| SHA512 | cb61e07d60e53e9cd6e7b205b0b677e86d4924bc8dfa6fc8ae6e0aa213f9d4ad5b304a695fbf10b9502d4ddf3d64af92bffb8756bf03128dfcd8f55dc409d611 |
C:\Users\Admin\AppData\Local\Temp\Iwoc.exe
| MD5 | 4b23fa8dd8ab1b76ef9cc8943ced914c |
| SHA1 | 36db9ba821fdc6cf45f3044ecf976a881ed37512 |
| SHA256 | 0ba6a477439f8020117abfce4dc04aa2fadb8cff0a0208a03c4d8c82938a570e |
| SHA512 | a8af7fcc1a8cc91b8db83178ac865834a6e5597a5e70c7c4d9292755fd90f745f1f57344f16f66593b8ad8b2123c1110f61ddefafa44aa0519f4cd926f6f4a60 |
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe
| MD5 | aafdea8e6270f832c97030bb6ca4865a |
| SHA1 | e4c0a41f6539c222c012eb2c63c4bbcad1d630d9 |
| SHA256 | 63553fb381f067dafb886ea32d07498cf09ade2efb0f4e9f4870796e5f7cf35d |
| SHA512 | 45a0671258e4f6fc78d5c660282e495e6c0d30235dc7f6e6432d0171cabc998bbb149205ed19cb0c8c986647009b2aa37fe71ade6dd9d8f6a6dc2e1bad3906a8 |
C:\Users\Admin\AppData\Local\Temp\qoUo.exe
| MD5 | 50147a99f140768ad258d1f8ab231b72 |
| SHA1 | 85820fdc1b9b6c117d44770c9cb842251a88c6eb |
| SHA256 | aca4586199bdbd270dcf353a4fb42b4f1b74dcfb11e2e35e0ca4eb2e403ecbcc |
| SHA512 | b2fcd2d8703eea592f9a22f56fab1333f1f92e15f980ee9f29f78217ba9e137315a4f354d389a0f2dbeeb3782f09c7893de4e26c73cc84e670c4d4ad90e444e2 |
memory/4880-737-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwka.exe
| MD5 | dd77e0bc5104e6bbf434c4cd6674f543 |
| SHA1 | e8314d7cf63c78c8a910c3b0275c522dc3e593d7 |
| SHA256 | d91a6769dc9982237b03052fcc47b1c84d680a5775cf786a7f328a335e2fe33f |
| SHA512 | aff128be78d6b72cc34183f99e3580fb0a4fcd03047b8489f8cb196791a2bc4eb2483b2a2624459ab6a1e8734cdc54293a4f4b39a377cc0a850ed6bcadb70b65 |
C:\Users\Admin\AppData\Local\Temp\IMcK.exe
| MD5 | 7d99b91a9bce3c061ba82bfe24f4ccaf |
| SHA1 | a376913470dcd2ab7214fe4f791587bf163193e9 |
| SHA256 | c3b482bf6116c13353a5a8e78009927eb90293230eeaaaffc435a058e9dc027d |
| SHA512 | bb09b98f8552290455a122102c55b12e2d38c0f417a731540f4e073119e858b972e1fbf0d6a024935a86ee2c68783b3dd319ef09e6fcf4960a531b278bafbfdd |
C:\Users\Admin\AppData\Local\Temp\MkEG.exe
| MD5 | 2b80a08669c98aca3ca38ed620cdb385 |
| SHA1 | 461d7c0362cd85d5884175159bb9add9f2e90973 |
| SHA256 | e49dc01e1b9209f6765e5159cc4d2fd89abd85ac9254f2c88a627816c26b5cee |
| SHA512 | f51da101c7dbb96c82034424a71ff37d9d08f93cdb0d9f26fc0f930bac46cbd6e90bdbee84852ff31e836fe9095a5a63755f7017887782d9f86700cc759f657d |
C:\Users\Admin\AppData\Local\Temp\aEsA.ico
| MD5 | ac4b56cc5c5e71c3bb226181418fd891 |
| SHA1 | e62149df7a7d31a7777cae68822e4d0eaba2199d |
| SHA256 | 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3 |
| SHA512 | a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998 |
C:\Users\Admin\AppData\Local\Temp\ukIy.exe
| MD5 | 856afa43ca95b13d0887abe39d199314 |
| SHA1 | a8c3406cd2b40349e4ff7643c7c083892a673abc |
| SHA256 | 65395994487e4ad28d231ffc26fe36e33f67d35617cc5c7c107e2c8fcc7617db |
| SHA512 | 8eddcd6a8f77480b3eec42c4580b2208fa6d3295d73d289f731c3673ee7195cfd12b7d03d8ea485ad2f5ebdd71c667118b1589a5dba00465f34b18dd2c2beddb |
C:\Users\Admin\AppData\Local\Temp\GMMY.exe
| MD5 | 187c03f700d1ecd3ed6d4de027c00df2 |
| SHA1 | 4e02d67d13366fd99909a66348850c89e4e34696 |
| SHA256 | b207453a194a4f8d091f4e7e315bf72dea1fb68d84e5dfc9b5b034c1284a30a7 |
| SHA512 | 0a7efc13e16526812df6b8a3b7b3e17c75ccb6204827fc8eb1888fc26244cbc7dff87de15b6a6b60b08447e4f44014a43cbea171358f25b632671f9c251c601a |
memory/4568-802-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsEW.exe
| MD5 | f796c6701e81d316e36ed7c469c27146 |
| SHA1 | 4c43431961620e303ce5cbbb2f893e0ddc2f86f1 |
| SHA256 | fa2ce89790fc4f4bc100cc803d79bdd2b130e86385a84f547e11b72ac4068ed8 |
| SHA512 | 822306519a7df91e48a3ab34ea6d490a062e7148763a0f9f6589dcf01a9b8ea7d2e8f06220edd287427b99fb98ab73c9f0e6e5a8f88ce91b3429cf1eb0ad2eb5 |
C:\Users\Admin\AppData\Local\Temp\oUkm.exe
| MD5 | a3a1a7c72a4e4daf382971ab01b053e4 |
| SHA1 | 5ca353c194a48af9a62256225b5ce93f2aa01d03 |
| SHA256 | 097dd7b58453d83c00ebc36587365b5d457c0b95cf6dc25f8d635709a09e4eb2 |
| SHA512 | a0c64450ded2127b3165e5810542dbb3bfc4a2a5be8d425588061eb11ad67cbface087ab2ab4c53c3536039c3900e84a2db7c2a3aac9c8c5bead83cdfd0e8643 |
C:\Users\Admin\AppData\Local\Temp\MMcW.exe
| MD5 | 636c8a600dc289a965737dab3a346645 |
| SHA1 | a130417a6801432e303c3345f29c051eed248dc0 |
| SHA256 | 558297ffffff62c83a95b330232eb1ad4753f49b16116ed7ed6e1d0b21083ce9 |
| SHA512 | 9db867470c2499e355c1b63f1719bcfb1ec806deedf7acfbd9b87e08f04c355cb6fb8513aed464acad94f1560c87eaa1228deac13b1a0541380c3eca77ce9f1e |
C:\Users\Admin\AppData\Local\Temp\kAcq.exe
| MD5 | 808391d37a616eb895610d055255500a |
| SHA1 | 3a483e961a408b31ab0021460de306c61493c384 |
| SHA256 | 03c9ae11afe2c6a9f64f1829a601c8e74ccccf566e1d9ff6269eee79c41c40f9 |
| SHA512 | bea0384c5d4c95703de700bf074bb4511ba93f20cd6ab67a12872f5f9e6dac0beb299dca254fb4b3433d67a37af8ebb6558e86547b044dad1eaad9e6519b1825 |
C:\Users\Admin\AppData\Local\Temp\MMEy.exe
| MD5 | 82254a2b6df22ab85e587230ba96503a |
| SHA1 | aa83fa64ccb349f7ff7b69c21cb8625ebd36e985 |
| SHA256 | 721922144c05ce5d9021dcd32db316f4481b2ae8a228583a7252b343c1ca04f3 |
| SHA512 | a639106db86418740cdc063b1a0c114dfe1e7e5297b5796fa6b136ea7cad6f859ed16fc1aa360e0c3da955387af3e64ad2887d9972f0438429adbcca813208d1 |
memory/3132-879-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aAMY.exe
| MD5 | 96b9c10e5e4544aa9075fab977deac91 |
| SHA1 | 5157d58cb231e1e9db8a891d28490012f3f21148 |
| SHA256 | 9dcf94005910bca0565f478e2de3de3f694f50bf3a73845433e4b6a3ec7bd41d |
| SHA512 | 45a535632f6ea0b4afb2a4a46b2019baf5e9be20c1d45b0cd684daa3a5931951bbff201704dc143d00f833000c6ef2b4a58b9e49ac5d9829b63ce63989f910dd |
C:\Users\Admin\AppData\Local\Temp\sgUS.exe
| MD5 | 5099db625a2fd919e6ed83007b61e60c |
| SHA1 | a9a8fe351a10a432f1ede8c5835af27b3d42f896 |
| SHA256 | ebb92fadd944b3dc6865bdd16a36f32d66b7182ae559b89b46e4e17da24b8059 |
| SHA512 | 1a35ab0f7902776bfdd49f47e7756677326c45f2a8b60c09b103195586d8a4145f7fc4bf0041079d89897d131e0ca57bccd3f0d9d07bf9677619600d64f41305 |
C:\Users\Admin\AppData\Local\Temp\gUka.exe
| MD5 | 604c0656b446de75a317cc47065f33b4 |
| SHA1 | e908c1e6aa0d29cf28d9e47fdf2179c685fb0dc9 |
| SHA256 | a7c8ddb4fa76d63b643cf706b2f4615fadb9a7a1bebe0ca5b7a85042bf672ca2 |
| SHA512 | 24f17518746c2fb09e557948a538e26ef5e76608abb227c1a5d801dc19dfd7fdf837747fa7d1d1e85feb22dc35d3d44012dcfc539734793f7bc423e6ec5fcdab |
memory/2064-934-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gAkq.exe
| MD5 | 9a6390b5dcafc45b08166fe008ac5b24 |
| SHA1 | 75b1287b2f06bd605f4c7b71eca47476e1aee059 |
| SHA256 | fc4a11aab312aa39fcafd023d650475767d03bf29c37b951fed811946149f19a |
| SHA512 | 395644f1e7b55d11add7e6d9060966bc492a8ab4ad7c65d119bdc9bf55a0d237437586ed5476f908248ce9463bcb87f241d1a239a03c33f177427549af9bfaa4 |
C:\Users\Admin\AppData\Local\Temp\uYwO.exe
| MD5 | b1e95099edbf3dc88e7b740669326d94 |
| SHA1 | bb5686f91d322e9ebbfb20b18814a8398a9c823f |
| SHA256 | 0debfc629137eb4c3491b45572fcb8857af8580a8037de6adf0cf33718aa1cf5 |
| SHA512 | a36020f77db324173a373cef989e717085b65099e455a2d0df2afe33c5d6052283784de1828cd01769a5fd08e5fc9911cbac77bb06d468266cbc7739163ce792 |
C:\Users\Admin\AppData\Local\Temp\WMwC.exe
| MD5 | 9ecbce7c726f7160baaaecbd18ec89a5 |
| SHA1 | 4da4ac6a9300180029c6950142ab8fb414ed2f48 |
| SHA256 | ba559bab1dcedb86f01d0dfa4bd8d55c45a575e77fd7c0f0beed0c8bfdf0e401 |
| SHA512 | 0a332e277798c2c3dd0491f69c40d824178155fbe3c54d7818aab97ea228cecad71a7709404106fb75e1256e7a2bce4cc9dc24a6af56f19df04e7ec3a8cb7523 |
C:\Users\Admin\AppData\Local\Temp\sEAM.exe
| MD5 | e4ea1b122d4bb62894f5b9befb6cbbf4 |
| SHA1 | 1578739418c7dd1adcca6f0c8fced19906d7f69c |
| SHA256 | 893e0aead1464019fb29aff6be82f8eee0449d5f2c7acfbbef251192c3934704 |
| SHA512 | 19ff408207a62a6f807f8e319eec5fb7fde0eaf42d00459b30bae31161f39a7c1cbdb13025946ebe40447983f1f2ee576e3c999bba945939198ad6503f1a0b9e |
C:\Users\Admin\AppData\Local\Temp\KEky.exe
| MD5 | 2487f007e96bf52430d933b513cc0997 |
| SHA1 | bedfc09d1b295037403a1579744b1d2765894bc3 |
| SHA256 | 681a844003006c0f0b9b6e71f828cab9007bf671d0d3842c1962c5cb95f33316 |
| SHA512 | 1a6687379c9c2102e095394419f8e0bf58eccd01568466d3956660e2bb1d7fc095500ee043235074523d91e9cab95e49ebcbf55ff067ceadac0c45e9d6590a06 |
memory/3688-1007-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yIMk.exe
| MD5 | 3f81b29472ab33b0b1448270381891f2 |
| SHA1 | 740d48fbf392a5d57928941fd9092a74135a5536 |
| SHA256 | ceefb1a156631ce3913c361af7e5f3836dba200604fbfc3849758b23489a562c |
| SHA512 | f4457a02d6a5891fec5210543d1121d3799c9f4a5e068aff1c819aeab85a43759a7af58a4054bb533c3d527873bc302391728ebaa46faaf4fb5b29d5b1171e9a |
C:\Users\Admin\AppData\Local\Temp\GEcU.exe
| MD5 | 7a08ac42c1d3fc2afaa6f44d9f502c18 |
| SHA1 | 2a1c96f88d92c92c3a229be4f8ab903685cffe7a |
| SHA256 | 6207178118c35db141fb1a98bcdf49b064d69c7365ad817183fd5a8f54684c4c |
| SHA512 | 56e0c7d0dd21220cd85837337e4788ad3879a6178b91bcebcbc9db8c1820d20729b3f276e874d8a363054acaa0e8cd68b43f3cafc6149a140eb9d89b6925f1e0 |
C:\Users\Admin\AppData\Local\Temp\Woka.exe
| MD5 | 11240a66a9d6696379c1aa62bb7876c4 |
| SHA1 | 17c2d3ceb54ffb8eeb8afbd7b81c07153afa07ee |
| SHA256 | 45cac3b4a2ded4f0ac11a3bcdde2cb280b6f9110188938f3d54c66f1e09fc3fb |
| SHA512 | 751ff154ddd540563a6691f967d42990bbc229861fb5d0981f909dcc92d39bbded91cc71be581a2b8e5802d51c4786414aa1598b724888e95088d339e41cc20f |
memory/4228-1071-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cEge.exe
| MD5 | f0d245eccba90750b6ef1fc7cb039086 |
| SHA1 | 13ef322d5ec35f740d64319d7c853fcf330c4bd4 |
| SHA256 | d3a340e5deb780ea19b50957c595fb5945efe95cd7cb65d254f4813f8df83ab5 |
| SHA512 | 691be96b198856f876d16386a6a13cee160ff6ce23d3b5ce2be8897fc4ecf89a950b4fa1a6921ce6ae78fac6976dcf1efc9b72360fd42ec28e987513efb8abdd |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe
| MD5 | 624ef8e008a69762858ff0ae043b4317 |
| SHA1 | a89ecab2ffa540b65ad469237896e473aa6a2ea7 |
| SHA256 | bf6dd1b4bc98e9759735574ee780c4815e7b41ebd0c5e6b4ab816c341ba4cb7f |
| SHA512 | 7f5c83a2e60ba05d8e7c49e7acadae39dbb0510d54cd5c8e1a7fb91edd1e863bf602176de74679b105f90399c52ec65d28d8241509d9270c5edb22651f52dce2 |
C:\Users\Admin\AppData\Local\Temp\mkYS.exe
| MD5 | 03abec487de80d0c0fd2f5016ec99e2b |
| SHA1 | 7ac827dec77dbd4d50aa0ffbf86658f1da79dea7 |
| SHA256 | 22dfcc74e8db874d777829d8c2b4755a49f93db29c1a8546a3068ab0fe3910d8 |
| SHA512 | 2d47a65ac4ab768906c1060b5e88520d284f11305beb70cbbca095bf0629e22df2270dab422fe855aec0224b7e4b33fcf3c026e628d1a0f6a925dd80abe61549 |
C:\Users\Admin\AppData\Local\Temp\igMA.exe
| MD5 | 7e3f81146246fb428dc748222091b70b |
| SHA1 | 72d60ff3196ed96368d74da3f50c67678f079430 |
| SHA256 | 2119e57985ba7ddcf7017a652a808e4f69abf09322e631d2865e9c8faffd3da8 |
| SHA512 | fe93bded2d2413a652496beefd8949b2baf874cce985876c8befb2f39bfc77e96e08b1807ed567845477c04efb16f4b7b04f79e450fe34692386af512a2a8d0b |
memory/1480-1121-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qccu.exe
| MD5 | 91528b5bcfbd585209b805c5572821de |
| SHA1 | 20e2ec43eead996de3d70f1e00d5c7d4d0a66926 |
| SHA256 | 616bafd2a41f3d6b0da1d164ee1e0bc6a2c7dfab2295a257983b43b5bb85a94b |
| SHA512 | 9dc109110b6a6d061ff7ca9f75c860c44f9fff940be96a01d61dee9248c99d3d24cc11150861ea98b5d2e76fec9864dd44e2718847989f305e4ab753f404b15c |
C:\Users\Admin\AppData\Local\Temp\uAsA.exe
| MD5 | b2a948335efe59c31983b91031d9e261 |
| SHA1 | 563a836cd780d71083a159c41d22d0568085aab3 |
| SHA256 | fd92394c6ad50211bd82bbc127374d425699924aba414547760414544aa0b15c |
| SHA512 | 19878af1b7e53bfbd384078ba5cf0129ced5413d4919496942c610137cfcfc98e1511eb094338cfb69a050e0d99ffec7e56e7f7b34cedbaf421e2c52f41a77a1 |
C:\Users\Admin\AppData\Local\Temp\isYM.exe
| MD5 | c3560815784836ca7fe1b6284009e950 |
| SHA1 | a1218ae3746706853fbcb7e479bff57fa5353551 |
| SHA256 | 589414721748b1781990555ec626e5c20b7f22b825339a556907bfaca0e50f08 |
| SHA512 | 3f958017670ed523b67486d473e3610de636d772320c3fc00becac194a49369e7deb4816a523891ab285eab612c279c8a28ad1a85c48005da32ee94332b23ffd |
memory/1520-1172-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kcIm.exe
| MD5 | af4b9a82d66d13f473792446f2756331 |
| SHA1 | 7cd5c67060e729603c32f02779ea68a1be3d73b7 |
| SHA256 | 154695a7d7a279fb15558193243d826e9e6ad31ab66fac0eb630ec0d2a6c0816 |
| SHA512 | 7f1f5f7b9c4a45799fa84a4f185aff18464050dedcf336cf0dff05724754b28d0cb4cb538c17eccf84d21383117bdb189060d409549bbae7a30696a4592bc029 |
C:\Users\Admin\AppData\Local\Temp\WIko.exe
| MD5 | a8022d25338e87ebce8b9688f49f1f81 |
| SHA1 | cd460ed8bc22c1092eb19ab48d05520ae9481fd1 |
| SHA256 | e83ca5368f664855054d1103bb610d37bde58e307b14bde4d64909ca1824f384 |
| SHA512 | 7f2ecd6e1f47936fd966a70668b3d467d6129904d0027d0b346a36f63ba00405e289b5ffd5e86c5e369ec0025edb6786a10e4239609c79beb16d31414103fe5d |
C:\Users\Admin\AppData\Local\Temp\kEwW.exe
| MD5 | 6b1b83f08eea7db47631525ce42a3484 |
| SHA1 | 7a5c2020fe9ae2c1f04c8421848ea1dd2585b942 |
| SHA256 | bc0cc877e618e862e1519a41c569ae44b8d2ef17032f57e4c436b6241d939c78 |
| SHA512 | 7a71a6c34d8a2bc9df7c3944657d4128208f55bed6b96126c9d664f560e1c973604a31b3f41a0827e17f41bc1bab21e2514d6f94887db6496652a9486cffe26d |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
| MD5 | 43715859e7fb1c0a6e06878fc0cba598 |
| SHA1 | ebbde86245865cb439c1e52c8015d0f4775a99c2 |
| SHA256 | 8a56b55508b24852f34a93ae38efe8dc93b6a06a12a55e69e2873cc3f970d482 |
| SHA512 | 0b13ca96d7935ec5d4555f1ba8dffb7d85b24ef6f8477250bf4328c5200cb8d6e17be0c98badc0aec1bc4a7ab8d9ce3cc3d3e0e3838340da33f7c2291f956711 |
C:\Users\Admin\AppData\Local\Temp\igkQ.exe
| MD5 | 24aebe6dbde5c23132a775945e980aaa |
| SHA1 | dc44146dd38b67e98f36d4cfd4a36eb6b161f137 |
| SHA256 | e3c8395911abc55ba74a235570c9b970661b379b03e1186251efed882afab424 |
| SHA512 | 91ccd8fb56698dabf5aa7853b57e2bba720ed8191537c07054c1516056af36e5048f8ad9aec5af3662918d05b96bd45216adb076fce837a8dbcff3b59a007b16 |
C:\Users\Admin\AppData\Local\Temp\WkQc.exe
| MD5 | 38f0ea9839e3d42ea1cb4d1b144f8df5 |
| SHA1 | 7a8d7b0142233a7f7ae459181f29f94f4ce77c2c |
| SHA256 | a040a14b4ec3d48e17f611201458ec946c905fd188c9d2643c8cfcd4aa360991 |
| SHA512 | af1f70e0fab6796d1b58afd74c275a7183c298e645a79fc0fed55e5cfc0f5943d7813db5c1cd7ec29f0b93be66369ca9412480ecc2abafd26fd4d9c61e27c67a |
memory/3648-1264-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3556-1263-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oAAW.exe
| MD5 | 617502c0e9ff2c55615c749dd1591a3f |
| SHA1 | f109090f8ca6ad0cdb5e3fe48553f8c741450c1e |
| SHA256 | f44f27ec4b8d0df828a4ded6e38b424090935c3c607f33bc00eea03c9257b309 |
| SHA512 | 5b5b375363ef4f3e25b3d34ca9e1f3c6a7c7b595f958842112830c1bfd04ab1b866b29441368ff8f886d726a5beb37ccaf3d4229ae1f741aa25a71323d46dbbf |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe
| MD5 | a98ba26ef98f05adf0d8afe3e748e5fe |
| SHA1 | efe07e3a73a9b6bb65821f623d698256dabd0d1b |
| SHA256 | b542337806490ecc053e018bcd203ac07fcf8dde34a4da4844b1226b4528923e |
| SHA512 | 2cbea51ef34f9f71ace911b039801e3d877b7f4a8f357cb13e22ed0a12b706ca9579a65d080cfcfbf1ce5db7a23e8ecdbb530f0d0fa95811c8bdf6d087ce7930 |
C:\Users\Admin\AppData\Local\Temp\MEEE.exe
| MD5 | c73086dcfbdeecbebca8dbbd6926b772 |
| SHA1 | 7fea34be762fe5f738753b8b2fe62e248f8ee87a |
| SHA256 | 9bc3603d593698c5eeeefdb5188b8987488039f95101c096545d001898e7885a |
| SHA512 | 100db0375fff44a35fe8cd6129c94d15234b5a449da41e491c04344a74d4be8e111dd738b8f39fe8f58b7570d0491d4c8e6790d56c622ef2efe88befe99a9d02 |
memory/3556-1328-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4440-1329-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coUc.exe
| MD5 | 2b3cf813ebe20100f1e731af11f09805 |
| SHA1 | 8ba64bb64833a8db3fbfe4f791509a7ca117dd5a |
| SHA256 | c87225e9e051521e914e70d1a0c40f9a4cc8b144932be2d6453bd8d742464e1b |
| SHA512 | 3878ee0df7ad8f548e0a6a503699235389e91733ded97dcc55e34705f3fcb792c227225b5121361b044d6f749b13b1ee781d6422223c2a0c7f9748b55ec58a96 |
C:\Users\Admin\AppData\Local\Temp\SwkU.exe
| MD5 | 4d15e9ec6335e71ba5c2395811504def |
| SHA1 | c9a4a18b1a93e4597fa67c9bd597f13caacbd065 |
| SHA256 | f65167c784f4732c5b23262d49a687c4b17327eae042d6b849c1c7eadcb6fae8 |
| SHA512 | b4b090127f9bbce50fd3bf223761bc547ece8fc74d0c19e260f15e317db75326c992250144dce5aed5e9092593834766e488fc4de476076ce87f981a8239c71d |
C:\Users\Admin\AppData\Local\Temp\mcsC.exe
| MD5 | ec3fdda486a7b3071f4873905f88e976 |
| SHA1 | 6106ff7d053fc2f3ec037743aa8119db8375e5bf |
| SHA256 | 0da4337ccf65d1a990c534abd6677752fef5cbc440ae02172224b70e17c20937 |
| SHA512 | 540329938317dc60a6073d505e6859b55025905778c0eb4bbc849298408f81ca3db8d15e574da5ce3eda893e85b9a4d3ff7ee91f0318341652254a21d2625c7a |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe
| MD5 | 8f8b4dcbd01313d3d423c8126ce8fed9 |
| SHA1 | d13c831f799cf4438c6c3614e111f0f132858d7c |
| SHA256 | 0b125c429326d134eb5d14b2cac5d0cf935219fc5366c96d710b6be005df5dcb |
| SHA512 | 860d22f7ae647d7f50927fe338c17d5d4a06b82fd8d6e9587ef1cc23cb1e7d75171504263bc904cb926da5af4570c91e2d37ec960defd71a768060f64fea6e25 |
C:\Users\Admin\AppData\Local\Temp\WQsc.exe
| MD5 | 7f7e008fd5d38b13719c569d17ad3baf |
| SHA1 | b6e963f1e1396c056fe0e2bbdb02f4aaa21b2c82 |
| SHA256 | 8e453ebb6bd410f05d5f061fdc4b55bc0f70f54de03314347a10db3cd4949693 |
| SHA512 | 623ba4825c3eb7880dbf4ea735d838874c0bc74dddb6fda7ed42f84efd2cde2b41da3a017e7cba46e0c9686134a2eb072c2bed0742ee98f5cabea2a6d6a275ae |
C:\Users\Admin\AppData\Local\Temp\OMQU.exe
| MD5 | 941fb819e0e9201b93705b73984eb418 |
| SHA1 | 3fa082c6baffe3b76974883c26dbfcd6cbbf7cdb |
| SHA256 | a5e03cb656004f1f5415cd102cbe5b7530a44e142f7db903653e0afd01045e7a |
| SHA512 | 670a6d538d688de4e63a735bb29110208faf5e56dd2c23944d1b1eec1a0bede6de187ab8f3e3a5f7290cd60fbb7715d9ee8b3b97fe4d8c1109436c71cf81f4fe |
memory/4440-1407-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uIok.exe
| MD5 | f3fbf44b5b854070a3c3dcfafd4b76a1 |
| SHA1 | af38697e586c8cebccd30fcd25c80704c8bfdbc4 |
| SHA256 | 5982a62a3739a1eaee381cf1f110f77dfc92764c9196d60563f775981f11149d |
| SHA512 | afd98b57eb4fc6a78521ff2724db611cc70329bdd44671a75c94d6296c7f20579d4ba410dbf2126789f79e014a4cc15b52ad4d8ce3b593a786f16bb5a4019a87 |
C:\Users\Admin\AppData\Local\Temp\qcck.exe
| MD5 | d6c295b729d0365b0be68cbf38c5db73 |
| SHA1 | 6bf28f983ec7cde1eede1fc530b52e42ce7c6618 |
| SHA256 | 19530732a74aeda75e7d0f4ae7ab50e80d587dc4a158e2798f4decafd93797a2 |
| SHA512 | 75a9dc9c871f5100b66602f1afa6a638c0463882341929a86d363fe83322bae9c5e559b932947728e80cae4e2fd44d096b57cc514c42078b1fed96b4cd8acc41 |
C:\Users\Admin\AppData\Local\Temp\MMES.exe
| MD5 | ea557696c7eb1ce93f52a8241ba42d12 |
| SHA1 | 7395b5f7707c0a71ae8d0f3cce7e44d0a4ecc22a |
| SHA256 | 6db5d20166979deec9c0df6ecc4182715674797d16ed6602a69c4e69ce8d6ccd |
| SHA512 | ea6e7540fd77e5e1ba378dc160f8e33c06da6d5bf7d3f6307aa1f4252c2aa4c1ff6cc361159e7672e828fec02e952131291fcab0157d8614797dc7b46d8f48d2 |
C:\Users\Admin\AppData\Local\Temp\SYEm.exe
| MD5 | 5a70ca350956554d928f4860ede40dad |
| SHA1 | da7310c3a7281b694e71809769efb106a02b6184 |
| SHA256 | 6e14f447301b6f2869b9f0e8563f8e02748d84c9653a268ab624715cd2740c90 |
| SHA512 | 079b64cc212d0840702f03a032f874e208f674a1e5744c35eae5e9697f177f2c62ce9d3bfaef0768418c174eabb9b42d36c4e369e99b378437417fc6fe5a2603 |
memory/3548-1469-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GUsk.exe
| MD5 | 22d9af67a1eebebe25c713c39286968c |
| SHA1 | c3d646ddaad8de5f23460370d08d7495c402c532 |
| SHA256 | 28c210213fa5b01adde0508b92647840abe1d182c7298475a936caf806c8c766 |
| SHA512 | 8e869870da3c887ff387942adec07f0fb7fd32a3f18e9e1edff4eefd45d7b41dc37ada83fb343ad0966d82c98bb7564e911bdc91b5d8e06a628557703d0dd3e3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe
| MD5 | 14f075e19e0d6d5bb7b515a34b4e5c19 |
| SHA1 | 23951168566be59cb3e171efde0ebc3f1fed0471 |
| SHA256 | af3683f6e9d4a8b8576b94700463779ea2d721603ea2c4d81c4782f304cab162 |
| SHA512 | 97a0851207c62493966fef873ddd386b7146cea3236460ce670faa71fe4a345a4db79cc2081165828dbefe1a1a815bf4fb44c9ee4e598d8fe5742bee6079465b |
C:\Users\Admin\AppData\Local\Temp\yswE.exe
| MD5 | ab92a4c887c0c1a5e4dc7ea8ad45d22d |
| SHA1 | caee7a756f235c659bc2c994ac16e8d2aa042c3b |
| SHA256 | 571c746b4b9934beb6b422f1eba942d065634dc3ca6d08a63f77962afdbd20bb |
| SHA512 | 86843a1594ced76897d8e214ec243f10cd694002862d37d40949d342fc80b49652fa72eb174eabc56b9ade48ca3662225a652265368912fd6efd7ad794763f01 |
C:\Users\Admin\AppData\Local\Temp\IkAS.exe
| MD5 | 90ce4ceb263b811d4d057a6a467effff |
| SHA1 | af2ca8747ad90237553172bb8011b7a201419b10 |
| SHA256 | 73a85b081daf670a80bac4f76fe7ce92870201fdf5178566d93fb2c871591fb2 |
| SHA512 | 03496d945e0c83a19b606f4cf3cb0b5eb7fbdb39b39875b8539c85c985615529b971ea9970a1aa97cfe9e2747771b275700bfeb8f36cf26b44abe35e700c6d10 |
C:\Users\Admin\AppData\Local\Temp\wsIS.exe
| MD5 | b8c0048517c5d9940011688da46d48a5 |
| SHA1 | d06969e5fc86ccfc4f365e506c7eaee36eb5fb5c |
| SHA256 | 4447c15233430b833be9302dfa9624d87051263dc2d982bfa04fb598a20d96da |
| SHA512 | 96d6d0dcdc8c862545456322d25a17638dc22ca6128adb7e799e105067f297805ffff2e1ce47595a6913b7c3867fde788a1cc57c1a6e79ff9307332c713128b4 |
memory/3912-1547-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qAoa.exe
| MD5 | 58d1f018dbd716cf5d2bd5de9416f7d2 |
| SHA1 | 191b81b1cc21891df39a47ce2ff07368ff5fe2c5 |
| SHA256 | b56f961a8f18694dd75a58ea02c7d2c2701e4f5433be506a3f7b353482f811ca |
| SHA512 | a37d51e5a9b44e06827cd7ed86e519f92484c43685bee53f9aaed6dd6f697c7ca8ba62762c0fd4a642d6ded55f0dea1a18836de2a651c2f6d60f50c83224c46a |
C:\Users\Admin\AppData\Local\Temp\Ycoy.exe
| MD5 | 9a17350eaffedbb68e1380459b4f60e5 |
| SHA1 | 5120e77b044529eb2671069bb8ac719131e044c9 |
| SHA256 | f51a1d742397f7586c00f0d0ff1ad4029ef7dd7766f7cfa33d564971f873c2c4 |
| SHA512 | ab4cf96c1e7e6f99cb6c9736e3750db5da122eb6ac4c54ca07b93c1afdae312a61d163ee8868b1c389a149f6cff96159d28627c1de67a53a589afa05ae08e8ab |
C:\Users\Admin\AppData\Local\Temp\uwsI.exe
| MD5 | 56ac796c3428b6feba9ce0540162fc9c |
| SHA1 | 93895a3069da0809d04157725718165ed8f17189 |
| SHA256 | 2202a04528c4867f021da3c684b0046d5762a53e4271d8415be5d93ba7994e38 |
| SHA512 | a3274d65e701c8a4c080ffb336e88d013804d6e0b85ed038d32a42ef3c41f845a1234d56f3a4485a7ccabba96a18dde5019b63244e8ba11b9a32f0ac98df949b |
C:\Users\Admin\AppData\Local\Temp\kkUa.exe
| MD5 | 5046034b0304b7eee220598acc8d79ed |
| SHA1 | 8e43a674b3034da08523285b50e01d5d9380ba83 |
| SHA256 | 0c4dc511a13f74c50f78f5f3b3f5d1fafd32e8ff4ca8aa48002e7fcc5aa383f5 |
| SHA512 | 858065cea263bd9b874fadb847e7894c5bd43cbfdcbc710e5b116b90e23e6701bf8933c650fa4d17447b837abee787e9055c4ee2633bffb5736b0507ee89644c |
memory/3604-1611-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OkwQ.exe
| MD5 | 7a304e101b6859df97afd69c34f17596 |
| SHA1 | 77ad3d2a92c0c502b4bfda687a73273664fa6540 |
| SHA256 | 90e887615ab57c0d834fe2dc692a0aea30a8a32ba82ede6857b8aaaeac429039 |
| SHA512 | be025cbc8319b19401170034696fd229aff027f9b1b91c90bed2073fe72e07bd35cc09df08a5242e45779149bef46b84169babd09c0085c9ad750597b5a58120 |
C:\Users\Admin\AppData\Local\Temp\gMYy.exe
| MD5 | 3649b40543eab7015bcd2175302f8878 |
| SHA1 | ece83f10693e401819946ec9503c25b3f495ba3c |
| SHA256 | 5548b04c8682b8b8494e84eb1ece8a8bd1e04f2c24f943033981baf824fdfe9c |
| SHA512 | e6e0eafdeb4bc26278919f301b6da82be2dd6ef9023878dd73386738a3219e376673682a0ec1a19bdcb065f237e0d7d0d722e20dfac102d45112d787d1323aa7 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe
| MD5 | db09b52bd1364457196a75180bce7b6b |
| SHA1 | b2e5f0c8df43e90192ad16d59dd53cc916c761ba |
| SHA256 | fb3c397a369fdcc52b5f92d6c42bb21b716f2764740ce8530e00177e8b8bece2 |
| SHA512 | 4789d6410f706944b3237181716712857ed301a80f129874e64c22e124efe58cdac8fb5faabcaf2d5ff0bb5752535cf9b1715047babc0b26dd0fc0aaa821796f |
memory/1060-1661-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qEkw.exe
| MD5 | 755d0b38c359d304baccba5af24ba767 |
| SHA1 | 60150ccbe0161f690f2ea26fcf118f57e34eb3f2 |
| SHA256 | 4348b65ada289cd55859fbb5f7d3c1a622c44ded8533a48fbf59796102f8544e |
| SHA512 | 02e108922e2761eb0b39864b5076e302188c5aa0d2b0f56e7056ab18149c83f8e06a86d54643076fa3f969b21604bee621c44909bac78da6e3d65f32debc461d |
C:\Users\Admin\AppData\Local\Temp\CUwi.exe
| MD5 | 7151dee1e551bec79b0ff16089aa2bc8 |
| SHA1 | 86b48dccae95b6eaa14db154de43b94c47cf840d |
| SHA256 | abba3647b31ac94f0c74570be99dd3edf97cab57bf44b20a9f62b09619e10114 |
| SHA512 | fa631f8575de51a5c56be8b6b06669cdca14dc40425327760d5056f02569b154ff8b29d90058412799e412a04cb8fdeef800531a8967a745b038fa0120d83168 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
| MD5 | 7fdfed60c5cec800b7ac10dc24cbb50e |
| SHA1 | a41027ca6d822bdf7ebaeda7ea5d5d33af7bf601 |
| SHA256 | 318cd63ecb1d179fe402a3260ee64b78ae9984eda6c137c286c5e45c7ab798d6 |
| SHA512 | d9767f9090673db33abc5a286db279508d11d85d3b9aab723dcbfce8daf4794c31e2afc4ac709e9d3f52ecfd113883ca1e00c007db594ff3f7e862d778dc7d65 |
C:\Users\Admin\AppData\Local\Temp\IMww.exe
| MD5 | bf988e365cf4ab2672351ae2f209c180 |
| SHA1 | 05e7dbdf229323a8a39f3e2d373e1810f2b8172f |
| SHA256 | fc7beb0520efa63f1bb6eff54c99d42b8be3c39db78c87ebbac6eb4533639ea5 |
| SHA512 | b567ceae7664142d50146579c6f414d25d9e806e0bee48c950d2918da679323841d53afd7069d676aac329ff71ee356e9857b26cb636437c19cf3bb403858b19 |
memory/4860-1725-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GAMS.exe
| MD5 | e4ef2882e8a767b1aff63bd214ec1335 |
| SHA1 | a375d753a38a945650b6faed06a99d65cc2c6e2a |
| SHA256 | 8215a7d6f36fb616036acbba9293bcc58c58704c85e7cb97f64335ca4678c719 |
| SHA512 | a11edfff8850e78aa490e58a425b3e623ae3886b31dd81059daf8e89ece20421b0e618553d0f3aa2229da60228aca0610b2434452306b63d1134bd59753ef903 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe
| MD5 | e62b130b1940ae2246adc86050b5b9fc |
| SHA1 | 4fd25629b485508d921872fe3aae0da036dfbd0e |
| SHA256 | 889930cd0d0ece56decb881d4b17ae330e069342fc8059fcfda6d5e6c7de5eea |
| SHA512 | cce7501d7bf4ad6f684685e5208c3215188f26dbe024602123c5a3d48b59afcd7c6ddd8cb2b7664cac651b06a2bd98547364020832eb94dc6cf708d27f8e790c |
C:\Users\Admin\AppData\Local\Temp\ogka.exe
| MD5 | 578d17572bcddaccf88f0e6232b76253 |
| SHA1 | c9e431ba05fd91f6ace7315f6aec1f5d53159681 |
| SHA256 | 0e133b0b099c68569c1c4183ad89ac68b19d7e93244c8241e1e2f0f11609891e |
| SHA512 | 420a8961cc7770c434e01c9cb555d1d4e9e180c7f2150c9adb1a13e284217ea5c22152364e1f072f56326b3d3088895e214310e69c6320629c5a2095d3ed64b1 |
C:\Users\Admin\AppData\Local\Temp\oYgE.exe
| MD5 | 45a65254e36f703d5aa4d23aa994b633 |
| SHA1 | 84b419a43f41dba4b5e50d1fcb4baed8bedd1746 |
| SHA256 | c67c156e0f4238bcc8bb21c814331461e9e969c6e02020284929e590185d10f4 |
| SHA512 | 23e566d644f13af725142a582004ba56baa4731a9e73f2f7dce11afa1be5da20585814d3061e606dbce589a3b8c23c7ddff5a16f77e92a553dde8b963a01c4cd |
C:\Users\Admin\AppData\Local\Temp\OIIi.exe
| MD5 | 7a3084ff6830b7113386c0f628119ed4 |
| SHA1 | 22bf0e4231783cb201c73b308ec5c067bbba9fc3 |
| SHA256 | 953a8a7e1c2fb787cbccc7d69baf827039bf2a48c81b01c5c8005f7df7e70fe9 |
| SHA512 | 6b7e59ab893b62c68908a0ee11cc8ae55a224c2670459e9fdae7e182237e3f837100f13526febfa31fc423fe354abf4213494ce0ce0e93889524a4c157f0427d |
C:\Users\Admin\AppData\Local\Temp\mEcS.exe
| MD5 | 64563997ee7c50219bbe2273afb7a12c |
| SHA1 | cb1917573d96841f4a992012188c0c8658a42747 |
| SHA256 | 1f4d83cdf9f2f12fef9dc65fcf2065835ba57b0c42cfcedd9bd0dbfab8553346 |
| SHA512 | a6217dae89db9a40a62ded3d2b847490c0755f6dfb7b2ba29cd4f3c371d7e0b36a90ab06f327c4b5d9a6f2a529367d2e8d36b88f41cf6bad19b4b9a30c72fb0b |
C:\Users\Admin\AppData\Local\Temp\GEca.exe
| MD5 | b846288e47a636933cbffb4185118990 |
| SHA1 | 928b138e8f905b11b4eaff2073e152e1f2bebcc6 |
| SHA256 | aad906729210549dbb09907cae2ad5dab6fbf54724741a8335543fcfc0f124b0 |
| SHA512 | 83293630fb354ed4f6ac5a959bf803ef9241667bc178f594d11b92066ef80baa0cc535e051dd03a69dc047acd1d16e3d4635eaef5f7a6631123b13be2503eb68 |
C:\Users\Admin\AppData\Local\Temp\mcgY.exe
| MD5 | 72289a5fd515761ad7ef5af73a9d6801 |
| SHA1 | 6a6d26165ca069ae164930a487cda271e3a6ba40 |
| SHA256 | 06e535496a7ace8f8936055f51c433e29a74d4ea70ea4b5370ed8ba63a182c1f |
| SHA512 | 909635cbf4ecfd332c18e45e5f64f7f0ed2d7744f09f467c3fc79093690739930c453ccc064ca93433d1a9db059e3de3c37e6a2a64fb03958882455ad2051701 |
C:\Users\Admin\AppData\Local\Temp\GIwO.exe
| MD5 | 86f0e2c74adbc48e8e9ee49180cd4096 |
| SHA1 | a9e4185536f4482a7eaeb871327029c1f1dfffce |
| SHA256 | 62d29e8f9a9a5f22bffb450f6b75b91cba27c62484d05e1c9e1db96c2bd60651 |
| SHA512 | 5900e45a4dbd203bf31d7ced962172d83e6b53035ccd334351533e26a1fa039fecc68e1ff842ec9de2b57996174856696a8ae4fa975b211f5bd19ebdc0609fa5 |
C:\Users\Admin\AppData\Local\Temp\eYwq.exe
| MD5 | 98dbfc6c128dceb23850ac97af5e603e |
| SHA1 | d1b6a6c098f2b054eda65f73e3b2ba967d4d44db |
| SHA256 | 3dfedb3aa2375a6efde11ad5fd086f703ca0b47bbb39bab54a1ef0091344448e |
| SHA512 | 48fd3119e7e713b55662c50f8dcd96f1cb1db384a3c10bd9ea370ba7a9c1c46a3aef07189008e0fed9392c26b6d664f77a37b5e362e7a8588a4d886051f92efa |
C:\Users\Admin\AppData\Local\Temp\oEQK.exe
| MD5 | 27502aec9703f231012eb08a53f23171 |
| SHA1 | aee4235ba1bd1948d1ad7c9ace1822367e5731ea |
| SHA256 | 4b63f10281046df7ad73553f002d2500114e94d825f7eebbb4af6645e93fb166 |
| SHA512 | 1f3c627cfc428fda837c22f4f066ee2613558259d3d76fb9dd8f6437ff1c0dda8fb9770f64a37de730bdb49d8ab222c17abab3d6bce4eb623e42cb1d47ea5189 |
C:\Users\Admin\AppData\Local\Temp\SMQK.exe
| MD5 | c828225b4862539ed18f453764055853 |
| SHA1 | 99e3a27e2d1b27717f83eb2f3f9174de4663b6c0 |
| SHA256 | 43360493a5f4aa98e90f45f4e2c96bfe79dab93eebd1c2a180b2ef90c9c5ab07 |
| SHA512 | 51b83473dbc489e7ee21ccdbfabba9bb15a4e0082750d4479704909ee472c618bc952fea99fbb6a3cb5efed485ba34925c3b6a7009b46326fd3d8e0167b9c0c7 |
C:\Users\Admin\AppData\Local\Temp\iYUK.exe
| MD5 | 1cbc604a8c3e8d205f32e20084a9a131 |
| SHA1 | 62464c4c27082deceed6f7933b5ee326c83cc28c |
| SHA256 | 270160c0a165097e9f89a84bc691a7999fd8872670c28dc76714610b34d48c76 |
| SHA512 | 7ebc136188dd7dcf7bd1d0f7e566f3eb82aac8aa015ce7935151b1d03965c6da34a7d9cfc99801246c8cd8425071ed76ce16ed81e249fe49df0672b3de9c3be7 |
C:\Users\Admin\AppData\Local\Temp\GcQC.exe
| MD5 | a8156443414b66b0448337dc20ded0e7 |
| SHA1 | 1a18e2ae6a088023574c9b9c87b9c13665507574 |
| SHA256 | f92b48eb7667e53d7474593995917b71ac376941e0433ca9d483097b940e03e0 |
| SHA512 | 536c2220470f2a18d267037dc6828b8301bc9f20c0a334da826c8e7e3e2a1764b87c7871949e72815ee624d8bf0599920b45b127861159c3954da4e7e5fc6849 |
C:\Users\Admin\AppData\Local\Temp\qwsu.exe
| MD5 | bde7535d5b79fc97e73c20f05cd32134 |
| SHA1 | b4dc2966c061f6186f9b3baaa1b25d3f75bf5eb6 |
| SHA256 | da2f1793da14ecb68c644642a0e316bb4b0fec673a3f086be77f6fa9f3952ced |
| SHA512 | 009a8173733b5ccffaff83285726b0b6e680826533e7ed18aaa4777c2ba11266b8a3fc293e0e86841037e3f11604258115ba9ea3f4845c43494976d3d59d4b81 |
C:\Users\Admin\AppData\Local\Temp\QAsY.ico
| MD5 | f31b7f660ecbc5e170657187cedd7942 |
| SHA1 | 42f5efe966968c2b1f92fadd7c85863956014fb4 |
| SHA256 | 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6 |
| SHA512 | 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462 |
C:\Users\Admin\AppData\Local\Temp\swgQ.exe
| MD5 | 3984dd63015e7b085efd7d690375ba1c |
| SHA1 | 57c0f9308e3cc50bb6a41e1285e8db6104a4b646 |
| SHA256 | 27d26f29db3339800c2464f2ab226b51c9eded5838bb40ad8f12cd134f12fa23 |
| SHA512 | e5d24a055a8ef2fdfcc1435dbb47eb9d2f61cea6ce206d9c871017732106a3303c842db93d0dcd191f6a4fb8f1bde16579735fd7f15def6ecf41be4f6a78d6fe |
C:\Users\Admin\AppData\Local\Temp\kIos.exe
| MD5 | 6df71d137328d51877aadecb63c3d7f2 |
| SHA1 | e2504cebaeaced73572ed7b33e7126d9a6207b4f |
| SHA256 | b4916e236ba57fd8613d7fc9a8b85f37f3405682bb1ecba5966c360286de68d9 |
| SHA512 | 2d89034b144b43081f359c4b66aff1f824597aa383c0cd2119043f131f93ea1abfdc88fc34087bf04b9b8ae5e87b83b8d63610a4436fa0da48034deee3c112b8 |
C:\Users\Admin\Music\ImportOptimize.zip.exe
| MD5 | 89783e13a0076585c8f4306c0fcecbd4 |
| SHA1 | e7d9f2d55085cf1b5a2e9a9f9c08961e1a62ea0d |
| SHA256 | 62a386e9c67ae2e448870e382aae8d281d24bcc409f0f7f2b405d5ffb516b4ea |
| SHA512 | 482a93f686c3f5179bc13edfdd2b8a6e41264f49b676c9cd7aa7b2190c20c5fa073c77f0fccf9bd5fee104ae60703e9ff0ea688b273dd7e12e65983b447034fe |
C:\Users\Admin\AppData\Local\Temp\EcMM.exe
| MD5 | c838c2a7e97e95795d6acb1328eba625 |
| SHA1 | 8db8020b2c287c7b669353bbb75b8f9fd42cfcb0 |
| SHA256 | 20189a8859762b67478ff0c70f6771fa099b7cfee430a0d18327baf50fce4aa9 |
| SHA512 | f4d8cd3a5bd39bf27dd97d514adffbc930e179779ac0cf54e3fa0f9d6f0c4b359f5afd1d5b2bca4b519a877a04d580886708438b9ed3cc4e7cf791278c44edd0 |
C:\Users\Admin\Pictures\CompressGrant.jpg.exe
| MD5 | 9766ee553d339f6035ec6e20b5a95ad6 |
| SHA1 | 473888d6903944cd8a5b1609da15aba82c3f0bfb |
| SHA256 | 84a55dde657f0f5ac644c6ee4deca54c2ed02921c2c512e4f95d83b871a24ce2 |
| SHA512 | dd7555eb4d4e5b5ceccc66773ed6fe81de3aeb64495f2712ab2bb257b3a4139933e5545098074e8b0adadbee910bc814ca724ebb37833a0286adc8406170ccd6 |
C:\Users\Admin\AppData\Local\Temp\GYQs.ico
| MD5 | ace522945d3d0ff3b6d96abef56e1427 |
| SHA1 | d71140c9657fd1b0d6e4ab8484b6cfe544616201 |
| SHA256 | daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd |
| SHA512 | 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e |
C:\Users\Admin\AppData\Local\Temp\KkEI.exe
| MD5 | c483e05ade4d41651cf00483c36a4d01 |
| SHA1 | 5c3c4a550dc466471b960a371b6e3e951f24440a |
| SHA256 | 571498dc0e02f47368ae1541edba9e76225752e297f699dab30e28190c43d359 |
| SHA512 | 52b63ba7ce783eb2dda5d2674344fc904baecbe85cb00f4f151a2b4fd1db39e2f52ed65e11d5f804b6bd37317af0a72e1292905da0b7524190b196d15fdb64a8 |
C:\Users\Admin\AppData\Local\Temp\EAoG.exe
| MD5 | fe069512691de3b047963b68d19072fe |
| SHA1 | b0958f8f9ee1d763175bc9c610cacf88cc59a5f6 |
| SHA256 | 80976857f906b30d3b3dc56838bae30db7f980fce5de621649c51d90c4a4b27e |
| SHA512 | 83b739da4f350fea52dd4aacb3b8e6df27a207a62583f3e12cf10a23ed5897cc932dd6b317124097843389089e4c84575f792bf85e97f9284289078b4f380b9d |
C:\Users\Admin\AppData\Local\Temp\YIMs.exe
| MD5 | 4956c7d83a01c1cf42ca9d05ddfb036d |
| SHA1 | 72d406e7968b8b8ef3b25bc8782a50f304c38da3 |
| SHA256 | c21b39a4deb1ab5dc9d33262710739f1694426795ce04cb4622de07e3ce23100 |
| SHA512 | 1d97f62cd8f650fe7902aa6511db0cba75d42aa185128dc96878ded2f0015469b47163a22619c09c996c4d51963c2dacc7e10b7eee7d004f1b35c9083f102526 |
C:\Users\Admin\AppData\Local\Temp\mEcE.exe
| MD5 | a108993c4d42913a0fd0b63606dbd0c6 |
| SHA1 | 690a003c513c7c680e53004b17e669b760860c6c |
| SHA256 | bc3cb49a1c181d3ae3fce9da854de4e48f0b0f0f19a109ef2d0136285e5c6922 |
| SHA512 | 35125c4a644270f76fe77e5f6f09f8e7b5ddc0e7b09bf9060d717380ad05ed917d36bb205f02a007f1478cd6fefc391efbc9311a4cdccc5cae7a9b89b6b4a313 |
C:\Users\Admin\AppData\Local\Temp\CUci.exe
| MD5 | 2416d4abc4101949f435453dc22db192 |
| SHA1 | 4c53b78a97bb2a10995c8c0b68047d54b8e0dbe8 |
| SHA256 | a2ce053393e96cfd477b942a4c3d2658c1068eef14ffdf635ea55f85ed113d2e |
| SHA512 | 6c00db039f63a50a4745f1c4efd6be62f38e3a2d16c077896e3dc88eac12400df1cf04bb7ef9a46f23d49dfaf691e669005280153e4d7ade39dd6a0d03f02c70 |
C:\Users\Admin\AppData\Local\Temp\ggwE.exe
| MD5 | 4e8189de9d2f66e6ba303c4ab8b15818 |
| SHA1 | 8d355917b175920bf362f5c46678d8d678d6825f |
| SHA256 | 4f7f5bf9c6a85fa7213d045ec69d5f0cb729b634e06881fb0ce11047fbdeb66e |
| SHA512 | d19d07cc93a9695e6e35e9d11a60571511333660742a625c53456ad700ecb9f099cc727fd57ec2147b14359b122a4978b3e9f49a358fd322783976653dd10619 |
C:\Users\Admin\AppData\Local\Temp\CgwW.exe
| MD5 | c9c23df1f8cf0d46ec4a94cab6de364b |
| SHA1 | 47fd86aea01f42abe9c461ec46d53c6107f112db |
| SHA256 | d4c6d804b8f3934932113b6d8df9eb22a560acc32054bd2097cb3222b515dd9b |
| SHA512 | aa58440ad2125cef142f9e58e5d04c5a55181c89a334c2fa8fa0b63b553f7518d8a2d36fe35e1be0916841e1cf1ee06d0444288bb648425d72ee6c9930dbe9d2 |
C:\Users\Admin\AppData\Local\Temp\AsQg.exe
| MD5 | ba996bc3e098772ea9d94a171ad0aa48 |
| SHA1 | 8473035638b645eb3300bc5153f46691105e477f |
| SHA256 | b50c498e831349ede6df6dd0fb56fab3be99a638e57c4f4cb9d0f536a2bb771e |
| SHA512 | 6563e295b3228bf7bac3f9a5d9c33671dd10dee8ad67cc745562e34c87bd4027fa9e8efb5702713461061c1b2a827384f933425a7be4795b4fdb0936b80f7a9e |
C:\Users\Admin\AppData\Local\Temp\sMYs.exe
| MD5 | 658ec3ce3165eca1b95b25774f7e29a7 |
| SHA1 | 42d074b936706fbfd321705622978a7082eb58a5 |
| SHA256 | 7e370b5090e713484440fbb4ec9bf419f7ae2e6a7c7efdd83f8aad30ca32b160 |
| SHA512 | a7e50b0215ffe38e575d23736334a44a09b3872158c77d593767645f34207d5b5fd0b4c4498e25cfb6471771f983f2c5650897473b4368e41eab61831026930d |
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
| MD5 | 5806af5789c3a92afed845f81c1f4107 |
| SHA1 | 83dea29fe50fe87ccc2021ff77d5b249124ae8ba |
| SHA256 | 0e4c4fe3c97b286ca87aaed80ccf75745a67b247940b0ecc205ec0a6a648277a |
| SHA512 | c154727336d989f5e383cfefd95cb7fca7411dfad9b012c29d8dd4af6cc3b78a2a2e709f40fc75e21723e570fa3951dfb5dbc0f54c299cc95363485e0f3cb589 |
C:\Users\Admin\AppData\Local\Temp\EkcK.exe
| MD5 | 9c25a2085d0f93e09e69cc4a2c85c41e |
| SHA1 | d3b1304ea8bbec825cb93b1e52eec31736c0391f |
| SHA256 | 030ff7d70342d6c07af8fb29060d85a8a6f73cdd2462aa7bbc493c258f90dc92 |
| SHA512 | bd7e8ae9a6e27c8ca1d791d4be3df2329e5c6b6a8d3d6898d9af090e77ea388f7ba76797b6a7430998f2e738cf5ae4e1903e94b93b1983d9867056aff6fc12ae |
C:\Users\Admin\AppData\Local\Temp\uMkO.exe
| MD5 | aa2d490a82022cd8d2be78e54ca54749 |
| SHA1 | 1613bacaf18a97899fbe39dbd2359c6a798eef68 |
| SHA256 | 8d75cbf556d3ca2e562226f67ea44f53ff80b5aafd29c719dc48bc23db588362 |
| SHA512 | 84a25b07ca1c95502a9d29da11e07dd69b44f687802fc5a20de5c46de883b2262fb80ed3dab7f2c8d92e3c8121019bf8db352685565e48055a74cbe01d8ebb98 |
C:\Users\Admin\AppData\Local\Temp\yQUo.exe
| MD5 | fd4f7ac4d61abe26af3896bd88646d89 |
| SHA1 | b2827eea486d45b0d63c74191701630e3e289599 |
| SHA256 | 699de1c0809e5d9ee17812fb73c2b2454e38bf84f854fe611558caa442b8c7db |
| SHA512 | dfc676beb9ccc1854432e2a61922b5a2bffb9aa41015561d5a54207c1f9b1dcf554bfe5ed7f74e455442ff772eb19e7ef7cd3d90ba978467644e24dbb6adf68c |